Google漏洞过滤规则研究
来源:互联网 发布:联合电子汽车 知乎 编辑:程序博客网 时间:2024/05/18 15:06
1、通过Protobuf的代码发现了过滤逻辑
goog.string.AMP_RE_ = /&/g;goog.string.LT_RE_ = /</g;goog.string.GT_RE_ = />/g;goog.string.QUOT_RE_ = /"/g;goog.string.SINGLE_QUOTE_RE_ = /'/g;goog.string.NULL_RE_ = /\x00/g;goog.string.E_RE_ = /e/g;goog.string.ALL_RE_ = goog.string.DETECT_DOUBLE_ESCAPING ? /[\x00&<>"'e]/ : /[\x00&<>"']/;
2、过滤一些特殊字符goog.string.htmlEscape = function(str, opt_isLikelyToContainHtmlChars) { if (opt_isLikelyToContainHtmlChars) { str = str.replace(goog.string.AMP_RE_, "&").replace(goog.string.LT_RE_, "<").replace(goog.string.GT_RE_, ">").replace(goog.string.QUOT_RE_, """).replace(goog.string.SINGLE_QUOTE_RE_, "'").replace(goog.string.NULL_RE_, "�"), goog.string.DETECT_DOUBLE_ESCAPING && (str = str.replace(goog.string.E_RE_, "e")); } else { if (!goog.string.ALL_RE_.test(str)) { return str; } -1 != str.indexOf("&") && (str = str.replace(goog.string.AMP_RE_, "&")); -1 != str.indexOf("<") && (str = str.replace(goog.string.LT_RE_, "<")); -1 != str.indexOf(">") && (str = str.replace(goog.string.GT_RE_, ">")); -1 != str.indexOf('"') && (str = str.replace(goog.string.QUOT_RE_, """)); -1 != str.indexOf("'") && (str = str.replace(goog.string.SINGLE_QUOTE_RE_, "'")); -1 != str.indexOf("\x00") && (str = str.replace(goog.string.NULL_RE_, "�")); goog.string.DETECT_DOUBLE_ESCAPING && -1 != str.indexOf("e") && (str = str.replace(goog.string.E_RE_, "e")); } return str;};
oog.string.specialEscapeChars_ = {"\x00":"\\0", "\b":"\\b", "\f":"\\f", "\n":"\\n", "\r":"\\r", "\t":"\\t", "\x0B":"\\x0B", '"':'\\"', "\\":"\\\\", "<":"<"};
goog.string.jsEscapeCache_ = {"'":"\\'"};
" >>>>>> \"
3、 URLENCODE
对URL中一些请求进行服务端URLENCODE后输出;
4、HTML过滤
f.string.Sj = function(a, c) {
if (c) a = a.replace(f.string.IG, "&").replace(f.string.GH, "<").replace(f.string.DH, ">").replace(f.string.ZH, """).replace(f.string.cI, "'").replace(f.string.NH, "�"), f.string.Gy && (a = a.replace(f.string.AH, "e"));
else {
if (!f.string.SU.test(a)) return a; - 1 != a.indexOf("&") && (a = a.replace(f.string.IG, "&")); - 1 != a.indexOf("<") && (a = a.replace(f.string.GH, "<")); - 1 != a.indexOf(">") && (a = a.replace(f.string.DH, ">")); - 1 != a.indexOf('"') && (a = a.replace(f.string.ZH,
""")); - 1 != a.indexOf("'") && (a = a.replace(f.string.cI, "'")); - 1 != a.indexOf("\x00") && (a = a.replace(f.string.NH, "�"));
f.string.Gy && -1 != a.indexOf("e") && (a = a.replace(f.string.AH, "e"))
}
return a
};
f.string.IG = /&/g;
f.string.GH = /</g;
f.string.DH = />/g;
f.string.ZH = /"/g;
f.string.cI = /'/g;
f.string.NH = /\x00/g;
f.string.AH = /e/g;
f.string.SU = f.string.Gy ? /[\x00&<>"'e]/ : /[\x00&<>"']/;
f.string.nG = function(a) {
return f.string.contains(a, "&") ? !f.string.n0 && "document" in f.global ? f.string.gU(a) : f.string.Jka(a) : a
};
5. 默认输出过滤
针对所有的输出进行过滤;
- Google漏洞过滤规则研究
- Google Gson 字段过滤:自定义过滤规则
- wireshark 过滤规则 过滤语法
- DEDE万能过滤规则
- WinPcap过滤规则
- zz bpf过滤规则
- Nutch url过滤规则
- Ethereal过滤规则语法
- Ethereal过滤规则
- smsniff过滤规则
- Wireshark的过滤规则
- Wireshark过滤规则
- Ethereal过滤规则语法
- wireshark常用过滤规则
- Wireshark过滤规则
- wireshark简单过滤规则
- bpf过滤规则
- Box2D 碰撞过滤规则
- 龙与地下城游戏
- C++转换函数
- 海量数据处理面试题
- python模块介绍- binascii:十六进制进制和ASCII字吗互转
- 数组字符串转换为字母组合的种数
- Google漏洞过滤规则研究
- 二叉树问题---先序,中序,和后序数组两两结合重构二叉树
- 17. Letter Combinations of a Phone Number
- 勘探-微信小程序
- poj
- PHP基础教程-18 比较操作符
- 负雪明烛CSDN博客迁移公告
- Ubuntu-14.0.1中将vim改装为python和c++的IDE
- C++数据结构---链表(删除操作)