Error message here!

Hide Error message here!

忘记密码?

Error message here!

请输入正确邮箱

Hide Error message here!

密码丢失?请输入您的电子邮件地址。您将收到一个重设密码链接。

Error message here!

返回登录

Close

DWVA-关于存储型xss的漏洞详解<xss stored>

千与千寻了个啥 2020-01-14 19:31:00 阅读数:14 评论数:0 点赞数:0 收藏数:0

low级别

代码如下:

 <?php

if( isset( $_POST[ 'btnSign' ] ) ) {
 // Get input
$message = trim( $_POST[ 'mtxMessage' ] );
 $name = trim( $_POST[ 'txtName' ] );

// Sanitize message input
$message = stripslashes( $message );
 $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Sanitize name input
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

//mysql_close();
}

?>

代码中各个函数功能如下:

trim(string,charlist)

函数移除字符串两侧的空白字符或其他预定义字符,预定义字符包括\t\n\x0B\r以及空格,可选参数charlist支持添加额外需要删除的字符。

mysql_real_escape_string(string,connection)

函数会对字符串中的特殊符号(\x00\n\r\\x1a)进行转义。

stripslashes(string)

函数删除字符串中的反斜杠。

对于输入的参数message,并没有做相关过滤,所以可以进行注入。

 

message栏填入:

<script>alert('hahaha')</script>

 

效果如下:

 

 

还有一种方法,在name栏填入构造的恶意代码,由于name栏有字符大小限制,所以可以用burpsuit抓包后改为<script>alert('hahaha')</script>

即可注入成功。

 

medium级别

代码如下:

 <?php

if( isset( $_POST[ 'btnSign' ] ) ) {
 // Get input
$message = trim( $_POST[ 'mtxMessage' ] );
 $name = trim( $_POST[ 'txtName' ] );

// Sanitize message input
$message = strip_tags( addslashes( $message ) );
 $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
 $message = htmlspecialchars( $message );

// Sanitize name input
$name = str_replace( '<script>', '', $name );
 $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

//mysql_close();
}

?> 

从代码可以看出,对于message的输入参数使用htmlspecialchars函数进行了重新编码,无法使用之前的xss注入了

但是对于name参数的输入,仅仅是将<script>便签转换为空,因此可以用组合进行绕过

先输入任意参数提交,burpsuit抓包,更改为:

<scr<script>ipt>alert('lalala')</script>

效果如下:

 

 

也可以使用大小绕过

<sCrIpt>alert('aaaaa')</ScRipt>

效果如下:

 

 

 

high级别

代码如下:

 <?php

if( isset( $_POST[ 'btnSign' ] ) ) {
 // Get input
$message = trim( $_POST[ 'mtxMessage' ] );
 $name = trim( $_POST[ 'txtName' ] );

// Sanitize message input
$message = strip_tags( addslashes( $message ) );
 $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
 $message = htmlspecialchars( $message );

// Sanitize name input
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
 $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

//mysql_close();
}

?>

代码中对name的提交参数进行了过滤转换,所以不能用<script>进行注入,可以使用如下方法:

<img src=1 onerror=alert('yayaya')>

效果如下:

版权声明
本文为[千与千寻了个啥]所创,转载请带上原文链接,感谢
https://www.cnblogs.com/Hpineapple/p/12193700.html