• DVWA靶场之XSS(Stored)通关


    Low

    <?php

    // DVWA XSS (Stored) - Low level form handler.
    // Every "sanitize" step below is aimed at the SQL string; nothing HTML-encodes
    // or filters the input, which is what makes this level vulnerable.
    if( isset( $_POST[ 'btnSign' ] ) ) {

        // Get input: raw POST fields with only leading/trailing whitespace removed.
        // No server-side length check on either field - any maxlength on the form
        // is enforced by the browser alone.

        $message = trim( $_POST[ 'mtxMessage' ] );

        $name    = trim( $_POST[ 'txtName' ] );

        // Sanitize message input (for SQL only, not for HTML)
        // stripslashes() just removes backslashes (legacy magic_quotes cleanup).

        $message = stripslashes( $message );

        // mysqli_real_escape_string() backslash-escapes quotes/backslashes so the
        // value can be spliced into the SQL text below. MySQL consumes that escaping
        // when it parses the literal, so the row stores the original bytes, '<script>'
        // tags included. The trigger_error(E_USER_ERROR) branch normally aborts the
        // script, so its "" results are never used; the ternary is an artefact of the
        // mysql->mysqli conversion tool, not a real fallback.

        $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

        // Sanitize name input - same SQL-only escaping, no stripslashes() here.

        $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

        // Update database with a string-built INSERT; injection-safe only because of
        // the escaping above. The stored value is later echoed by the guestbook
        // listing (not in this file) without encoding, per the walkthrough - that
        // listing is the stored-XSS sink.

        $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";

        // On failure the raw database error text is sent to the client inside <pre>.

        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        //mysql_close();

    }

    ?>

    trim 只移除字符串两侧的空白字符,对内容本身没有任何过滤作用

    mysqli_real_escape_string 对引号、反斜杠等 SQL 特殊字符加反斜杠转义,目的是防 SQL 注入;这些转义会在 MySQL 解析字符串时被还原,入库的仍是原始内容,对 HTML 标签没有任何处理

    stripslashes 删除字符串中的反斜杠(原本用于抵消 magic_quotes 的自动转义)

    这三步都是围绕 SQL 做的处理,没有任何一步对 HTML 做编码或过滤,所以 payload 会原样存进数据库,页面展示留言时又原样输出。直接在 message 中输入 <script>alert(/xss/)</script> 即可弹框

    Name 输入框的长度限制只是前端表单的 maxlength 属性,服务端没有任何长度校验;用代理(如 Burp)抓包,在请求里直接改 txtName 的值即可绕过

    payload 已经写入数据库,之后任何人打开这个页面都会弹框,这就是存储型 XSS(与反射型不同,不需要受害者点击特制链接)

    Medium
    <?php

    // DVWA XSS (Stored) - Medium level form handler.
    // The message field is tag-stripped and HTML-encoded; the name field only has
    // the literal string '<script>' removed, which is the weak point of this level.
    if( isset( $_POST[ 'btnSign' ] ) ) {

        // Get input: raw POST fields, surrounding whitespace trimmed.

        $message = trim( $_POST[ 'mtxMessage' ] );

        $name    = trim( $_POST[ 'txtName' ] );

        // Sanitize message input
        // addslashes() escapes quotes/backslashes, then strip_tags() removes every
        // HTML/XML/PHP tag (no allowed-tags argument is passed, so nothing is kept).

        $message = strip_tags( addslashes( $message ) );

        // Second escaping pass for SQL on top of addslashes(): MySQL only undoes one
        // level, so stored messages keep a literal backslash before each quote.
        // The trigger_error branch normally aborts the script; its "" is never used.

        $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

        // HTML-encode what is left (<, >, &, " - single quotes only from PHP 8.1 on
        // by default). Together with strip_tags() this leaves the message field
        // without a usable HTML injection point.

        $message = htmlspecialchars( $message );

        // Sanitize name input
        // str_replace() is case-sensitive, matches only this exact string and makes a
        // single pass: '<Script>' survives, and '<sc<script>ript>' becomes '<script>'
        // after the inner occurrence is removed. Tags other than <script> (and any
        // on* event attributes) are not touched at all.

        $name = str_replace( '<script>', '', $name );

        // SQL escaping only - no HTML encoding for the name field.

        $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

        // Update database with a string-built INSERT (safe from injection only
        // because of the escaping above); the name is stored as submitted, minus the
        // literal '<script>', and is later rendered unencoded per the walkthrough.

        $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";

        // On failure the raw database error text is sent to the client inside <pre>.

        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        //mysql_close();

    }

    ?>

    strip_tags 去除字符串中的 HTML/XML/PHP 标签;它的第二个参数可以指定要保留的标签,但这里没有传,所以所有标签都会被去掉

    addslashes 在单引号、双引号、反斜杠和 NUL 前加反斜杠转义(这里先 addslashes 再 mysqli_real_escape_string,属于重复转义,入库的 message 会多出一层反斜杠)

    htmlspecialchars 把 <、>、&、" 转为 HTML 实体(默认不转单引号,PHP 8.1 起默认也转);message 先 strip_tags 再 htmlspecialchars 之后,已经很难再构造出可执行的 HTML

    name 则只做了一次 str_replace('<script>', ''):区分大小写、只匹配这一个固定字符串、只替换一遍,其他标签和事件属性一概不管,也没有 htmlspecialchars

    message 这条路基本被堵死,所以从 name 下手

    抓包修改 txtName,用下面两种 payload 绕过:第一种利用 str_replace 只替换一遍——删掉中间的 <script> 后,剩下的字符正好重新拼成 <script>;第二种利用它区分大小写

    <sc<script>ript>alert(/xss/)</script>

    <Script>alert(/xss/)</script>

    High

    <?php

    // DVWA XSS (Stored) - High level form handler.
    // Identical to Medium for the message field; the name field now goes through a
    // case-insensitive regex that removes script-tag variants, but still no HTML
    // encoding, so any other tag or event-handler attribute passes through.
    if( isset( $_POST[ 'btnSign' ] ) ) {

        // Get input: raw POST fields, surrounding whitespace trimmed.

        $message = trim( $_POST[ 'mtxMessage' ] );

        $name    = trim( $_POST[ 'txtName' ] );

        // Sanitize message input
        // addslashes() escapes quotes/backslashes, then strip_tags() removes every
        // HTML/XML/PHP tag (no allowed-tags argument, so nothing is kept).

        $message = strip_tags( addslashes( $message ) );

        // Second escaping pass for SQL on top of addslashes() (stored messages keep
        // a literal backslash before each quote). The trigger_error branch normally
        // aborts the script; its "" results are never used.

        $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

        // HTML-encode what is left; the message field has no usable injection point.

        $message = htmlspecialchars( $message );

        // Sanitize name input
        // The pattern is case-insensitive (/i) and allows any run of characters
        // between '<' and each letter of "script", so '<Script>', '<sc<script>ript>'
        // and similar variants are all removed - the greedy (.*) groups also swallow
        // everything between the first '<' and the last "script" on the line. It is a
        // blocklist for one tag only: '<img ... onerror=...>' and every other tag or
        // event attribute are left intact, and the field is never HTML-encoded.

        $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );

        // SQL escaping only.

        $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

        // Update database with a string-built INSERT (injection-safe only because of
        // the escaping above); the name is later rendered unencoded per the walkthrough.

        $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";

        // On failure the raw database error text is sent to the client inside <pre>.

        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        //mysql_close();

    }

    ?>

    name 改用 preg_replace:正则带 /i 不区分大小写,每个字母之间又允许任意字符,所以 <script> 的各种大小写变形、插入式变形都会被删掉,Medium 那两种绕过都失效

    但这只是针对 script 一个标签的黑名单,name 依然没有做 htmlspecialchars,换用其他标签配合事件属性即可,例如:

    <img src=1 onerror=alert(1)>

    Impossible

    <?php

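    // DVWA XSS (Stored) - Impossible level form handler, hardened:
    //   * Anti-CSRF token is checked before anything is written,
    //   * both fields are encoded for the HTML context,
    //   * the INSERT is a prepared statement with bound parameters.
    // Review changes versus the shipped listing:
    //   - the mysqli_real_escape_string() pass is gone: with bound parameters it did
    //     no SQL work and only stored spurious backslashes (O'Brien -> O\'Brien);
    //   - stripslashes() is gone: it only undid PHP's long-removed magic_quotes and
    //     mangles legitimate backslashes in user text;
    //   - htmlspecialchars() now has explicit flags so single quotes are encoded on
    //     every PHP version and invalid UTF-8 cannot make it return an empty string.
    if( isset( $_POST[ 'btnSign' ] ) ) {

        // Check Anti-CSRF token. checkToken() is defined elsewhere in DVWA; as used
        // here it is expected to compare the submitted token with the session token and
        // redirect to index.php on mismatch (behaviour not visible in this file). Note
        // the token is read from $_REQUEST, so it is accepted from the query string as
        // well as the form body.
        checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

        // Get input: raw POST fields, surrounding whitespace trimmed.
        $message = trim( $_POST[ 'mtxMessage' ] );
        $name    = trim( $_POST[ 'txtName' ] );

        // Encode both fields for an HTML element/attribute context.
        //   ENT_QUOTES     - encode ' as well as " (pre-8.1 default ENT_COMPAT left ' alone).
        //   ENT_SUBSTITUTE - replace invalid UTF-8 with U+FFFD instead of returning "",
        //                    which would silently discard the whole field.
        // This is input-time encoding for one output context. If the stored value is
        // ever emitted inside JavaScript, a URL or an attribute built by string
        // concatenation, it needs that context's encoding at output time instead.
        $message = htmlspecialchars( $message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
        $name    = htmlspecialchars( $name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );

        // Update database through a prepared statement: the values travel as bound
        // parameters and are never spliced into the SQL text, so no escaping is needed.
        $data = $db->prepare( 'INSERT INTO guestbook ( comment, name ) VALUES ( :message, :name );' );
        $data->bindParam( ':message', $message, PDO::PARAM_STR );
        $data->bindParam( ':name', $name, PDO::PARAM_STR );
        // execute() returns false on failure unless $db is configured with
        // ERRMODE_EXCEPTION (set up elsewhere - not visible here). The result is not
        // checked, which also means no raw database error text reaches the client,
        // unlike the die( mysqli_error() ) in the lower levels.
        $data->execute();

    }

    // Generate Anti-CSRF token for the next render of the form (defined elsewhere in DVWA).
    generateSessionToken();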

    ?>

    这回厉害了,升到impossible级别,之前打进数据库的语句,打开页面都不弹框了

    message 和 name 入库前都过一遍 htmlspecialchars,SQL 改为 PDO 预处理语句绑定参数,提交前还要校验 Anti-CSRF token,三处改动分别堵住 XSS、SQL 注入和 CSRF

    但要注意 htmlspecialchars 只对 HTML 标签/属性这一种输出上下文有效:同一份数据如果后来被拼进 JavaScript、URL 或 on* 事件属性里,仍然可能被绕过;编码方式应当按最终输出的上下文来选,并且尽量在输出时做而不是在入库时做,否则同一份数据换一个输出位置就失去保护

  • 原文地址:https://www.cnblogs.com/lcxblogs/p/13325467.html