Prerequisites:
0. In Firefox, right-click an input box and choose Inspect to see the HTML source of that element (useful for spotting client-side constraints such as maxlength).
1. The stripslashes function
2.
3.
4.
Low:
Writeup:
A look at the source shows only trivial handling: trim() removes surrounding whitespace, stripslashes() removes backslashes, and mysql_real_escape_string() escapes SQL metacharacters (', ", \, NUL, newlines) so the INSERT is safe. Nothing is HTML-encoded, so anything written into the guestbook is later echoed into the page as raw markup.
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = stripslashes( $message );
$message = mysql_real_escape_string( $message );
// Sanitize name input
$name = mysql_real_escape_string( $name );
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
//mysql_close();
}
?>
Here I simply try name=g, message=<script>alert(document.cookie);</script>. This is stored XSS in its purest form: the payload is saved in the guestbook table, and every time the page is reloaded, for every visitor and not just the one who submitted it, every stored alert runs again.
Medium:
Prerequisites:
1.
2.
3.
Writeup:
The source shows that Medium filters message much more heavily (strip_tags plus htmlspecialchars), so the payload goes into name instead.
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = mysql_real_escape_string( $message );
$message = htmlspecialchars( $message );
// Sanitize name input
$name = str_replace( '<script>', '', $name );
$name = mysql_real_escape_string( $name );
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
//mysql_close();
}
?>
Medium replaces <script> in name with an empty string, so try a case change; double-writing (<scr<script>ipt>) also works, because str_replace is case-sensitive and makes a single pass. Submitting <Script>alert("happy new year!");</script> appears to hit a length limit, and the page source confirms it: the txtName input carries maxlength="10". That limit is enforced only by the browser, so delete the attribute in the inspector (or submit the POST directly with a proxy) and the payload goes through.
High:
Writeup:
The source is much like Medium, but <script> is now stripped thoroughly: the regex /<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i is case-insensitive and removes everything from a < up to the letters s, c, r, i, p, t appearing in that order, whatever sits between them, so case changes and double-writing no longer help.
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = mysql_real_escape_string( $message );
$message = htmlspecialchars( $message );
// Sanitize name input
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
$name = mysql_real_escape_string( $name );
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
//mysql_close();
}
?>
So try a different tag whose event handler fires on its own: name=<img src=1 onerror=alert("ahhhhhhhhhhh");>. This succeeds: the only s...c...r sequence in the payload is in src and no i follows it, so the pattern never matches and the string is stored untouched; the image fails to load and the onerror handler runs. (The same maxlength="10" on txtName applies at this level too, so remove it as before or submit the POST directly.)
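To make the three filters comparable side by side, here is an added Python example (not code from the original writeup or from DVWA) that reproduces the name handling of the Low, Medium and High sources above and checks which payloads still reach the page in an executable form. mysql_real_escape_string is left out on purpose: it only protects the INSERT, and MySQL strips the backslashes again, so what is stored and later echoed is exactly the string these functions return. The would_execute detector, the render_name fix and the double-write payload are my own constructions; the other three payloads are the ones used in the writeup.

```python
import html
import re

# Constructed sample payloads. The first, second and fourth are the ones used in the
# writeup above; the third (double-write) is added to show the single-pass str_replace.
PAYLOADS = [
    '<script>alert(document.cookie);</script>',      # Low
    '<Script>alert("happy new year!");</script>',    # Medium: case change
    '<scr<script>ipt>alert(1);</script>',            # Medium: double-write (constructed)
    '<img src=1 onerror=alert("ahhhhhhhhhhh");>',    # High: no <script> at all
]

# Same regex as the High-level source, with /i mapped to re.IGNORECASE.
HIGH_PATTERN = re.compile(r'<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t', re.IGNORECASE)


def sanitize_name(level: str, name: str) -> str:
    """Reproduce what DVWA does to txtName before the INSERT at each level.

    The value returned here is what ends up in the guestbook table and is later
    written straight into the page, since none of the levels encodes on output.
    """
    name = name.strip()                          # PHP trim()
    if level == 'low':
        return name                              # nothing else touches name
    if level == 'medium':
        return name.replace('<script>', '')      # str_replace: case-sensitive, one pass
    if level == 'high':
        return HIGH_PATTERN.sub('', name)        # preg_replace(...)
    raise ValueError(f'unknown level: {level}')


def would_execute(stored: str) -> bool:
    """Crude check for markup a browser would run when the stored value is echoed
    unencoded: a <script> tag, or an inline on*= handler inside a real tag.
    A real test is the browser itself; this is enough to compare the filters."""
    pattern = r'<\s*script\b|<\w+[^>]*\bon\w+\s*='
    return re.search(pattern, stored, re.IGNORECASE) is not None


def render_name(stored: str) -> str:
    """The fix none of the three levels applies to name: encode for the HTML
    context at output time (the Python equivalent of htmlspecialchars with
    ENT_QUOTES). The stored value may keep its angle brackets; the page must not."""
    return html.escape(stored, quote=True)


def matrix() -> dict:
    """For each level, whether each payload survives the filter executable."""
    return {
        level: [would_execute(sanitize_name(level, p)) for p in PAYLOADS]
        for level in ('low', 'medium', 'high')
    }


if __name__ == '__main__':
    for level, results in matrix().items():
        print(level, results)
    # Even the High payload is inert once the output is encoded.
    print(render_name(PAYLOADS[3]), would_execute(render_name(PAYLOADS[3])))
```

Running the block prints a row per level; Low lets all four payloads through, Medium stops only the exact lowercase `<script>`, and High stops every payload containing s, c, r, i, p, t in order but not the `<img onerror>` one, which is why switching to an event handler works there. The last line shows the same payload after output encoding, where the detector no longer fires because there is no literal `<` left to open a tag.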