bWAPP A1 HTML Injection - Reflected (GET/POST)

QMDD

已于 2023-02-10 17:09:49 修改

阅读量131

点赞数

分类专栏： bWAPP 文章标签： html javascript 前端

于 2023-02-10 15:40:38 首次发布

本文链接：https://blog.csdn.net/m0_73606240/article/details/128960579

版权

bWAPP 专栏收录该内容

2 篇文章 0 订阅

订阅专栏

前置知识：

1.html注入介绍：(27条消息) Web渗透（三）bWAPP之HTML注入篇_三体-二向箔的博客-CSDN博客

LOW:

查看源码，发现low等级没有对数据进行处理

<?php

/*

bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.
It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.
bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project!
It is for security-testing and educational purposes only.

Enjoy!

Malik Mesellem
Twitter: @MME_IT

bWAPP is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (http://creativecommons.org/licenses/by-nc-nd/4.0/). Copyright © 2014 MME BVBA. All rights reserved.

*/

include("security.php");
include("security_level_check.php");
include("functions_external.php");
include("selections.php");

function htmli($data)
{
         
    switch($_COOKIE["security_level"])
    {
        
        case "0" : 
            
            $data = no_check($data);            
            break;
        
        case "1" :
            
            $data = xss_check_1($data);
            break;
        
        case "2" :            
                       
            $data = xss_check_3($data);            
            break;
        
        default : 
            
            $data = no_check($data);            
            break;   

    }       

    return $data;

}

?>

function no_check($data)
{    
   
    return $data;
        
}

    <?php

    if(isset($_GET["firstname"]) && isset($_GET["lastname"]))
    {   

        $firstname = $_GET["firstname"];
        $lastname = $_GET["lastname"];    

        if($firstname == "" or $lastname == "")
        {

            echo "<font color=\"red\">Please enter both fields...</font>";       

        }

        else            
        { 

            echo "Welcome " . htmli($firstname) . " " . htmli($lastname);   

        }

    }

    ?>

firstname尝试<script>alert("ahhh");</script>,注入成功

Medium：

前置知识：

1.url编码可绕过str_replace对特殊字符的过滤

writeup：

查看源码

function xss_check_1($data)
{
    
    // Converts only "<" and ">" to HTLM entities    
    $input = str_replace("<", "&lt;", $data);
    $input = str_replace(">", "&gt;", $input);
    
    // Failure is an option
    // Bypasses double encoding attacks   
    // <script>alert(0)</script>
    // %3Cscript%3Ealert%280%29%3C%2Fscript%3E
    // %253Cscript%253Ealert%25280%2529%253C%252Fscript%253E
    $input = urldecode($input);
    
    return $input;
    
}

由于源码会对输入的内容进行url解码，尝试将<script>alert("ahhh");</script>编码，成功

下面讲讲POST，POST不能直接把url编码的内容改包，在上传数据时，客户端自己会进行一次url编码，然后服务端进行一次解码，再加上源码又进行了一次url解码，如果代码只进行一次编码那么就无法绕过，需要进行两次编码

High：

前置知识：

1.htmlspecialchars函数

查看源码，htmlspecialchars对下列符号都进行了过滤，避免了注入

function xss_check_3($data, $encoding = "UTF-8")
{

    // htmlspecialchars - converts special characters to HTML entities    
    // '&' (ampersand) becomes '&amp;' 
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'  
    
    return htmlspecialchars($data, ENT_QUOTES, $encoding);
       
}