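Welcome to Hacking水友攻防实验室, where we study together: penetration testing, code auditing, AV evasion and reverse engineering, hands-on write-ups, and practice ranges and target machines. Follows are appreciated.
HTML injection is similar to XSS injection but is not the same, because its threat level is greater than the latter's: it can embed any executable code in an HTML page. In fact, it is the forefather of all injection-type code vulnerabilities.
Contents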
HTML Injection - Reflected (GET)
HTML Injection - Reflected (POST)
HTML Injection - Reflected (URL)
HTML Injection - Stored (Blog)
HTML Injection - Reflected (GET)
low
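The parameters are passed via GET. Because the code does not filter input strictly, we can inject our malicious code into the first name and last name input fields.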
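The weakness described above next to its fix, as an added example that is not from the original post or from bWAPP. It assumes the page echoes the two GET values into the response; the function names and the sample request are constructed for illustration.

```php
<?php
// Added example; function names are hypothetical, not taken from bWAPP.

// Assumed low-level behaviour: GET values are concatenated into the page unchanged.
function render_greeting_unsafe(string $first, string $last): string
{
    return "<p>Welcome " . $first . " " . $last . "</p>";
}

// Hardened: encode at the point of output for the HTML context.
// ENT_QUOTES also encodes ' and ", so the value stays inert inside a quoted attribute.
function render_greeting_safe(string $first, string $last): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Welcome " . $enc($first) . " " . $enc($last) . "</p>";
}

// Parse the response the way a browser would and list the elements it builds.
function element_names(string $html): array
{
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $names[] = $el->nodeName;
    }
    return $names;
}

// Constructed request, equivalent to what the form sends via GET.
$query = 'firstname=' . urlencode('<h1>Injected heading</h1>')
       . '&lastname=' . urlencode('<a href="https://example.invalid/">link</a>')
       . '&form=submit';
parse_str($query, $get);

$renderers = ['unsafe' => 'render_greeting_unsafe', 'safe' => 'render_greeting_safe'];
foreach ($renderers as $label => $fn) {
    $html = $fn($get['firstname'], $get['lastname']);
    // Anything other than the page's own <p> was created by the user input.
    $extra = array_values(array_diff(element_names($html), ['html', 'body', 'p']));
    printf("%-6s %s\n       elements added by input: %s\n",
        $label, $html, $extra ? implode(', ', $extra) : 'none');
}
```

The page's own source for this level follows.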
<div id="main">
<h1>HTML Injection - Reflected (GET)</h1>
<p>Enter your first and last name:</p>
<form action="<?php echo($_SERVER["SCRIPT_NAME"]);?>" method="GET">
<p><label for="firstname">First name:</label><br />
<input type="text" id="firstname" name="firstname"></p>
<p><label for="lastname">Last name:</label><br />
<input type="text" id="lastname" name="lastname"></p>
<button type="submit" name="form" value="submit">Go</button>
</form>
<br />
<?php
if(isset($_GET["firstname"]) && isset($_GET["lastname"]))
{
$firstname = $_GET["firstname"];
$lastname = $_GET["lastname"];
if($firstname == "" or $lastname == "")
{
echo "<font color=\"red\">Please enter both fields...</font>";