DVWA靶场之XSS(Stored)通关

DVWA靶场之XSS(Stored)通关,第1张

DVWA靶场之XSS(Stored)通关

Low:

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {

// Get input

$message = trim( $_POST[ 'mtxMessage' ] );

$name    = trim( $_POST[ 'txtName' ] );

// Sanitize message input

$message = stripslashes( $message );

$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Sanitize name input

$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Update database

$query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";

$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

//mysql_close();

}

?>

trim用于移除字符串两侧空白字符和其他预定义字符

mysql_real_escape_string对字符串中特殊符号转义

stripslashes删除字符串中的反斜杠

但是对过滤XSS没用,还存到数据库里了。


直接在message中输入<script>alert(/xss/)</script>就会d框

Name对输入有长度限制,抓包改包传

一返回这个界面就d框,是为存储型XSS

Medium:

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {

// Get input

$message = trim( $_POST[ 'mtxMessage' ] );

$name    = trim( $_POST[ 'txtName'
] );

// Sanitize message input

$message = strip_tags( addslashes( $message ) );

$message = ((isset($GLOBALS["___mysqli_ston"]) &&
is_object($GLOBALS["___mysqli_ston"])) ?
mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) :
((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call!
This code does not work.", E_USER_ERROR)) ? "" : ""));

$message = htmlspecialchars( $message );

// Sanitize name input

$name = str_replace( '<script>', '', $name );

$name = ((isset($GLOBALS["___mysqli_ston"]) &&
is_object($GLOBALS["___mysqli_ston"])) ?
mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) :
((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call!
This code does not work.", E_USER_ERROR)) ? "" : ""));

// Update database

$query  = "INSERT INTO
guestbook ( comment, name ) VALUES ( '$message', '$name' );";

$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"]))
? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res =
mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

//mysql_close();

}

?>

strip_tags清理了HTML\XML\PHP 的标签,但保留<b>标签的使用权限

addslashes在预定义字符前加反斜杠转义

htmlspecialchars把预定义字符转为HTML实体

还把name 的<script>过滤了

message惨遭毒手,可以从name下手

抓包改包加绕过

<sc<script>ript>alert(/xss/)</script>

<Script>alert(/xss/)</script>

High:

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {

// Get input

$message = trim( $_POST[ 'mtxMessage' ] );

$name    = trim( $_POST[ 'txtName'
] );

// Sanitize message input

$message = strip_tags( addslashes( $message ) );

$message = ((isset($GLOBALS["___mysqli_ston"]) &&
is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) :
((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call!
This code does not work.", E_USER_ERROR)) ? "" : ""));

$message = htmlspecialchars( $message );

// Sanitize name input

$name = preg_replace(
'/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );

$name = ((isset($GLOBALS["___mysqli_ston"]) &&
is_object($GLOBALS["___mysqli_ston"])) ?
mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo]
Fix the mysql_escape_string() call! This code does not work.",
E_USER_ERROR)) ? "" : ""));

// Update database

$query  = "INSERT INTO
guestbook ( comment, name ) VALUES ( '$message', '$name' );";

$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' .
((is_object($GLOBALS["___mysqli_ston"])) ?
mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res =
mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

//mysql_close();

}

?>

把name的<script>彻底过滤了

可以换别的标签

<img src=1 onerror=alert(1)>

Impossible:

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {

// Check Anti-CSRF token

checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ],
'index.php' );

// Get input

$message = trim( $_POST[ 'mtxMessage' ] );

$name    = trim( $_POST[ 'txtName'
] );

// Sanitize message input

$message = stripslashes( $message );

$message = ((isset($GLOBALS["___mysqli_ston"]) &&
is_object($GLOBALS["___mysqli_ston"])) ?
mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) :
((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call!
This code does not work.", E_USER_ERROR)) ? "" : ""));

$message = htmlspecialchars( $message );

// Sanitize name input

$name = stripslashes( $name );

$name = ((isset($GLOBALS["___mysqli_ston"]) &&
is_object($GLOBALS["___mysqli_ston"])) ?
mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) :
((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call!
This code does not work.", E_USER_ERROR)) ? "" : ""));

$name = htmlspecialchars( $name );

// Update database

$data = $db->prepare( 'INSERT INTO guestbook ( comment, name ) VALUES
( :message, :name );' );

$data->bindParam( ':message', $message, PDO::PARAM_STR );

$data->bindParam( ':name', $name, PDO::PARAM_STR );

$data->execute();

}

// Generate Anti-CSRF token

generateSessionToken();

?>

这回厉害了,升到impossible级别,之前打进数据库的语句,打开页面都不d框了

就全员htmlspecialchars呗

但要注意htmlspecialchars使用位置,不要被绕过了

欢迎分享,转载请注明来源:内存溢出

原文地址: http://outofmemory.cn/zaji/588578.html

(0)
打赏 微信扫一扫 微信扫一扫 支付宝扫一扫 支付宝扫一扫
上一篇 2022-04-12
下一篇 2022-04-12

发表评论

登录后才能评论

评论列表(0条)

保存