国内精品一区二区福利视频,久久婷婷五月国产色综合,四虎影库亚洲精品无码在线观看

3.2、存儲(chǔ)型xss

### 2、存儲(chǔ)型xss ### ①、Low 漏洞代碼： ``` <?php if( isset( $_POST[ 'btnSign' ] ) ) { // Get input $message = trim( $_POST[ 'mtxMessage' ] ); $name = trim( $_POST[ 'txtName' ] ); // Sanitize message input $message = stripslashes( $message ); $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Sanitize name input $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Update database $query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); //mysql_close(); } ?> ``` 分析與利用：分析代碼執(zhí)行流程：首先把用戶輸入的數(shù)據(jù)，使用trim去除字符串首尾處的空白字符（或者其他字符）。之后stripslashes方法返回一個(gè)去除轉(zhuǎn)義反斜線后的字符串（' 轉(zhuǎn)換為 ' 等等），雙反斜線（）被轉(zhuǎn)換為單個(gè)反斜線（）。之后mysqli_real_escape_string對(duì)字符串特殊符號(hào)n r ‘ “ 等進(jìn)行轉(zhuǎn)義最終未對(duì)用戶輸入數(shù)據(jù)進(jìn)行xss檢測(cè)編碼，直接寫入到數(shù)據(jù)庫(kù)中，于是造成存儲(chǔ)型xss漏洞。構(gòu)造利用： ![](/upload/attach/201710/201710161534_1db8ghmvo9iqm33.jpg) Message文本框可以直接寫入<script>： ![](/upload/attach/201710/201710161535_tcz8tltuua3t4gz.jpg) name字段對(duì)輸入字符有長(zhǎng)度限制，這個(gè)可以通過(guò)burpsuite抓包改包繞過(guò)：（burp使用在此不再贅述，請(qǐng)自行查閱教程） ![](/upload/attach/201710/201710161535_0zcrabyvta5id43.jpg) 修改txtname字段為payload腳本： ![](/upload/attach/201710/201710161536_hcn058e5tp2ebcu.jpg) 成功執(zhí)行xss腳本： ![](/upload/attach/201710/201710161536_9ake91mqe44v3av.jpg) ### ②、medium 漏洞代碼： ``` <?php if( isset( $_POST[ 'btnSign' ] ) ) { // Get input $message = trim( $_POST[ 'mtxMessage' ] ); $name = trim( $_POST[ 'txtName' ] ); // Sanitize message input $message = strip_tags( addslashes( $message ) ); $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $message = htmlspecialchars( $message ); // Sanitize name input $name = str_replace( '<script>', '', $name ); $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Update database $query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); //mysql_close(); } ?> ``` 分析與利用：以上代碼我們重點(diǎn)關(guān)注兩行： ``` $message = htmlspecialchars( $message ); $name = str_replace( '<script>', '', $name ); ``` Message由于使用了htmlspecialchars方法對(duì)用戶輸入數(shù)據(jù)進(jìn)行編碼轉(zhuǎn)換，因此不存在xss漏洞。但是name由于僅僅用了str_replace方法把<script>替換為空，于是我們有以下三種方法來(lái)繞過(guò)：非<script>標(biāo)簽： ``` <img src=0 onerror=alert(/xss1/)> ``` 大小寫轉(zhuǎn)換： ``` <Script>alert(/xss2/)</sCript> ``` 雙重<script>標(biāo)簽： ``` <sc<script>ript>alert(/xss3/)</script> ``` 由于name字段對(duì)長(zhǎng)度有限制，使用以上改包抓包方式，依次修改參數(shù)值，結(jié)果如下： ![](/upload/attach/201710/201710161537_6zp0igmb3acwl4e.jpg) ![](/upload/attach/201710/201710161537_t418zbxpieh8nb4.jpg) ![](/upload/attach/201710/201710161537_aqy5amxpgta48qt.jpg) ### ③、high 漏洞代碼： ``` <?php if( isset( $_POST[ 'btnSign' ] ) ) { // Get input $message = trim( $_POST[ 'mtxMessage' ] ); $name = trim( $_POST[ 'txtName' ] ); // Sanitize message input $message = strip_tags( addslashes( $message ) ); $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $message = htmlspecialchars( $message ); // Sanitize name input $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name ); $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Update database $query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); //mysql_close(); } ?> ``` 分析與利用：這里我們重點(diǎn)關(guān)注兩行代碼： ``` $message = htmlspecialchars( $message ); ``` Message依舊不可繞過(guò) ``` $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name ); ``` preg_replace執(zhí)行一個(gè)正則表達(dá)式的搜索和替換，此時(shí)可以使用別的標(biāo)簽<img> <a> <iframe>等，比如剛剛使用過(guò)的<img>，構(gòu)造payload ：<img src=0 onerror=alert(/xss/)>，改包替換繞過(guò)，成功執(zhí)行xss代碼： ![](/upload/attach/201710/201710161538_f1l75kititc8xlu.jpg) ### ④、impossible 安全代碼： ``` <?php if( isset( $_POST[ 'btnSign' ] ) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Get input $message = trim( $_POST[ 'mtxMessage' ] ); $name = trim( $_POST[ 'txtName' ] ); // Sanitize message input $message = stripslashes( $message ); $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $message = htmlspecialchars( $message ); // Sanitize name input $name = stripslashes( $name ); $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $name = htmlspecialchars( $name ); // Update database $data = $db->prepare( 'INSERT INTO guestbook ( comment, name ) VALUES ( :message, :name );' ); $data->bindParam( ':message', $message, PDO::PARAM_STR ); $data->bindParam( ':name', $name, PDO::PARAM_STR ); $data->execute(); } // Generate Anti-CSRF token generateSessionToken(); ?> ``` 分析：在此name和message都使用了htmlspecialchars方法，于是此處不存在xss漏洞。