DWVA-關於存儲型xss的漏洞詳解

時間 2020-01-15

原文原文鏈接

low級別php

代碼以下：html

 1  <?php
 2 
 3 if( isset( $_POST[ 'btnSign' ] ) ) {
 4     // Get input
 5     $message = trim( $_POST[ 'mtxMessage' ] );
 6     $name    = trim( $_POST[ 'txtName' ] );
 7 
 8     // Sanitize message input
 9     $message = stripslashes( $message );
10     $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
11 
12     // Sanitize name input
13     $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
14 
15     // Update database
16     $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
17     $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
18 
19     //mysql_close();
20 }
21 
22 ?>

代碼中各個函數功能以下：mysql

trim(string,charlist)sql

函數移除字符串兩側的空白字符或其餘預約義字符，預約義字符包括、\t、\n、\x0B、\r以及空格，可選參數charlist支持添加額外須要刪除的字符。xss

mysql_real_escape_string(string,connection)函數

函數會對字符串中的特殊符號（\x00，\n，\r，\，‘，「，\x1a）進行轉義。ui

stripslashes(string)編碼

函數刪除字符串中的反斜槓。spa

對於輸入的參數message，並無作相關過濾，因此能夠進行注入。code

message欄填入：

效果以下：

還有一種方法，在name欄填入構造的惡意代碼，因爲name欄有字符大小限制，因此能夠用burpsuit抓包後改成<script>alert('hahaha')</script>

便可注入成功。

medium級別

代碼以下：

 1 <?php
 2 
 3 if( isset( $_POST[ 'btnSign' ] ) ) {
 4     // Get input
 5     $message = trim( $_POST[ 'mtxMessage' ] );
 6     $name    = trim( $_POST[ 'txtName' ] );
 7 
 8     // Sanitize message input
 9     $message = strip_tags( addslashes( $message ) );
10     $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
11     $message = htmlspecialchars( $message );
12 
13     // Sanitize name input
14     $name = str_replace( '<script>', '', $name );
15     $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
16 
17     // Update database
18     $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
19     $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
20 
21     //mysql_close();
22 }
23 
24 ?>

從代碼能夠看出，對於message的輸入參數使用htmlspecialchars函數進行了從新編碼，沒法使用以前的xss注入了

可是對於name參數的輸入，僅僅是將<script>便籤轉換爲空，所以能夠用組合進行繞過

先輸入任意參數提交，burpsuit抓包，更改成：

<scr<script>ipt>alert('lalala')</script>

效果以下：

也能夠使用大小繞過

<sCrIpt>alert('aaaaa')</ScRipt>

效果以下：

high級別

代碼以下：

 1  <?php
 2 
 3 if( isset( $_POST[ 'btnSign' ] ) ) {
 4     // Get input
 5     $message = trim( $_POST[ 'mtxMessage' ] );
 6     $name    = trim( $_POST[ 'txtName' ] );
 7 
 8     // Sanitize message input
 9     $message = strip_tags( addslashes( $message ) );
10     $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
11     $message = htmlspecialchars( $message );
12 
13     // Sanitize name input
14     $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
15     $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
16 
17     // Update database
18     $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
19     $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
20 
21     //mysql_close();
22 }
23 
24 ?>