HTML注入-存储型
这是一个存储型的漏洞,有一个留言功能,可以尝试xss弹窗
在level low下
输入<script>alert(/bee/)</script>后点击提交,就会执行该语句并显示弹窗
也可以读取用户cookie,<script>alert(document.cookie)</script>
根据源码找到了数据存储的地方
(已经被我删了)
在查看源码后,三个级别都使用了sqli_check_3函数进行语句转义
下列字符受影响:
\x00
\n
\r
\
‘
"
\x1a
如果成功,则该函数返回被转义的字符串。如果失败,则返回 false。
当设置等级为medium时,调用xss_check_4进行防xss保护
1 function xss_check_4($data) 2 { 3 // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc. 4 // These characters are single quote (‘), double quote ("), backslash (\) and NUL (the NULL byte). 5 // Do NOT use this for XSS or HTML validations!!! 6 return addslashes($data); 7 }
(不论是medium级别还是high级别均无法进行注入)
当设置等级为high时,调用xss_check_3进行防xss保护
1 function xss_check_3($data, $encoding = "UTF-8") 2 { 3 // htmlspecialchars - converts special characters to HTML entities 4 // ‘&‘ (ampersand) becomes ‘&‘ 5 // ‘"‘ (double quote) becomes ‘"‘ when ENT_NOQUOTES is not set 6 // "‘" (single quote) becomes ‘'‘ (or ') only when ENT_QUOTES is set 7 // ‘<‘ (less than) becomes ‘<‘ 8 // ‘>‘ (greater than) becomes ‘>‘ 9 return htmlspecialchars($data, ENT_QUOTES, $encoding); 10 }