HTML Injection - Reflected (GET)
Open the page.
HTML tag injection.
This is the core code:
```php
<div id="main">

<h1>HTML Injection - Reflected (GET)</h1>

<p>Enter your first and last name:</p>

<form action="<?php echo($_SERVER["SCRIPT_NAME"]);?>" method="GET">

    <p><label for="firstname">First name:</label><br />
    <input type="text" id="firstname" name="firstname"></p> <!-- first name field -->

    <p><label for="lastname">Last name:</label><br /> <!-- last name field -->
    <input type="text" id="lastname" name="lastname"></p>

    <button type="submit" name="form" value="submit">Go</button> <!-- submit button -->

</form>

<br />
<?php

if(isset($_GET["firstname"]) && isset($_GET["lastname"])) // read firstname and lastname passed by the form via GET; isset checks that both exist
{

    $firstname = $_GET["firstname"]; // take the parameters
    $lastname = $_GET["lastname"];

    if($firstname == "" or $lastname == "") // if either one is empty, show the message below
    {

        echo "<font color=\"red\">Please enter both fields...</font>";

    }

    else
    {

        echo "Welcome " . htmli($firstname) . " " . htmli($lastname);

    }

}

?>

</div>
```
The filtering part:

```php
function htmli($data)
{

    switch($_COOKIE["security_level"])
    {

        case "0" :

            $data = no_check($data);
            break;

        case "1" :

            $data = xss_check_1($data);
            break;

        case "2" :

            $data = xss_check_3($data);
            break;

        default :

            $data = no_check($data);
            break;

    }

    return $data;

}
```

The security level comes from the `security_level` cookie, which is set from this form:

```html
<label>Set your security level:</label><br />

<select name="security_level">

    <option value="0">low</option>
    <option value="1">medium</option>
    <option value="2">high</option>

</select>
```
1. Low level

```php
function no_check($data)
{
    return $data;
}
```

No filtering at all.
2. Medium level

```php
function xss_check_1($data)
{

    // Converts only "<" and ">" to HTML entities
    $input = str_replace("<", "&lt;", $data);
    $input = str_replace(">", "&gt;", $input);

    // Failure is an option
    // Bypasses double encoding attacks
    // <script>alert(0)</script>
    // %3Cscript%3Ealert%280%29%3C%2Fscript%3E
    // %253Cscript%253Ealert%25280%2529%253C%252Fscript%253E
    $input = urldecode($input);

    return $input;

}
```

str_replace() replaces `<` and `>` with their HTML entities.
urldecode() decodes a URL-encoded string, turning each `%XX` hexadecimal sequence back into the character it encodes.
Because the replacement runs before the decode, a value that is still URL-encoded when it reaches the function (double-encoded in the request, since the server already decoded it once) passes the replacement untouched and is then decoded back into raw `<` and `>`. In other words, URL-encoding the input bypasses this filter.


3. High level

```php
function xss_check_3($data, $encoding = "UTF-8")
{

    // htmlspecialchars - converts special characters to HTML entities
    // '&' (ampersand) becomes '&amp;'
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or '&apos;') only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'

    return htmlspecialchars($data, ENT_QUOTES, $encoding);

}
```
The htmlspecialchars() function converts predefined characters into HTML entities.
The predefined characters are:
- `&` (ampersand) becomes `&amp;`
- `"` (double quote) becomes `&quot;`
- `'` (single quote) becomes `&#039;`
- `<` (less than) becomes `&lt;`
- `>` (greater than) becomes `&gt;`
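To make the medium-level ordering bug and the high-level fix concrete, here is an added Python port of both filters (not bWAPP's own code): `xss_check_1` is assumed to behave like the PHP above, `hardened_check` stands in for `xss_check_3`, and the two sample inputs are constructed.

```python
from html import escape
from urllib.parse import unquote_plus

# Constructed sample inputs, as they would appear in $_GET["firstname"]
# after the web server has already URL-decoded the request once.
PLAIN = "<b>Bob</b>"                     # request carried %3Cb%3E... (encoded once)
ONCE_ENCODED = "%3Cb%3EBob%3C%2Fb%3E"    # request carried %253Cb%253E... (encoded twice)


def xss_check_1(data: str) -> str:
    """Python mirror of the medium-level filter (assumed to match the PHP):
    escape '<' and '>' first, then URL-decode the result."""
    out = data.replace("<", "&lt;").replace(">", "&gt;")
    # Decoding after escaping re-creates any '<' / '>' that arrived as %3C / %3E.
    return unquote_plus(out)


def hardened_check(data: str) -> str:
    """Defensive counterpart of the high-level filter: $_GET is already decoded,
    so it is not decoded again, and escaping is the last step before output.
    html.escape(quote=True) covers the same five characters as
    htmlspecialchars(..., ENT_QUOTES); the single quote becomes &#x27; here."""
    return escape(data, quote=True)


def contains_raw_markup(rendered: str) -> bool:
    """True if the string sent to the browser still holds an unescaped tag delimiter."""
    return "<" in rendered or ">" in rendered


def welcome(first: str, last: str, check) -> str:
    """Mirror of the page's echo "Welcome " . htmli($firstname) . " " . htmli($lastname)."""
    return "Welcome " + check(first) + " " + check(last)


if __name__ == "__main__":
    for label, value in (("plain", PLAIN), ("still-encoded", ONCE_ENCODED)):
        for name, fn in (("medium", xss_check_1), ("hardened", hardened_check)):
            out = welcome(value, "Smith", fn)
            print(f"{label:14} {name:9} raw markup: {contains_raw_markup(out)!s:5}  {out}")
```

The medium filter neutralises the plain input but hands the still-encoded one back to the browser as a live `<b>` tag; the hardened order never does.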