HTML Injection - Reflected (URL)
核心代碼
1 <div id="main"> 2 3 <h1>HTML Injection - Reflected (URL)</h1> 4 5 <?php echo "<p align=\"left\">Your current URL: <i>" . $url . "</i></p>";?> 6 7 </div>
防護代碼
$url= ""; switch($_COOKIE["security_level"]) { case "0" : // $url = "http://" . $_SERVER["HTTP_HOST"] . urldecode($_SERVER["REQUEST_URI"]); $url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]; //$url= ''接受的參數來自請求頭HOST和URL break; case "1" : $url = "<script>document.write(document.URL)</script>"; break; case "2" : $url = "http://" . $_SERVER["HTTP_HOST"] . xss_check_3($_SERVER["REQUEST_URI"]); break; default : // $url = "http://" . $_SERVER["HTTP_HOST"] . urldecode($_SERVER["REQUEST_URI"]); $url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]; break; } <select name="security_level"> <option value="0">low</option> <option value="1">medium</option> <option value="2">high</option> </select>
1.low
用burp攔截改包
更改 host
結果
2. medium
<script>document.write(document.URL)</script>,
document對象 -- 代表整個HTML 文檔,可用來訪問頁面中的所有元素
document.URL 設置URL屬性從而在同一窗口打開另一網頁
document.write() 動態向頁面寫入內容
3.high
$url = "http://" . $_SERVER["HTTP_HOST"] . xss_check_3($_SERVER["REQUEST_URI"])
;
"."是鏈接符,鏈接"http://",$_SERVER["HTTP_HOST"],xss_check_3($_SERVER["REQUEST_URI"])三個部分
xss_check_3()的功能為
1 function xss_check_3($data, $encoding = "UTF-8") 2 { 3 4 // htmlspecialchars - converts special characters to HTML entities 5 // '&' (ampersand) becomes '&' 6 // '"' (double quote) becomes '"' when ENT_NOQUOTES is not set 7 // "'" (single quote) becomes ''' (or ') only when ENT_QUOTES is set 8 // '<' (less than) becomes '<' 9 // '>' (greater than) becomes '>' 10 11 return htmlspecialchars($data, ENT_QUOTES, $encoding); 12 13 }