  • bWAPP - HTML Injection

    HTML Injection - Reflected (URL)

    Core code

    <div id="main">

        <h1>HTML Injection - Reflected (URL)</h1>

        <?php echo "<p align=\"left\">Your current URL: <i>" . $url . "</i></p>";?>

    </div>

    Protection code

    $url = "";

    switch($_COOKIE["security_level"])
    {

        case "0" :

            // $url = "http://" . $_SERVER["HTTP_HOST"] . urldecode($_SERVER["REQUEST_URI"]);
            $url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];    // $url is built from the request's Host header and the request URI
            break;

        case "1" :

            $url = "<script>document.write(document.URL)</script>";
            break;

        case "2" :

            $url = "http://" . $_SERVER["HTTP_HOST"] . xss_check_3($_SERVER["REQUEST_URI"]);
            break;

        default :

            // $url = "http://" . $_SERVER["HTTP_HOST"] . urldecode($_SERVER["REQUEST_URI"]);
            $url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
            break;

    }
    
    
    <select name="security_level">

        <option value="0">low</option>
        <option value="1">medium</option>
        <option value="2">high</option>

    </select>

    1. low

    Intercept the request with Burp and modify it

    Change the Host header

    Result

    2. medium

    <script>document.write(document.URL)</script>

    document object -- represents the entire HTML document; it can be used to access every element in the page

    document.URL                 sets the URL property, thereby opening another page in the same window

    document.write()             dynamically writes content into the page


    3. high

    $url = "http://" . $_SERVER["HTTP_HOST"] . xss_check_3($_SERVER["REQUEST_URI"]);

    "." is the string concatenation operator; it joins the three parts "http://", $_SERVER["HTTP_HOST"] and xss_check_3($_SERVER["REQUEST_URI"])

    The function xss_check_3() does the following:

    function xss_check_3($data, $encoding = "UTF-8")
    {

        // htmlspecialchars - converts special characters to HTML entities
        // '&' (ampersand) becomes '&amp;'
        // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
        // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
        // '<' (less than) becomes '&lt;'
        // '>' (greater than) becomes '&gt;'

        return htmlspecialchars($data, ENT_QUOTES, $encoding);

    }
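    The following is an added example, not bWAPP's own code: a Python port of the three-level switch and of xss_check_3() above, so the reflected string at each level can be compared side by side. It re-implements PHP's htmlspecialchars(ENT_QUOTES) by hand (the entity table and the sample Host/REQUEST_URI values are constructed here), and adds a hardened variant that encodes the whole URL rather than only REQUEST_URI, since in the level-2 branch $_SERVER["HTTP_HOST"] is concatenated without passing through xss_check_3().

```python
# Added example: Python port of bWAPP's htmli_get_url.php logic shown above (not bWAPP code).
# htmlspecialchars($data, ENT_QUOTES, "UTF-8") is re-implemented so the output matches
# PHP's entities exactly (single quote -> &#039;). Sample inputs are constructed.

# '&' is replaced first so the entities produced afterwards are not re-encoded;
# an '&amp;' already present in the input still becomes '&amp;amp;' (PHP double_encode default).
_HTML_ENTITIES = (
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#039;"),
)

def xss_check_3(data: str) -> str:
    """Equivalent of the page's xss_check_3(): htmlspecialchars with ENT_QUOTES."""
    for char, entity in _HTML_ENTITIES:
        data = data.replace(char, entity)
    return data

def build_url(security_level: str, host: str, request_uri: str) -> str:
    """Mirror the switch on $_COOKIE["security_level"] from the PHP above."""
    if security_level == "1":
        # medium: nothing is reflected server-side; the browser writes document.URL itself
        return "<script>document.write(document.URL)</script>"
    if security_level == "2":
        # high: only REQUEST_URI goes through xss_check_3(); HTTP_HOST is concatenated raw
        return "http://" + host + xss_check_3(request_uri)
    # low, and the default branch for any other cookie value: both values reflected raw
    return "http://" + host + request_uri

def build_url_hardened(host: str, request_uri: str) -> str:
    """Defensive variant (assumption, not in bWAPP): encode the complete string that
    lands inside the <i> tag, so a crafted Host header is neutralised like the query string."""
    return xss_check_3("http://" + host + request_uri)

def render(url: str) -> str:
    """The <p> element that the page's core code echoes."""
    return '<p align="left">Your current URL: <i>' + url + "</i></p>"

if __name__ == "__main__":
    # Constructed request: both the Host header and the query string carry markup.
    host = "localhost<b>tag</b>"
    uri = '/bWAPP/htmli_get_url.php?x=<i>y</i>&q="z"'
    for level in ("0", "1", "2"):
        print("level", level, render(build_url(level, host, uri)))
    print("hardened", render(build_url_hardened(host, uri)))
```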

  • Original article: https://www.cnblogs.com/hongren/p/7149012.html