bWAPP----HTML Injection

HTML Injection - Reflected (GET)

进入界面，

html标签注入

这是核心代码

 1 <div id="main">
 2     
 3     <h1>HTML Injection - Reflected (GET)</h1>
 4 
 5     <p>Enter your first and last name:</p>
 6 
 7     <form action="<?php echo($_SERVER["SCRIPT_NAME"]);?>" method="GET">
 8 
 9         <p><label for="firstname">First name:</label><br />
10         <input type="text" id="firstname" name="firstname"></p>         //first name 框
11  
12         <p><label for="lastname">Last name:</label><br />               //last name 框
13         <input type="text" id="lastname" name="lastname"></p>
14 
15         <button type="submit" name="form" value="submit">Go</button>    //按钮标签
16 
17     </form>
18 
19     <br />
20     <?php
21 
22     if(isset($_GET["firstname"]) && isset($_GET["lastname"]))　　                 //以GET方式获取表单传递的firstname和lastname，isset检测是否存在
23     {   
24 
25         $firstname = $_GET["firstname"];                                        //接受参数
26         $lastname = $_GET["lastname"];    
27 
28         if($firstname == "" or $lastname == "")　　                             //如果其中一个为空，显示下边内容 
29         {
30 
31             echo "<font color="red">Please enter both fields...</font>";       
32 
33         }
34 
35         else            
36         { 
37 
38             echo "Welcome " . htmli($firstname) . " " . htmli($lastname);   
39 
40         }
41 
42     }
43 
44     ?>
45 
46 </div>

过滤部分

 1 function htmli($data)
 2 {
 3          
 4     switch($_COOKIE["security_level"])
 5     {
 6         
 7         case "0" : 
 8             
 9             $data = no_check($data);            
10             break;
11         
12         case "1" :
13             
14             $data = xss_check_1($data);
15             break;
16         
17         case "2" :            
18                        
19             $data = xss_check_3($data);            
20             break;
21         
22         default : 
23             
24             $data = no_check($data);            
25             break;;   
26 
27     }       
28 
29     return $data;
30 
31 }
32 
33  <label>Set your security level:</label><br />
34         
35         <select name="security_level">
36             
37             <option value="0">low</option>
38             <option value="1">medium</option>
39             <option value="2">high</option> 
40             
41         </select>

1.low级别

function no_check($data)
{    
   
    return $data;
        
}

没有过滤

2.medium

 1 function xss_check_1($data)
 2 {
 3     
 4     // Converts only "<" and ">" to HTLM entities    
 5     $input = str_replace("<", "&lt;", $data);                       
 6     $input = str_replace(">", "&gt;", $input);
 7     
 8     // Failure is an option
 9     // Bypasses double encoding attacks                                         
10     // <script>alert(0)</script>
11     // %3Cscript%3Ealert%280%29%3C%2Fscript%3E
12     // %253Cscript%253Ealert%25280%2529%253C%252Fscript%253E
13     $input = urldecode($input);
14     
15     return $input;
16     
17 }

str_replace():对<，>，进行替换，

urldecode（）用于解码已编码的 URL 字符串，其原理就是把十六进制字符串转换为中文字符

也就是进行URL编码可以绕过过滤





3.high

 1 function xss_check_3($data, $encoding = "UTF-8")
 2 {
 3 
 4     // htmlspecialchars - converts special characters to HTML entities    
 5     // '&' (ampersand) becomes '&amp;' 
 6     // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
 7     // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
 8     // '<' (less than) becomes '&lt;'
 9     // '>' (greater than) becomes '&gt;'  
10     
11     return htmlspecialchars($data, ENT_QUOTES, $encoding);
12        
13 }

htmlspecialchars() 函数把预定义的字符转换为 HTML 实体。

预定义的字符是：

& （和号）成为 &
" （双引号）成为 "
' （单引号）成为 '
< （小于）成为 <
> （大于）成为 >