bWAPP: HTML Injection

    HTML Injection - Reflected (URL)

Core code

<div id="main">

    <h1>HTML Injection - Reflected (URL)</h1>

    <?php echo "<p align=\"left\">Your current URL: <i>" . $url . "</i></p>"; ?>

</div>

Protection code

$url = "";

switch($_COOKIE["security_level"])
{

    case "0" :

        // $url = "http://" . $_SERVER["HTTP_HOST"] . urldecode($_SERVER["REQUEST_URI"]);
        $url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];   // $url is built from the Host request header and the request URL
        break;

    case "1" :

        $url = "<script>document.write(document.URL)</script>";
        break;

    case "2" :

        $url = "http://" . $_SERVER["HTTP_HOST"] . xss_check_3($_SERVER["REQUEST_URI"]);
        break;

    default :

        // $url = "http://" . $_SERVER["HTTP_HOST"] . urldecode($_SERVER["REQUEST_URI"]);
        $url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
        break;

}
    
    
<select name="security_level">

    <option value="0">low</option>
    <option value="1">medium</option>
    <option value="2">high</option>

</select>

1. low

Intercept the request with Burp and modify it.

Change the Host header.

Result

2. medium

<script>document.write(document.URL)</script>

document object -- represents the whole HTML document and can be used to access every element on the page

document.URL                setting the URL property opens another page in the same window

document.write()             writes content into the page dynamically


3. high

    $url = "http://" . $_SERVER["HTTP_HOST"] . xss_check_3($_SERVER["REQUEST_URI"]);

"." is the concatenation operator; it joins the three parts "http://", $_SERVER["HTTP_HOST"] and xss_check_3($_SERVER["REQUEST_URI"]).

xss_check_3() does the following:

function xss_check_3($data, $encoding = "UTF-8")
{

    // htmlspecialchars - converts special characters to HTML entities
    // '&' (ampersand) becomes '&amp;'
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'

    return htmlspecialchars($data, ENT_QUOTES, $encoding);

}
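To see what the three security levels and xss_check_3() actually do to a request, here is an added, self-contained PHP script that is not part of bWAPP. It copies the switch from the protection code and the xss_check_3() helper above, but takes a constructed $_SERVER-style array instead of the real request so it can be run from the command line. The names build_url(), build_url_hardened() and render_page(), the allowlist of hosts and the sample request values are all invented for this demonstration.

```php
<?php
// Added example (not bWAPP's own code). Run with: php html_injection_levels.php
// Reproduces the "HTML Injection - Reflected (URL)" page for each security level
// against a constructed request, and adds a hardened variant for comparison.

function xss_check_3($data, $encoding = "UTF-8")
{
    // Same behaviour as the bWAPP helper: &, ", ', < and > become HTML entities.
    return htmlspecialchars($data, ENT_QUOTES, $encoding);
}

// Mirrors the switch on security_level from the protection code, but reads the
// request from a parameter instead of the real $_SERVER so it can run offline.
function build_url($level, array $server)
{
    switch ($level) {
        case "1":
            // Medium: PHP echoes nothing from the request; the browser writes
            // document.URL itself, so the reflection happens on the client side.
            return "<script>document.write(document.URL)</script>";
        case "2":
            // High: the request path is entity-encoded before it is placed in HTML.
            // Note that only REQUEST_URI goes through xss_check_3(); HTTP_HOST does not.
            return "http://" . $server["HTTP_HOST"] . xss_check_3($server["REQUEST_URI"]);
        case "0":
        default:
            // Low: Host header and path are concatenated verbatim into the page.
            return "http://" . $server["HTTP_HOST"] . $server["REQUEST_URI"];
    }
}

// Hardened variant (invented here, not part of bWAPP): the Host header is
// client-supplied too, so it is checked against an allowlist before use, and the
// complete string is encoded once, right before it is written into the HTML body.
function build_url_hardened(array $server, array $allowed_hosts)
{
    $host = $server["HTTP_HOST"] ?? "";
    if (!in_array($host, $allowed_hosts, true)) {
        $host = $allowed_hosts[0];   // fall back to the canonical host instead of reflecting
    }
    return xss_check_3("http://" . $host . $server["REQUEST_URI"]);
}

// The same markup the page's core code emits (backslashes restored).
function render_page($url)
{
    return "<p align=\"left\">Your current URL: <i>" . $url . "</i></p>";
}

// Constructed request: a benign host plus a path that carries HTML markup.
$request = [
    "HTTP_HOST"   => "localhost",
    "REQUEST_URI" => "/bWAPP/htmli_get.php?x=<h1>injected</h1>",
];

foreach (["0", "1", "2"] as $level) {
    echo "level $level: " . render_page(build_url($level, $request)) . PHP_EOL;
}
echo "hardened: " . render_page(build_url_hardened($request, ["localhost"])) . PHP_EOL;

// Constructed request with a modified Host header, as in the Burp step for the low level.
$tampered = $request;
$tampered["HTTP_HOST"] = "<b>modified-host</b>";
echo "level 2, modified Host:  " . render_page(build_url("2", $tampered)) . PHP_EOL;
echo "hardened, modified Host: " . render_page(build_url_hardened($tampered, ["localhost"])) . PHP_EOL;
```

Running it prints one line per level: at level 0 the `<h1>` from the path lands in the page as markup, at level 2 it appears as `&lt;h1&gt;injected&lt;/h1&gt;`, and the hardened variant produces the same encoded path while also replacing the unexpected Host value with the allowlisted one. The two "modified Host" lines make the difference between the page's high level and the allowlist visible: high encodes the path only, the hardened function never reflects an unknown host at all.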
     


     

Original article: https://www.cnblogs.com/hongren/p/7149012.html