bWAPP----HTML Injection

HTML Injection - Stored (Blog)

界面

  1 <div id="main">
  2 
  3     <h1>HTML Injection - Stored (Blog)</h1>
  4 
  5     <form action="<?php echo($_SERVER["SCRIPT_NAME"]);?>" method="POST">
  6 
  7     <table>
  8 
  9             <tr>
 10 
 11                 <td colspan="6"><p><textarea name="entry" id="entry" cols="80" rows="3"></textarea></p></td>
 12 
 13             </tr>
 14 
 15             <tr>
 16 
 17                 <td width="79" align="left">
 18 
 19                     <button type="submit" name="blog" value="submit">Submit</button>
 20 
 21                 </td>
 22 
 23                 <td width="85" align="center">
 24 
 25                     <label for="entry_add">Add:</label>
 26                     <input type="checkbox" id="entry_add" name="entry_add" value="" checked="on">
 27 
 28                 </td>
 29 
 30                 <td width="100" align="center">
 31 
 32                     <label for="entry_all">Show all:</label>
 33                     <input type="checkbox" id="entry_all" name="entry_all" value="">
 34 
 35                 </td>
 36 
 37                 <td width="106" align="center">
 38 
 39                     <label for="entry_delete">Delete:</label>
 40                     <input type="checkbox" id="entry_delete" name="entry_delete" value="">
 41 
 42                 </td>
 43 
 44                 <td width="7"></td>
 45 
 46                 <td align="left"><?php echo $message;?></td>
 47 
 48             </tr>
 49 
 50     </table>
 51 
 52     </form>
 53 
 54     <br />
 55 
 56     <table id="table_yellow">
 57 
 58         <tr height="30" bgcolor="#ffb717" align="center">
 59 
 60             <td width="20">#</td>
 61             <td width="100"><b>Owner</b></td>
 62             <td width="100"><b>Date</b></td>
 63             <td width="445"><b>Entry</b></td>
 64 
 65         </tr>
 66 
   // 上面是html,下面开始是PHP源码

 67 <?php
 68 
 69 // Selects all the records
 70 
 71 $entry_all = isset($_POST["entry_all"]) ? 1 : 0;
 72 
 73 if($entry_all == false)
 74 {
 75 
 76     $sql = "SELECT * FROM blog WHERE owner = '" . $_SESSION["login"] . "'";
 77 
 78 }
 79 
 80 else
 81 {
 82 
 83     $sql = "SELECT * FROM blog";
 84 
 85 }
 86 
 87 $recordset = $link->query($sql);
 88 
 89 if(!$recordset)
 90 {
 91 
 92     // die("Error: " . $link->connect_error . "<br /><br />");
 93 
 94 ?>
 95         <tr height="50">
 96 
 97             <td colspan="4" width="665"><?php die("Error: " . $link->error);?></td>
 98             <!--
 99             <td></td>
100             <td></td>
101             <td></td>
102             -->
103 
104         </tr>
105 
106 <?php
107 
108 }
109 
110 while($row = $recordset->fetch_object())
111 {
112 
113     if($_COOKIE["security_level"] == "1" or $_COOKIE["security_level"] == "2")
114     {
115 
116 ?>
117         <tr height="40">
118 
119             <td align="center"><?php echo $row->id; ?></td>
120             <td><?php echo $row->owner; ?></td>
121             <td><?php echo $row->date; ?></td>
122             <td><?php echo xss_check_3($row->entry); ?></td>
123 
124         </tr>
125 
126 <?php
127 
128     }
129 
130     else
131     {
132 
133 ?>
134         <tr height="40">
135 
136             <td align="center"><?php echo $row->id; ?></td>
137             <td><?php echo $row->owner; ?></td>
138             <td><?php echo $row->date; ?></td>
139             <td><?php echo $row->entry; ?></td>
140 
141         </tr>
142 
143 <?php
144 
145     }
146 
147 }
148 
149 $recordset->close();
150 
151 $link->close();
152 
153 ?>
154     </table>
155 
156 </div>

感觉防护代码这有点问题,我没看明白

 1 function htmli($data)
 2 {
 3 
 4     include("connect_i.php");                  //链接数据库
 5 
 6     switch($_COOKIE["security_level"])        //检测级别在cookie里
 7     {
 8 
 9         case "0" :
10 
11             $data = sqli_check_3($link, $data);
12             break;
13 
14         case "1" :
15 
16             $data = sqli_check_3($link, $data);
17             // $data = xss_check_4($data);
18             break;
19 
20         case "2" :
21 
22             $data = sqli_check_3($link, $data);
23             // $data = xss_check_3($data);
24             break;
25 
26         default :
27 
28             $data = sqli_check_3($link, $data);
29             break;
30 
31     }

无论case是几,执行的都是

sqli_check_3()进行过滤

sqli_check_3()的定义是

应该把xss的防御加在这里

1 function sqli_check_3($link, $data)
2 {
3    
4     return mysqli_real_escape_string($link, $data);
5     
6 }

mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符。

下列字符受影响:

  • x00
  • '
  • "
  • x1a

如果成功,则该函数返回被转义的字符串。如果失败,则返回 false。

1.low

级别同时不进行保护

2.medium

xss_check_4进行防xss保护
函数功能为
function xss_check_4($data)
{
 
 // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
 // These characters are single quote ('), double quote ("), backslash () and NUL (the NULL byte).
 // Do NOT use this for XSS or HTML validations!!!
 
 return addslashes($data);
 
}

在预定义字符前加反斜杠

预定义字符是:

  • 单引号(')
  • 双引号(")
  • 反斜杠()
  • NULL

3.high

xss_check_3功能
 
 1 function xss_check_3($data, $encoding = "UTF-8")
 2 {
 3 
 4     // htmlspecialchars - converts special characters to HTML entities    
 5     // '&' (ampersand) becomes '&amp;' 
 6     // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
 7     // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
 8     // '<' (less than) becomes '&lt;'
 9     // '>' (greater than) becomes '&gt;'  
10     
11     return htmlspecialchars($data, ENT_QUOTES, $encoding);
12        
13 }

 htmlspecialchars()功能,将部分字符转化为html字符

【推广】 免费学中医,健康全家人
原文地址:https://www.cnblogs.com/hongren/p/7151935.html