bWAPP----iFrame Injection

iFrame Injection

Straight to the code:

<div id="main">

    <h1>iFrame Injection</h1>

<?php

if($_COOKIE["security_level"] == "1" || $_COOKIE["security_level"] == "2")      // executed when the security level is not low
{

?>
    <!-- src is fixed to robots.txt; only the height and width parameters go through xss() -->
    <iframe frameborder="0" src="robots.txt" height="<?php echo xss($_GET["ParamHeight"])?>" width="<?php echo xss($_GET["ParamWidth"])?>"></iframe>
<?php

}

else
{

?>
    <!-- when the security level is 0, URL, width and height all go through xss() -->
    <iframe frameborder="0" src="<?php echo xss($_GET["ParamUrl"])?>" height="<?php echo xss($_GET["ParamHeight"])?>" width="<?php echo xss($_GET["ParamWidth"])?>"></iframe>
<?php

}

?>

</div>

Defensive code:

if(!(isset($_GET["ParamUrl"])) || !(isset($_GET["ParamHeight"])) || !(isset($_GET["ParamWidth"])))          // if any of the three parameters is missing,
{

    header("Location: iframei.php?ParamUrl=robots.txt&ParamWidth=250&ParamHeight=250");                     // redirect to these defaults

    exit;

}

function xss($data)
{

    switch($_COOKIE["security_level"])
    {

        case "0" :

            $data = no_check($data);
            break;

        case "1" :

            $data = xss_check_4($data);
            break;

        case "2" :

            $data = xss_check_3($data);
            break;

        default :

            $data = no_check($data);
            break;

    }

    return $data;

}

1.low

At the low level, xss() calls no_check().

That function does no processing at all.

So at the low level none of the three parameters is processed:

<iframe frameborder="0"
src="<?php echo xss($_GET["ParamUrl"])?>"
height="<?php echo xss($_GET["ParamHeight"])?>"
width="<?php echo xss($_GET["ParamWidth"])?>">
</iframe>

2.medium

function xss_check_4($data)
{
  
    // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
    // These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
    // Do NOT use this for XSS or HTML validations!!!
    
    return addslashes($data);
    
}

We have already run into this function several times before.

3.high

function xss_check_3($data, $encoding = "UTF-8")
{

    // htmlspecialchars - converts special characters to HTML entities
    // '&' (ampersand) becomes '&amp;'
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'

    return htmlspecialchars($data, ENT_QUOTES, $encoding);

}

We have also run into this function several times before.
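To see why addslashes() is the wrong tool here while htmlspecialchars() with ENT_QUOTES is the right one, the following added example (not bWAPP's own code) runs the three checks that xss() dispatches to over one constructed attribute value and reports which results can still break out of a double-quoted HTML attribute; the probe string and the attribute_safe() helper are assumptions made for this demonstration.

```php
<?php
// Added example, not bWAPP's own code: the three checks xss() dispatches to,
// applied to one constructed attribute value, so the difference between
// addslashes() (medium) and htmlspecialchars() (high) shows up in the markup.

function no_check($data)
{
    return $data;                                  // low: value used as-is
}

function xss_check_4($data)
{
    return addslashes($data);                      // medium: backslash before ' " \ NUL
}

function xss_check_3($data, $encoding = "UTF-8")
{
    return htmlspecialchars($data, ENT_QUOTES, $encoding);   // high: entity-encodes & " ' < >
}

// Same dispatch as bWAPP's xss(), keyed on the security_level value.
function check_value($level, $value)
{
    $checks = ["0" => 'no_check', "1" => 'xss_check_4', "2" => 'xss_check_3'];
    $check  = $checks[$level] ?? 'no_check';       // default branch is no_check()
    return $check($value);
}

// True when the value can neither close a double-quoted attribute nor start a tag.
// A backslash is not an escape character in HTML, so \" still ends the attribute.
function attribute_safe($value)
{
    return preg_match('/["<>]/', $value) === 0;
}

// Constructed probe: the three characters that matter inside a quoted attribute.
$probe = 'x" y<z>';

foreach (["0" => "low", "1" => "medium", "2" => "high"] as $level => $name) {
    $checked = check_value((string) $level, $probe);
    $attr    = 'height="' . $checked . '"';        // as emitted by iframei.php
    printf("%-7s %-32s %s\n", $name, $attr, attribute_safe($checked) ? "encoded" : "breaks out");
}
```

Only the high level leaves no raw `"`, `<` or `>` in the attribute; the medium level merely prefixes the quote with a backslash, which the browser does not treat as an escape.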


Original article: https://www.cnblogs.com/hongren/p/7154314.html