bWAPP--low--HTML Injection - Reflected (GET)

Posted by 每天积累一点点


HTML Injection - Reflected (GET)

 

Open the page.

HTML tag injection

This is the core code:

<div id="main">

    <h1>HTML Injection - Reflected (GET)</h1>

    <p>Enter your first and last name:</p>

    <form action="<?php echo($_SERVER["SCRIPT_NAME"]);?>" method="GET">

        <p><label for="firstname">First name:</label><br />
        <input type="text" id="firstname" name="firstname"></p>         <!-- first name field -->

        <p><label for="lastname">Last name:</label><br />               <!-- last name field -->
        <input type="text" id="lastname" name="lastname"></p>

        <button type="submit" name="form" value="submit">Go</button>    <!-- submit button -->

    </form>

    <br />
    <?php

    if(isset($_GET["firstname"]) && isset($_GET["lastname"]))                   // read firstname and lastname sent by the form via GET; isset checks that both exist
    {

        $firstname = $_GET["firstname"];                                        // take the parameters
        $lastname = $_GET["lastname"];

        if($firstname == "" or $lastname == "")                               // if either one is empty, show the message below
        {

            echo "<font color=\"red\">Please enter both fields...</font>";

        }

        else
        {

            echo "Welcome " . htmli($firstname) . " " . htmli($lastname);   // both values pass through htmli() before being echoed

        }

    }

    ?>

</div>

The filter section

function htmli($data)
{

    switch($_COOKIE["security_level"])
    {

        case "0" :

            $data = no_check($data);
            break;

        case "1" :

            $data = xss_check_1($data);
            break;

        case "2" :

            $data = xss_check_3($data);
            break;

        default :

            $data = no_check($data);
            break;

    }

    return $data;

}

The security level is read from the security_level cookie, which is set by this selector:

<label>Set your security level:</label><br />

<select name="security_level">

    <option value="0">low</option>
    <option value="1">medium</option>
    <option value="2">high</option>

</select>

 

1. Low level

function no_check($data)
{

    return $data;

}

 

 

No filtering: the input is returned unchanged.

 

2. Medium

function xss_check_1($data)
{

    // Converts only "<" and ">" to HTML entities
    $input = str_replace("<", "&lt;", $data);
    $input = str_replace(">", "&gt;", $input);

    // Failure is an option
    // Bypasses double encoding attacks
    // <script>alert(0)</script>
    // %3Cscript%3Ealert%280%29%3C%2Fscript%3E
    // %253Cscript%253Ealert%25280%2529%253C%252Fscript%253E
    $input = urldecode($input);

    return $input;

}

 

str_replace() replaces < and > with their HTML entities.

urldecode() decodes a URL-encoded string: each %XX hex sequence is turned back into the character it encodes.

Because the decode runs after the replacement, URL-encoding the input gets it past the filter.


3. High

function xss_check_3($data, $encoding = "UTF-8")
{

    // htmlspecialchars - converts special characters to HTML entities
    // '&' (ampersand) becomes '&amp;'
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'

    return htmlspecialchars($data, ENT_QUOTES, $encoding);

}

htmlspecialchars() converts predefined characters into HTML entities.

The predefined characters are:

  • & (ampersand) becomes &amp;
  • " (double quote) becomes &quot;
  • ' (single quote) becomes &#039;
  • < (less than) becomes &lt;
  • > (greater than) becomes &gt;
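As an added example (not bWAPP's own code), the following Python model reproduces the reflection path of the core page code above together with the three htmli() levels, so the decode-after-escape defect of xss_check_1 and the behaviour of xss_check_3 can be checked offline. It assumes urllib.parse.unquote stands in for PHP's urldecode(), html.escape(quote=True) stands in for htmlspecialchars(ENT_QUOTES), and the typed values are constructed samples; browser_submit, php_get_param, xss_check_1_fixed, reflected_output and tag_survives are names of my own, not bWAPP's.

```python
"""Python model of bWAPP's htmli() levels (added example, not project code).

Assumptions: urllib.parse.unquote models PHP urldecode(), html.escape
(quote=True) models htmlspecialchars(ENT_QUOTES); inputs are constructed.
"""
from html import escape
from urllib.parse import quote, unquote


def browser_submit(typed: str) -> str:
    """What the browser puts in the query string for a typed form value."""
    return quote(typed, safe="")


def php_get_param(query_value: str) -> str:
    """PHP percent-decodes the query string exactly once when building $_GET."""
    return unquote(query_value)


def no_check(data: str) -> str:
    """Level 0 (low): returned untouched."""
    return data


def xss_check_1(data: str) -> str:
    """Level 1 (medium), same order as bWAPP: escape first, then urldecode."""
    out = data.replace("<", "&lt;").replace(">", "&gt;")
    return unquote(out)  # any %3C / %3E still in the data becomes < > here


def xss_check_1_fixed(data: str) -> str:
    """Corrected order (hypothetical): canonicalise (decode) first, escape last."""
    return unquote(data).replace("<", "&lt;").replace(">", "&gt;")


def xss_check_3(data: str) -> str:
    """Level 2 (high): escape all five special characters, no decoding at all.
    html.escape emits &#x27; for the single quote where PHP emits &#039;."""
    return escape(data, quote=True)


def reflected_output(typed: str, check) -> str:
    """Full path: form value -> query string -> $_GET -> filter -> page body."""
    return "Welcome " + check(php_get_param(browser_submit(typed)))


def tag_survives(rendered: str) -> bool:
    """Detection check: did a raw < ... > reach the HTML body?"""
    return "<" in rendered and ">" in rendered


if __name__ == "__main__":
    # Constructed inputs: a plain tag, the same tag typed already URL-encoded
    # (the browser encodes it a second time), and a lone double quote.
    for typed in ["<b>x</b>", "%3Cb%3Ex%3C%2Fb%3E", '"']:
        for check in (no_check, xss_check_1, xss_check_1_fixed, xss_check_3):
            out = reflected_output(typed, check)
            print(f"{check.__name__:18} {typed!r:24} -> {out!r}  "
                  f"tag={tag_survives(out)}")
```

The run shows the medium filter stopping a plain tag but handing a once-encoded one straight back to the page, while the high filter never decodes and also neutralises quotes, which matters wherever the value lands inside an attribute rather than element text.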