bWAPP----HTML Injection - Stored (Blog)

Posted 2020-09-27 每天积累一点点

html Injection - Stored (Blog)

界面

 

 

 

  1 <div id="main">
  2 
  3     <h1>HTML Injection - Stored (Blog)</h1>
  4 
  5     <form action="<?php echo($_SERVER["SCRIPT_NAME"]);?>" method="POST">
  6 
  7     <table>
  8 
  9             <tr>
 10 
 11                 <td colspan="6"><p><textarea name="entry" id="entry" cols="80" rows="3"></textarea></p></td>
 12 
 13             </tr>
 14 
 15             <tr>
 16 
 17                 <td width="79" align="left">
 18 
 19                     <button type="submit" name="blog" value="submit">Submit</button>
 20 
 21                 </td>
 22 
 23                 <td width="85" align="center">
 24 
 25                     <label for="entry_add">Add:</label>
 26                     <input type="checkbox" id="entry_add" name="entry_add" value="" checked="on">
 27 
 28                 </td>
 29 
 30                 <td width="100" align="center">
 31 
 32                     <label for="entry_all">Show all:</label>
 33                     <input type="checkbox" id="entry_all" name="entry_all" value="">
 34 
 35                 </td>
 36 
 37                 <td width="106" align="center">
 38 
 39                     <label for="entry_delete">Delete:</label>
 40                     <input type="checkbox" id="entry_delete" name="entry_delete" value="">
 41 
 42                 </td>
 43 
 44                 <td width="7"></td>
 45 
 46                 <td align="left"><?php echo $message;?></td>
 47 
 48             </tr>
 49 
 50     </table>
 51 
 52     </form>
 53 
 54     <br />
 55 
 56     <table id="table_yellow">
 57 
 58         <tr height="30" bgcolor="#ffb717" align="center">
 59 
 60             <td width="20">#</td>
 61             <td width="100"><b>Owner</b></td>
 62             <td width="100"><b>Date</b></td>
 63             <td width="445"><b>Entry</b></td>
 64 
 65         </tr>
 66 
   // 上面是html，下面开始是PHP源码

 67 <?php
 68 
 69 // Selects all the records
 70 
 71 $entry_all = isset($_POST["entry_all"]) ? 1 : 0;
 72 
 73 if($entry_all == false)
 74 {
 75 
 76     $sql = "SELECT * FROM blog WHERE owner = \'" . $_SESSION["login"] . "\'";
 77 
 78 }
 79 
 80 else
 81 {
 82 
 83     $sql = "SELECT * FROM blog";
 84 
 85 }
 86 
 87 $recordset = $link->query($sql);
 88 
 89 if(!$recordset)
 90 {
 91 
 92     // die("Error: " . $link->connect_error . "<br /><br />");
 93 
 94 ?>
 95         <tr height="50">
 96 
 97             <td colspan="4" width="665"><?php die("Error: " . $link->error);?></td>
 98             <!--
 99             <td></td>
100             <td></td>
101             <td></td>
102             -->
103 
104         </tr>
105 
106 <?php
107 
108 }
109 
110 while($row = $recordset->fetch_object())
111 {
112 
113     if($_COOKIE["security_level"] == "1" or $_COOKIE["security_level"] == "2")
114     {
115 
116 ?>
117         <tr height="40">
118 
119             <td align="center"><?php echo $row->id; ?></td>
120             <td><?php echo $row->owner; ?></td>
121             <td><?php echo $row->date; ?></td>
122             <td><?php echo xss_check_3($row->entry); ?></td>
123 
124         </tr>
125 
126 <?php
127 
128     }
129 
130     else
131     {
132 
133 ?>
134         <tr height="40">
135 
136             <td align="center"><?php echo $row->id; ?></td>
137             <td><?php echo $row->owner; ?></td>
138             <td><?php echo $row->date; ?></td>
139             <td><?php echo $row->entry; ?></td>
140 
141         </tr>
142 
143 <?php
144 
145     }
146 
147 }
148 
149 $recordset->close();
150 
151 $link->close();
152 
153 ?>
154     </table>
155 
156 </div>

感觉防护代码这有点问题，我没看明白

 1 function htmli($data)
 2 {
 3 
 4     include("connect_i.php");                  //链接数据库
 5 
 6     switch($_COOKIE["security_level"])        //检测级别在cookie里
 7     {
 8 
 9         case "0" :
10 
11             $data = sqli_check_3($link, $data);
12             break;
13 
14         case "1" :
15 
16             $data = sqli_check_3($link, $data);
17             // $data = xss_check_4($data);
18             break;
19 
20         case "2" :
21 
22             $data = sqli_check_3($link, $data);
23             // $data = xss_check_3($data);
24             break;
25 
26         default :
27 
28             $data = sqli_check_3($link, $data);
29             break;
30 
31     }

无论case是几，执行的都是

sqli_check_3（）进行过滤

sqli_check_3()的定义是

 

应该把xss的防御加在这里

1 function sqli_check_3($link, $data)
2 {
3    
4     return mysqli_real_escape_string($link, $data);
5     
6 }

mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符。

下列字符受影响：

• \\x00
• \\n
• \\r
• \\
• \'
• "
• \\x1a

如果成功，则该函数返回被转义的字符串。如果失败，则返回 false。

 

1.low

级别同时不进行保护

 

2.medium

xss_check_4进行防xss保护

函数功能为

function xss_check_4($data)
{
 
 // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
 // These characters are single quote (\'), double quote ("), backslash (\\) and NUL (the NULL byte).
 // Do NOT use this for XSS or HTML validations!!!
 
 return addslashes($data);
 
}

在预定义字符前加反斜杠

预定义字符是：

• 单引号（\'）
• 双引号（"）
• 反斜杠（\\）
• NULL

3.high

xss_check_3功能

 

 1 function xss_check_3($data, $encoding = "UTF-8")
 2 {
 3 
 4     // htmlspecialchars - converts special characters to HTML entities    
 5     // \'&\' (ampersand) becomes \'&\' 
 6     // \'"\' (double quote) becomes \'"\' when ENT_NOQUOTES is not set
 7     // "\'" (single quote) becomes \''\' (or ') only when ENT_QUOTES is set
 8     // \'<\' (less than) becomes \'&lt;\'
 9     // \'>\' (greater than) becomes \'&gt;\'  
10     
11     return htmlspecialchars($data, ENT_QUOTES, $encoding);
12        
13 }

 

 htmlspecialchars（）功能，将部分字符转化为html字符