bWAPP----HTML Injection - Stored (Blog)

Posted 每天积累一点点

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了bWAPP----HTML Injection - Stored (Blog)相关的知识,希望对你有一定的参考价值。

html Injection - Stored (Blog)

界面

 

 

 

  1 <div id="main">
  2 
  3     <h1>HTML Injection - Stored (Blog)</h1>
  4 
  5     <form action="<?php echo($_SERVER["SCRIPT_NAME"]);?>" method="POST">
  6 
  7     <table>
  8 
  9             <tr>
 10 
 11                 <td colspan="6"><p><textarea name="entry" id="entry" cols="80" rows="3"></textarea></p></td>
 12 
 13             </tr>
 14 
 15             <tr>
 16 
 17                 <td width="79" align="left">
 18 
 19                     <button type="submit" name="blog" value="submit">Submit</button>
 20 
 21                 </td>
 22 
 23                 <td width="85" align="center">
 24 
 25                     <label for="entry_add">Add:</label>
 26                     <input type="checkbox" id="entry_add" name="entry_add" value="" checked="on">
 27 
 28                 </td>
 29 
 30                 <td width="100" align="center">
 31 
 32                     <label for="entry_all">Show all:</label>
 33                     <input type="checkbox" id="entry_all" name="entry_all" value="">
 34 
 35                 </td>
 36 
 37                 <td width="106" align="center">
 38 
 39                     <label for="entry_delete">Delete:</label>
 40                     <input type="checkbox" id="entry_delete" name="entry_delete" value="">
 41 
 42                 </td>
 43 
 44                 <td width="7"></td>
 45 
 46                 <td align="left"><?php echo $message;?></td>
 47 
 48             </tr>
 49 
 50     </table>
 51 
 52     </form>
 53 
 54     <br />
 55 
 56     <table id="table_yellow">
 57 
 58         <tr height="30" bgcolor="#ffb717" align="center">
 59 
 60             <td width="20">#</td>
 61             <td width="100"><b>Owner</b></td>
 62             <td width="100"><b>Date</b></td>
 63             <td width="445"><b>Entry</b></td>
 64 
 65         </tr>
 66 
// 上面是html,下面开始是PHP源码
67 <?php 68 69 // Selects all the records 70 71 $entry_all = isset($_POST["entry_all"]) ? 1 : 0; 72 73 if($entry_all == false) 74 { 75 76 $sql = "SELECT * FROM blog WHERE owner = \'" . $_SESSION["login"] . "\'"; 77 78 } 79 80 else 81 { 82 83 $sql = "SELECT * FROM blog"; 84 85 } 86 87 $recordset = $link->query($sql); 88 89 if(!$recordset) 90 { 91 92 // die("Error: " . $link->connect_error . "<br /><br />"); 93 94 ?> 95 <tr height="50"> 96 97 <td colspan="4" width="665"><?php die("Error: " . $link->error);?></td> 98 <!-- 99 <td></td> 100 <td></td> 101 <td></td> 102 --> 103 104 </tr> 105 106 <?php 107 108 } 109 110 while($row = $recordset->fetch_object()) 111 { 112 113 if($_COOKIE["security_level"] == "1" or $_COOKIE["security_level"] == "2") 114 { 115 116 ?> 117 <tr height="40"> 118 119 <td align="center"><?php echo $row->id; ?></td> 120 <td><?php echo $row->owner; ?></td> 121 <td><?php echo $row->date; ?></td> 122 <td><?php echo xss_check_3($row->entry); ?></td> 123 124 </tr> 125 126 <?php 127 128 } 129 130 else 131 { 132 133 ?> 134 <tr height="40"> 135 136 <td align="center"><?php echo $row->id; ?></td> 137 <td><?php echo $row->owner; ?></td> 138 <td><?php echo $row->date; ?></td> 139 <td><?php echo $row->entry; ?></td> 140 141 </tr> 142 143 <?php 144 145 } 146 147 } 148 149 $recordset->close(); 150 151 $link->close(); 152 153 ?> 154 </table> 155 156 </div>

感觉防护代码这有点问题,我没看明白

 1 function htmli($data)
 2 {
 3 
 4     include("connect_i.php");                  //链接数据库
 5 
 6     switch($_COOKIE["security_level"])        //检测级别在cookie里
 7     {
 8 
 9         case "0" :
10 
11             $data = sqli_check_3($link, $data);
12             break;
13 
14         case "1" :
15 
16             $data = sqli_check_3($link, $data);
17             // $data = xss_check_4($data);
18             break;
19 
20         case "2" :
21 
22             $data = sqli_check_3($link, $data);
23             // $data = xss_check_3($data);
24             break;
25 
26         default :
27 
28             $data = sqli_check_3($link, $data);
29             break;
30 
31     }

无论case是几,执行的都是

sqli_check_3()进行过滤

sqli_check_3()的定义是

 

应该把xss的防御加在这里

1 function sqli_check_3($link, $data)
2 {
3    
4     return mysqli_real_escape_string($link, $data);
5     
6 }

mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符。

下列字符受影响:

  • \\x00
  • \\n
  • \\r
  • \\
  • \'
  • "
  • \\x1a

如果成功,则该函数返回被转义的字符串。如果失败,则返回 false。

 

1.low

级别同时不进行保护

 

2.medium

xss_check_4进行防xss保护
函数功能为
function xss_check_4($data)
{
 
 // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
 // These characters are single quote (\'), double quote ("), backslash (\\) and NUL (the NULL byte).
 // Do NOT use this for XSS or HTML validations!!!
 
 return addslashes($data);
 
}

在预定义字符前加反斜杠

预定义字符是:

  • 单引号(\')
  • 双引号(")
  • 反斜杠(\\)
  • NULL

3.high

xss_check_3功能
 
 1 function xss_check_3($data, $encoding = "UTF-8")
 2 {
 3 
 4     // htmlspecialchars - converts special characters to HTML entities    
 5     // \'&\' (ampersand) becomes \'&amp;\' 
 6     // \'"\' (double quote) becomes \'&quot;\' when ENT_NOQUOTES is not set
 7     // "\'" (single quote) becomes \'&#039;\' (or &apos;) only when ENT_QUOTES is set
 8     // \'<\' (less than) becomes \'&lt;\'
 9     // \'>\' (greater than) becomes \'&gt;\'  
10     
11     return htmlspecialchars($data, ENT_QUOTES, $encoding);
12        
13 }

 

 htmlspecialchars()功能,将部分字符转化为html字符

以上是关于bWAPP----HTML Injection - Stored (Blog)的主要内容,如果未能解决你的问题,请参考以下文章

Test-injection中注入对象,只能直接在 test-injection中直接初始化。

SeedLab - SQL Injection Attack Lab

BTS PenTesting Lab-Injection-sql injection-blind sqli1

BTS PenTesting Lab-Injection-sql injection-authentication bypass

SQL injection cheat sheet

DEPENDENCY INJECTION EXAMPLE USING SPRING