bWAPP----HTML Injection - Stored (Blog)
阿新 • • 發佈:2017-07-11
單引號 level med per error bsp consola lose nor
HTML Injection - Stored (Blog)
界面
1 <div id="main"> 2 3 <h1>HTML Injection - Stored (Blog)</h1> 4 5 <form action="<?php echo($_SERVER["SCRIPT_NAME"]);?>" method="POST"> 6 7 <table> 8 9 <tr> 10 11 <td colspan="6"><p><textarea name="entry" id="entry" cols="80" rows="3"></textarea></p></td> 1213 </tr> 14 15 <tr> 16 17 <td width="79" align="left"> 18 19 <button type="submit" name="blog" value="submit">Submit</button> 20 21 </td> 22 23 <td width="85" align="center"> 2425 <label for="entry_add">Add:</label> 26 <input type="checkbox" id="entry_add" name="entry_add" value="" checked="on"> 27 28 </td> 29 30 <td width="100" align="center"> 31 32 <label for="entry_all">Show all:</label> 33 <input type="checkbox" id="entry_all" name="entry_all" value=""> 34 35 </td> 36 37 <td width="106" align="center"> 38 39 <label for="entry_delete">Delete:</label> 40 <input type="checkbox" id="entry_delete" name="entry_delete" value=""> 41 42 </td> 43 44 <td width="7"></td> 45 46 <td align="left"><?php echo $message;?></td> 47 48 </tr> 49 50 </table> 51 52 </form> 53 54 <br /> 55 56 <table id="table_yellow"> 57 58 <tr height="30" bgcolor="#ffb717" align="center"> 59 60 <td width="20">#</td> 61 <td width="100"><b>Owner</b></td> 62 <td width="100"><b>Date</b></td> 63 <td width="445"><b>Entry</b></td> 64 65 </tr> 66
// 上面是html,下面開始是PHP源碼
67 <?php 68 69 // Selects all the records 70 71 $entry_all = isset($_POST["entry_all"]) ? 1 : 0; 72 73 if($entry_all == false) 74 { 75 76 $sql = "SELECT * FROM blog WHERE owner = ‘" . $_SESSION["login"] . "‘"; 77 78 } 79 80 else 81 { 82 83 $sql = "SELECT * FROM blog"; 84 85 } 86 87 $recordset = $link->query($sql); 88 89 if(!$recordset) 90 { 91 92 // die("Error: " . $link->connect_error . "<br /><br />"); 93 94 ?> 95 <tr height="50"> 96 97 <td colspan="4" width="665"><?php die("Error: " . $link->error);?></td> 98 <!-- 99 <td></td> 100 <td></td> 101 <td></td> 102 --> 103 104 </tr> 105 106 <?php 107 108 } 109 110 while($row = $recordset->fetch_object()) 111 { 112 113 if($_COOKIE["security_level"] == "1" or $_COOKIE["security_level"] == "2") 114 { 115 116 ?> 117 <tr height="40"> 118 119 <td align="center"><?php echo $row->id; ?></td> 120 <td><?php echo $row->owner; ?></td> 121 <td><?php echo $row->date; ?></td> 122 <td><?php echo xss_check_3($row->entry); ?></td> 123 124 </tr> 125 126 <?php 127 128 } 129 130 else 131 { 132 133 ?> 134 <tr height="40"> 135 136 <td align="center"><?php echo $row->id; ?></td> 137 <td><?php echo $row->owner; ?></td> 138 <td><?php echo $row->date; ?></td> 139 <td><?php echo $row->entry; ?></td> 140 141 </tr> 142 143 <?php 144 145 } 146 147 } 148 149 $recordset->close(); 150 151 $link->close(); 152 153 ?> 154 </table> 155 156 </div>
感覺防護代碼這有點問題,我沒看明白
1 function htmli($data) 2 { 3 4 include("connect_i.php"); //鏈接數據庫 5 6 switch($_COOKIE["security_level"]) //檢測級別在cookie裏 7 { 8 9 case "0" : 10 11 $data = sqli_check_3($link, $data); 12 break; 13 14 case "1" : 15 16 $data = sqli_check_3($link, $data); 17 // $data = xss_check_4($data); 18 break; 19 20 case "2" : 21 22 $data = sqli_check_3($link, $data); 23 // $data = xss_check_3($data); 24 break; 25 26 default : 27 28 $data = sqli_check_3($link, $data); 29 break; 30 31 }
無論case是幾,執行的都是
sqli_check_3()進行過濾
sqli_check_3()的定義是
1 function sqli_check_3($link, $data) 2 { 3 4 return mysqli_real_escape_string($link, $data); 5 6 }
mysql_real_escape_string() 函數轉義 SQL 語句中使用的字符串中的特殊字符。
下列字符受影響:
- \x00
- \n
- \r
- \
- ‘
- "
- \x1a
如果成功,則該函數返回被轉義的字符串。如果失敗,則返回 false。
1.low
級別同時不進行保護
2.medium
xss_check_4進行防xss保護 函數功能為function xss_check_4($data) { // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc. // These characters are single quote (‘), double quote ("), backslash (\) and NUL (the NULL byte). // Do NOT use this for XSS or HTML validations!!! return addslashes($data); }
在預定義字符前加反斜杠
預定義字符是:
- 單引號(‘)
- 雙引號(")
- 反斜杠(\)
- NULL
3.high
xss_check_3功能1 function xss_check_3($data, $encoding = "UTF-8") 2 { 3 4 // htmlspecialchars - converts special characters to HTML entities 5 // ‘&‘ (ampersand) becomes ‘&‘ 6 // ‘"‘ (double quote) becomes ‘"‘ when ENT_NOQUOTES is not set 7 // "‘" (single quote) becomes ‘'‘ (or ') only when ENT_QUOTES is set 8 // ‘<‘ (less than) becomes ‘<‘ 9 // ‘>‘ (greater than) becomes ‘>‘ 10 11 return htmlspecialchars($data, ENT_QUOTES, $encoding); 12 13 }
htmlspecialchars()功能,將部分字符轉化為html字符
bWAPP----HTML Injection - Stored (Blog)