GET-based XSS injection
abc.php
<?php
$servername = "localhost";
$username = "root";
$password = "root";
$dbname = "test";
// Open the connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check the connection
if ($conn->connect_error) {
    die("連線失敗: " . $conn->connect_error); // "Connection failed: "
}
// The id parameter is concatenated straight into the SQL string, unvalidated and
// unescaped, so whatever the query string carries is stored verbatim in the password column
$sql = "INSERT INTO yonghu (username, password)
VALUES ('John', '" . $_GET['id'] . "')";
if ($conn->query($sql) === TRUE) {
    echo "ok";
} else {
    // On failure the raw SQL (including the user input) is echoed back without encoding
    echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
Visit in the browser: http://localhost/abc.php?id=234<script>alert("1231")</script>
However, entering http://localhost/abc.php?id=234<script>alert('1231')</script> raises an error and the string cannot be assembled, because the single quote closes the SQL string literal.
The database insert succeeds.
The password column now holds 2<script>alert("1231")</script>
Then write a welcome.php to display that value.
The code is as follows:
<html>
<body>
<?php
// Note: the mysql_* extension used here was removed in PHP 7; this script runs on PHP 5.
$con = mysql_connect("localhost", "root", "root");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
else
{
    mysql_select_db("test");
    // id comes straight from the query string and is concatenated into the SQL (intentionally unsanitized)
    $id = $_GET['id'];
    $query = "select * from yonghu where Id=$id";
    $result = mysql_query($query);
    $info = mysql_fetch_array($result);
    $re_num = mysql_num_rows($result);
    if ($info == FALSE)
    {
        echo "抱歉,您的訂餐資訊沒有查到!"; // "Sorry, your order information was not found!"
    }
    else
    {
        echo "<form action='index.php' method='post' name='chakanform'>";
        echo "<table>";
        echo "<tr>";
        echo "<h3>你的訂餐記錄是:</h3>"; // "Your order record is:"
        echo "</tr>";
        // Header cells as in the original post; the data rows below have four columns
        echo "<tr>";
        echo "<td>";
        echo "序號:"; // "No.:"
        echo "</td>";
        echo "<td>";
        echo "菜品:"; // "Dish:"
        echo "</td>";
        echo "<td>";
        echo "訂餐時間"; // "Order time"
        echo "</td>";
        echo "<td>";
        echo "訂餐時間";
        echo "</td>";
        echo "<td>";
        echo "訂餐時間";
        echo "</td>";
        echo "<td>";
        echo "訂餐時間";
        echo "</td>";
        echo "<td>";
        echo "訂餐時間";
        echo "</td>";
        echo "<td>";
        echo "訂餐時間";
        echo "</td>";
        echo "</tr>";
        $xuhao = 0; // row counter
        do
        {
            $xuhao++;
            echo "<tr>";
            echo "<td>";
            echo $xuhao;
            echo "</td>";
            echo "<td>";
            echo $info['username'];
            echo "</td>";
            echo "<td>";
            // Printed without HTML encoding: the stored <script> payload runs here
            echo $info['password'];
            echo "</td>";
            echo "<td>";
            echo $info['id'];
            echo "</td>";
            echo "</tr>";
        }
        while ($info = @mysql_fetch_array($result));
        echo "</table>";
        echo "</form>";
    }
    mysql_close($con);
}
?>
</body>
</html>
Result: visiting the page pops the alert; the injection succeeded.
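The two scripts above fail at different points: abc.php concatenates the query-string value into SQL (which is why the single-quote variant errors), and welcome.php echoes the stored value into HTML unencoded (which is where the script actually runs). The following is an added example, not code from the original post, showing both steps hardened in one script. It assumes the same local credentials and `yonghu` table, a PHP build with mysqlnd (needed for `get_result()`), and uses a hypothetical `store` query parameter for the insert path.

```php
<?php
// Added example (not the original post's code): the insert and the display
// step rewritten so the stored payload is kept as data and never rendered as markup.
// Assumes the post's `yonghu` table (id, username, password) and local credentials.

// Step 1: the insert with a bound parameter. The value is sent as data, so a
// quote in alert('1231') no longer breaks the SQL, and the <script> text is
// stored verbatim; storing it is harmless as long as output is encoded.
function store_password(mysqli $conn, string $value): bool {
    $stmt = $conn->prepare("INSERT INTO yonghu (username, password) VALUES ('John', ?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("s", $value);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// HTML-encode a value for an element body or attribute. ENT_QUOTES encodes both
// ' and ", so 234<script>alert("1231")</script> becomes
// 234&lt;script&gt;alert(&quot;1231&quot;)&lt;/script&gt; and is shown as text.
function h(?string $s): string {
    return htmlspecialchars((string)$s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Step 2: the lookup with the id bound as an integer, and every column encoded
// with h() at the moment it is written into the page.
function render_rows(mysqli $conn, int $id): string {
    $stmt = $conn->prepare("SELECT id, username, password FROM yonghu WHERE id = ?");
    if ($stmt === false) {
        return "<p>Query failed.</p>";
    }
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $result = $stmt->get_result(); // requires mysqlnd
    if ($result === false || $result->num_rows === 0) {
        $stmt->close();
        return "<p>No record found.</p>";
    }
    $out = "<table><tr><th>#</th><th>username</th><th>password</th><th>id</th></tr>";
    $n = 0;
    while ($row = $result->fetch_assoc()) {
        $n++;
        $out .= "<tr><td>" . $n . "</td>"
              . "<td>" . h($row['username']) . "</td>"
              . "<td>" . h($row['password']) . "</td>"
              . "<td>" . h($row['id']) . "</td></tr>";
    }
    $out .= "</table>";
    $stmt->close();
    return $out;
}

$conn = new mysqli("localhost", "root", "root", "test");
if ($conn->connect_error) {
    die("Connection failed: " . h($conn->connect_error));
}
$conn->set_charset("utf8mb4");

// `store` is a hypothetical parameter chosen for this example: ?store=<value> inserts,
// ?id=<number> displays. Error text is encoded too, so the failure path is not a
// reflected XSS the way the original "Error: " . $sql branch is.
if (isset($_GET['store'])) {
    echo store_password($conn, $_GET['store']) ? "ok" : "Error: " . h($conn->error);
} elseif (isset($_GET['id'])) {
    echo render_rows($conn, (int)$_GET['id']);
}
$conn->close();
?>
```

The two fixes are independent: the prepared statement stops the SQL error (and the SQL injection the concatenation also allows) but would still store the `<script>` text, while `h()` at output time is what prevents that text from executing. Encoding on output rather than on input is the design choice that keeps the stored data intact and covers every place the value is later rendered.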