bWAPP--low--HTML Injection - Reflected (GET) _Reflect

上下观古今，起伏千万途。这篇文章主要讲述bWAPP--low--HTML Injection - Reflected (GET)相关的知识，希望能为你提供帮助。
html Injection - Reflected (GET)

【bWAPP--low--HTML Injection - Reflected (GET)】进入界面，

html标签注入

文章图片

这是核心代码

1 < div id="main"> 2 3< h1> HTML Injection - Reflected (GET)< /h1> 4 5< p> Enter your first and last name:< /p> 6 7< form action="< ?php echo($_SERVER["SCRIPT_NAME"]); ?> " method="GET"> 8 9< p> < label for="firstname"> First name:< /label> < br /> 10< input type="text" id="firstname" name="firstname"> < /p> //first name 框 11 12< p> < label for="lastname"> Last name:< /label> < br /> //last name 框 13< input type="text" id="lastname" name="lastname"> < /p> 14 15< button type="submit" name="form" value="https://www.songbingjia.com/android/submit"> Go< /button> //按钮标签 16 17< /form> 18 19< br /> 20< ?php 21 22if(isset($_GET["firstname"]) & & isset($_GET["lastname"]))//以GET方式获取表单传递的firstname和lastname，isset检测是否存在 23{ 24 25$firstname = $_GET["firstname"]; //接受参数 26$lastname = $_GET["lastname"]; 27 28if($firstname == "" or $lastname == "")//如果其中一个为空，显示下边内容 29{ 30 31echo "< font color=\\"red\\"> Please enter both fields...< /font> "; 32 33} 34 35else 36{ 37 38echo "Welcome " . htmli($firstname) . " " . htmli($lastname); 39 40} 41 42} 43 44?> 45 46 < /div>

过滤部分

1 function htmli($data) 2 { 3 4switch($_COOKIE["security_level"]) 5{ 6 7case "0" : 8 9$data = https://www.songbingjia.com/android/no_check($data); 10break; 11 12case"1" : 13 14$data = https://www.songbingjia.com/android/xss_check_1($data); 15break; 16 17case"2" : 18 19$data = https://www.songbingjia.com/android/xss_check_3($data); 20break; 21 22default : 23 24$data = no_check($data); 25break; ; 26 27} 28 29return $data; 30 31 } 32 33< label> Set your security level:< /label> < br /> 34 35< select name="security_level"> 36 37< option value="https://www.songbingjia.com/android/0"> low< /option> 38< option value="https://www.songbingjia.com/android/1"> medium< /option> 39< option value="https://www.songbingjia.com/android/2"> high< /option> 40 41< /select>

1.low级别

function no_check($data) {return $data; }

没有过滤

2.medium

1 function xss_check_1($data) 2 { 3 4// Converts only "< " and "> " to HTLM entities 5$input = str_replace("< ", "& lt; ", $data); 6$input = str_replace("> ", "& gt; ", $input); 7 8// Failure is an option 9// Bypasses double encoding attacks 10// < script> alert(0)< /script> 11// %3Cscript%3Ealert%280%29%3C%2Fscript%3E 12// %253Cscript%253Ealert%25280%2529%253C%252Fscript%253E 13$input = urldecode($input); 14 15return $input; 16 17 }

str_replace():对< ，> ，进行替换，

urldecode（）用于解码已编码的 URL 字符串，其原理就是把十六进制字符串转换为中文字符

也就是进行URL编码可以绕过过滤

文章图片

文章图片

3.high

1 function xss_check_3($data, $encoding = "UTF-8") 2 { 3 4// htmlspecialchars - converts special characters to HTML entities 5// \'& \' (ampersand) becomes \'& amp; \' 6// \'"\' (double quote) becomes \'& quot; \' when ENT_NOQUOTES is not set 7// "\'" (single quote) becomes \'& #039; \' (or & apos; ) only when ENT_QUOTES is set 8// \'< \' (less than) becomes \'& lt; \' 9// \'> \' (greater than) becomes \'& gt; \' 10 11return htmlspecialchars($data, ENT_QUOTES, $encoding); 12 13 }

htmlspecialchars() 函数把预定义的字符转换为 HTML 实体。
预定义的字符是：