bWAPP----HTML Injection - Stored (Blog)

莫道桑榆晚,为霞尚满天。这篇文章主要讲述bWAPP----HTML Injection - Stored (Blog)相关的知识,希望能为你提供帮助。
html Injection - Stored (Blog)界面
 

bWAPP----HTML Injection - Stored (Blog)

文章图片

 
 
1 < div id="main"> 2 3< h1> HTML Injection - Stored (Blog)< /h1> 4 5< form action="< ?php echo($_SERVER["SCRIPT_NAME"]); ?> " method="POST"> 6 7< table> 8 9< tr> 10 11< td colspan="6"> < p> < textarea name="entry" id="entry" cols="80" rows="3"> < /textarea> < /p> < /td> 12 13< /tr> 14 15< tr> 16 17< td width="79" align="left"> 18 19< button type="submit" name="blog" value="https://www.songbingjia.com/android/submit"> Submit< /button> 20 21< /td> 22 23< td width="85" align="center"> 24 25< label for="entry_add"> Add:< /label> 26< input type="checkbox" id="entry_add" name="entry_add" value="" checked="on"> 27 28< /td> 29 30< td width="100" align="center"> 31 32< label for="entry_all"> Show all:< /label> 33< input type="checkbox" id="entry_all" name="entry_all" value=""> 34 35< /td> 36 37< td width="106" align="center"> 38 39< label for="entry_delete"> Delete:< /label> 40< input type="checkbox" id="entry_delete" name="entry_delete" value=""> 41 42< /td> 43 44< td width="7"> < /td> 45 46< td align="left"> < ?php echo $message; ?> < /td> 47 48< /tr> 49 50< /table> 51 52< /form> 53 54< br /> 55 56< table id="table_yellow"> 57 58< tr height="30" bgcolor="#ffb717" align="center"> 59 60< td width="20"> #< /td> 61< td width="100"> < b> Owner< /b> < /td> 62< td width="100"> < b> Date< /b> < /td> 63< td width="445"> < b> Entry< /b> < /td> 64 65< /tr> 66
// 上面是html,下面开始是PHP源码
67 < ?php 68 69 // Selects all the records 70 71 $entry_all = isset($_POST["entry_all"]) ? 1 : 0; 72 73 if($entry_all == false) 74 { 75 76$sql = "SELECT * FROM blog WHERE owner = \'" . $_SESSION["login"] . "\'"; 77 78 } 79 80 else 81 { 82 83$sql = "SELECT * FROM blog"; 84 85 } 86 87 $recordset = $link-> query($sql); 88 89 if(!$recordset) 90 { 91 92// die("Error: " . $link-> connect_error . "< br /> < br /> "); 93 94 ?> 95< tr height="50"> 96 97< td colspan="4" width="665"> < ?php die("Error: " . $link-> error); ?> < /td> 98< !-- 99< td> < /td> 100< td> < /td> 101< td> < /td> 102--> 103 104< /tr> 105 106 < ?php 107 108 } 109 110 while($row = $recordset-> fetch_object()) 111 { 112 113if($_COOKIE["security_level"] == "1" or $_COOKIE["security_level"] == "2") 114{ 115 116 ?> 117< tr height="40"> 118 119< td align="center"> < ?php echo $row-> id; ?> < /td> 120< td> < ?php echo $row-> owner; ?> < /td> 121< td> < ?php echo $row-> date; ?> < /td> 122< td> < ?php echo xss_check_3($row-> entry); ?> < /td> 123 124< /tr> 125 126 < ?php 127 128} 129 130else 131{ 132 133 ?> 134< tr height="40"> 135 136< td align="center"> < ?php echo $row-> id; ?> < /td> 137< td> < ?php echo $row-> owner; ?> < /td> 138< td> < ?php echo $row-> date; ?> < /td> 139< td> < ?php echo $row-> entry; ?> < /td> 140 141< /tr> 142 143 < ?php 144 145} 146 147 } 148 149 $recordset-> close(); 150 151 $link-> close(); 152 153 ?> 154< /table> 155 156 < /div>

感觉防护代码这有点问题,我没看明白
1 function htmli($data) 2 { 3 4include("connect_i.php"); //链接数据库 5 6switch($_COOKIE["security_level"])//检测级别在cookie里 7{ 8 9case "0" : 10 11$data = https://www.songbingjia.com/android/sqli_check_3($link, $data); 12break; 13 14case"1" : 15 16$data = https://www.songbingjia.com/android/sqli_check_3($link, $data); 17// $data = xss_check_4($data); 18break; 19 20case"2" : 21 22$data = https://www.songbingjia.com/android/sqli_check_3($link, $data); 23// $data = xss_check_3($data); 24break; 25 26default : 27 28$data = sqli_check_3($link, $data); 29break; 30 31}

无论case是几,执行的都是
sqli_check_3()进行过滤
sqli_check_3()的定义是
 
应该把xss的防御加在这里
1 function sqli_check_3($link, $data) 2 { 3 4return mysqli_real_escape_string($link, $data); 5 6 }

mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符。
下列字符受影响:
  • \\x00
  • \\n
  • \\r
  • \\
  • \'
  • "
  • \\x1a
如果成功,则该函数返回被转义的字符串。如果失败,则返回 false。
 
1.low
级别同时不进行保护
 
2.medium
xss_check_4进行防xss保护 函数功能为
function xss_check_4($data) { // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc. // These characters are single quote (\'), double quote ("), backslash (\\) and NUL (the NULL byte). // Do NOT use this for XSS or HTML validations!!! return addslashes($data); }

在预定义字符前加反斜杠
预定义字符是:
  • 单引号(\')
  • 双引号(")
  • 反斜杠(\\)
  • NULL
3.high
xss_check_3功能  
1 function xss_check_3($data, $encoding = "UTF-8") 2 { 3 4// htmlspecialchars - converts special characters to HTML entities 5// \'& \' (ampersand) becomes \'& amp; \' 6// \'"\' (double quote) becomes \'& quot; \' when ENT_NOQUOTES is not set 7// "\'" (single quote) becomes \'& #039; \' (or & apos; ) only when ENT_QUOTES is set 8// \'< \' (less than) becomes \'& lt; \' 9// \'> \' (greater than) becomes \'& gt; \' 10 11return htmlspecialchars($data, ENT_QUOTES, $encoding); 12 13 }

 
【bWAPP----HTML Injection - Stored (Blog)】  htmlspecialchars()功能,将部分字符转化为html字符

    推荐阅读