HTML Injection - Stored
This is a stored vulnerability: the page has a message (blog entry) feature, so we can try for an XSS popup.
At level low
Enter <script>alert(/bee/)</script> and click submit; the statement is executed and the popup appears.
The user's cookie can be read the same way: <script>alert(document.cookie)</script>
From the source code I located the place where the data is stored
(I have already deleted it)
After reading the source, all three levels pass the entry through the sqli_check_3 function, which escapes characters for the SQL statement.
The following characters are affected:
\x00
\n
\r
\
'
"
\x1a
On success the function returns the escaped string; on failure it returns false.
When the level is set to medium, xss_check_4 is called for XSS protection:
function xss_check_4($data)
{
    // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
    // These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
    // Do NOT use this for XSS or HTML validations!!!
    return addslashes($data);
}
(Injection is not possible at either the medium or the high level)
When the level is set to high, xss_check_3 is called for XSS protection:
function xss_check_3($data, $encoding = "UTF-8")
{
    // htmlspecialchars - converts special characters to HTML entities
    // '&' (ampersand) becomes '&amp;'
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'
    return htmlspecialchars($data, ENT_QUOTES, $encoding);
}
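To make the difference between the two filters concrete, here is an added example (not code from the original post or from bWAPP itself) that runs the medium and high functions shown above over the post's two payloads and one constructed, harmless quoted string. addslashes only prefixes quotes, backslashes and NUL with a backslash, so both script payloads come back byte-for-byte unchanged and would still be parsed as a tag once the stored entry is echoed, which is exactly what the comment "Do NOT use this for XSS or HTML validations" warns about; htmlspecialchars with ENT_QUOTES rewrites < and > as &lt; and &gt;, so nothing in the entry is treated as markup on output. The still_markup and run_filter helpers and the input labels are my own additions.

```php
<?php
// Added example, not part of the original post or of bWAPP: feeds the post's
// two payloads (plus one constructed, harmless quoted string) through the
// medium and high filters shown above and reports whether raw markup survives.
// Assumes PHP 7.1 or newer (typed parameters, list destructuring in foreach).

// Medium level: bWAPP's xss_check_4 as shown above.
function xss_check_4($data)
{
    return addslashes($data);
}

// High level: bWAPP's xss_check_3 as shown above.
function xss_check_3($data, $encoding = "UTF-8")
{
    return htmlspecialchars($data, ENT_QUOTES, $encoding);
}

// Helper (mine): true when the filtered string still contains a raw '<', i.e.
// the browser would parse it as a tag once the stored entry is echoed.
function still_markup(string $filtered): bool
{
    return strpos($filtered, '<') !== false;
}

// Helper (mine): applies one filter to every input and returns
// [label => [filtered string, raw markup left?]].
function run_filter(callable $filter, array $inputs): array
{
    $out = [];
    foreach ($inputs as $label => $payload) {
        $filtered = $filter($payload);
        $out[$label] = [$filtered, still_markup($filtered)];
    }
    return $out;
}

// Inputs: the two payloads from the post, and a constructed benign string that
// contains the characters addslashes actually acts on (quotes and a backslash).
$inputs = [
    'alert(/bee/)'         => '<script>alert(/bee/)</script>',
    'alert(cookie)'        => '<script>alert(document.cookie)</script>',
    'quoted (constructed)' => 'It\'s a "test" \\ entry',
];

foreach (['medium' => 'xss_check_4', 'high' => 'xss_check_3'] as $level => $fn) {
    echo "== $level ($fn) ==\n";
    foreach (run_filter($fn, $inputs) as $label => [$filtered, $markup]) {
        printf("%-22s -> %-48s markup left: %s\n", $label, $filtered, $markup ? 'yes' : 'no');
    }
}
```

Run it with php from the command line. The sqli_check_3 escaping that all three levels apply protects the INSERT statement, not the page that later prints the entry; that is why the low level stores and renders the script tag intact even though the database query itself is escaped, and why output-side encoding such as htmlspecialchars is the control that matters for this bug class.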
Source: oschina
Link: https://my.oschina.net/u/4392886/blog/4331775