I have a PHP AJAX website and found a possible XSS in the AJAX library. Please find the request and response below. The rsargs[] parameter accepts any script or value, so it is vulnerable. Tried so far: HTML encoding - did not work, because it trimmed my content.
In the example below, the application serves a file from the Windows directory.
Request:
POST /Weblogin.php HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: https://xxx.xx.xx.xx/Code/weblogin.php
Accept: application/json, text/javascript, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: 172.25.152.91
Content-Length: 144
Connection: Keep-Alive
Cache-Control: no-cache
rs=GetWaitTime&rst=&rsrnd=1395815006191&rsobj=&rsargs[]=37091&rsargs[]=42lqd7b000&rsargs[]=../../../../../../../../../../windows/setupact.log%00
Response:
HTTP/1.0 200 OK
Date: Wed, 26 Mar 2014 06:39:30 GMT
Server: Apache/2.2.12 (Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0
X-Powered-By: PHP/5.3.0
Connection: close
Content-Type: text/html
dispci.dll: ============BEGIN DisplayClassInstaller============
dispci.dll: ============BEGIN OnSelectBestCompatDrv============
dispci.dll: ============END OnSelectBestCompatDrv==============
dispci.dll: DisplayClassInstaller: Returning 0xe000020e for DIF 0x17 and device PCI\VEN_1002&DEV_515E&SUBSYS_01E61028&REV_02\4&1FC3087&0&28F0
dispci.dll: ============END DisplayClassInstaller==============
dispci.dll: ============BEGIN DisplayClassInstaller============
dispci.dll: ============BEGIN OnDestroyPrivateData============
dispci.dll: ============END OnDestroyPrivateData==============
<br />
<b>Fatal error</b>: Call to undefined function get_wait_time() in <b>C:\xampp\htdocs\Code\functions\Parent Functions\GetWaitTime.php</b> on line <b>11</b><br />
Answer 0 (score: 1)
This is not an XSS vulnerability but Path Traversal. It looks like you are using one of the parameters to construct a file path and then read that file. You should validate the user input used in constructing the file path, rather than HTML-encoding it. You can consult the OWASP Guide to protect your application.
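One way to implement the validation the answer recommends, added here as an example; it is not code from the question's site or from the answer. It assumes the legitimately servable files live under a single base directory ($baseDir) and that the AJAX handler passes one file name from rsargs[] (which index holds the file name is an assumption); the function name safe_read_file and the directory paths are hypothetical. It is written without PHP 7 type declarations so it also runs on the PHP 5.3 build shown in the response headers.

```php
<?php
// Added example, not part of the original question or answer.
// Hardened file-serving helper: validates a user-supplied file name
// before reading it, instead of HTML-encoding it.

/**
 * Returns the contents of $userFile under $baseDir, or null if the
 * request is rejected.
 */
function safe_read_file($baseDir, $userFile)
{
    // Reject embedded null bytes explicitly. PHP before 5.3.4 truncated
    // file paths at "\0", so "x.log\0.txt" could open a different file.
    if (strpos($userFile, "\0") !== false) {
        return null;
    }

    // Allow-list the characters a file name may contain. No slashes,
    // backslashes or dots outside the extension means no directory
    // component at all, so ".." sequences never reach the filesystem.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.(txt|log)$/', $userFile)) {
        return null;
    }

    // Canonicalise both paths and confirm the target still lies under
    // the base directory after symlink and ".." resolution.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $userFile);
    if ($base === false || $target === false) {
        return null; // base directory missing or file does not exist
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved path escaped the base directory
    }

    return file_get_contents($target);
}

// Usage inside the AJAX handler (constructed example; the index into
// rsargs and the data directory are assumptions):
$args = isset($_POST['rsargs']) && is_array($_POST['rsargs']) ? $_POST['rsargs'] : array();
$name = isset($args[2]) ? $args[2] : '';
$content = safe_read_file('C:/xampp/htdocs/Code/data', $name);
if ($content === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid file');
}
header('Content-Type: text/plain');
echo $content;
```

The allow-list check and the realpath check are deliberately redundant: the regular expression rejects bad names cheaply and gives a clear error, while the realpath comparison catches anything the pattern might let through (for example a symlink inside the data directory pointing elsewhere). Rejecting with an HTTP 400 rather than echoing the raw path also keeps the response from leaking server-side directory layout.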