3, DVWA in detail: Stored XSS

Creation time: 21:56:10, May 16, 2022
Author: Xia Xiaohuang

Storage location: backend database
Insertion point: HTML

  • Definition:

The attacker uploads or stores malicious JS code directly on the vulnerable server. When other users browse the page, the site reads the illegal data stored by the malicious user from the database and the malicious code executes in the victim's browser. Persistent XSS often appears in message boards, comment sections, blogs and other interactive parts of websites.

  • Characteristic:

The cross-site script executes without the user having to click a specific URL.

  • Exploitation method:

Store the malicious code directly on the server; any user who visits the page is affected.
XSS worms.

  • Summary:

Stored XSS (message boards, forum posts, product reviews, private messages, blog posts, etc.) tends to appear wherever there is user interaction and the user is able to save data.

1, Stored Low level:

  1. When we open this level, we first audit the code:
<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = stripslashes( $message );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Sanitize name input
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}

?> 
---------------------------------------------------------------------------------------
$_POST: in PHP, the predefined $_POST variable is used to collect the values of a form sent with method="post".

isset(): detects whether a variable is set (and not null); the function returns a Boolean, true/false.
trim(): removes white space or other predefined characters from both ends of a string, including \0, \t, \n, \x0B, \r and spaces; the optional charlist parameter lets you add extra characters to be removed.
stripslashes(): removes backslashes from a string.
is_object(): detects whether a variable is an object.
$GLOBALS: references all variables available in the global scope. PHP stores every global variable in the array $GLOBALS[index], where the variable name is the key, so a global can be accessed anywhere in the script (including inside functions or methods).
trigger_error(): generates a user-defined error message under a condition you specify; it works with the built-in error handler or with a user-defined handler set by set_error_handler().
SQL INSERT INTO: inserts a new record into a table. This code uses the second form, which names the columns and the values to insert.
mysqli_query(): executes a query against the database.
mysqli_real_escape_string(): escapes the special characters in a string (\x00, \n, \r, \, ', ", \x1a) so they are safe inside an SQL string literal. In this code the message and name input values receive no XSS filtering or checking at all; they are simply inserted into the database through the query statement, so there is a stored XSS vulnerability.
  2. What the code does:
  • First it checks the input and receives the form data submitted by the front end with method="post"
  • The received data is trimmed once to strip the whitespace around the submitted values
  • The stripslashes(string) function is not applied to 'txtName'
  • For 'mtxMessage', stripslashes(string) removes backslashes from the submitted data; then mysqli_real_escape_string() escapes both name and message, which is generally done to prevent SQL injection
  • The data is then written into the database with the INSERT statement
  • Next, we insert malicious code into the name box. The input box has a length restriction (maxlength); one way around it is to modify the request body while capturing the packet with Burp Suite, the other is to change maxlength directly in the browser console. Submitting the payload triggers the XSS, as shown in the figure below
  • <script>alert(document.cookie)</script>

2, Stored Medium level:

  1. Same routine as before: when we open the level, we first review the code:
<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = strip_tags( addslashes( $message ) );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = str_replace( '<script>', '', $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}

?> 
---------------------------------------------------------------------------------------
strip_tags(): strips HTML, XML and PHP tags from a string. It always strips HTML comments; this cannot be changed through the allowable_tags parameter.
addslashes(): returns the string with a backslash added before each predefined character (single quote, double quote, backslash, NUL).
As you can see, because the message parameter goes through the htmlspecialchars function, XSS code can no longer be injected through message. For the name parameter, however, only the literal string <script> is removed, so stored XSS is still possible through name.
htmlspecialchars(string): converts the predefined characters "<" (less than), ">" (greater than), "&", "'" and '"' into HTML entities so the browser will not treat them as HTML elements (the single quote is only converted when the ENT_QUOTES flag is set, which is the default from PHP 8.1 onwards).
  2. Double-write bypass
  • Capture the request with Burp Suite and change the name parameter to:
  • <sc<script>ript>alert(/xss/)</script>

  3. Case-confusion bypass
  • Capture the request with Burp Suite and change the name parameter to <ScRipt>alert(/xss/)</ScRipt>:

  4. XSS payload using a non-script tag, for example the img tag:
  • Capture the request with Burp Suite and change the name parameter to <img src=1 onerror=alert(/xss/)>

  • There are many other tags and attributes that can be used in the same way
  • After modifying the data and forwarding the captured packet, the alert window pops up successfully:

3, Stored High level:

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = strip_tags( addslashes( $message ) );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}

?> 
------------------------------------------------------------------------------------------------------------------------
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
As you can see, a regular expression is used here to filter out the <script> tag (case-insensitively, and even when characters are inserted between the letters), but it ignores img, iframe and other dangerous tags, so the name parameter still has stored XSS.
  • Capture the request with Burp Suite and change the name parameter to <img src=1 onerror=alert(/xss/)>:
  • After forwarding, the alert window pops up successfully:
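To see why the Low, Medium and High name filters fail while the htmlspecialchars() used by the Impossible level holds, here is an added example (written for this write-up, not DVWA's own code) that runs the four payloads quoted above through a stand-alone copy of each filter and reports whether a tag opener survives. Because mysqli_real_escape_string() needs a live database connection, addslashes() stands in for it here (an assumption made for the demo; both only protect the SQL string literal). The helper names name_filter_low, name_filter_medium, name_filter_high, encode_for_html and still_contains_tag are hypothetical.

```php
<?php
// Added example (not DVWA code): compare the three DVWA name filters with
// context-aware HTML encoding. addslashes() stands in for
// mysqli_real_escape_string() (assumption: no DB connection available);
// neither touches '<', '>' or '=', which is why SQL escaping does nothing
// against XSS.

function name_filter_low(string $name): string {
    return addslashes($name);                       // SQL-escape only
}

function name_filter_medium(string $name): string {
    // Literal, single-pass, case-sensitive removal of one exact string.
    $name = str_replace('<script>', '', $name);
    return addslashes($name);
}

function name_filter_high(string $name): string {
    // Removes anything that looks like "<...s...c...r...i...p...t", but
    // only that tag name; every other tag and event handler passes through.
    $name = preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name);
    return addslashes($name);
}

// The control the Impossible level relies on: turn markup into inert entities.
function encode_for_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Crude check used only for this demo: a '<' followed by a letter is where
// an HTML parser starts a tag, so its presence means the value is still live markup.
function still_contains_tag(string $stored): bool {
    return (bool) preg_match('/<[a-z]/i', $stored);
}

// The payloads are the ones quoted in the write-up above.
$payloads = [
    'plain script'   => '<script>alert(document.cookie)</script>',
    'double write'   => '<sc<script>ript>alert(/xss/)</script>',
    'case confusion' => '<ScRipt>alert(/xss/)</ScRipt>',
    'img onerror'    => '<img src=1 onerror=alert(/xss/)>',
];

$filters = [
    'low'         => 'name_filter_low',
    'medium'      => 'name_filter_medium',
    'high'        => 'name_filter_high',
    'html-encode' => 'encode_for_html',
];

foreach ($payloads as $label => $payload) {
    printf("%-16s", $label);
    foreach ($filters as $filterName => $fn) {
        $stored = $fn($payload);
        printf("  %s=%s", $filterName, still_contains_tag($stored) ? 'UNSAFE' : 'ok');
    }
    echo PHP_EOL;
}
```

Run it with `php filters.php`. The table it prints matches the write-up: every payload passes the Low filter, the nested and mixed-case payloads pass the Medium filter, the img payload passes the High filter, and nothing passes the HTML-encoding column. The lesson for a defender is that each blacklist only removes the one pattern its author thought of, whereas encoding at the HTML boundary neutralises the whole character class the browser uses to start a tag.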

4, Stored Impossible level:

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = stripslashes( $message );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = stripslashes( $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $name = htmlspecialchars( $name );

    // Update database
    $data = $db->prepare( 'INSERT INTO guestbook ( comment, name ) VALUES ( :message, :name );' );
    $data->bindParam( ':message', $message, PDO::PARAM_STR );
    $data->bindParam( ':name', $name, PDO::PARAM_STR );
    $data->execute();
}

// Generate Anti-CSRF token
generateSessionToken();

?> 
----------------------------------------------------------------------------------------
As you can see, the htmlspecialchars function escapes the special characters into HTML entities, and the mysqli_real_escape_string function escapes the single quote to prevent SQL injection, which completely prevents stored XSS from being exploited.
  • This time the Impossible level also filters the name parameter more strictly than the High level, so the name parameter can no longer be used for an XSS attack. In addition, an anti-CSRF token is checked to prevent CSRF attacks, eliminating both the XSS and the CSRF vulnerability.
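As an added example that is not DVWA's code, the following script shows the three controls the Impossible level relies on in a form that runs stand-alone: a CSRF token generated with random_bytes() and checked with hash_equals() (the internals of DVWA's checkToken()/generateSessionToken() are not shown on this page, so these are assumed replacements), a PDO prepared statement (an in-memory SQLite database is assumed, so no MySQL server is needed), and htmlspecialchars() applied at the HTML boundary. The function names generate_csrf_token, check_csrf_token, store_entry and render_entries, and the simulated request and session arrays, are constructed for the demo.

```php
<?php
// Added example (not DVWA code): CSRF token + prepared statement + output
// encoding, runnable without a web server or MySQL.
// Assumption: the pdo_sqlite extension is loaded.

function generate_csrf_token(array &$session): string {
    // 256 bits from the CSPRNG, stored server-side in the session.
    $session['session_token'] = bin2hex(random_bytes(32));
    return $session['session_token'];
}

function check_csrf_token(?string $submitted, array $session): bool {
    if (!isset($session['session_token']) || $submitted === null) {
        return false;
    }
    // Constant-time comparison so the token cannot be guessed byte by byte.
    return hash_equals($session['session_token'], $submitted);
}

function store_entry(PDO $db, string $name, string $message): void {
    // Parameter binding keeps the data out of the SQL text, so quotes in
    // $name or $message can never terminate the string literal.
    $stmt = $db->prepare('INSERT INTO guestbook (comment, name) VALUES (:message, :name)');
    $stmt->bindValue(':message', $message, PDO::PARAM_STR);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
}

function render_entries(PDO $db): string {
    // Encode when writing into HTML: '<', '>', '&', '"' and "'" become
    // entities, so stored markup is displayed as text and never parsed as a tag.
    $html = '';
    foreach ($db->query('SELECT name, comment FROM guestbook ORDER BY rowid') as $row) {
        $html .= '<p>Name: '
              . htmlspecialchars($row['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
              . '<br>Message: '
              . htmlspecialchars($row['comment'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
              . '</p>' . PHP_EOL;
    }
    return $html;
}

// Simulated session and request, constructed for the demo.
$session = [];
$token   = generate_csrf_token($session);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guestbook (comment TEXT, name TEXT)');

$post = [
    'user_token' => $token,
    'txtName'    => '<img src=1 onerror=alert(/xss/)>',
    'mtxMessage' => "O'Brien said \"hi\" <script>alert(document.cookie)</script>",
];

if (!check_csrf_token($post['user_token'], $session)) {
    exit('CSRF token mismatch' . PHP_EOL);
}
store_entry($db, trim($post['txtName']), trim($post['mtxMessage']));
echo render_entries($db);
```

Note one deliberate difference from DVWA: the Impossible level calls htmlspecialchars() before storing, while this example stores the raw value and encodes when rendering. Both stop the stored payloads from executing on the guestbook page; encoding at render time keeps the stored value usable in other contexts (a JSON API, an e-mail) where HTML entities would be wrong, and makes the guestbook template the single place that guarantees the output is inert.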

5, Reference link:

https://www.runoob.com/sql/sql-insert.html
https://www.runoob.com/php/func-mysqli-query.html

https://www.w3school.com.cn/php/func_string_strip_tags.asp

Tags: PHP Web Security xss System Safety

Posted by abda53 on Sun, 22 May 2022 22:15:47 +0300