
How to solve the loophole caused by misuse of html entities function

2025-01-17 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)05/31 Report--

This article explains how to resolve the vulnerabilities caused by misuse of the htmlentities function. The explanation is detailed and easy to follow, and the steps are simple and quick; it should be of some reference value, and I believe everyone will take something away from it. Let's take a look.

The challenge code is as follows:

Vulnerability analysis:

Judging from the challenge name, this should be an XSS vulnerability, and the trigger point should be lines 13-14 of the code, whose purpose is to output an HTML tag directly. Lines 3-5, the foreach loop, process the parameters passed in through $_GET, but there is a problem. Look at line 4: it casts $value to int, yet only the $value variable is handled, not the $key variable. After the processing in lines 3-5, the key=value pairs are joined with the & symbol and then concatenated into the echo statement on line 13, where the output is passed through the htmlentities function once more. In essence, htmlentities encodes special symbols as HTML entities. It is defined as follows:

htmlentities - Convert all applicable characters to HTML entities

string htmlentities ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )

Function: when writing PHP code, HTML special characters cannot safely be written into output strings as they are, so PHP provides the function htmlentities() to convert HTML special characters into their entity form.

Note: htmlentities() does not convert every special character: it converts the special characters other than the space, and whether single and double quotes are converted is controlled separately, through the second parameter. The second parameter has the following three values:

ENT_COMPAT (default): Convert only double quotes.

ENT_QUOTES: Both quotes are converted.

ENT_NOQUOTES: Neither quotation mark is converted.

Attached here is a list of useful character entities in HTML

With the analysis above in mind, let's return to the challenge and think about how to construct an attack payload. First, let's sort out what is already known:

The $query parameter here is controllable.

The htmlentities call here cannot escape single quotes (the default ENT_COMPAT flag converts only double quotes).

The XSS trigger point is inside the tag.

Inside the tag, JavaScript can be executed through event attributes such as onclick, so the final PoC is constructed as follows:

/?a'onclick%3dalert(1)%2f%2f=c
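The following is an added example, not the challenge's own code. It reconstructs the pattern described in the analysis (every $_GET value is cast to int, the pairs are re-joined with &, and the result is echoed into a tag attribute through htmlentities) and shows the effect of the three flag values on the same string. The single-quoted href attribute and the function names are assumptions. One fact to keep in mind when reproducing this: the page's statement that ENT_COMPAT is the default holds for PHP before 8.1; from PHP 8.1 the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so the example passes the flag explicitly.

```php
<?php
// Added example; not the challenge's original code. Function names, the
// single-quoted href attribute and the sample input are assumptions.

// Effect of the second parameter on a string holding both kinds of quote.
function compare_flags(string $s): array
{
    return [
        'ENT_COMPAT'   => htmlentities($s, ENT_COMPAT),    // only " is converted
        'ENT_QUOTES'   => htmlentities($s, ENT_QUOTES),    // " and ' are converted
        'ENT_NOQUOTES' => htmlentities($s, ENT_NOQUOTES),  // neither is converted
    ];
}

// Vulnerable variant, as the analysis describes it: only the value is cast,
// the key is never touched, and the output is encoded with ENT_COMPAT
// (passed explicitly here because it was the default only before PHP 8.1).
function build_link_vulnerable(array $get): string
{
    $pairs = [];
    foreach ($get as $key => $value) {
        $pairs[] = $key . '=' . (int) $value;   // $key reaches the output unchanged
    }
    $query = implode('&', $pairs);
    return "<a href='/?" . htmlentities($query, ENT_COMPAT) . "'>link</a>";
}

// Fixed variant: ENT_QUOTES encodes the single quote as &#039;, so the
// attribute can no longer be closed early. (Validating $key against an
// allow-list of identifier characters would be a sensible second layer.)
function build_link_fixed(array $get): string
{
    $pairs = [];
    foreach ($get as $key => $value) {
        $pairs[] = $key . '=' . (int) $value;
    }
    $query = implode('&', $pairs);
    return "<a href='/?" . htmlentities($query, ENT_QUOTES, 'UTF-8') . "'>link</a>";
}

foreach (compare_flags("<a href=\"x\" title='y'>") as $flag => $out) {
    printf("%-13s %s\n", $flag, $out);
}
// ENT_COMPAT    &lt;a href=&quot;x&quot; title='y'&gt;
// ENT_QUOTES    &lt;a href=&quot;x&quot; title=&#039;y&#039;&gt;
// ENT_NOQUOTES  &lt;a href="x" title='y'&gt;

// Constructed $_GET, as PHP decodes the request /?a'onclick%3dalert(1)%2f%2f=c:
// the key is everything before the first '=', URL-decoded; the value 'c' casts to 0.
$get = ["a'onclick=alert(1)//" => 'c'];

echo build_link_vulnerable($get), PHP_EOL;
// <a href='/?a'onclick=alert(1)//=0'>link</a>       the ' closes href, onclick becomes an attribute
echo build_link_fixed($get), PHP_EOL;
// <a href='/?a&#039;onclick=alert(1)//=0'>link</a>  the ' is an entity, the attribute stays intact
```

The vulnerable output makes the root cause visible: the cast protects only the value side of each pair, and the quote character that does the damage is exactly the one ENT_COMPAT leaves alone. Run it under PHP 7.x to see the pre-8.1 behaviour the article analyses; under 8.1 or later, omitting the flag would already give the ENT_QUOTES result.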

example analysis

This case study looks at the SQL injection vulnerability in the DM enterprise website-building system v201710. First, some relevant information can be found on CNVD, as follows:

The vulnerability advisory gives some useful information: the vulnerability is located in the login function. During installation, the system states that the back-end login entry is the admindm-yourname/g.php file. Opening this file shows that it redirects to the admindm-yournamemod_common/login.php file, so the vulnerability trigger point should be in that file.

Opening admindm-yournamemod_common/login.php, the vulnerable location is visible at a glance; the relevant part of the code is excerpted below:

Line 15 clearly contains an SQL injection vulnerability: the value is concatenated directly into the SELECT statement. The $user variable on line 15 is submitted via POST and is attacker-controllable. But line 3 of the image above calls htmlentitiesdm to process the POST data, so we follow htmlentitiesdm to its definition. The function is located in the component/dm-config/global.common.php file, and the key code is as follows:

This function calls htmlentities to process the input data. The use of this function was introduced above; here its optional flag parameter is ENT_NOQUOTES, which means that neither kind of quotation mark is converted. Let's look at a small example:

My guess is that the developer had the XSS problem in mind, but because of the flag chosen for htmlentities, a single quote can be introduced here and cause an injection problem.

Let's see how the latest version fixes it, using Beyond Compare to diff the two versions of the code.

In the fixed version, the optional parameter is changed to ENT_QUOTES, which converts both single and double quotation marks. The following example makes the effect of this parameter easy to see.

vulnerability verification

Because nothing is echoed back here, this is blind injection. The verification screenshot:

bug fixes

When using the htmlentities function, we recommend always supplying the optional flags parameter explicitly, and choosing ENT_QUOTES.

Compare the effect before and after the fix:
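The following is an added example, not code from the DM website-building system. The two wrapper functions imitate the behaviour the analysis attributes to htmlentitiesdm (old version: ENT_NOQUOTES; fixed version: ENT_QUOTES), and the query template reconstructs the concatenation the article describes on line 15; the function names, the query text and the PDO lookup are assumptions. The input is deliberately a legitimate name containing an apostrophe, which is enough to show why the quote matters.

```php
<?php
// Added example; not the project's own code. Names, the query template and
// the sample input are assumptions.

// What the old htmlentitiesdm is described as doing: neither quote converted.
function sanitize_old(string $s): string
{
    return htmlentities($s, ENT_NOQUOTES);
}

// What the fixed version is described as doing: both quotes converted.
function sanitize_fixed(string $s): string
{
    return htmlentities($s, ENT_QUOTES);
}

// The login query built by string concatenation, as on line 15 of the excerpt.
function build_login_sql(string $user): string
{
    return "SELECT * FROM users WHERE name='" . $user . "'";
}

// Constructed input: an ordinary name that happens to contain a single quote.
$user = "O'Brien";

echo build_login_sql(sanitize_old($user)), PHP_EOL;
// SELECT * FROM users WHERE name='O'Brien'
//   the quote reaches the SQL text unchanged and terminates the string literal early
echo build_login_sql(sanitize_fixed($user)), PHP_EOL;
// SELECT * FROM users WHERE name='O&#039;Brien'
//   the quote is now an entity, so the literal stays intact; note that the value
//   being compared has changed, so names must be stored in the same encoded form

// The robust fix keeps user input out of the SQL text altogether: with a
// prepared statement the quote is just data. Assumes an existing PDO handle.
function find_user(PDO $pdo, string $user): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The ENT_QUOTES change is the fix the vendor shipped and it does close the hole the article found, but it works by altering the data: an apostrophe in a name is stored and compared as &#039;. Encoding for HTML output and escaping for SQL are different jobs, which is why the prepared statement at the end is the form to prefer for the query itself, with htmlentities reserved for the moment the value is rendered into a page.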

conclusion

After reading the analysis above, I hope you have a deeper understanding of the problems that can arise when using the htmlentities function. The code used in this article can be downloaded from here. Of course, if there is anything improper in this article, please point it out. If you are interested in our project, please contact us at hongrisec@gmail.com. The Day12 analysis article is here. Finally, we leave a CTF challenge for everyone to practise on. The challenge is as follows:

# Host: localhost (Version: 5.5.53)
# Date: 2018-08-05 12:55:29
# Generator: MySQL-Front 5.3 (Build 4.234)

/*!40101 SET NAMES utf8 */;

#
# Structure for table "users"
#

DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
  `Id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(255) DEFAULT NULL,
  `pass` varchar(255) DEFAULT NULL,
  `flag` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`Id`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;

#
# Data for table "users"
#

/*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES (1,'admin','qwer!@# zxca','hrctf{sql_Inject1on_Is_1nterEst1ng}');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
