2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. What is XSS
XSS attack, full name cross-site scripting: XSS is a computer security vulnerability in web applications that allows malicious web users to implant code into pages served to other users.
XSS attacks fall into two categories:
(1) Internal attacks, which mainly refer to constructing cross-site statements by exploiting vulnerabilities in the program itself.
(2) External attacks, which mainly refer to constructing web pages with XSS cross-site vulnerabilities, or finding web pages with cross-site vulnerabilities on computers other than the target.
For example, when we want to attack a site, we construct a web page with a cross-site vulnerability, then construct cross-site statements and, combined with other techniques such as social engineering, trick the administrator of the target server into opening it.
XSS can also be divided into stored and reflected types.
Stored XSS: persistent. The code is stored on the server, for example in personal information or in an article. If the input is not filtered, or is filtered loosely, the code is saved on the server. This kind of XSS is dangerous: it readily leads to worms and cookie theft (DOM XSS exists as well, but is grouped with stored XSS here).
Reflected XSS: non-persistent. The user must be tricked into clicking a link to trigger the XSS code (the server stores no such page or content). It commonly appears in search pages.
Start our experiment.
Low level
1. Construct our commonly used payload: alert(1)
A pop-up box appears. Do not stop at getting it to work; analyze the principle.
2. The source code can be viewed directly here by clicking View Source in the lower right corner.
There is a judgment statement in the source code: the array_key_exists() function checks whether the "name" key exists in $_GET, and then whether the value of $_GET['name'] is not empty. If these conditions are met, the output statement below is executed directly.
There is nothing special about this source code and no other processing functions: typical vulnerable XSS source code that can be attacked directly, so our payload works as-is.
Medium level
1. Try the first payload again and see what is different.
We find that the tags we entered have been filtered out, and we guess at the filtering function used. Since it filters this tag, let's construct a payload that does not use it.
2. Construct the payload:
Explanation:
The img tag adds a picture; src specifies the picture URL, and onerror is the event executed if an error occurs while the picture is loading.
Here our picture URL must be wrong, so that the pop-up event is guaranteed to execute.
Try our payload.
The pop-up appears, so we can see that only that one tag is filtered by the back-end processing.
3. Let's check the source code:
We can see that when the acquired name has a value, the str_replace() function replaces the tag in the name value with an empty string, then outputs the name value.
So our tags are filtered out when we use the low-level payload.
4. Note that this function is not perfect either, because it is case-sensitive. So if we capitalize the low-level payload, we can bypass its filter. Let's try.
Payload: alert(1)
The pop-up appears again; of course, there are many other ways around it.
To handle such a payload, it is best to add a strtolower() function in front, converting all characters of the passed name value to lowercase, so the tag is removed regardless of case. (This handles this one payload only.)
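To make the medium-level discussion concrete, here is an added example (not code from the original walkthrough or from DVWA) that models the filters described above in Python: the case-sensitive str_replace() filter, the strtolower() variant suggested in the text, and output encoding equivalent to PHP's htmlspecialchars(). The three sample inputs are constructed from the payloads the text describes; still_executable() is a hypothetical helper that only checks whether a raw tag survives.

```python
import html
import re

# Constructed sample inputs modelled on the walkthrough: the script-tag payload,
# its upper-case variant, and the img/onerror variant used at the medium level.
SAMPLES = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<img src=x onerror=alert(1)>",
]

def low_filter(name: str) -> str:
    """Low level: the name is output without any processing."""
    return name

def medium_filter(name: str) -> str:
    """Medium level: str_replace('<script>', '', $name).
    Case-sensitive and only removes one literal string."""
    return name.replace("<script>", "")

def lowercase_then_filter(name: str) -> str:
    """The strtolower() suggestion from the text: normalise case first,
    then strip the literal tag. Still a blacklist of a single string,
    and it also changes the displayed value of every legitimate name."""
    return name.lower().replace("<script>", "")

def encode_output(name: str) -> str:
    """Output encoding, as htmlspecialchars($name, ENT_QUOTES) does in PHP:
    the input is never interpreted as markup, whatever tag it contains."""
    return html.escape(name, quote=True)

def still_executable(rendered: str) -> bool:
    """Hypothetical helper: does the rendered string still contain a raw
    script or img tag that the browser would parse as an element?"""
    return re.search(r"<\s*(script|img)\b", rendered, re.IGNORECASE) is not None

def evaluate(filter_fn):
    """Apply a filter to every sample; True means raw markup survived."""
    return {s: still_executable(filter_fn(s)) for s in SAMPLES}
```

Running evaluate() on each filter shows that only encode_output() neutralises all three samples; the blacklists each leave at least one raw tag in the page.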
High level
1. When we enter a payload with tags, it is filtered out regardless of case. Why? Let's take a look at the source code:
This uses the preg_replace() function, which contains