DVWA: Stored XSS

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Low level

At this level, the name and message entered in the form are stored in the database and then displayed back on the page.

As before, we enter a name, put our payload in the message field, and check whether it executes.

The pop-up appears. Our payload has now been stored in the database.

Let's confirm that it really is in the database.

The record in the third row is our payload, stored exactly as typed, with no filtering at all.

Because it is stored, the pop-up appears every time the page is visited; refreshing the page confirms this.

To understand why, look at the source code.

trim() removes whitespace from both ends of a string.

stripslashes() removes backslashes from a string.

mysqli_real_escape_string() escapes the characters that are special in an SQL statement.

From the source, name and message are only processed to prevent SQL injection; nothing is done to neutralise them for HTML output.

Special characters are escaped when the string is written to the database, but that escaping only protects the INSERT statement: MySQL stores the original characters, and when the page reads the record back and echoes it into the HTML, the tags are just as active as when they were typed. SQL escaping and HTML output encoding are different problems.

Medium level

At this level we test in the same way.

A pop-up appears, but it shows 1, because the payload stored at the low level is still in the database. Our new input, however, was turned into alert(2): the tags were filtered out.

Look at the database to see what was stored.

The fourth row shows that the tags were clearly stripped.

Look at the source code to analyse the filtering.

strip_tags() removes HTML tags.

htmlspecialchars() converts predefined characters into HTML entities.

str_replace() replaces a given substring with another, here with the empty string. Its weakness is that the match is case-sensitive.

So the message value has its tags stripped and its predefined characters converted to entities, while the name value only has the literal string <script> removed by str_replace().

Attacking through message is difficult, but name is a different story: because only the lowercase <script> is removed, capitalising one or more letters of the tag in the payload is enough for it to survive.

But the name field only accepts a few characters. What to do?

Inspect the element and change the maxlength attribute to 100. This limit is enforced only by the browser, so the same result is achieved by sending the POST request directly.

Now the full payload can be typed, and the box pops up.

Having bypassed the filter, look at the database.

The payload is stored under name.

High level

Testing with the methods from the previous two levels, neither succeeds. Let's look at the source code.

Compared with medium, this code adds one more filter on name: preg_replace() with a regular expression. The pattern matches case-insensitively and allows arbitrary characters between the letters of "script", so the case change and the inserted-character tricks no longer get past it.

This filter is good against the script tag, but it can still be bypassed with a payload that is not built on the script tag at all, unlike the ones used at the low and medium levels.

We construct the payload:

Test the payload. If the name text box will not accept all of it, inspect the element and raise maxlength as before.

The pop-up appears. Let's look at the data stored in the database.

Impossible level

Just look at the source code. It is called impossible; let's see why.

Building on high, this code also applies htmlspecialchars() to the name value, converting the predefined characters into HTML entities, so nothing stored as name can be rendered as a tag. This is sufficient because the value is echoed into the HTML body; output into a JavaScript or unquoted-attribute context would need encoding appropriate to that context.
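The following Python script is an added example and is not DVWA's code. It re-implements the name-field filter of each level, approximating PHP's str_replace(), the high-level preg_replace() pattern and htmlspecialchars() with Python's str.replace, re and html.escape, and runs the three kinds of payload the walkthrough relies on against every level. It shows why the case change defeats medium, why the regex stops it at high, why an event-handler payload with no script tag still gets through, and why output encoding stops all three. The payloads and the is_exploitable() heuristic are constructed for this example.

```python
import html
import re

# Constructed payloads for the name field (example data, not from the article).
# alert(1)/alert(2)/alert(3) mirror the numbering used in the walkthrough.
PAYLOADS = {
    "plain script tag": "<script>alert(1)</script>",
    "upper-case tag": "<SCRIPT>alert(2)</SCRIPT>",
    "event handler, no script tag": "<img src=x onerror=alert(3)>",
}

# Python form of the high-level PHP pattern '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i':
# case-insensitive, and each (.*) tolerates arbitrary characters between the letters.
SCRIPT_RE = re.compile(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", re.IGNORECASE)


def filter_low(name: str) -> str:
    """trim() only. mysqli_real_escape_string() is left out on purpose:
    it protects the INSERT statement, and MySQL stores the original text."""
    return name.strip()


def filter_medium(name: str) -> str:
    """str_replace('<script>', '', $name): an exact, case-sensitive match."""
    return name.strip().replace("<script>", "")


def filter_high(name: str) -> str:
    """preg_replace() with the case-insensitive pattern above."""
    return SCRIPT_RE.sub("", name.strip())


def filter_impossible(name: str) -> str:
    """htmlspecialchars() on the stored value: < > & " ' become entities.
    html.escape is a close approximation (the quote entities differ slightly)."""
    return html.escape(name.strip(), quote=True)


FILTERS = {
    "low": filter_low,
    "medium": filter_medium,
    "high": filter_high,
    "impossible": filter_impossible,
}

# Heuristic for what the guestbook page would echo into the HTML body:
# a live <script> tag, or any tag carrying an on*= event-handler attribute.
ACTIVE_HTML_RE = re.compile(r"<\s*script\b|<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def is_exploitable(rendered: str) -> bool:
    """True if the rendered text still contains executable markup."""
    return ACTIVE_HTML_RE.search(rendered) is not None


def evaluate(level: str, name: str) -> bool:
    """True if the payload survives the level's name filter in an executable form."""
    return is_exploitable(FILTERS[level](name))


def matrix() -> dict:
    """Payload x level table of which combinations still fire."""
    return {label: {lvl: evaluate(lvl, p) for lvl in FILTERS}
            for label, p in PAYLOADS.items()}


if __name__ == "__main__":
    for label, row in matrix().items():
        fires = [lvl for lvl, ok in row.items() if ok]
        print(f"{label:30} fires at: {', '.join(fires) or 'none'}")
```

Running it prints one line per payload listing the levels at which it still fires: the plain tag only at low, the upper-case tag at low and medium, the event-handler payload at low, medium and high, and nothing at impossible. The high-level regex strips the whole span from the first `<` to the last `t` it can reach, so `<SCRIPT>alert(2)</SCRIPT>` collapses to a bare `>`, while `<img src=x onerror=alert(3)>` contains no s-c-r-i-p-t sequence and passes untouched.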
