篇首语：本文由编程笔记#小编为大家整理，主要介绍了bWAPP----HTML Injection - Stored (Blog)相关的知识，希望对你有一定的参考价值。

html Injection - Stored (Blog)

界面

2
3

HTML Injection - Stored (Blog)

4
5 php echo($_SERVER["SCRIPT_NAME"]);?>" method="POST">
6
7
8
9
10
11
12
13
14
15
16
17
22
23
29
30
36
37
43
44
45
46
47
48
49
50


18 19 20 21	24 25 for="entry_add">Add: 26 27 28	31 32 for="entry_all">Show all: 33 34 35	38 39 for="entry_delete">Delete: 40 41 42		echo $message;?>

51
52
53
54

55
56
57
58
59
60
61
62
63
64
65
66
// 上面是html，下面开始是PHP源码
67php
68
69// Selects all the records
70
71$entry_all = isset($_POST["entry_all"]) ? 1 : 0;
72
73if($entry_all == false)
74{
75
76$sql = "SELECT * FROM blog WHERE owner = \'" . $_SESSION["login"] . "\'";
77
78}
79
80else
81{
82
83$sql = "SELECT * FROM blog";
84
85}
86
87$recordset = $link->query($sql);
88
89if(!$recordset)
90{
91
92// die("Error: " . $link->connect_error . "

");
93
94 ?>
95
96
97
98
103
104
105
106php
107
108}
109
110while($row = $recordset->fetch_object())
111{
112
113if($_COOKIE["security_level"] == "1" or $_COOKIE["security_level"] == "2")
114 {
115
116 ?>
117
118
119
120
121
122
123
124
125
126php
127
128 }
129
130else
131 {
132
133 ?>
134
135
136
137
138
139
140
141
142
143php
144
145 }
146
147}
148
149$recordset->close();
150
151$link->close();
152
153 ?>
154

#	Owner	Date	Entry
die("Error: " . $link->error);?>
echo $row->id; ?>	echo $row->owner; ?>	echo $row->date; ?>	echo xss_check_3($row->entry); ?>
echo $row->id; ?>	echo $row->owner; ?>	echo $row->date; ?>	echo $row->entry; ?>

155
156

感觉防护代码这有点问题，我没看明白

1 function htmli($data)
2 {
3
4 include("connect_i.php"); //链接数据库
5
6 switch($_COOKIE["security_level"]) //检测级别在COOKIE里
7 {
8
9 case "0" :
10
11 $data = sqli_check_3($link, $data);
12 break;
13
14 case "1" :
15
16 $data = sqli_check_3($link, $data);
17 // $data = xss_check_4($data);
18 break;
19
20 case "2" :
21
22 $data = sqli_check_3($link, $data);
23 // $data = xss_check_3($data);
24 break;
25
26 default :
27
28 $data = sqli_check_3($link, $data);
29 break;
30
31 }

无论case是几，执行的都是

sqli_check_3（）进行过滤

sqli_check_3()的定义是

应该把xss的防御加在这里

1 function sqli_check_3($link, $data)
2 {
3
4 return mysqli_real_escape_string($link, $data);
5
6 }

mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符。

下列字符受影响：

\\x00

\\x1a

如果成功，则该函数返回被转义的字符串。如果失败，则返回 false。

1.low

级别同时不进行保护

2.medium

xss_check_4进行防xss保护

函数功能为

function xss_check_4($data)
{

// addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
// These characters are single quote (\'), double quote ("), backslash (\\) and NUL (the NULL byte).
// Do NOT use this for XSS or HTML validations!!!

return addslashes($data);

}

在预定义字符前加反斜杠

预定义字符是：

单引号（\'）

双引号（"）

反斜杠（\\）

NULL

3.high

xss_check_3功能

1 function xss_check_3($data, $encoding = "UTF-8")
2 {
3
4 // htmlspecialchars - converts special characters to HTML entities
5 // \'&\' (ampersand) becomes \'&\'
6 // \'"\' (double quote) becomes \'"\' when ENT_NOQUOTES is not set
7 // "\'" (single quote) becomes \'&＃039;\' (or ') only when ENT_QUOTES is set
8 // \'<\' (less than) becomes \'<\'
9 // \'>\' (greater than) becomes \'>\'
10
11 return htmlspecialchars($data, ENT_QUOTES, $encoding);
12
13 }