DVWA: XSS (Stored) (low)

XSS(Stored)

Interface

(screenshot of the Stored XSS page omitted)

Source code

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    
    
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = stripslashes( $message );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Sanitize name input
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}

?>

Code analysis

trim() removes leading and trailing whitespace from a string (spaces, tabs, newlines and similar characters); stripslashes() removes the backslashes that addslashes() adds; mysqli_real_escape_string() escapes only the characters that are special inside a SQL string, which protects the INSERT query, not the HTML page that later displays the comment.
None of these calls filter or encode HTML tags, so a payload written as a tag is stored unchanged and executed when the guestbook is displayed, which allows a stored XSS attack.
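As an added example, not DVWA's own code and not part of the original post, the following is a hardened counterpart of the low-level handler: the INSERT uses a prepared statement with bound parameters instead of string interpolation, and every stored value is passed through htmlspecialchars() at the moment it is rendered, so a stored script tag is shown as text instead of executed. The function names, the $db parameter and the sample strings are assumptions made for illustration.

```php
<?php
// Added example (not DVWA's code): hardened version of the guestbook handler.
// Fix 1: bound parameters keep the values out of the SQL text.
// Fix 2: HTML-encode every stored value on output, the defence against stored XSS
//        that the low-level code lacks.

function store_guestbook_entry(mysqli $db, string $name, string $message): bool {
    $name    = trim($name);
    $message = trim($message);
    // Server-side length check: the client-side maxlength on the form can be
    // bypassed by editing the request, so enforce the limit here as well.
    if (strlen($name) > 100 || strlen($message) > 5000) {
        return false;
    }
    $stmt = $db->prepare("INSERT INTO guestbook (comment, name) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $message, $name);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Output encoding: <, >, &, " and ' become HTML entities, so browser never
// parses stored data as markup.
function html_encode(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render one guestbook entry; encoding happens here, at the point of output.
function render_entry(string $name, string $comment): string {
    return '<div class="entry">Name: ' . html_encode($name)
         . '<br />Message: ' . html_encode($comment) . '</div>';
}

// Constructed sample input: the payload from the walkthrough, rendered safely.
// (No database is needed for this part, so it runs from the command line.)
$sample_name    = "<script>alert('qwe')</script>";
$sample_comment = "hello & \"goodbye\"";
echo render_entry($sample_name, $sample_comment), PHP_EOL;
```

Run the file with the PHP CLI to see the encoded markup; the script tag appears in the output as entities, not as a tag. The same html_encode() call must be applied to every field that is displayed, including the name, since the walkthrough shows that both fields accept a payload.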

Penetration steps

Step 1: Enter <script>alert('qwe')</script> in the Name field and notice that the Name field limits the number of characters that can be entered.
Step 2: Enter the payload in the Name field, click Sign, capture the request with Burp Suite, change the txtName parameter to the full payload, and forward the modified request. A pop-up appears, so the injection succeeded.
(screenshot: modifying the request packet)
(screenshot: injection successful)
Step 3: Enter the payload in the Message field; a pop-up appears again, which shows that both the Name and Message fields are vulnerable to stored XSS.
(screenshots omitted)


Source: blog.csdn.net/qq_37589805/article/details/112628196