XSS(Stored)
interface
Source code
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = stripslashes( $message );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Sanitize name input
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
Code analysis
The trim() method is used to delete the leading and trailing blank characters of the string. The blank characters include: spaces, tabs, newlines and other blank characters, etc.; the
stripslashes() function deletes the backslashes added by the addslashes() function;
You can see that the code does not filter the html tags, and other tags can be constructed for XSS attacks.
Infiltration step
Step 1: Enter in the name column <script>alert(‘qwe’)</script>
and find that there is a limit on the number of words in the name column.
Step 2: Enter it in the name field, click sign, use burp suit to capture the packet, modify the parameters of the name, and submit the modified data packet, and the pop-up window is found, and the injection is successful.
Step 3: Enter in the message column and find a pop-up window to prove that both the name and message can be XSS.