DVWA's XSS cross-site scripting attack (storage type)

Principle block diagram


Insert picture description hereRedirect pop-up to
Insert picture description hereget cookies
Insert picture description here

Low level

1. Popup

Insert the XSS code into the guestbook.
Return to the XSS page.
Other people visit the page and trigger the XSS.

2. Redirect

Insert the malicious code into the guestbook.
Return to the XSS page; the redirect is triggered.
Other people visit the page and trigger the XSS.

3. Get the cookie

Insert the XSS code into the guestbook.
Use Kali Linux to listen for the incoming request.
Other people visit the page and trigger the XSS; the listener receives the cookie.

Medium level

View the source code of the page:

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = strip_tags( addslashes( $message ) );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = str_replace( '<script>', '', $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}

?>


The message input is HTML-entity encoded (htmlspecialchars), so the message field is no longer injectable; the name input only has the literal string <script> removed, and is still injectable.

1. Popup

Bypass the name filter by using a different tag, by double-writing the tag (so that one removal leaves a complete tag behind), or by mixing upper and lower case in the tag.

2. Redirect

JS code:

<scRipT>window.location = "http://www.4399.com"</script>

Insert the code into the guestbook.
Other people visit this page and are redirected.

3. Get the cookie

Same as the low level, but the payload must bypass the name filter in the same way.

High level

View the source code: the message input is HTML-entity encoded as before, and the name input is now filtered with a regular expression that removes any <script> tag regardless of case, so that tag cannot be used. Use a different tag with an event handler instead:

<body onload = alert('xss')>

<img src = '' onerror = alert('xss')>

<a href = '' onclick = alert('xss')>点我领红包</a>

The third one is used here.
Insert the code into the guestbook; the XSS page shows the link.
Other people visit the page and "receive red envelopes" by clicking it.
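An added PHP example, not DVWA's own code: it puts the medium-level name filter from the source above beside the high-level regex filter (its exact pattern is an assumption taken from the DVWA source and is not shown on this page) and beside the output-encoding fix, then runs all three over constructed inputs so you can see which bypasses each filter lets through.

```php
<?php
// Added example (not DVWA's code): compare the two blacklist filters for the
// "name" field with proper HTML output encoding. Inputs below are constructed.

function medium_name_filter(string $name): string
{
    // Medium level: only the literal, lowercase "<script>" string is removed,
    // so mixed case ("<scRipT>") passes untouched and double-writing
    // ("<sc<script>ript>") is reassembled into "<script>" by the removal.
    return str_replace('<script>', '', $name);
}

function high_name_filter(string $name): string
{
    // High level (assumed pattern from DVWA): removes anything that looks
    // like a script tag regardless of case, but says nothing about other
    // tags or event-handler attributes such as onload/onerror/onclick.
    return preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name);
}

function encode_for_html(string $name): string
{
    // The actual fix: do not try to recognise bad markup on input; encode the
    // value for the HTML context at output time so '<', '>', quotes and '&'
    // can never open a tag or break out of an attribute. ENT_QUOTES also
    // covers single quotes, which matters inside attribute values.
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs mirroring the bypasses used on this page.
$samples = [
    'mixed case'    => "<scRipT>alert('xss')</script>",
    'double-write'  => "<sc<script>ript>alert('xss')</script>",
    'event handler' => "<img src='' onerror=alert('xss')>",
];

foreach ($samples as $label => $input) {
    echo "== $label ==\n";
    echo "medium : " . medium_name_filter($input) . "\n";
    echo "high   : " . high_name_filter($input) . "\n";
    echo "encoded: " . encode_for_html($input) . "\n\n";
}
```

The medium filter passes the first two inputs and the high filter still passes the event-handler input, while the encoded output is inert in every case; the stored value should be encoded wherever the guestbook is rendered, not only at insert time.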
See also: DVWA's XSS cross-site scripting attack (DOM type); DVWA's XSS cross-site scripting attack (reflection type).

Origin: https://blog.csdn.net/qq_45742511/article/details/113249935