# Stored XSS vulnerabilities

**XSS vulnerabilities fall roughly into three types**

- Reflected XSS
- Stored (persistent) XSS
- DOM-based XSS

When auditing, concentrate on the SQL `UPDATE` and `INSERT` statements, and check whether the content that is stored and later output is not filtered at all, or is filtered too loosely.

Example

The table:

```
CREATE TABLE `book` (
  `id` int(5) NOT NULL auto_increment,
  `title` varchar(32) NOT NULL,
  `con` text NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=gbk AUTO_INCREMENT=1 ;
```

The unfiltered insert code:

```
<?php
// Legacy mysql_* extension (removed in PHP 7); kept as in the original demo.
mysql_connect('localhost', 'root', '');
mysql_select_db('test');
mysql_query("set names gbk");
if (isset($_POST['submit'])) {
    // Both fields are taken straight from the request: no filtering or escaping.
    $title = $_POST['title'];
    $con   = $_POST['con'];
    // The raw values are concatenated into the INSERT and stored as-is.
    $sql = "INSERT INTO `book` (`id` ,`title` ,`con`) VALUES (NULL , '$title', '$con');";
    if (mysql_query($sql)) {
        echo "留言成功";
    } else {
        echo "留言失败";
    }
} else {
    $sql = "select * from book";
    if ($row = mysql_query($sql)) {
        while ($rows = mysql_fetch_array($row)) {
            // The stored content is echoed into the page unescaped, so any
            // markup saved above is rendered and executed by the browser.
            echo $rows['id'] . $rows['title'] . $rows['con'] . "<br>";
        }
    }
}
```

The XSS code (the submission form, with the test payload placed in the textarea):

```
<html>
<h1>存储型 xss 漏洞演示</h1>
<form action="?action=insert" method="post">
标题:<input type="text" name="title"><br>
内容:<textarea name="con">内容。。。<script>alert(1);</script>。。。内容</textarea>
<input type="submit" name="submit" value="提交">
</form>
</html>
```
Defense: the `htmlspecialchars` function. It performs the following replacements:

- `&` (ampersand) becomes `&amp;`
- `"` (double quote) becomes `&quot;`, unless `ENT_NOQUOTES` is set
- `'` (single quote) becomes `&#039;` (with `ENT_HTML401`) or `&apos;` (with `ENT_XML1`, `ENT_XHTML` or `ENT_HTML5`), but only when `ENT_QUOTES` is set
- `<` (less than) becomes `&lt;`
- `>` (greater than) becomes `&gt;`

Apply it at the point where the stored value is echoed into the HTML (the `echo` in the listing loop above), and pass `ENT_QUOTES` so that values landing inside an attribute are covered as well.
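The same message board with both sides fixed, as an added example that is not part of the original post: the insert uses a bound parameter so the content cannot alter the SQL, and every stored value passes through `htmlspecialchars` with `ENT_QUOTES` when it is rendered. It assumes the `book` table from the post and a database user `app` with password `secret` (constructed placeholders); `h()` is a helper name chosen here.

```php
<?php
// Added example (not the original post's code). Assumes the `book` table
// from the post; the credentials below are constructed placeholders.
header('Content-Type: text/html; charset=UTF-8');

$db = new mysqli('localhost', 'app', 'secret', 'test');
if ($db->connect_error) {
    die('DB connection failed');
}
$db->set_charset('utf8mb4');

// One output helper for all user-controlled data. ENT_QUOTES encodes both
// quote characters, so the value is also safe inside an HTML attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

if (isset($_POST['submit'])) {
    $title = (string)($_POST['title'] ?? '');
    $con   = (string)($_POST['con'] ?? '');
    // Bound parameters: the original concatenated $title/$con into the SQL
    // string. The content is still stored verbatim; escaping happens on output.
    $stmt = $db->prepare('INSERT INTO `book` (`title`, `con`) VALUES (?, ?)');
    $stmt->bind_param('ss', $title, $con);
    echo $stmt->execute() ? '留言成功' : '留言失败';
    $stmt->close();
} else {
    $result = $db->query('SELECT `id`, `title`, `con` FROM `book`');
    while ($row = $result->fetch_assoc()) {
        // A stored "<script>alert(1);</script>" is emitted as
        // "&lt;script&gt;alert(1);&lt;/script&gt;": shown as text, not run.
        echo h((string)$row['id']) . ' ' . h($row['title']) . ' ' . h($row['con']) . "<br>\n";
    }
}
```

Escaping at render time rather than on insert keeps the stored data intact and lets the same row be output safely in other contexts later.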