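## 跨站脚本攻击(xss) 1、打开文件 ``` ./index.php ``` 在第一行加入: ``` include('./chuanhai_safe.php'); ``` 2、创建文件 ``` ./chuanhai_safe.php ``` 3、在文件里面加入以下代码

```php
<?php
/**
 * Chuanhai Safe - OneThink
 *
 * 20201204
 *
 * Request-level input filter for $_GET. start() first strips a fixed token
 * blacklist from every GET value (filterArr), then rejects the request with a
 * JSON body when a value still contains a blacklisted character or, on the
 * front-end a=Index route, when a parameter name is not whitelisted (xss).
 *
 * Coverage notes for maintainers:
 *  - Only $_GET is inspected; $_POST, $_COOKIE and request headers pass through.
 *  - Token stripping is a defence-in-depth layer only: SQL still needs prepared
 *    statements and output still needs context-specific escaping downstream.
 *  - The reject patterns match ordinary characters ('-', '+', '=', '/', '%', ...)
 *    and the literal substrings "LF"/"CR" anywhere in a value, so legitimate
 *    input such as dates, negative numbers or the word "GOLF" is blocked too.
 */
class Safe
{
    /**
     * Patterns stripped from GET values by filterWords(), applied in this order
     * and repeated until nothing matches any more.
     */
    private const FILTER_PATTERNS = [
        "/<(\\/?)(script|i?frame|style|html|body|title|link|meta|object|\\?|\\%)([^>]*?)>/isU",
        "/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU",
        "/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|dump/is",
    ];

    /**
     * Tokens that reject any request (code 10001). Case-sensitive, unlike
     * FILTER_PATTERNS; "LF" here matches those two letters, not a line feed.
     */
    private const REJECT_PATTERN = '/document|LF|eval|script|alert|\'|\/\*|\#|\--|\ --|\/|\*|\-|\+|\=|\~|\*@|\*!|\$|\%|\^|\&|\(|\)|\/|\/\/|\.\.\/|\.\/|\>|\</';

    /** Stricter variant of REJECT_PATTERN applied on the front-end a=Index route. */
    private const REJECT_PATTERN_INDEX = '/select|insert|update|CR|document|LF|eval|delete|script|alert|\'|\/\*|\#|\--|\ --|\/|\*|\-|\+|\=|\~|\*@|\*!|\$|\%|\^|\&|\(|\)|\/|\/\/|\.\.\/|\.\/|\>|\<|union|into|load_file|outfile/';

    /** Parameter names accepted on the a=Index route; anything else is code 10002. */
    private const INDEX_PARAMS = ['a', 'c', 'm', 'mid', 'cid', 'aid', 'page', 'type', 'word'];

    /**
     * Entry point: strip the token blacklist from $_GET, then run the reject
     * checks. Terminates the request with a JSON body when a check fails.
     */
    public function start(): void
    {
        $this->filterArr();
        $this->xss();
    }

    /**
     * Strip the blacklisted tokens from a value.
     *
     * Arrays are filtered recursively with keys preserved. Stripping is
     * repeated until the value stops changing, because one pass is not
     * idempotent: removing a token can splice the surrounding characters into
     * another blacklisted token. If preg_replace() itself fails (for example
     * on the backtrack limit) an empty string is returned so the unfiltered
     * input never passes through.
     *
     * @param array|string $str value to filter; other scalars are cast to string
     * @return array|string
     */
    public function filterWords($str)
    {
        if (is_array($str)) {
            return array_map(function ($item) {
                return $this->filterWords($item);
            }, $str);
        }

        $current = (string) $str;
        do {
            $previous = $current;
            $current = preg_replace(self::FILTER_PATTERNS, '', $previous);
            if ($current === null) {
                // Regex engine failure: fail closed rather than return raw input.
                return '';
            }
        } while ($current !== $previous);

        return $current;
    }

    /**
     * Filter every $_GET value in place with filterWords().
     *
     * $_GET is always an array in PHP; nested values (?k[]=v) are filtered
     * recursively by filterWords().
     *
     * @return array the filtered $_GET
     */
    public function filterArr(): array
    {
        $_GET = $this->filterWords($_GET);
        return $_GET;
    }

    /**
     * Reject the request when a GET value or parameter name fails the checks.
     *
     * Codes in the JSON body: 10001 = a value contains a blacklisted token,
     * 10002 = a parameter name is not whitelisted on the a=Index route,
     * 10003 = the scanner probe parameter "wvstest" is present.
     * On the a=Index route the surviving values are also HTML-escaped in $_GET.
     */
    public function xss(): void
    {
        // Every request: reject values containing blacklisted tokens.
        foreach ($_GET as $value) {
            if ($this->matches(self::REJECT_PATTERN, $value)) {
                $this->ajax_return(['status' => 1, 'message' => 'xss 10001']);
            }
        }

        // Front-end a=Index route: stricter pattern, HTML-escape, whitelist names.
        if (isset($_GET['a']) && $_GET['a'] === 'Index') {
            $escaped = [];
            foreach ($_GET as $key => $value) {
                if ($this->matches(self::REJECT_PATTERN_INDEX, $value)) {
                    $this->ajax_return(['status' => 1, 'message' => 'xss 10001']);
                }
                $escaped[$key] = $this->escapeHtml($value);
            }
            $_GET = $escaped;

            // Strict comparison: an integer key such as ?0=x must not be
            // accepted through loose int/string equality on older PHP.
            foreach ($_GET as $key => $value) {
                if (!in_array($key, self::INDEX_PARAMS, true)) {
                    $this->ajax_return(['status' => 1, 'message' => 'xss 10002']);
                }
            }
        }

        // Known scanner probe parameter (added 20200701).
        if ($this->is_input('wvstest')) {
            $this->ajax_return(['status' => 1, 'message' => 'xss 10003']);
        }
    }

    /**
     * Whether $value (or any element of it, for arrays) matches $pattern.
     * A preg_match() failure counts as a match so the check fails closed.
     */
    private function matches(string $pattern, $value): bool
    {
        if (is_array($value)) {
            foreach ($value as $item) {
                if ($this->matches($pattern, $item)) {
                    return true;
                }
            }
            return false;
        }

        return preg_match($pattern, (string) $value) !== 0;
    }

    /**
     * HTML-escape a value, recursively for arrays, for the a=Index route.
     * ENT_SUBSTITUTE keeps invalid UTF-8 as U+FFFD instead of silently
     * turning the whole value into an empty string.
     *
     * @return array|string
     */
    private function escapeHtml($value)
    {
        if (is_array($value)) {
            return array_map(function ($item) {
                return $this->escapeHtml($item);
            }, $value);
        }

        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /** Whether a parameter named $name is present in $_GET or $_POST. */
    private function is_input(string $name): bool
    {
        return isset($_GET[$name]) || isset($_POST[$name]);
    }

    /**
     * Raw value of $name from $_GET, else $_POST, else ''. Not called within
     * this file. The value is unfiltered and may be an array for ?name[]=... input.
     *
     * @return array|string
     */
    private function input(string $name)
    {
        if (isset($_GET[$name])) {
            return $_GET[$name];
        }
        if (isset($_POST[$name])) {
            return $_POST[$name];
        }

        return '';
    }

    /**
     * Emit $data as JSON and terminate the request. The Content-Type header is
     * set while headers can still be sent so clients do not treat the body as HTML.
     *
     * @param array $data
     */
    private function ajax_return(array $data = []): void
    {
        if (!headers_sent()) {
            header('Content-Type: application/json; charset=utf-8');
        }
        exit(json_encode($data));
    }
}

$safe = new Safe();
$safe->start();
?>
```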