XSS injection vulnerability on the 织梦CMS (DedeCMS) login page and how to fix it

1. Client detection report

Event URL:

http://127.0.0.1/mgr/login.php?gotopage=%22%3E%3Cinput%20type=%22text%22%20onInput=alert(1)%3E%3Cx=%22

Event type:

Vulnerability: KingCms portal system stored XSS

2. XSS injection analysis

The injection payload used by the tester (before URL encoding):

http://127.0.0.1/mgr/login.php?gotopage="><input type="text" onInput=alert(1)><x="

The mechanism: the login form contains a hidden input field, <input name="gotopage" value="${gotopage}">, whose value is filled from the gotopage request parameter without escaping. The leading "> in the payload closes the value attribute and the input tag, so the rest of the parameter is rendered as a new input element carrying an onInput event handler; the trailing <x=" absorbs the original closing quote and tag so that the surrounding markup still parses.

3. Fixes

Method 1: filter JavaScript keywords

function xss_clean1($var)
{
    // Strip ASCII control characters, then a case-insensitive blacklist of
    // script keywords and on* event-handler names. The blacklist is not
    // exhaustive (oninput and onerror, for example, are absent); it is the
    // final htmlspecialchars() call that stops the value from breaking out
    // of an HTML attribute.
    $ra = array(
        '/[\x00-\x08\x0b-\x0c\x0e-\x19]/',
        '/script/i', '/javascript/i', '/vbscript/i',
        '/onload/i', '/onunload/i', '/onchange/i', '/onsubmit/i', '/onreset/i',
        '/onselect/i', '/onblur/i', '/onfocus/i', '/onabort/i',
        '/onkeydown/i', '/onkeypress/i', '/onkeyup/i',
        '/onclick/i', '/ondblclick/i',
        '/onmousedown/i', '/onmousemove/i', '/onmouseout/i', '/onmouseover/i', '/onmouseup/i',
    );
    $var = preg_replace($ra, '', $var);

    // Encode &, <, >, " and ' so the value is inert inside an HTML attribute.
    return htmlspecialchars($var, ENT_QUOTES);
}

Method 2: escape special characters and HTML keywords

function xss_clean2($data)
{
    // Fix &entity\n; : encode the raw metacharacters, normalise entities that
    // contain whitespace or lack a terminating semicolon, then decode once so
    // that entity-obfuscated markup is visible to the filters below.
    $data = str_replace(array('&', '<', '>'), array('&amp;', '&lt;', '&gt;'), $data);
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols (also when the scheme is
    // padded with control characters or whitespace between its letters)
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    // IE's CSS property is spelled "behavior"; the original pattern only
    // matched "behaviour", so both spellings are accepted here.
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviou?r[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (we do not need them)
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

    // Remove really unwanted tags; loop until nothing changes, so that tags
    // nested inside stripped tags cannot reassemble after one pass.
    do {
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    } while ($old_data !== $data);

    // we are done...
    return $data;
}

4. How to use

On the receiving page, run every request parameter through both functions in turn, for example:

$gotopage = xss_clean1($gotopage);
$gotopage = xss_clean2($gotopage);
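As an added example (not code from the original post or from the CMS), the following PHP script reproduces the attribute break-out described in section 2 with the payload from the detection report, and contrasts the vulnerable rendering of the hidden gotopage field with a version that encodes the value for the HTML attribute context. Function and variable names are this example's own. It also makes explicit why method 1 neutralises this particular payload: its keyword blacklist contains no oninput entry, so the preg_replace pass leaves the string unchanged, and it is the closing htmlspecialchars(..., ENT_QUOTES) call that renders the quotes and angle brackets as entities.

```php
<?php
// Added example, not part of the original post or of the CMS code.
// Function and variable names here are this example's own.
declare(strict_types=1);

// The encoded query string exactly as it appears in the detection report.
const REPORT_QUERY = 'gotopage=%22%3E%3Cinput%20type=%22text%22%20onInput=alert(1)%3E%3Cx=%22';

// Recover the gotopage value the way PHP populates $_GET (URL decoding included).
function gotopageFromQuery(string $query): string
{
    parse_str($query, $params);
    return (string) ($params['gotopage'] ?? '');
}

// Vulnerable rendering: the parameter is interpolated raw into the attribute,
// mirroring the template line <input name="gotopage" value="${gotopage}">.
function renderHiddenFieldVulnerable(string $gotopage): string
{
    return '<input type="hidden" name="gotopage" value="' . $gotopage . '">';
}

// Hardened rendering: encode for the HTML attribute context. ENT_QUOTES turns
// both " and ' into entities, so the value can never close the attribute.
function renderHiddenFieldSafe(string $gotopage): string
{
    $encoded = htmlspecialchars($gotopage, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="gotopage" value="' . $encoded . '">';
}

// Count element start tags in the rendered markup: anything above 1 means the
// value broke out of the attribute and injected elements of its own.
function elementCount(string $html): int
{
    return preg_match_all('/<[a-z]/i', $html);
}

$gotopage = gotopageFromQuery(REPORT_QUERY);
echo "Decoded payload : {$gotopage}\n";

$vulnerable = renderHiddenFieldVulnerable($gotopage);
$hardened   = renderHiddenFieldSafe($gotopage);

echo "Vulnerable HTML : {$vulnerable}\n";
echo "  start tags    : " . elementCount($vulnerable) . "\n";
echo "Hardened HTML   : {$hardened}\n";
echo "  start tags    : " . elementCount($hardened) . "\n";

// Self-check: the hardened output must still be exactly one element.
if (elementCount($hardened) !== 1) {
    throw new RuntimeException('output encoding failed to contain the payload');
}
```

Encoding at the point where the template writes the attribute is the durable fix; keyword blacklists such as method 1 only catch the handler names they list and should be treated as a supplement to output encoding, not a replacement for it. The same htmlspecialchars() call with ENT_QUOTES is what both filter functions ultimately rely on when the value lands inside a quoted attribute.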

Posted 2019-07-12 14:56 by csdn代下载微robnote