Client-side script implantation (script insertion) means inserting executable script into objects such as forms, pictures, animations, or hyperlinked text. When a user opens one of these objects, the script the attacker planted executes and the attack begins.
HTML tags that can carry an implanted script typically include the following:
1. <script> tags, which mark JavaScript, VBScript, and other page scripting code. The JS code can be written inside the <script> tag itself, or the URL of a JS file can be given in the src attribute.
2. <object> tags, which embed objects such as Java applets, multimedia files, and ActiveX controls. The URL of the object is usually given in the data attribute.
3. <embed> tags, which embed objects such as multimedia files (for example, SWF files). The URL of the object is usually given in the src attribute.
4. <applet> tags, which embed Java applets; the URL of the applet is usually given in the codebase attribute.
5. <form> tags; the URL of the web application that processes the form data is given in the action attribute.
Attack steps for client-side script implantation
1. The attacker registers as an ordinary user and logs in to the site.
2. Opens the message (guestbook) page and inserts the attacking JS code into a message.
3. Other users, including the administrator, log in to the site and browse this message.
4. The JS code hidden in the message content executes in their browsers; the attack has succeeded.
-- Column lengths were lost in the source text; int(11) and varchar(255) are assumed here.
CREATE TABLE `PostMessage` (
  `id` int(11) NOT NULL auto_increment,
  `Subject` varchar(255) NOT NULL default '',
  `Name` varchar(255) NOT NULL default '',
  `Email` varchar(255) NOT NULL default '',
  `Question` mediumtext NOT NULL,
  `Postdate` datetime NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=gb2312 COMMENT='user message board' AUTO_INCREMENT=69;
add.php   inserts a message
list.php  lists the messages
show.php  displays a message
Submitting a message
The JS script is executed whenever someone views this message. For example:
Insert <script>while (1) {window.open();}</script>   an endless stream of pop-up windows
Insert <script>location.href="http://www.sectop.com";</script>   redirect to a phishing page
Or any other JS code the attacker constructs.
Methods of prevention
The usual approach is the htmlspecialchars() function, which converts special characters to HTML entities.
Function prototype:
string htmlspecialchars(string $string, int $quote_style, string $charset)
$string is the string to encode.
$quote_style is optional; its value can be ENT_COMPAT, ENT_QUOTES, or ENT_NOQUOTES. The default, ENT_COMPAT, converts only double quotes and leaves single quotes alone. ENT_QUOTES converts both double and single quotes. ENT_NOQUOTES converts neither.
$charset is optional and names the character set used.
The function converts the following special characters to HTML entities:
& ----> &amp;
" ----> &quot;
' ----> &#039; (only with ENT_QUOTES)
< ----> &lt;
> ----> &gt;
Change line 98 of show.php to:
<?php echo nl2br(htmlspecialchars($row['question'], ENT_QUOTES)); ?>
(htmlspecialchars() must run first; if nl2br() ran first, the <br /> tags it inserts would themselves be escaped and appear as literal text.)
Then look at the page with the injected JS again.
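As an added example (not the tutorial's own show.php), a self-contained PHP script that renders the two payloads discussed above through an unescaped output path and through the htmlspecialchars() path, then checks which output still carries a live tag. The $rows array is a constructed stand-in for rows read from PostMessage.

```php
<?php
// Constructed sample rows standing in for results of SELECT ... FROM PostMessage.
$rows = [
    ['question' => "Hello,\nnice site"],
    ['question' => '<script>while (1) {window.open();}</script>'],
    ['question' => '<script>location.href="http://www.sectop.com";</script>'],
];

// Vulnerable rendering: the stored string reaches the HTML parser untouched,
// so any <script> tag a visitor saved runs in every reader's browser.
function renderUnsafe(string $question): string
{
    return nl2br($question);
}

// Hardened rendering. Escape FIRST, then add <br />: if nl2br() ran first, the
// <br /> tags it inserts would themselves be escaped and shown as text.
// ENT_QUOTES converts both " and ' so the value is also safe inside attributes;
// the charset must match the page encoding (GB2312, matching the schema above).
function renderSafe(string $question): string
{
    return nl2br(htmlspecialchars($question, ENT_QUOTES, 'GB2312'));
}

// True when the rendered HTML still contains an unescaped tag other than <br />.
function containsTag(string $html): bool
{
    return preg_match('/<(?!br\s*\/?>)[a-z]/i', $html) === 1;
}

foreach ($rows as $row) {
    $unsafe = renderUnsafe($row['question']);
    $safe   = renderSafe($row['question']);
    printf("unsafe: %s (tag present: %s)\n", $unsafe, containsTag($unsafe) ? 'yes' : 'no');
    printf("safe:   %s (tag present: %s)\n\n", $safe, containsTag($safe) ? 'yes' : 'no');
}
```

Run with `php show_example.php`: the two script payloads report a live tag only on the unsafe path, while the multi-line message keeps its <br /> on both.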
PHP Vulnerability Full Solution (iii)-Client script implantation