Preventing XSS in ajax
I have a PHP ajax site and found a possible XSS in the ajax library. Please find the request and response below. The rsargs[] parameter can take any script or value, so it is vulnerable. What I have tried so far: HTML encoding, which did not work because it trimmed my content.

In the sample application below, it returns a file from the Windows directory.

Request:

POST /Weblogin.php HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: https://xxx.xx.xx.xx/Code/weblogin.php
Accept: application/json, text/javascript, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: 172.25.152.91
Content-Length: 144
Connection: Keep-Alive
Cache-Control: no-cache

rs=GetWaitTime&rst=&rsrnd=1395815006191&rsobj=&rsargs[]=37091&rsargs[]=42lqd7b000&rsargs[]=../../../../../../../../../../windows/setupact.log%00

Response:

HTTP/1.0 200 OK
Date: Wed, 26 Mar 2014 06:39:30 GMT
Server: Apache/2.2.12 (Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0
X-Powered-By: PHP/5.3.0
Connection: close
Content-Type: text/html

dispci.dll:  ============BEGIN DisplayClassInstaller============
dispci.dll:  ============BEGIN OnSelectBestCompatDrv============
dispci.dll:  ============END OnSelectBestCompatDrv==============
dispci.dll:  DisplayClassInstaller: Returning 0xe000020e for DIF 0x17 and device PCIVEN_1002&DEV_515E&SUBSYS_01E61028&REV_024&1FC3087&0&28F0
dispci.dll:  ============END DisplayClassInstaller==============
dispci.dll:  ============BEGIN DisplayClassInstaller============
dispci.dll:  ============BEGIN OnDestroyPrivateData============
dispci.dll:  ============END OnDestroyPrivateData==============
<br />
<b>Fatal error</b>:  Call to undefined function get_wait_time() in <b>C:\xampp\htdocs\Code\functions\Parent Functions\GetWaitTime.php</b> on line <b>11</b><br />

This is not an XSS vulnerability, it is path traversal. You appear to be using one of the parameters to build a file path and then reading that file. You should validate the user input that goes into the file path construction, rather than HTML-encoding it. You can refer to the OWASP guidance on protecting your application.
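As an added illustration (this is not the asker's code and not part of the answer above), here is the vulnerable pattern the captured exchange suggests, beside a hardened version in PHP, the language the site runs on. The function names, the `data` directory and the appended `.txt` extension are assumptions; the real code behind `GetWaitTime.php` is not shown. Two details of the request are worth reading together with it: the `../../../..` sequence walks out of whatever directory the code prepends, and the trailing `%00` decodes to a NUL byte, which on PHP before 5.3.4 (the server reports 5.3.0) truncates the path inside the file functions, so any suffix the code appends is silently discarded.

```php
<?php
// Added example, not the asker's code. BASE_DIR, the function names and
// the ".txt" suffix are assumptions; the request above does not reveal them.

define('BASE_DIR', dirname(__FILE__) . '/data');   // assumed data directory

/**
 * Vulnerable: the user-supplied name goes straight into the path.
 * A value such as ../../../../windows/setupact.log%00 walks out of
 * BASE_DIR; on PHP before 5.3.4 the decoded NUL byte also truncates
 * everything after it, so the appended ".txt" never reaches the OS.
 */
function read_file_vulnerable($name)
{
    return @file_get_contents(BASE_DIR . '/' . $name . '.txt');
}

/**
 * Hardened: validate the input first, then prove that the resolved
 * path still lies inside BASE_DIR. Returns false on any rejection.
 */
function read_file_safe($name)
{
    // 1. Allow only a plain file name: no NUL, no separators, no dots,
    //    so ".." and an injected extension are impossible by construction.
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return false;
    }
    // 2. Canonicalise both sides (symlinks, "../" segments) and check
    //    containment with the separator included, so that a sibling such
    //    as "data_secret" is not mistaken for something under "data".
    $base = realpath(BASE_DIR);
    $path = realpath(BASE_DIR . DIRECTORY_SEPARATOR . $name . '.txt');
    if ($base === false || $path === false) {
        return false;   // base missing, or file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;   // resolved outside the base directory
    }
    return file_get_contents($path);
}

// Usage mirroring the captured request: the third rsargs[] element is
// assumed to be the value that reaches the file system.
$arg = isset($_POST['rsargs'][2]) ? $_POST['rsargs'][2] : '';
$content = read_file_safe($arg);
if ($content === false) {
    header('HTTP/1.1 400 Bad Request');
    header('Content-Type: text/plain');
    echo 'invalid file name';
    exit;
}
header('Content-Type: text/plain; charset=utf-8');
echo $content;
```

The allow-list regex does the real work; the `realpath` containment check is a second line of defence in case the naming rule is later relaxed. Where the set of readable files is small and fixed, an explicit map from request value to file name is simpler and stronger than either.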
