
Complete explanation of PHP vulnerabilities (3)-Client script implantation

黄舟 (Original), 2016-12-22 09:20:25

Client-side script insertion (Script Insertion) means placing executable script inside objects such as forms, pictures, animations, or hyperlink text. When a user opens one of these objects, the script implanted by the attacker runs in the user's browser, and the attack begins.

HTML tags that can be used to implant scripts generally include the following:

1. Page scripts such as JavaScript and VBScript marked by the <script> tag. The script code can be written directly inside the <script> tag, or the URL of an external .js file can be given in the src attribute.

2. Objects marked by the <object> tag. These objects are Java applets, multimedia files, ActiveX controls, etc. The URL of the object is usually given in the data attribute.

3. Objects marked by the <embed> tag. These objects are multimedia files such as swf files; the URL of the object is usually given in the src attribute.

4. Objects marked by the <applet> tag. These objects are Java applets; the URL of the object is usually given in the codebase attribute.

5. Forms marked by the <form> tag. The URL of the web application that processes the form data is given in the action attribute.

The attack steps of client-side script implantation

1. The attacker logs in to the website after registering as a normal user

2. Open the message page and insert the attack js code

3. Other users log in to the website (including administrators) and browse the content of this message

4. The js code hidden in the message content is executed, and the attack is successful

Example

Database

CREATE TABLE `postmessage` (
  `id` int(11) NOT NULL auto_increment,
  `subject` varchar(60) NOT NULL default '',
  `name` varchar(40) NOT NULL default '',
  `email` varchar(25) NOT NULL default '',
  `question` mediumtext NOT NULL,
  `postdate` datetime NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=gb2312 COMMENT='User''s Message' AUTO_INCREMENT=69;

// add.php: insert a message
// list.php: list the messages
// show.php: display one message

Submit the following message:


When this message is viewed, the js script inside it is executed.

Inserting <script>while(1){window.open();}</script> opens pop-up windows endlessly.

Inserting <script>location.href="http://www.php1.cn/";</script> redirects the visitor to another site.

Any other js code the attacker writes can be used in the same way.

Prevention methods

The usual defence is the htmlspecialchars function, which converts special characters into HTML entities so the browser displays them as text instead of interpreting them as markup.

Function prototype

string htmlspecialchars(string $string [, int $quote_style [, string $charset]])

$string is the string to be encoded.

$quote_style is optional and can be ENT_COMPAT, ENT_QUOTES or ENT_NOQUOTES. The default, ENT_COMPAT, converts only double quotes and leaves single quotes alone. ENT_QUOTES converts both double and single quotes. ENT_NOQUOTES converts neither double nor single quotes.

$charset is optional and names the character set of the input.

The function converts the following special characters into HTML entities:

& —-> &amp;

" —-> &quot;

' —-> &#039; (only with ENT_QUOTES)

< —-> &lt;

> —-> &gt;

Change line 98 of show.php to

Then open the page where the js was inserted again: the script is now displayed as plain text instead of being executed.
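The following is an added example, not the article's own show.php, of how the output step described above looks once every stored field is passed through htmlspecialchars. The column names come from the article's postmessage table; the sample row is constructed here in place of a database query, and the helper name h() is an assumption. It also shows the difference the $quote_style parameter makes, since ENT_COMPAT leaves single quotes untouched (note that from PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so on current PHP the default already converts both quote styles).

```php
<?php
declare(strict_types=1);

// Added example, not the article's code. Escapes untrusted text for output
// inside HTML element content or quoted attribute values.
function h(string $s, string $charset = 'UTF-8'): string
{
    // ENT_QUOTES converts both " and ', so the result is safe inside
    // single- or double-quoted attributes as well as element content.
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

// Renders one message row from the article's `postmessage` table.
// Every value is escaped at the point of output, which is the change the
// article asks for in show.php: echo h($row['question']) instead of
// echo $row['question'].
function render_message(array $row): string
{
    $html  = '<h2>' . h($row['subject']) . '</h2>' . PHP_EOL;
    $html .= '<p>From: <span title="' . h($row['name']) . '">' . h($row['name']) . '</span>';
    $html .= ' &lt;' . h($row['email']) . '&gt; on ' . h($row['postdate']) . '</p>' . PHP_EOL;
    $html .= '<div class="question">' . h($row['question']) . '</div>' . PHP_EOL;
    return $html;
}

// Constructed sample row standing in for "SELECT ... FROM postmessage WHERE id = ?".
// The question field carries the kind of payload the article demonstrates.
$row = [
    'subject'  => 'Hello',
    'name'     => "O'Brien",
    'email'    => 'user@example.invalid',
    'question' => '<script>while(1){window.open();}</script>',
    'postdate' => '2016-12-22 09:20:25',
];

echo render_message($row);
// The question is emitted as
//   &lt;script&gt;while(1){window.open();}&lt;/script&gt;
// which the browser shows as text and never executes.

// Why $quote_style matters: ENT_COMPAT leaves the single quote as-is,
// ENT_QUOTES turns it into &#039;.
echo htmlspecialchars($row['name'], ENT_COMPAT, 'UTF-8'), PHP_EOL; // O'Brien
echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), PHP_EOL; // O&#039;Brien
```

Escaping belongs at the output step rather than at insert time: the database should keep the text exactly as submitted, and each place that prints it chooses the encoding for its context. If the page is served as gb2312 as in the article's table definition, pass that charset to h() so htmlspecialchars validates the bytes against the right encoding.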

The above covers client-side script implantation, part 3 of the complete explanation of PHP vulnerabilities. For more related content, please follow the PHP Chinese website (www.php.cn)!
