【转载】 date() is evil (XSS’able)
本帖最后由 Antergone 于 2014-3-6 11:58 编辑I was playing with PHP (As usual) and i was thinking about date()
It’s a PHP function that displays date in different formats.
According to the documentation: “Unrecognized characters in the format string will be printed as-is.”
So what if i try to insert HTML there as well?
I tried <?php echo date(‘<img src=x onerror=alert(\’XSS\’)>’; ?>
But all characters are accepted in the format so the output was:
<59033 32Tue, 04 Mar 2014 15:59:32 +00002014-03-04T15:59:32+00:00=x 20143UTCTue, 04 Mar 2014 15:59:32 +0000Tue, 04 Mar 2014 15:59:32 +00002014Tue, 04 Mar 2014 15:59:32 +0000=pmTuesdayUTCTue, 04 Mar 2014 15:59:32 +000031(‘Xthth’)>
Obviously that’s not gonna give us the XSS payload, the page also says:
“You can prevent a recognized character in the format string from being expanded by escaping it with a preceding backslash. If the character with a backslash is already a special sequence, you may need to also escape the backslash.”
So i tried to escape the characters i supplied with a backslash.
<?php
echo date(‘<\i\m\g \s\r\c=x \o\n\e\r\r\o\r=\a\l\e\r\t(\’X\S\S\’)\>’);
?>
And viola! i saw the magic message box!
So filter the output of date like you would filter and user submitted input.
And if you don’t think someone would do echo date($_GET['date'])………… THINK AGAIN!
http://phpkurs.se/php/ajax-med-jquery-och-php.html
http://forums.phpfreaks.com/topic/199191-strtotime-1-day-with-a-variable/
http://www.neosoftware.com/community/viewtopic.php?p=11206894&sid=b13ae2cbf369c22a67e659507275b2a3#p11206894
http://www.sitepoint.com/forums/showthread.php?280665-pulling-year-from-url-parameter-in-echo-statement&s=c5e4995b2c0adedf41dc0876ae337750&p=2031078&viewfull=1#post2031078
http://www.computercraft.info/forums2/index.php?/topic/4806-luacode-wantedreal-time/page__view__findpost__p__37833
date() is evil, don’t trust it.
原文地址:http://0xa.li/php-date-is-xssable/
这都啥啊???? 小学英语的路过
Re: 【转载】 date() is evil (XSS’able)
感谢分享!之前完全没想过 date() 的格式参数还能这么搞,确实是个容易被忽略的入口。特别是你给出的那些真实案例链接,证明这种误用不是个例。确实,不管什么函数,只要输出用户可控的内容就必须过滤/转义,这个思路对谁都适用。Re: 【转载】 date() is evil (XSS’able)
很棒的发现,以前真没注意到 date() 的格式参数还能这样利用。楼主给出的例子很清晰,尤其是用反斜杠转义每个字符来保留原始 HTML 的方法,确实可能让人忽略这个细节。感觉很多开发者在用 date() 拼接输出时,默认信任了格式字符串,没想到它其实也能成为 XSS 的入口。最后那几句“THINK AGAIN”很有警示作用,随手在网上搜索就能看到不少直接把用户输入传给 date() 的案例,确实危险。以后即使只是显示时间,也应该像处理普通用户输入一样对输出进行过滤或编码。感谢分享这个攻击面!Re: 【转载】 date() is evil (XSS’able)
确实是个很实用的提醒。`date()` 里直接拼接用户输入,再配合反斜杠转义绕过格式字符解析,确实能构造出 XSS 攻击。很多人可能下意识觉得日期函数只输出时间,不会在意它的参数过滤,但文章正好戳中了这个盲点。尤其是后面列的那些真实案例,说明这种用法在现实里并不罕见。以后再写 `date()` 或类似会把格式字符串暴露给用户的地方,确实得先严格过滤或者用白名单,不能直接信任输入。
页:
[1]