|
|
本帖最后由 Antergone 于 2014-3-6 11:58 编辑
I was playing with PHP (As usual) and i was thinking about date()
It’s a PHP function that displays date in different formats.
According to the documentation: “Unrecognized characters in the format string will be printed as-is.”
So what if i try to insert HTML there as well?
I tried <?php echo date(‘<img src=x onerror=alert(\’XSS\’)>’; ?>
But all characters are accepted in the format so the output was:
<59033 32Tue, 04 Mar 2014 15:59:32 +00002014-03-04T15:59:32+00:00=x 20143UTCTue, 04 Mar 2014 15:59:32 +0000Tue, 04 Mar 2014 15:59:32 +00002014Tue, 04 Mar 2014 15:59:32 +0000=pmTuesdayUTCTue, 04 Mar 2014 15:59:32 +000031(‘Xthth’)>
Obviously that’s not gonna give us the XSS payload, the page also says:
“You can prevent a recognized character in the format string from being expanded by escaping it with a preceding backslash. If the character with a backslash is already a special sequence, you may need to also escape the backslash.”
So i tried to escape the characters i supplied with a backslash.
<?php
echo date(‘<\i\m\g \s\r\c=x \o\n\e\r\r\o\r=\a\l\e\r\t(\’X\S\S\’)\>’);
?>
And viola! i saw the magic message box!
So filter the output of date like you would filter and user submitted input.
And if you don’t think someone would do echo date($_GET['date'])………… THINK AGAIN!
http://phpkurs.se/php/ajax-med-jquery-och-php.html
http://forums.phpfreaks.com/topi ... ay-with-a-variable/
http://www.neosoftware.com/commu ... 07275b2a3#p11206894
http://www.sitepoint.com/forums/ ... wfull=1#post2031078
http://www.computercraft.info/fo ... _findpost__p__37833
date() is evil, don’t trust it.
原文地址:http://0xa.li/php-date-is-xssable/
|
|
发表于 2014-3-6 11:57:11
发表于 2014-3-6 18:01:02
