如何使用XSSaminer工具在PHP源码中挖掘XSS漏洞-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

如何使用XSSaminer工具在PHP源码中挖掘XSS漏洞

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 23, 2016 pm 01:02 PM

当想要在服务器的开source脚本代码中发掘跨站脚本漏洞时，使用静态分析方法可以使我们的分析过程变得更加简单并且自动化，另外，网上也可以找到许多相关的工具。

我近期发现了一种通过寻找共性pattern在PHPsource码中发掘跨站脚本漏洞的简单方法。该方法是使用一个名为 XSSaminer 的工具，该工具根据grep创建，并使用bash语言编写。

工具介绍

它首先会检查脚本参数：

if [ -z $1 ]then   echo -e "Usage:\n$0FILE\n$0 -r FOLDER"   exitelse   f=$1fi

代码分析：如果第一行的参数$1为空，就显示使用$0作为脚本名的用例并终止程序；否则，就将该参数分配给主函数中使用的f变量。

sources=(GET POST REQUEST "SERVER\['PHP""SERVER\['PATH_" "SERVER\['REQUEST_U")sinks=(echo die printprintfprint_rvar_dump)

接下来是带有不完整字符串的source和sink，之所以不完整，是因为它们只用于匹配。sink使用source，如果可以相互匹配（在没有任何过滤的情况下），我们就需要考虑是否有用户输入注入到已经生成的HTML代码中。

如果sink中使用了GET、POST或REQUEST全局变量，那么这很明显就是注入问题。但是SERVER有一些特殊的地方，假设输入以下网址（带有破坏HTML属性的注入）：

http://domain/page.php/"><svg onload=alert(1)>

尽管上面只提到了三个SERVERsource，但是我们却可以在上述代码中找到四个SERVER，如下：

$_SERVER[‘PHP_SELF’] – returns the current URL decodedhttp://domain/page.php/"><svg onload=alert(1)>$_SERVER[‘PATH_TRANSLATED’] – returns file path on the system/var/www/html/page.php/">$_SERVER[‘PATH_INFO’] – returns info between page name and querystring (?)/">$_SERVER[‘REQUEST_URI’] – returns the current URLhttp://domain/page.php/"><svg onload=alert(1)>

最后一个，REQUEST_URI，没有将URL特殊字符解码成双引号（“）或小于号（

xssam(){        fori in ${sources[@]}        do               a=$(grep-in "\$_${i}" $f | grep -o "\$.*=" | sed "s/[]\?=//g" | sort -u)                forj in ${sinks[@]}               do                       grep--color -in "${j}.*\$_${i}" $f                        fork in $a                       do                               grep--color -in "${j}.*$k" $f                       done               done        done}

Xssam 函数用于结合source和sink，通过前两个“for”循环找到直接的隐患位置，“a”变量用于获取接收不安全的全局值（source）的变量名称。借助第三个“for”循环实现一级的脚本变量追踪。

if [ $f != "-r" ]then        xssamelse        for i in $(find $2 -type f -name "*.php")        do               echo "File: $i"               f=$i               xssam        donefi

在主代码中，这段脚本用于选择是单个文件调用xssam函数还是进入递归模式。该过程通过使用命令行中提供的带有-r选项（代替文件名）的文件夹（$2）来满足另一个“for”循环中相同的函数调用。

用例：

./xssaminerFILE (单个文件)./xssaminer-r FOLDER (递归模式, 文件夹中所有的.php文件)

XSSaminer 的主要目标是比较容易实现的XSS，而且经常会出现误报，但是它的LoC/result率是十分高的。

测试实例

如下截图为该工具对WordPress主题 Rational Lite 的测试结果：

它在 2 个不同的文件中找到了 3 个 XSS 漏洞，但是第二个为误报，第一个得到确认：

通过在整个模块文件中追踪存在漏洞的代码，发现当使用dismiss_id GET参数回调未认证的ajax操作时会弹出警告，一个0day漏洞出现了。

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Working with Flash Session Data in LaravelMar 12, 2025 pm 05:08 PM

Laravel simplifies handling temporary session data using its intuitive flash methods. This is perfect for displaying brief messages, alerts, or notifications within your application. Data persists only for the subsequent request by default: $request-

cURL in PHP: How to Use the PHP cURL Extension in REST APIsMar 14, 2025 am 11:42 AM

The PHP Client URL (cURL) extension is a powerful tool for developers, enabling seamless interaction with remote servers and REST APIs. By leveraging libcurl, a well-respected multi-protocol file transfer library, PHP cURL facilitates efficient execution of various network protocols, including HTTP, HTTPS, and FTP. This extension offers granular control over HTTP requests, supports multiple concurrent operations, and provides built-in security features.

Simplified HTTP Response Mocking in Laravel TestsMar 12, 2025 pm 05:09 PM

Laravel provides concise HTTP response simulation syntax, simplifying HTTP interaction testing. This approach significantly reduces code redundancy while making your test simulation more intuitive. The basic implementation provides a variety of response type shortcuts: use Illuminate\Support\Facades\Http; Http::fake([ 'google.com' => 'Hello World', 'github.com' => ['foo' => 'bar'], 'forge.laravel.com' =>

12 Best PHP Chat Scripts on CodeCanyonMar 13, 2025 pm 12:08 PM

Do you want to provide real-time, instant solutions to your customers' most pressing problems? Live chat lets you have real-time conversations with customers and resolve their problems instantly. It allows you to provide faster service to your custom

Explain the concept of late static binding in PHP.Mar 21, 2025 pm 01:33 PM

Article discusses late static binding (LSB) in PHP, introduced in PHP 5.3, allowing runtime resolution of static method calls for more flexible inheritance.Main issue: LSB vs. traditional polymorphism; LSB's practical applications and potential perfo

PHP Logging: Best Practices for PHP Log AnalysisMar 10, 2025 pm 02:32 PM

PHP logging is essential for monitoring and debugging web applications, as well as capturing critical events, errors, and runtime behavior. It provides valuable insights into system performance, helps identify issues, and supports faster troubleshoot

HTTP Method Verification in LaravelMar 05, 2025 pm 04:14 PM

Laravel simplifies HTTP verb handling in incoming requests, streamlining diverse operation management within your applications. The method() and isMethod() methods efficiently identify and validate request types. This feature is crucial for building

Discover File Downloads in Laravel with Storage::downloadMar 06, 2025 am 02:22 AM

The Storage::download method of the Laravel framework provides a concise API for safely handling file downloads while managing abstractions of file storage. Here is an example of using Storage::download() in the example controller:

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

2 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hello Kitty Island Adventure: How To Get Giant Seeds

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

How Long Does It Take To Beat Split Fiction?

4 weeks agoByDDD

R.E.P.O. Save File Location: Where Is It & How to Protect It?

1 months agoByDDD

Two Point Museum: All Exhibits And Where To Find Them

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

EditPlus Chinese cracked version

Small size, syntax highlighting, does not support code prompt function

Dreamweaver CS6

Visual web development tools

WebStorm Mac version

Useful JavaScript development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software

Hot Topics

Where is the login entrance for gmail email?

7384

1628

1357

1267

1216