Home > Article > Backend Development > Complete explanation of PHP vulnerabilities (3)-Client script implantation
Client-side script insertion (Script Insertion) refers to inserting executable scripts into objects such as forms, pictures, animations, or hyperlink text. When the user opens these objects, the script implanted by the attacker will be executed, and the attack will begin.
HTML tags that can be used as script implants generally include the following:
1. Page scripts such as javascript and vbscript marked by the <script> tag. You can specify the js program code in the <script> tag, or you can specify the URL path of the js file in the src attribute. 2. The object marked by the <object> tag. These objects are java applets, multimedia files, ActiveX controls, etc. Usually the URL path of the object is specified in the data attribute </script>
3. Object marked with
4. Object marked with
The attack steps of client-side script implantation
1. The attacker logs in to the website after registering as a normal user
2. Open the message page and insert the attack js code
3. Other users log in to the website (including administrators) and browse the content of this message
4. The js code hidden in the message content is executed, and the attack is successful
InstanceDatabase
CREATE TABLE `postmessage` (
`id` int(11) NOT NULL auto_increment,
`subject` varchar(60) NOT NULL default ”,
`name` varchar(40) NOT NULL default ”,
`email ` varchar(25) NOT NULL default ”,
`question` mediumtext NOT NULL,
`postdate` datetime NOT NULL default '0000-00-00 00:00:00′,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=gb2312 COMMENT='User's Message' AUTO_INCREMENT=69;
//add.php insert message
//list.php message list
//show.php display message
Submit the message below
When browsing this message, the js script will be executed
Insert <script>while(1){windows.open();}</script> infinite pop-up box
Insert<script>location.href="http://www.php1.cn/"></script>
or use other self-constructed js code to attack
Prevention methods
Generally use the htmlspecialchars function to Convert special characters to HTML encoding
Function prototype
string htmlspecialchars (string string, int quote_style, string charset)
string is the string to be encoded
quote_style optional, the value can be ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES, default value ENT_COMPAT means converting only double quotes but not single quotes. ENT_QUOTES means converting both double quotes and single quotes. ENT_NOQUOTES, indicating that double quotes and single quotes will not be converted.
charset is optional, indicating the character set used. The
function will convert the following special characters into html encoding:
& —-> &
" —-> "
' —-> '
> —-> >
Change line 98 of show.php to
Then check the vulnerability page where js is inserted
The above is the complete solution of PHP vulnerabilities (3) - the content of client script implantation, For more related content, please pay attention to the PHP Chinese website (www.php.cn)!