XSS EXPLOIT JAVA SCRIPT

-5

我的網站出現問題很多黑客來找我，竊取會員cookies並重定向到他們的網站。我搜索了一下，我發現了一個腳本，阻止xss利用，但我是新來的PHP，我不知道如何使用它。我試圖使用include和php文件的名稱。此腳本：XSS EXPLOIT JAVA SCRIPT

/* 

* XSS filter 
* 
* This was built from numerous sources 
* (thanks all, sorry I didn't track to credit you) 
* 
* It was tested against *most* exploits here: http://ha.ckers.org/xss.html 
* WARNING: Some weren't tested!!! 
* Those include the Actionscript and SSI samples, or any newer than Jan 2011 
* 
* 
* TO-DO: compare to SymphonyCMS filter: 
* https://github.com/symphonycms/xssfilter/blob/master/extension.driver.php 
* (Symphony's is probably faster than my hack) 
*/ 

function xss_clean($data) 
{ 
    // Fix &entity\n; 
    $data = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $data); 
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data); 
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data); 
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8'); 

// Remove any attribute starting with "on" or xmlns 
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data); 

// Remove javascript: and vbscript: protocols 
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data); 
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data); 
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data); 

// Only works in IE: <span style="width: expression(alert('Ping!'));"></span> 
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data); 
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data); 
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data); 

// Remove namespaced elements (we do not need them) 
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data); 
    do 
    { 
    // Remove really unwanted tags 
     $old_data = $data; 
     $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data); 
    } 
    while ($old_data !== $data); 

// we are done... 

return $data; 

}

如何使用它？請解釋放在哪裏？

來源

2015-02-24 Westel Gamers

步驟1 xss_clean($_GET['something'])和$_POST['sth']更換$_GET['something']：正確格式化您的代碼。 – 2015-02-24 08:02:06

代碼是好的，我不知道如何格式化它是一個鏈接：http://gist.github.com/mbijon/1098477 – 2015-02-24 08:03:12

這並不困難。 1-rep用戶每天可以正確執行數百次。 – 2015-02-24 08:04:45

您需要包括這個文件，那麼無論你從客戶端讀取任何東西（或者更準確地說：在您輸出您的客戶端的輸入），你需要用xss_clean($_POST['sth'])

來源

2015-02-24 08:03:29 Adassko

在使用xss_clean（$ _GET）替換$ _GET之前，我需要在頁面頂部包含xss_clean.php，對吧？ – 2015-02-24 08:05:32

是的，這是正確的 – Adassko 2015-02-24 08:06:22

好吧，我會嘗試你說的和回覆後回覆。謝謝 – 2015-02-24 08:07:33

XSS EXPLOIT JAVA SCRIPT

回答

相關問題