xss patterns

There are some source-code patterns for XSS in PHP that I should cover.

1. unserialize

<?php
# Source: raw query-string value, attacker-controlled.
$tainted = $_GET['input'];
# unserialize() rebuilds an array from the string; the nested string element
# keeps its raw bytes, so the taint propagates into $arr['foo'].
# (unserialize() on untrusted input is a deserialization risk in its own right;
# json_decode() is the safe choice for client-supplied data.)
$arr = unserialize($tainted);
# Sink: echoed without HTML escaping -> XSS.
# Mitigation: htmlspecialchars($arr['foo'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').
echo($arr['foo']);
?>

---
exploit localhost:9000/vuln.php/?input=a:1:{s:3:"foo";s:26:"<script>alert(1);</script>";}

2. String function call

<?php
/**
 * Source: returns the raw query-string value unchanged.
 */
function getParam(){
return $_GET['input'];
}

# Variable function: the callee name lives in a string, so a scanner has to
# resolve $funcName to follow the taint from getParam() into $tainted.
$funcName = 'getParam';
$tainted = $funcName();
# Sink: echoed without HTML escaping -> XSS.
echo($tainted);
?>

---
exploit localhost:9000/vuln.php/?input=<script>alert(1);</script>

3. call_user_func

<?php
/**
 * Source: returns the raw query-string value unchanged.
 */
function getParam(){
return $_GET['input'];
}

# call_user_func() invokes the function named by the string; the taint
# returned by getParam() lands in $tainted.
$tainted = call_user_func('getParam');
# Sink: echoed without HTML escaping -> XSS.
echo($tainted);

---
exploit localhost:9000/vuln.php/?input=<script>alert(1);</script>
?>

4. call_user_func_array

<?php

/**
 * Source: returns the raw query-string value unchanged.
 */
function getParam(){
return $_GET['input'];
}

# Empty argument list: getParam() takes no parameters.
$array = [];

# call_user_func_array() invokes the function named by the string with the
# given arguments; the taint returned by getParam() lands in $tainted.
$tainted = call_user_func_array('getParam', $array);

# Sink: echoed without HTML escaping -> XSS.
echo($tainted);

---
exploit localhost:9000/vuln.php/?input=<script>alert(1);</script>
?>

5. xml template

vul.php
<?php
# Source: raw query-string value, attacker-controlled.
$tainted = $_GET['tainted'];

$output = '';
$title = 'target';

# Load the template file and select the <template name="target"> node by XPath.
# NOTE: xpath() returns an array (empty when nothing matches) or false on an
# invalid expression, so [0] is undefined when the template is missing.
$template_xml = simplexml_load_file("template.xml");
$res = $template_xml->xpath("//template[@name='{$title}']")[0];
# The template text is spliced into a PHP statement: `$output .= "<template body>";`.
# Because the body sits inside a double-quoted string, the `$tainted` reference
# in template.xml is interpolated at eval time, so the raw query value lands in
# $output unescaped.
$str = "\$output .= \"".$res."\";";
eval($str); # critical: the template content is executed as PHP code, so template.xml must be trusted, and $tainted is still not escaped
# output
# Sink: $output is printed without HTML escaping -> XSS.
print_r($output);

?>

---
template.xml

<?xml version="1.0" encoding="UTF-8"?>
<theme name="MyBB Master Style" version="1600">

<template name="target" version="123"><![CDATA[
<h1>$tainted</h1>
]]></template>
</theme>

---
exploit localhost:9000/vuln.php/?tainted=<script>altert(1);</script>

6. ob (output buffering) template

vuln.php
<?php

# Source: raw query-string value; it stays in scope for the included template.
$id = $_GET['id'];

# Output buffering captures everything template.php prints instead of sending it.
ob_start();
# include() runs template.php in this scope, so the template reads $id directly
# (template.php does `echo $id;`).
include( 'template.php' );
$data = ob_get_contents();
# `@` hides any warning from ob_end_clean(); ob_get_clean() would fetch and
# discard the buffer in one step without suppression.
@ob_end_clean();

# Sink: buffered template output printed without escaping -> XSS
# (the template has to escape $id before echoing it).
print($data);

?>
---
template.php
<h1> example </h1>

<?php
# $id is the raw query-string value set by the including script (vuln.php);
# echoed without escaping -> XSS. Mitigation: htmlspecialchars($id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').
echo $id;
?>
---
exploit localhost:9000/vuln.php?id=<script>alert(1);</script>

7. PHP_SELF

<?php
# Source: $_SERVER['PHP_SELF'] is derived from the request path, including any
# trailing PATH_INFO, so the client controls it (e.g. /vuln.php/<payload>).
$tainted = $_SERVER['PHP_SELF'];
# Sink: echoed without escaping -> XSS. Escape with htmlspecialchars(), or use
# $_SERVER['SCRIPT_NAME'] when only the script path is wanted.
echo($tainted);
?>
---
exploit localhost:9000/vuln.php/<script>alert(1)</script>

8. FOREACH

<?php

# Source: every query-string parameter, whatever its name; $key is unused.
foreach ($_GET as $key => $value)
{
# Sink: each value is echoed without escaping -> XSS.
echo $value;
}

?>
---
exploit localhost:9000/vuln.php/?input=<script>alert(1);</script>
<?php
# Source: cookie value; cookies are sent by the client and are as attacker-
# controlled as query parameters.
$tainted = $_COOKIE['input'];
# Sink: echoed without escaping -> XSS.
echo $tainted;
?>
---
exploit curl 'http://localhost:9000/vuln.php' --cookie "input=</script> <script> alert(1) </script>"
<?php ?>
[<?php
# The "0" default is overwritten unconditionally below, so it never reaches the output.
$pId = "0";

# Source: raw query-string value.
$pId=$_GET['id'];


# Sink: print_r() on a string prints it verbatim, no escaping -> XSS.
print_r( $pId );

?>]

---
exploit localhost:9000/vuln.php?id=<script>alert(1);</script>

11. Singleton(单例模式)

<?php
require_once('singleton.php');
# Source: the raw query-string value is stored in the shared Singleton instance.
Singleton::getInstance()->setParam($_GET['input']);
# Sink: getInstance() returns the same object, so getParam() hands back the raw
# value, which is echoed without escaping -> XSS. The taint flows through object
# state rather than a local variable.
echo(Singleton::getInstance()->getParam());
?>

singleton.php
<?php

class Singleton{
# Holds whatever setParam() stored; returned as-is by getParam().
protected $variable = '';

# from: https://de.wikibooks.org/wiki/Websiteentwicklung:_PHP:_Muster_Singleton
protected static $_instance = null;
/**
* clone
*
* Also forbid copying the instance from outside.
*/
protected function __clone() {}

/**
* constructor
*
* Forbid external instantiation.
*/
protected function __construct() {}

/**
* Returns the single shared instance, creating it on first use.
* Every caller gets the same object, so a value stored with setParam()
* in one place is visible to getParam() everywhere else.
*/
public static function getInstance()
{
if (null === self::$_instance)
{
self::$_instance = new self;
}
return self::$_instance;
}

/** Stores $par unchanged (no validation or escaping). */
public function setParam($par){
$this->variable = $par;
}

/** Returns the stored value unchanged. */
public function getParam(){
return $this->variable;
}

}

?>

---
exploit localhost:9000/vuln.php/?input=<script>alert(1);</script>

12. type validation

<?php

# Source: raw query-string value.
$tainted = $_GET['tainted'];

# Type validation: anything that is not a numeric string is replaced by "".
# A numeric string (digits, sign, decimal point, exponent, optional leading
# whitespace) contains no HTML metacharacters, so the echo below is safe in
# HTML body context; a scanner that tracks taint without modelling is_numeric()
# would report a false positive here.
if (!is_numeric($tainted))
{
$tainted="";
}

echo $tainted;

?>

13. string replace escape

<?php

# Source: raw query-string value.
$tainted = $_GET['tainted'];

# Allow-list filter: everything except ASCII letters is stripped, so no markup
# survives and the echo is safe. preg_replace() returns null on a PCRE error,
# which echo prints as an empty string.
$tainted = preg_replace("/[^a-zA-Z]/", "", $tainted);

echo $tainted;

?>

14. built-in sanitize

<?php

# htmlspecialchars() escapes &, <, >, " (and ' when ENT_QUOTES is in effect; the
# default flag set depends on the PHP version), so the echo is safe in HTML body
# context. Pass ENT_QUOTES | ENT_SUBSTITUTE and the charset explicitly when the
# value lands in an attribute; this is not sufficient for JS or URL contexts.
$tainted = htmlspecialchars($_GET['tainted']);

echo $tainted;

?>

<?php

# htmlentities() is a superset of htmlspecialchars(): every character that has a
# named HTML entity is encoded, so the echo is safe in HTML context. The same
# flag/charset caveat applies (pass ENT_QUOTES | ENT_SUBSTITUTE explicitly for
# attribute contexts).
$tainted = htmlentities($_GET['tainted']);

echo $tainted;

?>

15. vendor sanitize

<?php


# Source: raw query-string value.
$tainted = $_GET['tainted'];

# HTMLPurifier rewrites the input to the allow-list below: only the listed tags,
# attributes and CSS properties survive, so script elements and event-handler
# attributes are dropped. a[href] relies on HTMLPurifier's URI filtering
# (confirm the default scheme allow-list is in effect); keep the vendor library
# up to date, since the sanitizer is the only thing standing between $_GET and echo.
require_once 'htmlpurifier/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'b,strong,i,em,u,a[href|title],ul,ol,li,p[style],br,span[style]');
$config->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align');
$purifier = new HTMLPurifier($config);
$tainted = $purifier->purify($tainted);

# Safe: only purified markup is echoed.
echo $tainted;

?>

16. List

<?php
# Source: the raw query-string value is placed at index 1 of a literal array.
$arr = array('useless', $_GET['input'] );
# Short list syntax (PHP 7.1+) destructures the array: $tainted now holds the
# raw value, so the taint flows through an array element and a list assignment.
[$useless, $tainted]= $arr;
# Sink: echoed without escaping -> XSS.
echo($tainted);

---
exploit localhost:9000/vuln.php/?input=<script>alert(1);</script>

?>

17. return_by_reference

<?php

/**
 * Source: writes the raw query-string value into the caller's variable through
 * the reference parameter $ref and reports success. The taint leaves the
 * function via the reference, not the return value.
 */
function getParam(&$ref){
$ref = $_GET['input'];
return true;
}

# Bare expression statement: it does nothing (and likely triggers an
# undefined-variable warning); the variable is actually created when it is
# passed by reference below.
$tainted;

# getParam() fills $tainted through its reference parameter.
if( getParam($tainted)){
# Sink: echoed without escaping -> XSS.
echo($tainted);
}

?>

---
exploit localhost:9000/vuln.php/?input=<script>alert(1);</script>

18. global

source.php
<?php
# Source: raw query-string value stored in a global; any file that requires
# this one from global scope sees it.
$global_var = $_GET['input'];
?>
vul.php
<?php
# require_once() runs source.php in this (global) scope, so $global_var is
# defined here; the taint crosses a file boundary.
require_once('source.php');
# Sink: echoed without escaping -> XSS.
echo($global_var);
?>

---
exploit localhost:9000/vuln.php/?input=<script>alert(1);</script>

<?php

/**
 * Source: stores the raw query-string value in the global $var
 * (bound into this scope with the `global` keyword); nothing is returned.
 */
function getParam(){
global $var;
$var = $_GET['input'];
}


/**
 * Sink: echoes the global $var without escaping -> XSS once getParam() has run.
 */
function printGlobal(){
global $var;
echo $var;
}

# The taint flows between the two calls through the global $var, not through
# arguments or return values.
getParam();
printGlobal();
?>

19. Field

vuln.php
<?php
require_once('classassignment.php');
$foo = new Foo();
# Source: the raw query-string value is written into the object's 'variable'
# field through a dynamic property name.
$foo->setParam('variable', $_GET['input']);
# Sink: getParam() returns the field unchanged and it is echoed without escaping -> XSS.
echo($foo->getParam());
?>

classassignment.php
<?php

class Foo{
# Holds whatever setParam() stored; returned as-is by getParam().
protected $variable = '';
/**
* Assigns $par to the property named by $variableName (variable property
* name: `$this->$variableName`). The caller passes 'variable', so the value
* lands in $this->variable; no validation or escaping is applied, and a
* scanner has to resolve the dynamic name to follow the taint.
*/
public function setParam($variableName, $par){
$this->$variableName = $par;
}
/** Returns $this->variable unchanged. */
public function getParam(){
return $this->variable;
}
}
?>

---
exploit localhost:9000/vuln.php/?input=<script>alert(1);</script>