Break through four pseudo-static injection methods

Source: Internet
Author: User
Tags: vars, havij

Pseudo-static URLs are mainly used to hide the names of the parameters being passed; pseudo-static is only a form of URL rewriting. Since parameter input is still accepted, it does not prevent injection. Currently, the most effective way to prevent injection is to use LINQ. A typical pseudo-static page looks like http://www.bkjia.com/play/Diablo.html. When you see such a page, the first thing to determine is whether it is truly static or pseudo-static; there are many ways to tell.
 
For example, if the underlying dynamic page is game.php, then when a user accesses the pseudo-static URL the program automatically converts it into the form http://www.XXX.com/game.php?action=play&name=Diablo. This conversion is performed by PHP and cannot be seen by the visitor. If the parameter name=Diablo has an injection point but is reached through the pseudo-static page, the injection statement is similar to the usual one. However, the MySQL comment sequence cannot be used here, because the slash in the comment would be treated as a directory separator in the URL; the injected statement therefore has to be completed (balanced) properly instead.
 
To detect the injection point, you can use http://www.XXX.com/play/Diablo'and 1w.'1.html and http://www.XXX.com/play/Diablo'and 1w.'2.html to determine whether a union query succeeds. The statement I used was http://www.XXX.com/play/diablo'and 1 = 2 union select 1, 2... From information_schema.columns where 110000'1.html, but it failed after many tests. It is possible that the program's SQL statement has further conditions after the injected part; I did not investigate the specific reason in detail.
 
Therefore, only blind injection can be used for detection at this point. However, because of the special form of pseudo-static URLs, general injection tools cannot be used directly; instead, the cookie-to-GET injection relay script written by "Hedgehog" is used. You only need to write the injection parameter as Diablo and append .html after the prepared statement, and then it can be fed directly to Pangolin.
 
The injection speed depends on the transfer speed. It is better to use an older version of Pangolin; a newer version, because of its higher speed, may fail to detect some content when guessing characters. To better understand pseudo-static, let's look at four PHP pseudo-static implementation methods:
 
 
Code
<?php
// Pseudo-static method 1
// Request: localhost/php100/test.php?id|1@action|2
$Php2Html_FileUrl = $_SERVER["REQUEST_URI"];
echo $Php2Html_FileUrl . "<br>"; // /php100/test.php?id|1@action|2

// Take everything from the last "?" and drop the "?" and any "/"
$Php2Html_UrlString = str_replace("?", "", str_replace("/", "", strrchr($Php2Html_FileUrl, "?")));
echo $Php2Html_UrlString . "<br>"; // id|1@action|2

// "@" separates parameters, "|" separates a name from its value
$Php2Html_UrlQueryStrList = explode("@", $Php2Html_UrlString);
print_r($Php2Html_UrlQueryStrList); // Array ( [0] => id|1 [1] => action|2 )
echo "<br>";
foreach ($Php2Html_UrlQueryStrList as $Php2Html_UrlQueryStr) {
    $Php2Html_TmpArray = explode("|", $Php2Html_UrlQueryStr);
    print_r($Php2Html_TmpArray); // Array ( [0] => id [1] => 1 ); Array ( [0] => action [1] => 2 )
    echo "<br>";
    // Copy the parsed pair into $_GET so later code can use it as usual
    $_GET[$Php2Html_TmpArray[0]] = $Php2Html_TmpArray[1];
}
// echo 'pseudo-static: $_GET variables<br>';
print_r($_GET); // Array ( [id|1@action|2] => [id] => 1 [action] => 2 )
echo "<br>";
echo $_GET['id'] . "<br>"; // 1
echo $_GET['action'];      // 2
?>
 
Code
<?php
// Pseudo-static method 2
// Request: localhost/php100/test.php/1/2
$filename = basename($_SERVER['SCRIPT_NAME']);
echo $_SERVER['SCRIPT_NAME'] . "<br>"; // /php100/test.php
echo $filename . "<br>";               // test.php

if (strtolower($filename) == 'test.php') {
    if (!empty($_GET['id'])) {
        // Ordinary query-string form: test.php?id=1&action=2
        $id = intval($_GET['id']);
        echo $id . "<br>";
        $action = intval($_GET['action']);
        echo $action . "<br>";
    } else {
        // Pseudo-static form: strip the script name from the request URI
        $nav = $_SERVER['REQUEST_URI'];
        echo "1:" . $nav . "<br>"; // /php100/test.php/1/2
        $script = $_SERVER['SCRIPT_NAME'];
        echo "2:" . $script . "<br>"; // /php100/test.php
        // ereg_replace() was removed in PHP 7; preg_replace() with a quoted prefix does the same job
        $nav = preg_replace('#^' . preg_quote($script, '#') . '#', '', urldecode($nav));
        echo $nav . "<br>"; // /1/2
        $vars = explode("/", $nav);
        print_r($vars); // Array ( [0] => [1] => 1 [2] => 2 )
        echo "<br>";
        $id = intval($vars[1]);
        $action = intval($vars[2]);
    }
    echo $id . '&' . $action;
}
?>
 
Code
<?php
// Pseudo-static method 3
// Request (constructed example URL): localhost/php100/test.php/year/2006/action/_add.html
function mod_rewrite()
{
    // $_GET is a superglobal, so no "global" declaration is needed
    $nav = $_SERVER["REQUEST_URI"];
    echo $nav . "<br>";
    $script_name = $_SERVER["SCRIPT_NAME"];
    echo $script_name . "<br>";
    // Strip the script name (ereg_replace() was removed in PHP 7) and the leading "/"
    $nav = substr(preg_replace('#^' . preg_quote($script_name, '#') . '#', '', urldecode($nav)), 1);
    echo $nav . "<br>";
    // Remove a trailing .html or .htm
    $nav = preg_replace('/\.htm(l)?$/', '', $nav);
    echo $nav . "<br>";
    $vars = explode("/", $nav);
    print_r($vars);
    echo "<br>";
    // Segments alternate name/value: year/2006/action/_add
    for ($i = 0; $i < count($vars); $i += 2) {
        $_GET[$vars[$i]] = isset($vars[$i + 1]) ? $vars[$i + 1] : '';
    }
    return $_GET;
}
mod_rewrite();
$year = $_GET["year"];     // The result is 2006
echo $year . "<br>";
$action = $_GET["action"]; // The result is '_add'
echo $action;
?>
 
Code
<?php
// Pseudo-static method 4
// Read PATH_INFO from the server variables. In this example it is /1,100,8630.html,
// i.e. the part of the URL after the script name.
if (@$path_info = $_SERVER["PATH_INFO"]) {
    // Match the parameters with a regular expression
    if (preg_match("/\/(\d+),(\d+),(\d+)\.html/si", $path_info, $arr_path)) {
        $gid    = intval($arr_path[1]); // gets the value 1
        $sid    = intval($arr_path[2]); // gets the value 100
        $softid = intval($arr_path[3]); // gets the value 8630
    } else {
        die("Path: Error!");
    }
    // Equivalent to soft.php?gid=1&sid=100&softid=8630
} else {
    die('Path: Nothing!');
}
?>
Code
PHP anti-injection, mainly to prevent malicious writes to the back-end database:
<?php
// Anti-injection function: a keyword blacklist. eregi() was removed in PHP 7,
// so the same pattern is used with preg_match() and the i (case-insensitive) flag.
function inject_check($sql_str)
{
    $check = preg_match('/select|insert|update|delete|\'|\/\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str);
    if ($check) {
        echo "illegal content entered";
        exit();
    } else {
        return $sql_str;
    }
}
// Filter the received parameter
$_GET['type'] = inject_check($_GET['type']);
// Use the filtered parameter afterwards
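The four methods above only copy URL segments into $_GET, and the filter just shown is a keyword blacklist; neither makes a value safe to splice into SQL. The following is an added example, not code from the original article: it parses a pseudo-static path the way method 4 does (a strict regular expression over PATH_INFO) and then looks the name up with a PDO prepared statement, so the path segment reaches the database only as bound data. The table games with columns name and title, the action names play and detail, and the sample rows are assumptions; SQLite in memory stands in for MySQL so the script runs offline.

```php
<?php
// Added example (not from the original page): a hardened handler for a
// pseudo-static URL such as /play/Diablo.html. Table, columns, action names
// and sample rows are assumptions; SQLite in memory replaces MySQL.
declare(strict_types=1);

// Parse "/<action>/<name>.html" into [action, name], or null when the path
// does not match. The character class is a whitelist: quotes, spaces, slashes
// and comment sequences never get past this point.
function parsePseudoStatic(string $pathInfo): ?array
{
    if (!preg_match('#^/(play|detail)/([A-Za-z0-9_-]{1,64})\.html$#', $pathInfo, $m)) {
        return null;
    }
    return ['action' => $m[1], 'name' => $m[2]];
}

// Build an in-memory SQLite database holding constructed sample rows.
function makeSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE games (id INTEGER PRIMARY KEY, name TEXT UNIQUE, title TEXT)');
    $ins = $db->prepare('INSERT INTO games (name, title) VALUES (:name, :title)');
    foreach ([['Diablo', 'Diablo II'], ['Quake', 'Quake III Arena']] as [$n, $t]) {
        $ins->execute([':name' => $n, ':title' => $t]);
    }
    return $db;
}

// Look a game up by its URL name. The value is a bound parameter, so a string
// such as "Diablo' and 1=1" is compared literally and simply matches no row.
function findGame(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT title FROM games WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

// Handle one request path: whitelist parse first, bound lookup second.
function handle(PDO $db, string $pathInfo): string
{
    $params = parsePseudoStatic($pathInfo);
    if ($params === null) {
        return '404 Not Found';
    }
    return findGame($db, $params['name']) ?? '404 Not Found';
}

$db = makeSampleDb();
foreach ([
    '/play/Diablo.html',          // normal request
    "/play/Diablo' and 1=1.html", // rejected by the path whitelist
    '/play/Unknown.html',         // well-formed, but no such row
] as $path) {
    echo $path, ' => ', handle($db, $path), PHP_EOL;
}
// Even with the whitelist skipped, the bound query treats the probe as a literal name.
echo 'bound lookup of "Diablo\' and 1=1" => ', findGame($db, "Diablo' and 1=1") ?? 'no row', PHP_EOL;
```

For purely numeric segments, intval() as used in methods 2 and 4 already reduces a value like 5453-0 to 5453; the prepared statement is what covers string parameters such as the game name, and it does so without a keyword list that has to anticipate every SQL token.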
 
In the previous article on pseudo-static injection, the writing was simple and basically only a brief introduction to the methods and principles of pseudo-static injection; I did not mention many details, and I have to make some corrections. With pseudo-static injection you can use union queries, but you have to guess the number of fields one by one, which is a little troublesome. This year I mainly looked at American websites and found that many pseudo-static websites have injection points, but most of them are relatively hidden, so it takes a lot of time to penetrate such a website. Here I will take the penetration of a game site in the United States as an example to introduce the entire penetration and exploitation process.
 
Some time ago I was bored, and when I went to a game site to relax I found that the site was doing well and the number of online users reached ; because I visited during the day, which was supposed to be evening in the United States, you could see that the traffic on this site was very large. I checked alexa: the ranking was around and the traffic around , so the real traffic on this site is estimated to be even more. My mouth was watering!!! Then I decided to check the security of the website. Only two pages on the entire website call PHP, and there is no injection point. The general information about the whole website is as follows: APACHE, PHP, unknown database (should be MYSQL), pseudo-static pages (found after checking), the background cannot be found, directories cannot be brute-forced (accessing a non-existent page or directory returns to the home page, the status code is always 200 or 301, so scanning gives many false positives), registration is possible (no injection points), files cannot be uploaded, no common configuration vulnerabilities (such as directory browsing), no redundant files found by scanning, no FTP, no SSH, nothing from a port scan. It seems this website is very tricky; after all, it is ranked within 4K!!! I searched GG and baidu for PHP and sensitive pages and did not find anything new. In fact, using baidu to search pages on foreign sites sometimes brings pleasant surprises! Because the website is pseudo-static, I performed pseudo-static injection tests on the main pages, but there were no vulnerabilities, and I do not know what template the website uses. I scanned the domain name with a same-server lookup tool and found that more than a dozen websites were bound to the server. Unfortunately, all of them use the same website template, and the situation is the same as for the main site. I guess many people would think of the C segment here.
Unfortunately, foreign IDCs are stranger: a C segment is generally not placed in one switched environment; the most BT case I encountered had the subnet mask set to 255.255.255.255.252, and a better one was 255.255.255.255.244. Even if a host in the same segment is obtained, it is generally a LINUX server, which is extremely difficult to escalate privileges on, and the published 0-days are basically unusable, so I simply gave up on the C segment.
 
Back to the website: I registered an account and looked at the user functions; basically there was only permission to modify one's own information, and the COOKIES test showed no vulnerability. However, I found that the website administrator's account is in the same table as registered users: changing the ID in the URL gives you the user name. Unfortunately only the user name is available, and the user name is BT, hey!!!! Continuing to chew on this hard bone~~~~ On the game page I found a voting link; packet capture showed it was also pseudo-static (the link looks like http://www.XXXXX.com/vote/5453/1). Through pseudo-static injection-point detection I determined that an injection vulnerability exists and that an UPDATE statement is executed after submission. The statements submitted during detection were: http://www.XXXXX.com/vote/5453 '/1 gives an error, http://www.XXXXX.com/vote/5453-0/1 returns the normal game name, http://www.bkjia.com/vote/5453-1/1 returns the name of game 5452, which confirms the injection point. The connected table is member, but unfortunately the error messages shown are very complicated, with all kinds of symbols, there is no way to complete the statement, and the tables and columns of the database are unknown. It seemed that only the source code could be used to construct the injection statement, and the only other thing found on the entire website was a physical-path disclosure vulnerability! That was the result of the preliminary check; in a word, difficult!
 
I went to bed very late, so I came up from time to time to check the website and the administrator's online status. After a week I felt uncomfortable. I opened the website again and used the registration page, login page and submission page as keywords to find the same template online. This time I finally found a newly deployed website whose background path was admin and whose admin account was the default. After getting in, I could use a SHELL directly from the background, and I checked online for 0days of this website template; after reading the source code I only found the chicken-rib injection point. At this point I suddenly thought of something: I checked the table structure of the database through the uploaded SHELL. The member table had an administrator field, set to 1 for an ordinary user and 2 for an administrator, so permissions could be elevated through the injection point, and the SQL statement for voting is displayed on the PHP page. I constructed a statement and tested it directly on the game station (statement: http://www.XXXXX.com/vote/5453;} ', xxx = 'xxx', xxx =' {xxxx/1), and successfully upgraded myself to administrator (after verification I found that the privilege escalation works on any website using this template; another 0-day for this template!). As long as the account has administrative permissions, the user name is displayed in yellow on the front-end page. I logged on to the game station in ecstasy and found that an administrator logon option was added to the user interface!!! Then tragedy struck again: the linked directory is the default path, and the background cannot be found. Unwilling to give up, I used a dictionary to scan for the background, putting a self-generated dictionary of numbers and characters into havij for brute-force cracking. Because havij lets you customize the status codes, I excluded 200 and 301; no results after 3 days of scanning!!!! Tangled!!!!
 
One day a week later, I opened the website again and scanned the entire directory again with an online dictionary. This time I found a server-status in the root directory. After visiting it I was very excited: APACHE shows the URLs it is currently serving, so the pages accessed by users can be seen. I then found Website Watcher for monitoring; after setting some keywords, the page is checked every 3 seconds on average, and if any keyword appears, an alarm is sent by MAIL with the page containing the keyword included in the email. Two days later I successfully caught the background page. After opening it I found it was protected by 401 authentication. The website had no download or FL vulnerability, and I tried to log on with the administrator information obtained; all attempts failed, and my mind was congested!!!! By the way, didn't I still have UPDATE permission!! Because of a MySQL restriction, content in one table cannot be directly used to update other columns of the same table, so I failed the first time; I looked up the rebuild statement online and succeeded in getting the administrator's MD5 password. I checked the source code from step 5 and used the administrator's account to pass the 401 authentication and successfully logged on to the background. After getting in I uploaded a webshell and got a reverse shell; the system turned out to be X64, and none of the EXPs obtained from the Internet could escalate privileges. However, two Internet IP addresses were found on the server, and the other IP address could connect to FTP and SSH; I tried to log on with the administrator password and the user names from passwd, and found that the network administrator uses public-key authentication with RSA. Directly accessing the directory where the public key is stored shows DENY, and downloading the public key directly also gives DENY; however, all website directories can be viewed.
 
At this step the intrusion had basically succeeded, but privileges had not been raised. I put the administrator's user name into GG and found his "footprints" everywhere, but could not log in with his password; only social engineering and tracking remain. It seems privilege escalation will be a long process. The whole intrusion, from the beginning to obtaining permissions on the website, took two months; I will try to raise privileges when I have some time. Thanks a little more. In fact, the use of pseudo-static injection is still very valuable; combined with other chicken-rib security issues, it can directly threaten the security of websites and even servers. In contrast, domestic platforms are rotten: once you have a WEBSHELL on LINUX you have 80% of the permissions, and I have never seen SSH authentication with a public key. This is probably the gap. I'll write this much here first and write a complete pseudo-static injection and detection method when I have time!!! Privilege escalation content to be continued (if the escalation succeeds!)
