Exercise: Modifying an HTTP Request

Challenge link: portal

Prerequisite tools: HackBar, Burp Suite

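First, passing parameters via GET and POST needs no explanation. Once all the parameters have been passed, you arrive at this page: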


The request is as follows:

POST /study/HttpAssess/check_A.php/?a=this_is_GET HTTP/1.1
Host: www.hikkibox.top
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

b=this_is_POST

The next step is to upload a file. First, look at the format of the request when a file is uploaded:


POST /study/UploadStudy/upload.php HTTP/1.1
Host: www.hikkibox.top
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://www.hikkibox.top/study/UploadStudy/upload.php
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------17729561126908
Content-Length: 353

-----------------------------17729561126908
Content-Disposition: form-data; name="file"; filename="破解教程.txt"
Content-Type: text/plain

吾爱破解
-----------------------------17729561126908
Content-Disposition: form-data; name="submit"

点击提交
-----------------------------17729561126908--

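Next, modify the request. The first and most important step is to change "Content-Type". If you keep "application/x-www-form-urlencoded", it will not pass no matter what (I tried); even the POST parameter fails to be passed. Why?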

Changing it to the following form passes:

POST /study/HttpAssess/check_A.php/?a=this_is_GET HTTP/1.1
Host: www.hikkibox.top
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=123
Content-Length: 183

--123
Content-Disposition: form-data; name="c"; filename="c"
Content-Type: image/png

this_is_FILES
--123
Content-Disposition: form-data; name="b"

this_is_POST
--123
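
The following is an added example, not part of the original post and not the challenge's server code. It builds the multipart body used above (boundary 123, file field c, form field b) and runs it through a simplified model of a server that picks its body parser from the Content-Type header alone; the function names are hypothetical.

```python
from email import message_from_bytes
from urllib.parse import parse_qs

def build_multipart(boundary, fields, files):
    """Return a CRLF-delimited multipart/form-data body as bytes."""
    lines = []
    for name, (filename, ctype, data) in files.items():
        lines += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{name}"; filename="{filename}"',
                  f"Content-Type: {ctype}", "", data]
    for name, value in fields.items():
        lines += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{name}"', "", value]
    lines += [f"--{boundary}--", ""]  # closing delimiter ends with "--" (RFC 2046)
    return "\r\n".join(lines).encode()

def parse_body(content_type, body):
    """Simplified server model (an assumption): the Content-Type header
    selects the parser. Returns (post_fields, uploaded_files)."""
    post, files = {}, {}
    if content_type.startswith("application/x-www-form-urlencoded"):
        post = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    elif content_type.startswith("multipart/form-data"):
        raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
        msg = message_from_bytes(raw)
        for part in (msg.get_payload() if msg.is_multipart() else []):
            name = part.get_param("name", header="content-disposition")
            data = part.get_payload(decode=True).decode()
            if part.get_filename() is not None:  # filename= marks a file part
                files[name] = (part.get_filename(), part.get_content_type(), data)
            else:
                post[name] = data
    return post, files

if __name__ == "__main__":
    body = build_multipart("123", {"b": "this_is_POST"},
                           {"c": ("c", "image/png", "this_is_FILES")})
    print("Content-Length:", len(body))  # recompute whenever the body is edited
    # Correct header: b lands in the form fields, c in the uploaded files.
    print(parse_body("multipart/form-data; boundary=123", body))
    # Same bytes under the urlencoded header: no field b and no file at all.
    print(parse_body("application/x-www-form-urlencoded", body))
```

Under the urlencoded header the whole multipart body is read as a single malformed key/value pair, so neither b nor the file c is recovered.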
