mysql注入8
#0x10.c~标题HTTP查询字符串参数(GET):URL中发送的输入参数。HTTP正文参数(POST):HTTP主体中发送的输入参数。HTTP Cookie参数:HTTP cookie中发送的输入参数。HTTP标头:应用程序使用的HTTP请求标头。HTTP头字段是超文本传输协议(HTTP)中的请求和响应的消息头的组件。它们定义HTTP事务的操作参数。Example: Request HTTPCode:GET / HTTP/1.1Connection: Keep-AliveKeep-Alive: 300Accept:/Host: hostAccept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 ( .NET CLR 3.5.30729; .NET4.0E)Cookie: guest_id=v1%3A1328019064; pid=v1%3A1328839311134当存储在数据库中用于会话识别时,我们可以将HTTP Cookie视为应该测试的第一个潜在HTTP变量。我们将在基于Cookie的SQL注入示例中看到下一个。还有与应用程序相关的其他HTTP标头。X-Forwarded-For是一个HTTP头字段,被认为是事实上的标准,用于识别通过HTTP代理或负载均衡器连接到Web服务器的客户端的原始IP地址。我们将在表单提交的基础上看到这个漏洞的一个例子。<?php $req = mysql_query("SELECT user,password FROM admins WHERE user='".sanitize($_POST['user'])."' AND password='".md5($_POST['password'])."' AND ip_adr='".ip_adr()."'");由于sanitize()方法,可以正确控制变量login。<?php1function sanitize($param){ if (is_numeric($param)) { return $param; } else { return mysql_real_escape_string($param); } }让我们检查一下ip变量。 它正在分配ip_addr()方法的输出。<?phpfunction ip_adr() { if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip_adr = $_SERVER['HTTP_X_FORWARDED_FOR']; } else { $ip_adr = $_SERVER["REMOTE_ADDR"]; } if (preg_match("#^{1,3}.{1,3}.{1,3}.{1,3}#",$ip_addr)) { return $ip_adr; } else { return $_SERVER["REMOTE_ADDR"]; } }显然,从HTTP头X_FORWARDED_FOR中检索IP地址。 稍后由preg_match控制,它验证此参数是否确实包含至少一个IP地址。 事实上,在SQL查询中使用其值之前,环境变量HTTP_X_FORWARDED_FOR未正确清理。 这可以通过将任意SQL代码注入此字段来运行任何SQL查询。将此标头字段简单修改为:GET /index.php HTTP/1.1Host: X_FORWARDED_FOR :127.0.0.1' or 1=1#will lead to bypass the authentication control.User agent is an HTTP header field gives the software program used by the original client. This is for statistical purposes and the tracing of protocol violations. It should be included. The first white space delimited word must be the software product name, with an optional slash and version designator.Not all applications are written to capture the user-agent data, but sometimes applications are designed to store such information (ex: shopping cart providers) to make use of it. In this case, it’s worth investigating the user-agent header for possible issues.HTTP query example:GET /index.php HTTP/1.1Host: User-Agent: aaa' or 1/*Referer是另一个HTTP标头,一旦应用程序将其存储在数据库中而不对其进行清理,它可能容易受到sql注入攻击。 它是一个可选的头字段,允许客户端为服务器的好处指定从中获取请求中的URI的文档(或文档中的元素)的地址(URI)。 这允许服务器生成文档的反向链接列表,用于兴趣,记录等。它允许跟踪故障链接以进行维护。GET /index.php HTTP/1.1Host: User-Agent: aaa' or 1/*Referer: http://www.yaboukir.com
页:
[1]
