SQL injection HTTP header injection
2022-07-07 05:04:00 【In a word, the Trojan horse (the growth road of Wang an Xiaobai)】
Contents
I. HTTP header injection: User-Agent
II. HTTP header injection: X-Forwarded-For
III. HTTP header injection: Referer
I. HTTP header injection: User-Agent
1. What is User-Agent?
The user agent (User Agent, abbreviated UA) is a special header string that enables the server to identify the client's operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-ins, and so on.
2. Principle of HTTP header (User-Agent) injection
Because the back end saves the User-Agent value to the database, SQL injection is possible through this header.
3. Carrying out HTTP header (User-Agent) injection
3.1. Open sqlilabs/Less-18/index.php. Before entering the user name and password, start Burp Suite, then click Submit to capture the request.
3.2. Work on the captured request in Burp Suite's Repeater module.
3.3. First, add characters to the User-Agent to see whether they cause an error, then try to close the quote.
3.4. The quote is closed. Because and '1'='1 is used to close it, the payload has to be written in front of that and.
3.5. Because the error message is echoed back, error-based injection can be used to get the current database.
payload:' and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1
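Why the quote probe in 3.3 errors and the closure in 3.4 does not, shown as an added example that is not code from the lab or from the original post. It uses an in-memory SQLite database in place of the lab's back end; the table and function names are hypothetical.

```python
import sqlite3

def make_db():
    # Assumed request-logging table; the schema is illustrative only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE uagents (uagent TEXT, ip_address TEXT, username TEXT)")
    return db

def log_vulnerable(db, user_agent, ip, username):
    # The header is pasted between quotes, so a quote inside it ends the
    # string literal and whatever follows is parsed as SQL.
    db.execute("INSERT INTO uagents (uagent, ip_address, username) "
               f"VALUES ('{user_agent}', '{ip}', '{username}')")

def log_hardened(db, user_agent, ip, username):
    # Placeholders bind the header as a value; it is never parsed as SQL.
    db.execute("INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)",
               (user_agent, ip, username))

def stored_agents(db):
    return [row[0] for row in db.execute("SELECT uagent FROM uagents ORDER BY rowid")]

def try_log(fn, db, user_agent):
    """Return 'ok', or the database error text an error-echoing page would show."""
    try:
        fn(db, user_agent, "127.0.0.1", "admin")
        return "ok"
    except sqlite3.Error as exc:
        return f"error: {exc}"

# Constructed header values that follow steps 3.3 and 3.4 of the text.
PROBE = "Mozilla/5.0'"             # stray quote: statement no longer parses
CLOSED = "Mozilla/5.0' and '1'='1"  # quote closed again: statement parses

if __name__ == "__main__":
    for fn in (log_vulnerable, log_hardened):
        db = make_db()
        results = [try_log(fn, db, PROBE), try_log(fn, db, CLOSED)]
        print(fn.__name__, results, stored_agents(db))
```

With the concatenating version the stored value is the result of a boolean expression rather than the header, which shows that the header changed the statement; with bound parameters both values are stored verbatim.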
II. HTTP header injection: X-Forwarded-For
1. What is X-Forwarded-For?
X-Forwarded-For (XFF) is an HTTP request header field used to identify the original IP address of a client that connects to the web server through an HTTP proxy or load balancer.
Purpose: to obtain the real IP address of the HTTP requester.
2. Principle of X-Forwarded-For injection
X-Forwarded-For injection works on a similar principle to User-Agent injection: the back end saves the data to the database.
3. Carrying out X-Forwarded-For injection
3.1. Open sqlilabs/Less-18/index.php. Before entering the user name and password, start Burp Suite, then click Submit to capture the request.
3.2. Add the X-Forwarded-For field. Before the field is added, the address is the host address.
3.3. After the X-Forwarded-For field is added, the IP address is the IP address given in the field.
3.4. Add a single quotation mark after the field value to see whether it causes an error.
3.5. Try to close the quote.
3.6. Use error-based injection to obtain the name of the current database.
payload:X-forwarded-for:172.63.25.3' and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1
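Since X-Forwarded-For is supposed to carry nothing but IP addresses, the server can refuse anything else before the value reaches a query. The following is an added example, not code from the lab or the original post; the function name, the trusted-proxy set and the sample addresses are assumptions.

```python
import ipaddress

# Constructed example: addresses of the reverse proxies this server sits behind.
TRUSTED_PROXIES = {"10.0.0.5"}

def client_ip(xff_header, peer_ip, trusted_proxies=TRUSTED_PROXIES):
    """Choose the client address to record for a request.

    peer_ip is the TCP peer address seen by the server. The header is only
    honoured when that peer is one of our own proxies, and only if every
    entry examined parses as an IP address.
    """
    if peer_ip not in trusted_proxies or not xff_header:
        # A direct client can put anything in the header, so ignore it.
        return peer_ip
    # Entries are appended left to right, so walk from the right and take
    # the first hop that is not one of our proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Not an IP literal (for example, a quote and SQL text after the
            # address): discard the whole header.
            return peer_ip
        if str(addr) not in trusted_proxies:
            return str(addr)
    return peer_ip

if __name__ == "__main__":
    print(client_ip("172.63.25.3", "10.0.0.5"))
    print(client_ip("172.63.25.3' and '1'='1", "10.0.0.5"))
    print(client_ip("172.63.25.3", "203.0.113.9"))
```

The value returned here should still be written to the database through a bound parameter; validation narrows the input, it does not replace parameterized queries.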
III. HTTP header injection: Referer
1. What is Referer?
Referer is a field in the request header of an HTTP request; it indicates the source of this URL.
2. Principle of Referer injection
As with the two above, the back-end code saves the value of the Referer field to the database.
3. Carrying out Referer injection
3.1. Open sqlilabs/Less-19/index.php. Before entering the user name and password, start Burp Suite, then click Submit to capture the request.
3.2. Add a single quotation mark directly after the field value to see whether it causes an error.
3.3. Try to close the quote; using and '1'='1 closes it successfully.
3.4. Use error-based injection to view the current database name.
payload:' and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '1'='1
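On the detection side, the three headers covered above can be screened in request logs for the markers these payloads share. This is an added example, not part of the original post; the JSON log format and the sample records are constructed, and the pattern is a triage heuristic rather than a complete SQL injection signature.

```python
import json
import re

WATCHED = ("user-agent", "x-forwarded-for", "referer")

# Markers drawn from the payloads in this article: a quote followed by a
# boolean operator, or a call to one of the XML error-based functions.
MARKERS = re.compile(r"'\s*(?:and|or)\b|\b(?:updatexml|extractvalue)\s*\(",
                     re.IGNORECASE)

def flag_requests(log_lines):
    """Return (request id, header name) for each watched header that matches."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        headers = {k.lower(): str(v) for k, v in rec.get("headers", {}).items()}
        for name in WATCHED:
            if MARKERS.search(headers.get(name, "")):
                hits.append((rec.get("id"), name))
    return hits

# Constructed log records, one JSON object per line.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"id": 1, "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
                          "Referer": "http://localhost/sqlilabs/Less-19/index.php"}},
    {"id": 2, "headers": {"User-Agent": "Mozilla/5.0' and '1'='1"}},
    {"id": 3, "headers": {"X-Forwarded-For": "172.63.25.3' and updatexml(1,1,1) and '1'='1"}},
    {"id": 4, "headers": {"Referer": "x' AND EXTRACTVALUE(1,1) and '1'='1"}},
    {"id": 5, "headers": {"User-Agent": "Bob's Crawler/1.0"}},  # benign apostrophe
)]

if __name__ == "__main__":
    for request_id, header in flag_requests(SAMPLE_LOG):
        print(f"request {request_id}: suspicious {header}")
```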