[CyberSecurityLearning 52] Web architecture security analysis (web working mechanism, HTTP protocol)

Table of contents

Web working mechanism

Webpage, website

Web container

Static pages

Middleware server

The emergence of databases

Build a website

HTTP protocol overview

Overview

Features

URL

HTTP message analysis

HTTP working mode

REQUEST

Request message, as follows

experiment

RESPONSE

The response message is as follows:

status code

Main field

Conditions of the Same Origin Strategy

Exploring the Same Origin Strategy

Prepare two pages


Why study this lesson

We are learning penetration testing mainly against web applications, so we need a certain understanding of web architecture.

Browse all things on the Internet:

                                  

Web working mechanism

Webpage, website

Through a browser we see attractive pages on the Internet. These are generally .html pages rendered by the browser, built with front-end technologies such as CSS. A collection of web pages is a website.

Web container

A web container, also called a web server, mainly provides the Web service, which is commonly referred to as the HTTP service.
Common web containers include Apache, IIS and Nginx.

Apache natively supports PHP, and IIS natively supports ASP/.NET.

Static pages

Static pages are .html files, which are plain text files containing HTML code.
HTML (HyperText Markup Language) is interpreted and rendered by the browser.

Middleware server

The model above can only present information to users in one direction. As the Web developed, information had to flow in both directions, creating a need for interaction; this is the concept of dynamic web pages. "Dynamic" means that technologies such as Flash, PHP, ASP and Java are used to embed executable scripts in web pages; when the user's browser interprets the page and encounters a script, it runs it.

Scripts give the Web service model two-way communication. The web server model can then handle all kinds of transactions like traditional software, such as editing files, calculating interest or submitting forms, which greatly widens what the Web architecture can be used for.

These scripts can be embedded in the page (JavaScript, for example), or stored as separate files in the web server's directories (.asp, .php, .jsp files and so on). Over time the growing set of functional scripts forms a common toolkit that can be managed separately and used directly during web development. This is the middleware server, which is really an extension of the web server's processing capability.

The emergence of databases

Static pages and scripts are designed in advance and generally change infrequently. Much of a website's content, however, must be updated often, and it is clearly inappropriate to put such changing data into static pages or program code. The traditional approach is to separate the data from the program and keep the data in a dedicated database.

Web developers add a database server behind the web server. Frequently changing data is stored in the database, where it can be updated at any time. When a user requests a page, the script uses the SQL database language to read the latest data from the database according to the page requested; wherever dynamic data is involved it is filled in to produce a "complete" page, which is finally sent to the user.

Build a website

Source link: https://pan.baidu.com/s/1lsn9gfOQ1TbNwIiIn-9MJw
Extraction code: cy39

Copy the cms folder from the source package to the root directory of the phpstudy website.

The cms folder contains install.sql (the database file); under its include folder is database.inc.php (the database configuration file), which you can open by right-clicking it.

Create a new database named cms (in phpMyAdmin).

Import install.sql (select the database first, then import).

Then refresh the page.

 

HTTP protocol overview

HTTP (HyperText Transfer Protocol) is the specification and set of requirements for message delivery.

  • Overview

    • Proposed in 1990; the current version is 1.1.
    • HTTP is used to transfer HTML documents from a web server to a web browser.
    • It is a request/response protocol: the client sends a request and the server responds to it.
    • HTTP runs over a reliable TCP connection; the default port is 80.

  • Features

    • Supports the browser/server (B/S) model.
    • Simple and fast: when the browser makes a request to the server it only needs to transmit the request method and the request path.
    • Flexible: HTTP can transmit data objects of any type (including html, jpg, mp3):

      .html    plain text
      .jpg     image
      .mp3     audio

    • HTTP is a stateless protocol.

 

  • URL

Uniform Resource Locator (URL): tells the web container the path of the resource (file) the browser is requesting. For example: http://localhost/test/requests.php?id=32

Why is there no username and password in the URL above?
They are omitted, because a web service published on the Internet is meant to be accessed anonymously.

A URL that does carry a username and password: ftp://1901:[email protected]

URL format:

Schema://login:password@address:port/path/to/resource/?query_string#fragment

schema://              name of the protocol
login:password         username and password
@address               address (an IP address or a domain name)
port                   defaults to 80; any other port must be written explicitly
/path/to/resource/     resource path
?query_string          query string
#fragment              anchor (used to position within the page)

  • URL encoding

Only a restricted set of characters may appear directly in a URL: [A-Z], [a-z], [0-9], the half-width hyphen (-), underscore (_), period (.) and tilde (~) may appear unencoded in the URL path. All other characters (including spaces) are percent-encoded, for example:

#          %23
(space)    %20

URL encoding rule: a percent sign followed by the character's ASCII code in hexadecimal.

Do not put Chinese characters directly into a URL.

In programming, a plus sign (+) is commonly used in place of a space (the application/x-www-form-urlencoded convention).
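As an added example (not code from the original post), the following Python implements the encoding rules just described: unreserved characters pass through, every other byte becomes %XX, and form-style encoding writes a space as "+"; it also shows why Chinese text expands into several %XX groups (UTF-8 bytes are encoded one by one).

```python
# Added example (not from the original post): percent-encoding as the rules above
# describe it. Unreserved bytes pass through; every other byte becomes %XX (hex);
# form-style encoding additionally writes a space as '+'. Non-ASCII text (e.g.
# Chinese) is UTF-8 encoded first, so one character becomes several %XX groups.
import string
from typing import Dict

UNRESERVED = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~"
)

def percent_encode(text: str, form: bool = False) -> str:
    """Encode one URL component (a path segment, a query key or a query value)."""
    out = []
    for byte in text.encode("utf-8"):
        if byte in UNRESERVED:
            out.append(chr(byte))
        elif form and byte == 0x20:
            out.append("+")
        else:
            out.append("%%%02X" % byte)
    return "".join(out)

def percent_decode(encoded: str, form: bool = False) -> str:
    """Reverse percent_encode; a '%' not followed by two hex digits is kept literally."""
    raw = bytearray()
    i = 0
    while i < len(encoded):
        ch = encoded[i]
        pair = encoded[i + 1:i + 3]
        if ch == "%" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            raw.append(int(pair, 16))
            i += 3
        elif form and ch == "+":
            raw.append(0x20)
            i += 1
        else:
            raw.extend(ch.encode("utf-8"))
            i += 1
    return raw.decode("utf-8", errors="replace")

def encode_query(params: Dict[str, str]) -> str:
    """Build a query string such as the post's name=AJEST&pwd=123456."""
    return "&".join(f"{percent_encode(k, True)}={percent_encode(v, True)}"
                    for k, v in params.items())
```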

  • Message analysis tools

1. F12 (browser developer tools)
2. Wireshark
3. Fiddler
4. Burp Suite

HTTP message analysis

All communication messages of Web applications must comply with the specifications and requirements of the HTTP protocol.

  • HTTP working mode

  • REQUEST

    • Request message, as follows

GET /php/test/get.php HTTP/1.1
Host: 192.168.1.136
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.136/php/test/
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

A few proxy tools worth recommending:

Proxy Switcher and Manager (a browser proxy-switching extension)

"Direct connection" means the browser connects without using any proxy.

An HTTP request consists of three parts: the request line, the request headers and the request body.

1. Request line: method, resource path, protocol/version

Method: GET

Resource path: /php/test/get.php

Protocol/version: HTTP/1.1

2. Request headers

Everything from the second line of the request message up to the first blank line; it contains many fields.

A blank line separates the request headers from the request body; there is no blank line between the request line and the request headers.

3. Request body

The GET request above has no request body; we will see later that a POST request does have one.

Request methods (the first field of the request line):

GET        The most commonly used method; the user requests a resource served by the server.
POST       Submits parameters and forms to the server, including file streams, etc.
HEAD       Like GET, but the server returns only the headers in its response.
PUT        (dangerous) The opposite of GET: where GET reads a document from the server, PUT writes a document to the server.
TRACE      Echoes the browser's request back.
OPTIONS    Asks the web server to report the methods it supports.
DELETE     Asks the server to delete the resource named by the request URL (any file may be deleted).

If a server enables any of PUT, TRACE or DELETE, we consider the server dangerous!

  • experiment

Use telnet to simulate a browser sending HTTP requests.

HTTP is simple and fast: to request a resource we only need to send the request method and the resource path.
So an HTTP request message can be constructed by hand.

Enable the telnet client in Windows 7: Control Panel -> Programs -> Turn Windows features on or off -> tick Telnet Client -> OK

Use telnet to send a GET request:

telnet 172.16.132.161 80
------------------
GET /php/test/get.php HTTP/1.1          (request method + resource path + protocol version)
Host: 172.16.132.161
-----------------

After pressing Enter the screen is blank (press Ctrl+] to turn local echo on),
then press Enter again to return to the blank screen and paste the message above.

Press Enter once more and you will see the server's response.


telnet www.baidu.com 80

----------------

GET / HTTP/1.1
Host: www.baidu.com

-----------

Press Enter and the HTML comes back (use cmd).

Create a new baidu.html file in the virtual machine, paste the returned HTML into it, and open it in the browser.

In this way telnet can simulate a browser sending HTTP requests.

Use the OPTIONS method to find out which HTTP methods the web server allows:

---------------

OPTIONS / HTTP/1.1
Host: 192.168.1.136

-------

Use telnet to pass GET parameters:

-------------

GET /php/test/get.php?name=AJEST&pwd=123456 HTTP/1.1
Host: 192.168.1.136

-------------

Use telnet to simulate a POST request that passes parameters:

---------------

POST /php/test/post.php?http://192.168.1.136/php/test/post.php HTTP/1.1
Host: 192.168.1.136
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

name=GGG&pwd=123456

-------------

A simpler way to submit data by POST (instead of writing a form): the HackBar tool.
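The messages typed into telnet above can also be assembled and sent from a few lines of Python; this is an added example, not code from the original post, and the host, port and paths are the post's lab values (any other target is an assumption).

```python
# Added example (not from the original post): build the raw request messages the
# telnet experiments above type by hand, and optionally send one over a TCP socket
# exactly as telnet would. Host, port and paths are the post's lab values; sending
# only works when that lab host is reachable, so the call is commented out below.
import socket
from typing import Dict, Optional

CRLF = "\r\n"

def build_request(method: str, path: str, host: str, body: str = "",
                  extra_headers: Optional[Dict[str, str]] = None) -> bytes:
    """Request line + headers + blank line + body, CRLF-terminated.

    Content-Length is computed from the encoded body so it is never wrong: a
    too-small value truncates the body, a too-large one makes the server wait."""
    headers: Dict[str, str] = {"Host": host, "Connection": "close"}
    body_bytes = body.encode("utf-8")
    if body_bytes:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        headers["Content-Length"] = str(len(body_bytes))
    headers.update(extra_headers or {})
    head = f"{method} {path} HTTP/1.1{CRLF}"
    head += "".join(f"{name}: {value}{CRLF}" for name, value in headers.items())
    return (head + CRLF).encode("ascii") + body_bytes   # the empty line ends the headers

def send_raw(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Play telnet: connect, write the bytes, read until the server closes (Connection: close)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    get = build_request("GET", "/php/test/get.php?name=AJEST&pwd=123456", "192.168.1.136")
    post = build_request("POST", "/php/test/post.php", "192.168.1.136", body="name=GGG&pwd=123456")
    opts = build_request("OPTIONS", "/", "192.168.1.136")
    for msg in (get, post, opts):
        print(msg.decode("ascii"))
    # print(send_raw("192.168.1.136", 80, get).decode(errors="replace"))  # needs the lab host
```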


Fields found in the request headers:

Host              Specifies the Internet host and port number of the requested resource.
User-Agent        Browser fingerprint.
Referer           Contains a URL: the page the browser was on before making this request (the page it navigated from).
Cookie            Carries the requester's identity and authentication information.
Accept-Charset    The character set the client accepts.
Content-Type      Tells the receiver the media type (that is, the data type) of the entity body.
Content-Length    The length of the entity body, as a decimal number of bytes.
Last-Modified     The date and time the resource was last modified.

RESPONSE

  • The response message is as follows:

---------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sat, 25 Apr 2020 09:50:59 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
X-Powered-By: PHP/5.4.45
Content-Length: 13
Connection: close
Content-Type: text/html

array(0) {

}

------------------------------------------------------------------------------

A response message consists of three parts: the status line (response line), the response headers and the response body.

1. Status line: protocol/version, status code, reason phrase

Protocol/version: HTTP/1.1
Status code: 200
Reason phrase: OK

2. Response headers

Everything from the second line up to the first blank line; it contains the important fields about the HTTP response.

3. Response body

The content of the resource returned by the server, i.e. the HTML code the browser receives.

Status codes

100~199    informational status codes (rare)
200~299    success status codes (the most common; a leading 2 means the request succeeded)
300~399    redirection status codes
400~499    client error status codes
500~599    server error status codes
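As an added example (not code from the original post), the following Python splits a raw HTTP message into the three parts described in the request and response sections above, honours Content-Length, and classifies a status line by the table just given; the samples are the post's own POST request and Apache response, re-typed with CRLF line endings.

```python
# Added example (not from the original post): split a raw HTTP message into the
# three parts the post describes (start line, headers, body) and honour
# Content-Length. Works for requests and responses alike; the samples at the
# bottom are the post's own POST request and Apache response, re-typed with CRLF.
from typing import Dict, Tuple

def parse_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Return (start_line, headers, body).

    Headers end at the first blank line. When Content-Length is present the body
    is cut to exactly that many bytes (a shorter body is an error); GET requests
    normally carry none. Header names are case-insensitive, so they are lower-cased."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    start_line, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(rest) < length:
            raise ValueError(f"body truncated: expected {length} bytes, got {len(rest)}")
        return start_line, headers, rest[:length]
    return start_line, headers, rest

def status_class(response_start_line: str) -> str:
    """Map a status line such as 'HTTP/1.1 200 OK' to the category in the table above."""
    code = int(response_start_line.split()[1])
    return {1: "informational", 2: "success", 3: "redirection",
            4: "client error", 5: "server error"}[code // 100]

# Constructed samples, CRLF-terminated as they travel on the wire.
POST_SAMPLE = (b"POST /php/test/post.php HTTP/1.1\r\nHost: 192.168.1.136\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 19\r\n\r\nname=GGG&pwd=123456")
RESPONSE_SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45\r\n"
                   b"Content-Length: 13\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n"
                   b"array(0) {\n}\n")

if __name__ == "__main__":
    for sample in (POST_SAMPLE, RESPONSE_SAMPLE):
        start, hdrs, body = parse_message(sample)
        print(start, hdrs, body, sep="\n")
```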

Writing a redirect:

location.php:
<?php
// Send a redirect response; the browser follows the Location header to get.php.
header("Location: ./get.php");
exit;
?>

// The instant we visit location.php we are taken straight to the get.php page.

Main fields

Server            Server fingerprint.
Set-Cookie        Sets a cookie on the browser side.
Last-Modified     The server uses this header to tell the browser the resource's last modification time.
Content-Length    Length of the message body.
Location          Redirect target page.
Refresh           The server uses the Refresh header to tell the browser to refresh itself after a set interval.

Conditions of the same-origin policy

  • The URL's host (FQDN: Fully Qualified Domain Name) is the same
  • The schema is the same
  • The port number is the same

The same-origin policy protects more than just the document inside an iframe. For example, the URLs that the XMLHttpRequest object used for Ajax can access are also restricted by the same-origin policy.

SOP stands for Same-Origin Policy.

Exploring the same-origin policy

  • Prepare two pages

  • -------index.html

        <html>
        <head>
        <!-- title: cross-frame read experiment -->
        <title> 跨 frame 的读取实验 </title>
        <meta charset="utf-8">
        </head>
        <body>
        <!-- the inner page is loaded from the server's LAN address -->
        <iframe name="iframe1" width="300" height="80"
        src="http://192.168.3.10/sop/iframe.html"
        >
        </iframe>
        <!-- button label: "Password:" -->
        <input type="button" onclick="go()" value=" 密码: ">
        <script>
        function go(){
          try {
            // read the password field inside the iframe; throws when the origins differ
            var x = iframe1.document.form1.passwd.value;
            document.getElementById('out').innerHTML = x;
          } catch (e){
            alert(e.message);
          }
        }
        </script>
        <span id="out"></span>
        </body>
        </html>

    --------

    --------iframe.html

        <html>
        <head>
        <meta charset="utf-8">
        </head>
        <body>
        <!-- text: "inner layer of the iframe" and "Password" -->
        <form name="form1"> iframe 的内层
        密码 <input type="text" name="passwd" value="password1">
        </form>
        </body>
        </html>

    --------

    Here we run this experiment in the browser on our server, because we need to access our page through two different URLs.

    When we access it via the server's specified IP, the password can be read normally.

But when we access it via the machine's loopback address and open the page, it cannot be read. This is the restriction imposed by the same-origin policy: the inner iframe cannot be accessed.
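The origin comparison behind this experiment, as an added Python example (not code from the original post): it applies the three conditions listed above to any two URLs, fills in default ports, and reports which condition fails for the post's loopback case; the addresses are the post's lab addresses.

```python
# Added example (not from the original post): the three same-origin conditions
# above (schema, host, port) as a check over any two URLs. Default ports are
# filled in (http 80, https 443, ftp 21), because http://host and http://host:80
# are the same origin. Sample addresses below are the post's lab addresses.
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """Return the (schema, host, port) triple that identifies an origin.

    hostname already drops login:password@ and lower-cases the name; path, query
    string and fragment play no part in the comparison."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port

def same_origin(url_a: str, url_b: str) -> bool:
    """True only when schema, host and port all match."""
    return origin(url_a) == origin(url_b)

def mismatches(url_a: str, url_b: str) -> List[str]:
    """Name the conditions that fail, e.g. ['host'] for the loopback case in the post."""
    names = ("schema", "host", "port")
    return [n for n, x, y in zip(names, origin(url_a), origin(url_b)) if x != y]

if __name__ == "__main__":
    inner = "http://192.168.3.10/sop/iframe.html"
    for outer in ("http://192.168.3.10/sop/index.html", "http://127.0.0.1/sop/index.html"):
        print(outer, "->", "same origin" if same_origin(outer, inner) else mismatches(outer, inner))
```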

 


Origin blog.csdn.net/Waffle666/article/details/115212531