HTTP header injection

Cookie injection

Taking sqli-labs-20 as an example, cookie injection is used to obtain database information.

1. Send to repeater

First log in with the username Dumb and the password Dumb.

After logging in, refresh the page, capture the request and send it to the repeater.

Determine the injection type in the repeater. After several attempts it can be determined that the injection is character (string) type, closed with a single quotation mark. If you do not know how to judge the injection type, you can read my article: MySQL injection type judgment method and principle analysis (demonstration of SQL statement execution)

2. Determine the number of fields

Once the injection type is determined and the page echoes query results, union injection can be used; you can refer to my article: Joint injection of MySQL

Enter at the cookie:

Cookie: uname=Dumb' and 1=2 union select 1,2,3#

It can be seen that the echo positions are columns 2 and 3.

3. Get database information

Cookie: uname=Dumb' and 1=2 union select 1,2,group_concat(schema_name) from information_schema.schemata#

Obtaining the remaining information works the same way. To continue on to table information, field information and the actual row data, you can refer to my article: Joint Injection of MySQL

Base64 injection

Taking sqli-labs-22 as an example, Base64 injection is used to obtain database information.

Send to repeater

First log in with the username Dumb and the password Dumb.

After logging in, refresh the page, capture the request and send it to the repeater.

Encoding and decoding process

The value in the cookie is URL-encoded, so it first has to be decoded in Burp's Decoder module. After URL decoding it turns out to be Base64, so it has to be Base64-decoded as well. Once the plain value is obtained, try SQL injection on it, then Base64-encode the injection statement and put the result in the cookie value.

SQL injection

1. Determine the injection type

Base64-encode each of the following test strings in turn, put the result in the cookie, and judge the injection type from the echo:

Dumb and 1=1#
Dumb and 1=2#
Dumb' and 1=1#
Dumb' and 1=2#
Dumb" and 1=1#
Dumb" and 1=2#

In the end, it can be judged that the injection is character type closed with double quotes. If you do not know how to judge the injection type, you can read my article: MySQL injection type judgment method and principle analysis (demonstration of SQL statement execution)

2. Determine the number of fields

Once the injection type is determined and the page echoes query results, union injection can be used; you can refer to my article: Joint injection of MySQL

Enter in the cookie (this Base64 value decodes to Dumb" order by 4#):

Cookie: uname=RHVtYiIgb3JkZXIgYnkgNCM=

Because ordering by the 4th column fails, it can be inferred that there are only 3 fields.

3. Determine the echo position

Base64-encode Dumb" and 1=2 union select 1,2,3# and fill the cookie as follows:

Cookie: uname=RHVtYiIgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLDMj

It can be seen that the echo positions are columns 2 and 3.

4. Obtain the current database name through union injection

Base64-encode Dumb" and 1=2 union select 1,2,database()# and fill the cookie as follows:

Cookie: uname=RHVtYiIgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLGRhdGFiYXNlKCkj

As you can see, the current database information is obtained successfully.

So Base64 injection is really the same as ordinary injection, with nothing more than an extra encoding and decoding step.

For common injection methods, you can read my article: Joint Injection of MySQL

User-Agent injection

Taking sqli-labs-18 as an example, User-Agent injection is used to obtain database information.

Note: This level is similar to ordinary error-based injection, except that the request must be captured and the injection point is in the User-Agent header, and the # and --+ comment methods do not work for closing the statement. Instead, the closing string on the right must balance the quotation mark that the original SQL places after the value, so that the statement itself does not produce a syntax error; the updatexml function is then used to make the SQL statement throw an error, which achieves error-based injection.

Enter any username and password, click Submit, then capture the request with Burp Suite (BP) and send it to the repeater.

Testing the User-Agent header shows that different inputs give different echoes. After the single-quote test there is no data echo but an error is reported, indicating character-type injection closed with a single quote, so error-based injection is used and the UA header is modified to:

User-Agent: yuanboss' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1' = '1

It can be seen that the database name has been obtained.

What needs to be noted here is that the SQL after a # or --+ comment is invalid in this position, so closing the statement on the right with a trailing ' can also achieve the goal.
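As an added example (not part of the original post or of sqli-labs), the decoding chain from the Base64 section turned into detection logic for the defending side: each Cookie name=value pair and the User-Agent are URL-decoded, then Base64-decoded where possible, and every layer is checked for the SQL fragments used in the three walkthroughs above. The rule names and the sample request are constructed for this example.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Indicators of SQL syntax inside a header value (constructed for this
# example; a production WAF rule set is broader).
SQLI_PATTERNS = {
    "quote+boolean": re.compile(r"""['"]\s*(and|or)\s+\d+\s*=\s*\d+""", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "order-by-probe": re.compile(r"""['"]\s*order\s+by\s+\d+""", re.I),
    "error-based-fn": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
}

def decode_layers(value):
    # Raw value, then URL-decoded, then Base64-decoded: the same chain the
    # Base64 section walks through by hand in Burp's Decoder. Input that is
    # not valid Base64 (or not UTF-8 text) simply gets no extra layer.
    layers = [value]
    if "%" in value:
        layers.append(unquote(value))
    try:
        layers.append(base64.b64decode(layers[-1], validate=True).decode())
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass
    return layers

def inspect_header(value):
    # Return (rule_name, decoded_form) for the first hit, or None.
    for layer in decode_layers(value):
        for name, pattern in SQLI_PATTERNS.items():
            if pattern.search(layer):
                return name, layer
    return None

def scan_request(headers):
    # Check every Cookie name=value pair and the User-Agent of one request.
    findings = []
    for cookie in headers.get("Cookie", "").split(";"):
        name, _, raw = cookie.strip().partition("=")
        if raw and (hit := inspect_header(raw)):
            findings.append(("Cookie:" + name, *hit))
    if hit := inspect_header(headers.get("User-Agent", "")):
        findings.append(("User-Agent", *hit))
    return findings

# Constructed sample request: the Base64 cookie from the sqli-labs-22 walkthrough.
SAMPLE = {"Cookie": "uname=RHVtYiIgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLDMj",
          "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}
```

Because matching happens on the decoded layer, the finding reports the plain statement the server would have seen, not the opaque Base64 string that appears in the log.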

Source: blog.csdn.net/weixin_46367450/article/details/132483545