一、URL跳转篇:
1、原理:先来看这段代码:
1 <?php 2 if(isset($_GET["url_redircetion_target"])){ 3 $url_redirected_target = $_GET["url_redircetion_target"]; 4 echo "<script>alert("Pass To The Next URL")</script><br><script>window.location.href="$url_redirected_target"</script>"; 5 } 6 ?>
可以明白了跳转的原理:
我们来看看刚刚跳转的包是怎么做的:
1 """ 2 GET / HTTP/1.1 3 Host: www.baidu.com 4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063 5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 6 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 7 Accept-Encoding: gzip, deflate 8 Referer: http://127.0.0.1/test.php?target=http://www.baidu.com 9 Cookie: BAIDUID=983F0A0F6219AC6AA7EB8EEA1CDAEFD8:FG=1; BIDUPSID=983F0A0F6219AC6AA7EB8EEA1CDAEFD8; PSTM=1513822556; BD_UPN=1d53; BD_HOME=0; H_PS_PSSID=1444_24566_13548_21100_20927 10 Connection: close 11 Upgrade-Insecure-Requests: 1 12 """
2、危害:
一般危害:钓鱼、欺诈
更严重的利用这种漏洞伪造referer。绕过referer验证机制。
根据博客http://blog.csdn.net/change518/article/details/53997509(鸣谢):
1 <?php 2 //header("location: ".$target);不会携带refer 3 //上文写的JS跳转带referer 4 ?>
二、参数污染:
1、对于GET或者POST请求中的参数,或者伪静态页面中的filepath或者filename(本质上也是参数)进行污染:
(1)数据类型污染:
para=1 -> para=str
para=1 -> para[] = 1
(2)数据内容污染:
para=index -> para=index$%%_*(&*&%%asjdshfjkds
http://www.test.com/index/indec1.html -> htto://www.test.com/index/%^&*(&/%^)(^.html
2、危害:
(1)出错暴露出框架、中间件、编程语言的版本号、绝对路径等信息;
(2)暴露出错误日志路径等;
3、防御:
开发处理好报错、关闭调试模式。