一、URL跳转篇:
1、原理:先来看这段代码:
<?php
if(isset($_GET["url_redircetion_target"])){
$url_redirected_target = $_GET["url_redircetion_target"];
echo "<script>alert(\"Pass To The Next URL\")</script><br><script>window.location.href=\"$url_redirected_target\"</script>";
}
?>
可以明白了跳转的原理:
我们来看看刚刚跳转的包是怎么做的:
"""
GET / HTTP/1.1
Host: www.baidu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/test.php?target=http://www.baidu.com
Cookie: BAIDUID=983F0A0F6219AC6AA7EB8EEA1CDAEFD8:FG=1; BIDUPSID=983F0A0F6219AC6AA7EB8EEA1CDAEFD8; PSTM=1513822556; BD_UPN=1d53; BD_HOME=0; H_PS_PSSID=1444_24566_13548_21100_20927
Connection: close
Upgrade-Insecure-Requests: 1
"""
2、危害:
一般危害:钓鱼、欺诈
更严重的利用这种漏洞伪造referer。绕过referer验证机制。
根据博客http://blog.csdn.net/change518/article/details/53997509(鸣谢):
<?php
//header("location: ".$target);不会携带refer
//上文写的JS跳转带referer
?>
二、参数污染:
1、对于GET或者POST请求中的参数,或者伪静态页面中的filepath或者filename(本质上也是参数)进行污染:
(1)数据类型污染:
para=1 -> para=str
para=1 -> para[] = 1
(2)数据内容污染:
para=index -> para=index$%%_*(&*&%%asjdshfjkds
http://www.test.com/index/indec1.html -> htto://www.test.com/index/%^&*(&/%^)(^.html
2、危害:
(1)出错暴露出框架、中间件、编程语言的版本号、绝对路径等信息;
(2)暴露出错误日志路径等;
3、防御:
开发处理好报错、关闭调试模式。
