2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
In an HTTP request message, the request headers are the part we need to focus on. The main request headers are as follows:
(1) Host, which specifies the URL of the requested resource.
(2) User-Agent, which carries version information about the client's operating system and browser. Many websites use it to determine the operating system and browser type so that they can display the corresponding page. Many sites also use the UA to judge whether access is legitimate, that is, whether it comes from a user or from a program.
Windows version and kernel correspondence:
Windows NT 4.0 = NT 4.0
Windows 2000 = NT 5.0
Windows XP = NT 5.1
Windows Vista = NT 6.0
Windows 7 = NT 6.1
Windows 8 = NT 6.2
Windows 8.1 = NT 6.3
Windows 10 = NT 10.0
(3) Accept, which specifies which MIME types the client can receive. For example, Accept: text/html indicates that the client wants to receive HTML text. Accept: text/plain means that the client can only receive plain text, and the server cannot send it pictures, videos, etc. (A MIME type sets how files with a certain extension are opened: when a file with that extension is accessed, the browser automatically opens it with the specified application, for example image/jpeg for jpg images.)
(4) Accept-Language, which specifies the languages the client can receive. If this field is not set in the request message, the default is that any language can be received.
(5) Referer, which contains the URL that preceded the current URL, that is, where the user came from to reach this page. Suppose you find a business's advertising page through a Baidu search, become interested in it, and click it to send a request to the business's website: the Referer value of that request is http://×× w.baidu.com. If the Referer value is the URL of the page being visited, it means that we are visiting the page directly rather than jumping to it from elsewhere. Referer is also widely used for hotlink protection.
(6) Cookie, information sent by the client to the server to prove the user's status, used to indicate the identity of the requester.
(7) Cache-Control, which controls caching. If a request wants the returned response to be cached at the client for a period of time, or does not want it cached at all, it can say so through this header. For example, Cache-Control: max-age=3600 means that the client caches the response content for 3600 seconds; if the client accesses the resource again within those 3600 seconds, the content is returned directly from the client cache and is not fetched from the server. Cache-Control: no-cache indicates that the returned response is not cached on the client side.
Some items may not appear in the request header, but they are more important for ***. Here are some of them:
(8) X-Forwarded-For, i.e. the XFF header, which represents the IP of the client; there can be multiple IPs, separated by commas.
Example: It seems a bit difficult
http://ctf5.shiyanbar.com/phpaudit/
After opening the link, the page shows the prompt "Error! Your IP is not on the allowed list!" and gives the website source code.
Let's first analyze this code.
$_SERVER is a global variable that, like $_GET and $_POST, can be used to obtain information about the client. This code uses three different ways to get the client IP:
$_SERVER["REMOTE_ADDR"] gets the IP seen when the client and server establish a TCP connection by three-way handshake, which cannot be forged.
$_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR'] both obtain their information from HTTP headers and are therefore falsifiable. They read the "CLIENT-IP" and "X-FORWARDED-FOR" fields of the HTTP request header respectively, but "CLIENT-IP" is not standard header information, while "X-FORWARDED-FOR" is, so it is preferable to modify the latter.
For example, we write the following script file ourselves:
By default, only $_SERVER["REMOTE_ADDR"] returns a value, because those two headers are not present in an HTTP request by default.
We use Burp Suite to intercept the message, add the two headers to it, and send it on. At this point, the server can obtain a client IP through all three methods.
After figuring out these points, the solution to this challenge is very simple: just set "CLIENT-IP" or "X-FORWARDED-FOR" to 1.1.1.1.
Finally, since $_SERVER["REMOTE_ADDR"] obtains the real IP of the client and the user cannot forge it, why does the server not simply use it to obtain the client IP? In a local area network, the client communicates directly with the server and the connection is established by a three-way handshake, so the IP obtained this way is reliable. The Internet is much more complicated: there is generally a firewall in front of the server, and a proxy server may also be set up on the client side. In other words, the party completing the three-way handshake with the server is often not the client but one of these intermediate devices, which makes the IP obtained from $_SERVER["REMOTE_ADDR"] inaccurate. The IP obtained from $_SERVER['HTTP_CLIENT_IP'] and $_SERVER["HTTP_X_FORWARDED_FOR"] comes directly from the message headers sent by the client and is not interfered with by intermediate devices, so it is more accurate, but this also leaves room for *** to utilize.
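The trade-off described above, shown as an added example (not the challenge's source code): a check that lets client-supplied headers win, beside one that honours X-Forwarded-For only when the TCP peer is a known reverse proxy. The proxy address 10.0.0.5, the function names and the two sample requests are constructed assumptions.

```php
<?php
// Added example, not the challenge's source code.
// Constructed assumption: the only reverse proxy in front of this app.
const TRUSTED_PROXIES = ['10.0.0.5'];

// Weak form described in the article: client-supplied headers win.
function client_ip_weak(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR'] as $key) {
        if (!empty($server[$key])) {
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return $server['REMOTE_ADDR'];
}

// Hardened form: headers count only when the TCP peer is our own proxy.
function client_ip_hardened(array $server): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;                       // direct connection: ignore headers
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Walk right to left: the rightmost entries were appended by our proxies,
    // anything further left is whatever the client chose to send.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;                          // malformed entry: stop trusting the chain
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed requests: a direct client forging the header, and a proxied one.
$forged  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 198.51.100.23'];

foreach (['forged' => $forged, 'proxied' => $proxied] as $name => $req) {
    printf("%-8s weak=%-13s hardened=%s\n",
        $name, client_ip_weak($req), client_ip_hardened($req));
}
```

An allow-list decision should be made on the hardened function's result; the weak one returns whatever address the request claims in both sample cases.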