Shulou(Shulou.com)06/02 Report--

This article mainly explains "Web network security analysis XFF injection attack principle", interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Next let the editor to take you to learn "Web network security analysis XFF injection attack principle" it!

XFF injection

The test address for the XFF injection attack is http://127.0.0.1/sqli/xff.php.

X-Forwarded-for is abbreviated as XFF header, which represents the real IP of the client. The client IP can be forged by modifying the value of X-Forwarded-for. Through the content of the Burp Suite settlement packet, set the X-Forwarded-for to 11.22.33.44, then visit the modified URL, and the page returns as normal, as shown in figure 62.

Figure 62 XFF header

Set X-Forwarded-for to 11.22.33.44, visit the URL again, and the page returns the error message of MySQL, as shown in figure 63.

Figure 63 visits the results of Xmuri ForwardedFranc forRu 11.22.33.44'

Set X-Forwarded-for to 11.22.33.44 'and 1 and 11.22.33.44' and 1 to 2, respectively, and access the URL again, as shown in figures 64 and 65.

Figure 64 accesses the results of Xmuri ForwardedFlavor for and 11600.

Fig. 65 results of visiting Xmuri ForwardedFranc for and 1century

Through the returned results of the page, you can determine that there is a SQL injection vulnerability in the changed address, and then you can use the number of fields in the order by judgment table, and finally test out that there are four fields in the database, and try to use the Union injection method. The syntax is Xmuri Forwarded for Union 11.22.33.44' union select 1 Magi 2, 3 Magi 4, as shown in figure 66.

Figure 66 using Union injection

Then, the Union injection method is used to complete the injection.

XFF injection Code Analysis

The getenv () function in PHP gets the value of an environment variable, similar to $_ SERVER or $_ ENV, returns the corresponding value of the environment variable, and returns FALSE if the environment variable does not exist.

The client IP address can be obtained using the following code. The program first determines whether the HTTP header parameter HTTP_CLIENT_IP exists, and if it does, it pays $ip. If it does not exist, it determines whether there is a HTTP header parameter HTTP_X_FORWARDED_FOR. If it exists, it assigns it to $ip. If it does not exist, it assigns the HTTP header parameter REMOTE_ADDR to $ip.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.