Author: JsuFcz    Source: Focus
Author's personal homepage: http://jsufcz.21xcn.net/
Before writing this article I should explain the term "injection". Unlike the usual SQL injection, the injection here means constructing the HTTP request message ourselves and sending it in place of the browser, so that data is submitted automatically. Hey, as soon as I said that I saw you smirking: "just write a loop, in whatever language you like, that sends HTTP packets to the target page; a few minutes' work, hehe." Fine, ... go and make a cup of tea first, then come back and write it. First, a bit about the all-too-familiar HTTP protocol. When we open a website, say http://www.163.com, IE acts as the client and sends a request message like the following to the server (captured with a sniffer):
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.163.com
Connection: Keep-Alive
Cookie: NETEASE_SSN=jsufcz; NETESE_ADV=11&22; province=0; city=0; ntes_uv_cookie=YES
You can see that the packet has many fields, and of course many of them are not required; when we write our own program we only need to care about the ones that matter. HTTP/1.1 specifies that a minimal request message consists of a method line (GET/POST/HEAD) and a Host header, like this:
GET / HTTP/1.1
Host: www.163.com
In HTTP/1.0 the Host header is not required. Why it cannot be left out in HTTP/1.1 I believe you already know; if you don't, it doesn't matter here.
To send data to the server, the browser normally submits its packets with a GET or POST request. The server receives the message, decodes the data it needs, processes it and returns the result. We often see URL requests such as http://xxx.xxx.xxx.xxx/show.asp?id=xxx; we can construct the same request message ourselves:
GET /show.asp?id=xxx HTTP/1.1
Host: xxx.xxx.xxx.xxx
Because URL length is limited to 1024, GET can only submit a small amount of data. If we are posting an article we have to use POST. Before explaining the points to watch with POST, let everyone look at a POST request message first, to get a general picture of what a POST packet looks like. (Below is a message I posted to a guestbook, captured with a sniffer; part of the capture has been trimmed.)
POST /gbook/add.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Referer: http://218.76.65.47/gbook/add.php
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 218.76.65.47
Content-Length: 115
Connection: Keep-Alive

name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif&comment=test&password=&doadd=%B7%A2%CB%CD%C1%F4%D1%D4

The part after the blank line, beyond the header fields, is the entity body: the data actually being submitted. Any Chinese text in it has to be URL-encoded. Now let's drop the unnecessary fields and construct a minimal POST request:
POST /gbook/add.php HTTP/1.1
Host: 218.76.65.47
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif&comment=test&password=&doAdd=%B7%A2%CB%CD%C1%F4%D1%D4
The Content-Type header above says the body is POST form data, and Content-Length is of course the length of the entity body; it must be exact, not one byte more or less, otherwise the data will not be received correctly. With this, the server-side processing page receives the data you submitted and handles it; for a guestbook, it writes the message into the database. And if messages like this arrive fast enough, the guestbook is finished.
Ugh, I don't know whether I'm explaining this clearly; I'm trying my best, but writing was never my strong point, so please bear with me. That covers sending from the client; next, receiving on the server.
When the message data arrives at the server, the server's low-level code receives it into a specific buffer and sets some environment variables such as CONTENT_LENGTH and QUERY_STRING. This still hides some low-level details, for example that the data submitted by the client is redirected to the standard input of the requested page; you don't need to understand all of it unless you are writing the web server yourself. High-level applications such as CGI, ASP and PHP then extract the data; a CGI program has to do the URL decoding and string parsing itself. Take an ASP guestbook: if I submit a name field (Name) and a content field (Body) with a POST form, the ASP program receives them like this:

Name = Request.Form("Name")
Body = Request.Form("Body")

and adds them to the database:

rs.AddNew
rs("Name") = Name
rs("Body") = Body
rs.Update
That basically covers it, but one thing to note: when sending the message, the entity body must also contain the submit button's URL-encoded "name=value" pair, otherwise the record may not be written to the database. Why? Find out for yourself!
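As an added example (my code, not the article's) connecting the POST body shown earlier with the server-side decoding the article says a CGI program has to do itself: form_decode() and form_get() (names mine) decode application/x-www-form-urlencoded data with bounds checks and pull named fields out of exactly the bytes Content-Length announced, using the body from the sniffer capture as sample input.

```c
/* Added example (not the article's code): the server-side step the article says a
 * CGI program must do itself, decoding an x-www-form-urlencoded body into named
 * fields. Every %XX escape is bounds-checked, so a trailing '%' cannot read past it. */
#include <string.h>
static int hexval(int c) {                       /* value of one hex digit, or -1 */
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                   /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Decode exactly n bytes of src into dst (cap includes the NUL); returns the
 * decoded length, or -1 on a truncated/non-hex escape or a full buffer. */
int form_decode(const char *src, size_t n, char *dst, size_t cap) {
    size_t i, o = 0;
    for (i = 0; i < n; i++) {
        int c = (unsigned char)src[i];
        if (c == '+') {
            c = ' ';                             /* forms send space as '+' */
        } else if (c == '%') {
            if (i + 2 >= n) return -1;           /* "%" or "%X" at end of input */
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo; i += 2;            /* raw byte, e.g. GB2312 text */
        }
        if (o + 1 >= cap) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Find field `name` in the first content_len bytes of body, i.e. only what
 * Content-Length announced; names matched literally. Returns decoded length or -1. */
int form_get(const char *body, size_t content_len, const char *name, char *out, size_t cap) {
    size_t klen = strlen(name), pos = 0;
    while (pos < content_len) {
        size_t end = pos;
        while (end < content_len && body[end] != '&') end++;
        if (end - pos > klen && body[pos + klen] == '=' &&
            memcmp(body + pos, name, klen) == 0)
            return form_decode(body + pos + klen + 1, end - pos - klen - 1, out, cap);
        pos = end + 1;
    }
    return -1;
}
const char SAMPLE_BODY[] =                       /* the article's captured body, Content-Length 115 */
    "name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif"
    "&comment=test&password=&doadd=%B7%A2%CB%CD%C1%F4%D1%D4";
```

Passing a content_len shorter than the real body shows why an inexact Content-Length loses fields: the server only parses the bytes that were announced.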
Here is the relevant source code:
/* encode.h */
/* URL encode / decode functions */
/* Note: when handling Chinese characters, the compiler decides from bit 7 of
   a character whether it reads one or two bytes; cast to unsigned char * to
   force it to read one byte at a time. */
#include <stdio.h>

/* returns 1 if the byte has to be percent-encoded */
int ist(unsigned char ch)
{
    if (ch == ' ' || ch == '%' || ch == '/' || (ch & 0x80)) return 1;
    else return 0;
}

/* URL-encode s into d ('&' and '=' pass through, so a whole
   "name=value&name=value" string can be encoded at once) */
int encode(char *s, char *d)
{
    if (!s || !d) return 0;
    for (; *s != 0; s++) {
        unsigned char *p = (unsigned char *)s;
        if (*p == ' ') {
            *d = '%'; *(d + 1) = '2'; *(d + 2) = '0'; d += 3;
        } else if (ist(*p)) {
            char a[3];
            *d = '%';
            sprintf(a, "%02x", *p);
            *(d + 1) = a[0]; *(d + 2) = a[1]; d += 3;
        } else {
            *d = *p; d++;
        }
    }
    *d = 0;
    return 1;
}

/* unencode: URL-decode s into d */
int unencode(char *s, char *d)
{
    if (!s || !d) return 0;
    for (; *s != 0; s++) {
        if (*s == '+') {
            *d = ' '; d++;
        } else if (*s == '%') {
            int code;
            /* a '%' with fewer than two characters after it: emit '?' and stop
               here instead of skipping past the terminating NUL */
            if (s[1] == 0 || s[2] == 0) { *d = '?'; d++; continue; }
            if (sscanf(s + 1, "%02x", &code) != 1) code = '?';
            *d = code; s += 2; d++;
        } else {
            *d = *s; d++;
        }
    }
    *d = 0;
    return 1;
}

/* booksend.cpp */
/* packet sender */
#include ...                    /* the include list is truncated on the page */
...                             /* the globals used below (ip, port, page, value, sendbuf,
                                   ttime, delaytime) and the start of the send routine,
                                   up to the gethostbyname() call, are truncated on the page */
        if (phost == NULL) {
            printf("Resolve %s error!\n", ip);
            return;
        }
        memcpy(&sin.sin_addr, phost->h_addr_list[0], phost->h_length);
    }
    sin.sin_port = htons(port);
    char tempbuf[1024] = {0};
    /* HTTP/1.1 specifies CRLF ("\r\n") line ends; the original uses bare "\n",
       which most servers tolerate */
    sprintf(tempbuf, "POST %s HTTP/1.1\n", page);
    strcpy(sendbuf, tempbuf);
    memset(tempbuf, 0, sizeof(tempbuf));
    sprintf(tempbuf, "Host: %s\n", ip);
    strcat(sendbuf, tempbuf);
    strcat(sendbuf, "Accept: image/gif, */*\n");
    strcat(sendbuf, "Content-Type: application/x-www-form-urlencoded\n");
    memset(tempbuf, 0, sizeof(tempbuf));
    sprintf(tempbuf, "Content-Length: %d\n", (int)strlen(value));   /* must match the body exactly */
    strcat(sendbuf, tempbuf);
    strcat(sendbuf, "Connection: Keep-Alive\n\n");
    strcat(sendbuf, value);
    for (int i = 0; i ...           /* the send loop is truncated on the page */

void usage(char *filepath)
{
    /* print only the program name, i.e. the part after the last backslash */
    char *p = strrchr(filepath, '\\');
    char *name = p ? p + 1 : filepath;
    printf("---------------------------------------------------------------------------\n");
    printf("Usage: %s ip port page value [times] [delay]\n", name);
    printf("Code by jsufcz - http://jsufcz.21xcn.net\n");
    printf("Ex:    %s 10.0.0.169 80 /homebk/add.php name=abc-body=hehe-doADD=Send message\n", name);
    printf("---------------------------------------------------------------------------\n");
}

int checkpra(int argc, char *argv[])
{
    if (argc < 5) {
        printf("Wrong usage: at least 4 parameters\n\n");
        usage(argv[0]);
        return -1;
    } else if (argc > 7) {          /* 6 parameters means argc == 7 */
        printf("Wrong usage: at most 6 parameters\n\n");
        usage(argv[0]);
        return -1;
    }
    if (argc == 6) {
        ttime = atoi(argv[5]);
    }
    if (argc == 7) {
        ttime = atoi(argv[5]);
        delaytime = atoi(argv[6]);
    }
    /* note: these copy argv straight into fixed-size globals with no length check,
       and encode() can grow the value to three times its input length */
    strcpy(ip, argv[1]);
    port = atoi(argv[2]);
    strcpy(page, argv[3]);
    encode(argv[4], value);
    return 0;
}

The code above compiles under VC6; you can also download the source code and the command-line program from my personal homepage (http://jsufcz.21xcn.net).
Finally, a small observation to share. If the guestbook lets a message include an emoticon or picture, and only restricts it to a relative link, then any picture resource in that directory can be referenced; and if one of those pictures happens to be very large, the page gets broken by it.