一、URL跳转篇:

1、原理:先来看这段代码:

 <?php
if(isset($_GET["url_redircetion_target"])){
$url_redirected_target = $_GET["url_redircetion_target"];
echo "<script>alert(\"Pass To The Next URL\")</script><br><script>window.location.href=\"$url_redirected_target\"</script>";
}
?>

可以明白了跳转的原理:

我们来看看刚刚跳转的包是怎么做的:

 """
GET / HTTP/1.1
Host: www.baidu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/test.php?target=http://www.baidu.com
Cookie: BAIDUID=983F0A0F6219AC6AA7EB8EEA1CDAEFD8:FG=1; BIDUPSID=983F0A0F6219AC6AA7EB8EEA1CDAEFD8; PSTM=1513822556; BD_UPN=1d53; BD_HOME=0; H_PS_PSSID=1444_24566_13548_21100_20927
Connection: close
Upgrade-Insecure-Requests: 1
"""

2、危害:

一般危害:钓鱼、欺诈

更严重的利用这种漏洞伪造referer。绕过referer验证机制。

根据博客http://blog.csdn.net/change518/article/details/53997509(鸣谢):

 <?php
//header("location: ".$target);不会携带refer
//上文写的JS跳转带referer
?>

二、参数污染:

1、对于GET或者POST请求中的参数,或者伪静态页面中的filepath或者filename(本质上也是参数)进行污染:

(1)数据类型污染:

para=1 -> para=str

para=1 -> para[] = 1

(2)数据内容污染:

para=index -> para=index$%%_*(&*&%%asjdshfjkds

http://www.test.com/index/indec1.html -> htto://www.test.com/index/%^&*(&/%^)(^.html

2、危害:

(1)出错暴露出框架、中间件、编程语言的版本号、绝对路径等信息;

(2)暴露出错误日志路径等;

3、防御:

  开发处理好报错、关闭调试模式。

04-08 09:23