zoukankan      html  css  js  c++  java
  • web开发框架cookie注入方法和代码

    Web开发框架cookie注入是一种B/S软件开发平台常用的攻击方法,其可以绕过用户账户信息,通过虚拟方式,达到快速进入软件系统的目的,听起来很神奇,学起来并不难,从另一方面讲,学会web开发框架cookie注入方法,在B/S开发框架中也就知道了怎么去防范了,下面我们来一探究竟。

    引言

    Cookie是在HTTP协议下,服务器或脚本可以维护客户工作站上信息的一种方式。通常被用来辨别用户身份、进行session跟踪,最典型的应用就是保存用户的账号和密码用来自动登录网站和电子商务网站中的“购物车”。
    Cookie注入简单来说就是利用Cookie而发起的注入攻击。从本质上来讲,Cookie注入与传统的SQL注入并无不同,两者都是针对数据库的注入。
    web request对象它被用于从用户那里获取信息。Request对象的使用方法一般是这样的:request.form("参数名称"),但ASP.Net中规定也可以省略集合名称,直接用这样的方式获取数据:request("参数名称"),当使用这样的方式获取数据时,ASP.net规定是按QueryString、Form、Cookies的顺序来获取数据的。这样,当我们使用request("参数名称")方式获取客户端提交的数据,并且没有对使用request.cookies("参数名称")方式提交的数据进行过滤时,web开发框架中Cookie注入就产生了。

    Web开发框架B/S软件开发Cookie注入方法图

    代码

    下面这段代码告诉了我们怎么去进行cookie注入,B/S开发框架并没有这段攻击代码,但是我们要做好相关的防范,比如强密码,Post方式传值等。


    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using System.Net;
    using System.Text;
    using System.Web;
    
    namespace WebAPI.Controllers
    {
        public class HttpHelp
        {
            //CookieContainer是当前域的所有Cookie
            public CookieContainer CookieContainer { get; set; }
            //CookieCollection是该次请求相关的所有Cookie
            public CookieCollection CookieCollection { get; set; }
            public HttpHelp()
            {
                this.CookieCollection = new CookieCollection();
                this.CookieContainer = new CookieContainer();
            }
            public static string GetHtml(string url, string Referer, Encoding encode)
            {
                return new HttpHelp().GetHtml(url, Referer, encode, false);
            }
    
            
            public static string PostHtml(string url, string Referer, string data,string cookies,string domain)
            {
    
                return new HttpHelp().PostHtml(url, Referer, data, cookies,true, domain);
            }
            public string GetHtml(string url, string Referer, Encoding encode, bool SaveCookie)
            {
                HttpWebRequest req = WebRequest.Create(url) as HttpWebRequest;
                req.Method = "GET";
                req.CookieContainer = this.CookieContainer;
                req.Proxy = null;
                if (!string.IsNullOrEmpty(Referer))
                    req.Referer = Referer;
                using (HttpWebResponse hwr = req.GetResponse() as HttpWebResponse)
                {
                    if (SaveCookie)
                    {
                        this.CookieCollection = hwr.Cookies;
                        this.CookieContainer.GetCookies(req.RequestUri);
                    }
                    using (StreamReader SR = new StreamReader(hwr.GetResponseStream(), encode))
                    {
                        return SR.ReadToEnd();
                    }
                }
            }
            /// <summary>
            /// //B/S开发框架POST请求中一般要设置ContentType和UserAgent
            /// </summary>
            /// <param name="url"></param>
            /// <param name="Referer"></param>
            /// <param name="postData">Post请求需要传递的参数,格式:"UserName='张三'&age=25"/param>
            /// <param name="cookie">要传递的Cookie</param>
            /// <param name="SaveCookie">是否保存Cookie</param>
            /// <param name="domain">域名,例如:"cpas.net.cn"</param>
            /// <returns></returns>
            public string PostHtml(string url, string Referer, string postData,string cookie, bool SaveCookie,string domain)
            {
                Encoding encode = Encoding.UTF8;
                HttpWebRequest req = WebRequest.Create(url) as HttpWebRequest;
                req.CookieContainer = this.CookieContainer;
                req.ContentType = "application/x-www-form-urlencoded";
                req.Method = "POST";
                req.UserAgent = "Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0"; //建议使用火狐浏览器调试
                req.Proxy = null;
                req.ProtocolVersion = HttpVersion.Version10;
    
                //将请求来源地址添加到请求报文中
                if (!string.IsNullOrEmpty(Referer))
                    req.Referer = Referer;
    
                //将请求参数添加到请求报文当中
                byte[] mybyte=null;
                if (!string.IsNullOrEmpty(postData) && postData.Length > 0)
                {
                    mybyte = Encoding.Default.GetBytes(postData);
                    req.ContentLength = mybyte.Length;
                }
                
                //将Cookie添加到请求报文中
                if (!string.IsNullOrEmpty(cookie))
                {
    
                    if (cookie.IndexOf(';') > 0)
                    {
                        var arr = cookie.Split(';');
                        for (int i = 0; i < arr.Length; i++)
                        {
                            var ck = arr[i].Split('=');
                            this.CookieContainer.Add(new Cookie { Name = ck[0].Trim(), Value = HttpUtility.UrlEncode(ck[1].Trim()),Domain= domain});
                        }
                    }
                    else
                    {
                        var ck = cookie.Split('=');
                        this.CookieContainer.Add(new Cookie { Name = ck[0].Trim(), Value = HttpUtility.UrlEncode(ck[1].Trim()) });
                    }
                }
    
                using (Stream stream = req.GetRequestStream())
                {
                    stream.Write(mybyte, 0, mybyte.Length);
                }
                using (HttpWebResponse hwr = req.GetResponse() as HttpWebResponse)
                {
                    if (SaveCookie)
                    {
                        this.CookieCollection = hwr.Cookies;
                        this.CookieContainer.GetCookies(req.RequestUri);
                    }
                    using (StreamReader SR = new StreamReader(hwr.GetResponseStream(), encode))
                    {
                        return SR.ReadToEnd();
                    }
                }
            }
            ///
            /// 上传文件
            ///web开发框架
            ///上传地址
            ///文件路径
            ///原网页file控件name
            ///请求流中的contentType
            ///返回的encoding
            ///post参数字典
            /// 
            public static string PostFile(string url, string filepath, string paramName, string contentType, Encoding encode, Dictionary<string, string> dict)
            {
                HttpWebRequest hrq = WebRequest.Create(url) as HttpWebRequest;
                string boundary = "---------------------------" + DateTime.Now.Ticks.ToString("x");
                byte[] boundarybytes = System.Text.Encoding.Default.GetBytes("
    --" + boundary + "
    ");
                hrq.ContentType = "multipart/form-data; boundary=" + boundary;
                hrq.Method = "POST";
                using (Stream stream = hrq.GetRequestStream())   //请求流
                {
                    //写入post参数
                    string formdataTemplete = "Content-Disposition: form-data; name="{0}"
    
    {1}";
                    if (dict != null && dict.Count > 0)
                    {
                        foreach (KeyValuePair<string, string> pair in dict)
                        {
                            stream.Write(boundarybytes, 0, boundarybytes.Length);
                            string formitem = string.Format(formdataTemplete, pair.Key, pair.Value);
                            byte[] formitemBytes = Encoding.Default.GetBytes(formitem);
                            stream.Write(formitemBytes, 0, formitemBytes.Length);
                        }
                    }
                    stream.Write(boundarybytes, 0, boundarybytes.Length);
                    //写入头信息
                    string headerTemplate = "Content-Disposition: form-data; name="{0}"; filename="{1}"
    Content-Type: {2}
    
    ";
                    string header = string.Format(headerTemplate, paramName, Path.GetFileName(filepath), contentType);
                    byte[] headerBytes = Encoding.UTF8.GetBytes(header);
                    stream.Write(headerBytes, 0, headerBytes.Length);
                    //写入文件
                    byte[] fileBytes = File.ReadAllBytes(filepath);
                    stream.Write(fileBytes, 0, fileBytes.Length);
                    //写入尾部
                    byte[] footerBytes = Encoding.Default.GetBytes("
    --" + boundary + "--
    ");
                    stream.Write(footerBytes, 0, footerBytes.Length);
                    using (HttpWebResponse hrp = hrq.GetResponse() as HttpWebResponse)//响应流
                    {
                        using (StreamReader SR = new StreamReader(hrp.GetResponseStream(), encode))
                        {
                            return SR.ReadToEnd();
                        }
                    }
                }
            }
        }
    }

    PostData传数据方法,web开发框架cookie注入方法和代码:

    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
        public ActionResult PostData()
        {
            string cookies = @"yunId=e2f41d2e81bb3b6d8cabd2541758d2a6; Hm_lvt_e6fbc851f9770ec4fe06b7cd3fdd0bbf=1472720372,1472720646
    ,1472732049,1472739127; JSESSIONID=4E54939270E5EEB62FD046516DDA6C8E; SERVERID=a45784edf4cda39b69776f05908de799
    |1472739332|1472739126; Hm_lpvt_e6fbc851f9770ec4fe06b7cd3fdd0bbf=1472739310; school=%7B%22suffix%22:null
    ,%22companyId%22:10434,%22delFlag%22:0,%22cusorder%22:null,%22createTime%22:1464575458000,%22updateTime
    %22:1468461617000,%22creator%22:null,%22updator%22:13725,%22schoolName%22:%22%E7%94%A8%E5%8F%8B%E5%AE
    %A1%E8%AE%A1%22,%22mark%22:null,%22overview%22:null,%22defaultFlag%22:1,%22schoolDesc%22:null,%22indexDomain
    %22:null,%22xzqhCode%22:null,%22schoolNum%22:null,%22schoolType%22:null,%22id%22:10805,%22start%22:0
    ,%22limit%22:12,%22page%22:1,%22pageSize%22:12,%22firstIndex%22:0,%22totalPages%22:0,%22lastPageNo%22
    :0,%22previousPageNo%22:1,%22nextPageNo%22:0,%22totalRecords%22:0%7D; schoolId=10805; schoolName=%E7
    %94%A8%E5%8F%8B%E5%AE%A1%E8%AE%A1; account=18620997006";
      
            var str = HttpHelp.PostHtml("http://cpas.net.cn/resolve/selTopic", "", "topicId=12379439&userExerciseId=22000&pager=1", cookies, "cpas.net.cn");
    
                        StringBuilder builder = new StringBuilder();
                        Match regex = Regex.Match(str, @"<div class=""que_answer_hd""><span>.+</span>");
                        builder.Append(regex.Value);
    
                        Match regex2 = Regex.Match(str, @"<div class=""que_question_number"">第d题");
                        builder.Append(regex2.Value + "</div>");
    
                        Match regex3 = Regex.Match(str, @"<div class=""que_question_introduce"">(?s).*</div>");
    
                        builder.Append(regex3.Value);
    
                        //将使用正则匹配到的东西写入到timu.txt文件夹中
                        using (StreamWriter SW = System.IO.File.AppendText("d:/timu.txt"))
                        {
                            if (builder.Length > 0)
                            {
                                SW.Write(builder.ToString());
                            }
                        }
            return View();
        }
    }
    web开发框架cookie注入是一种B/S软件开发平台常用的攻击方法,其可以绕过用户账户信息,通过虚拟方式,达到快速进入软件系统的目的,听起来很神奇,学起来并不难,从另一方面讲,学会web开发框架cookie注入方法,在B/S开发框架中也就知道了怎么去防范了,下面我们来一探究竟。
    本站文章除注明转载外,均为本站原创或翻译,欢迎任何形式的转载,但请务必注明出处,尊重他人劳动,共创和谐网络环境。
    转载请注明:文章转载自:华晨软件-云微开发平台 » web开发框架cookie注入方法和代码
    本文标题:web开发框架cookie注入方法和代码
  • 相关阅读:
    Python操作redis数据库
    计算机基础与操作系统
    git使用快速入门
    RESTful API设计规范
    Python数据分析常用的库总结
    关于Cookie和Session
    一个开发的Linux使用心得总结
    排序算法与查找算法
    Django的form,model自定制
    Redis基础、高级特性与性能调优
  • 原文地址:https://www.cnblogs.com/frfwef/p/14575947.html
Copyright © 2011-2022 走看看