Forging and modifying header information: blind XSS to capture cookies

Source: Internet
Author: User
Tags: user agent switcher

Without further ado: I recently read a book written by a foreigner. One part of it is about [modifying host headers and malicious attacks]. [Some CMS back ends have a feature that displays the visitor's client information, such as the visitor's browser version or OS. On the server, the User-Agent parameter of the request header is used to determine the browser version and OS version used by the client. As a result, when the server obtains this information and displays it in the back end, you can insert your own content into that request header parameter. If the back end does not filter the parameter and displays it directly, the blind XSS succeeds! Similarly, some web pages obtain the Referer information, and you can also insert ...]
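The flaw described above, seen from the back end's side, as an added example that is not from the original post: a visitor-log row built from raw header values next to a version that encodes them at output time, plus a simple check that flags suspicious values. The record layout, the function names and the 256-character limit are assumptions, and the sample records are constructed.

```python
import html
import re

# Constructed sample records, as a logging middleware might store them.
# Every value comes from a request header and is fully client-controlled.
SAMPLE_VISITS = [
    {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
     "referer": "https://example.test/pricing", "host": "example.test"},
    {"user_agent": "<script>/* constructed marker */</script>",
     "referer": "https://example.test/\"><b>x</b>", "host": "example.test"},
]

FIELDS = ("user_agent", "referer", "host")
MAX_LEN = 256  # assumed display limit for a single header value
# Markup and control characters that are rare in legitimate header values
# and worth flagging before an administrator ever opens the log page.
SUSPICIOUS = re.compile(r"[<>\"'`]|[\x00-\x1f]")


def render_row_unsafe(visit):
    """The flaw: header values are concatenated into the admin page as-is."""
    return "<tr>" + "".join(f"<td>{visit[f]}</td>" for f in FIELDS) + "</tr>"


def render_row_safe(visit):
    """Truncate, then HTML-encode every header value at output time."""
    cells = (html.escape(visit[f][:MAX_LEN], quote=True) for f in FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def suspicious_fields(visit):
    """Return the names of the header fields that contain flagged characters."""
    return [f for f in FIELDS if SUSPICIOUS.search(visit[f])]


if __name__ == "__main__":
    for v in SAMPLE_VISITS:
        print(suspicious_fields(v), render_row_safe(v))
```

Marking the session cookie `HttpOnly` additionally keeps it out of reach of any script that does end up rendered in the back end.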

0x01 Prelude
Some websites record your host information, which is generally sent in the Host header, so you can modify the Host header information to achieve our goal.

The example above,
0x02 To do a good job, you must first sharpen your tools.

Burp Suite, Ah D

Take an H site and register an account. I found that I had to pay for the VIP.

So capture the request with Burp Suite and modify it. Burp is not required; the User Agent Switcher add-on for Firefox can also modify it ....

Not to mention, direct





Because a payment is involved, you can talk to the administrator about how the payment failed. He will go to the back end on his own, so ~~ You don't have.

0x03 ah d burst Chrysanthemum

Since I have obtained cookies, I will give you a demonstration.

Then XSS is ready.

Then, ah, D, burst Chrysanthemum
There is a bit of a pitfall here: it requires logging in to the front end before entering the back end.

Then, that's all you need!!
