Http Header-based SQL Injection

Generally, HTTP messages include the request message sent from the client to the server and the response message sent from the server to the client. These two types of messages are composed of a starting line, one or more header fields, an empty line that is only the end of the header field, and an optional message body. The HTTP header includes four parts: Common headers, request headers, response headers, and object headers. Each header field consists of a domain name, a colon (:), and a domain value. The domain name is case-insensitive. You can add any number of space characters before the Domain value. The header field can be expanded to multiple rows. At least one space or Tab character is used at the beginning of each line.
For example:


GET, HTTP, 1.1
Connection: Keep-Alive
Keep-Alive: 300
Accept :*/*
Host: host
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
Rv: 1.9.2.16) Gecko/20110319 Firefox/3.6.16 (. net clr 3.5.30729;. NET4.0E)
Cookie: guest_id = v1 % 3a1328020.64; pid = v1 % 3A1328839311134
How to execute an HTTP header SQL injection?
Download plug-in cookie management plug-in
Open the cookie manager and click the target website
 







Edit the cookie of the target website to verify whether the target website has an SQL injection with an http header. Edit the field content of the variable language_id and add the single quotation mark (') to refresh the page.
 
Refresh the page to determine whether the SQL injection vulnerability exists
 
OK. Download the plug-in tamper-data to modify the requested data content.
 
Enter an SQL injection statement


 
If order by 5 is input, the following error is returned.
 
Therefore, we can determine that the user table column is 4, and then use cookie manager to add the following code in the language_id field:
-1 + UNION + ALL + SELECT + 1, 2, 3, 4
Or enter the following statement to obtain the database user or version information.
Version () www.2cto.com
User ()
Concat (database ())
Group_concat
It will be easier to inject with SqlMap, and more articles about SqlMap will be introduced later :)
 
Related reading:
HyperTextTransferProtocol is short for Hypertext Transfer Protocol. It is used to transmit WWW Data. For details about HTTP, see rfc2616. The HTTP protocol uses the request/response model. The client sends a request to the server. The request header contains the request method, URI, Protocol version, and message structure similar to MIME containing the request modifier, customer information, and content. The server responds with a status line. The corresponding content includes the version of the Message Protocol, and the server information, entity metadata, and possible entity content are added to the success or error code.
 
 
Reprinted please indicate from: FreebuF. COM-http://www.freebuf.com/articles/4588.html