A supplement to Baoyu's URL Spoofing code: processing of data submitted by the POST method!
(This one is also a bit awkward!)
First, we will build the environment:
IIS acting as a proxy for a JSP page served by Resin! (Resin is a Java application server)
1. Obtain Resin:
http://www.caucho.com/download/resin-2.1.16.zip
After the download, unpack it to a directory, for example:
E:/Resin/resin-2.1.16/
2. Configure Resin (the Java SDK configuration will not be described in detail)
Open in a text editor:
E:/Resin/resin-2.1.16/conf/resin.conf
<http port='000000'/>
The port is configurable. Resin's default value is 8080!
If that port is available, leave it unchanged!
<welcome-file-list>simplepost.jsp, index.xtp, index.jsp, index.html</welcome-file-list>
The default welcome pages are configurable as well!
3. Create a new directory named test under E:/Resin/resin-2.1.16/webapps:
Write E:/Resin/resin-2.1.16/webapps/test/index.jsp and save it!
E:/Resin/resin-2.1.16/webapps/test/ is a web application.
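<%@ page import="java.util.*" %>
<%--
  Echo page used to check what the IIS front end forwards: it lists every
  request parameter and re-populates the two form fields with the last values.
  Every echoed value is HTML-escaped, because parameter names and values come
  straight from the request and would otherwise be interpreted as markup.
--%>
<%!
    // HTML-escapes a request value before it is written into the page.
    // A missing parameter (null) becomes an empty string instead of "null".
    private static String esc(String s) {
        if (s == null) {
            return "";
        }
        StringBuffer sb = new StringBuffer(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
%>
<html>
<head>
<title>test</title>
</head>
<body>
<h1>Form Values:</h1>
<table>
<%
    Enumeration e = request.getParameterNames();
    while (e.hasMoreElements()) {
        String name = (String) e.nextElement();
        String[] values = request.getParameterValues(name);
%>
<tr><td><%= esc(name) %></td><td><%= esc(values[0]) %><%
        // Further values of a multi-valued parameter are appended, comma-separated.
        for (int i = 1; i < values.length; i++) {
%>, <%= esc(values[i]) %><%
        }
%></td></tr>
<%
    }
%>
</table>
<form action="http://localhost" method="post">
<input name="comment" type="text" value="<%= esc(request.getParameter("comment")) %>">
<input name="comment2" type="text" value="<%= esc(request.getParameter("comment2")) %>">
<input type="submit">
</form>
</body>
</html>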
4. Write the C# file Openlab.UrlCheat.cs: (Baoyu's code, modified to add POST processing)
// Openlab.UrlCheat.cs
// Command line compilation: csc /t:library Openlab.UrlCheat.cs
// Create a bin directory under the IIS home directory and put the generated Openlab.UrlCheat.dll in it!
// Example: C:/Inetpub/wwwroot/bin/Openlab.UrlCheat.dll
Namespace Openlab. UrlCheat
{
Using System;
Using System. Configuration;
Using System. Web;
Using System. IO;
Using System. Net;
Using System. Text;
// Original Globals. cs
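/// <summary>
/// Shared helpers for the two handlers: resolve the configured back-end address,
/// fetch pages from it with GET or POST, and decode the returned text.
/// </summary>
public class Globals
{
    // Back-end used when the "Domain" appSetting is missing or empty.
    private static string defaultDomain = "blog.joycode.com";

    /// <summary>
    /// Reports whether <paramref name="text"/> is null or contains only white space.
    /// </summary>
    /// <param name="text">The string to test; may be null.</param>
    /// <returns>true for null, empty or all-white-space input; otherwise false.</returns>
    public static bool IsNullorEmpty(string text)
    {
        return text == null || text.Trim().Length == 0;
    }

    /// <summary>
    /// Issues a request for <paramref name="url"/> and returns the HttpWebResponse object.
    /// </summary>
    /// <param name="url">Absolute URL of the back-end resource.</param>
    /// <returns>The open response; the caller is responsible for closing it.</returns>
    /// <remarks>No timeout or other request option is set here, so the framework defaults apply.</remarks>
    public static HttpWebResponse WebResponse(string url)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        return (HttpWebResponse)request.GetResponse();
    }

    /// <summary>
    /// Obtains the text encoding of the web page.
    /// </summary>
    /// <param name="response">The back-end response whose headers are inspected.</param>
    /// <returns>The encoding named by the response, or Encoding.Default when none can be resolved.</returns>
    /// <remarks>
    /// For a web page the ContentType carries the encoding, such as "text/html; charset=UTF-8".
    /// </remarks>
    public static Encoding GetEncoding(HttpWebResponse response)
    {
        string name = "";

        // The charset parameter of Content-Type is the authoritative source, so it is
        // read first. Only "charset=" counts as a match, and anything after the value
        // (a further ";param" or surrounding quotes) is stripped before the lookup.
        string contentType = response.ContentType;
        if (contentType != null)
        {
            int pos = contentType.ToLower().IndexOf("charset=");
            if (pos != -1)
            {
                name = contentType.Substring(pos + "charset=".Length);
                int end = name.IndexOf(';');
                if (end != -1)
                {
                    name = name.Substring(0, end);
                }
                name = name.Trim().Trim('"', '\'');
            }
        }

        // Fallback kept from the original code: try the Content-Encoding value as a name.
        // NOTE(review): that header normally names a compression scheme, not a charset,
        // in which case the lookup below fails and the default encoding is used.
        if (name == "")
        {
            name = response.ContentEncoding;
        }

        Encoding code = Encoding.Default;
        if (name != null && name != "")
        {
            try
            {
                code = Encoding.GetEncoding(name);
            }
            catch (ArgumentException)
            {
                // Unknown charset name from the back-end: keep the default (best effort).
            }
            catch (NotSupportedException)
            {
                // Charset not available on this platform: keep the default (best effort).
            }
        }
        return code;
    }

    /// <summary>
    /// Obtains the text content of a response.
    /// </summary>
    /// <param name="response">The back-end response to read.</param>
    /// <returns>The body, read line by line, with every line terminated by CR LF.</returns>
    /// <remarks>The response stream is closed when reading finishes or fails.</remarks>
    public static string TextContent(HttpWebResponse response)
    {
        StringBuilder buffer = new StringBuilder();
        // buffer = "<base href=http://localhost:1080/>";
        using (StreamReader reader = new StreamReader(response.GetResponseStream(), GetEncoding(response)))
        {
            string line;
            while ((line = reader.ReadLine()) != null)
            {
                buffer.Append(line).Append("\r\n");
            }
        }
        return buffer.ToString();
    }

    // Post: copy & paste from QuickStart by playyuer $ at $ Microshaoft.com
    // http://chs.gotdotnet.com/quickstart/util/srcview.aspx?path=/quickstart/howto/samples/net/WebRequests/clientPOST.src&file=CS/clientpost.cs&font=3
    // I have an old post for reference.
    // The HttpRequsetResponse class written in C#, asynchronous, and events... It's still hot!
    // http://blog.csdn.net/playyuer/archive/2003/07/03/2856.aspx

    /// <summary>
    /// Sends <paramref name="payload"/> to <paramref name="url"/> as a form-encoded POST
    /// and returns the response body decoded as UTF-8.
    /// </summary>
    /// <param name="url">Absolute URL of the back-end resource.</param>
    /// <param name="payload">Raw "name=value" pairs joined with ampersands, or null for an empty body.</param>
    /// <returns>
    /// The response text. On any failure the text read so far (possibly empty) is returned
    /// and the exception is written to the console instead of being rethrown.
    /// </returns>
    public static string getPage(string url, string payload)
    {
        System.Net.WebResponse result = null;
        StringBuilder page = new StringBuilder();
        try
        {
            WebRequest req = WebRequest.Create(url);
            req.Method = "POST";
            req.ContentType = "application/x-www-form-urlencoded";

            if (payload != null)
            {
                byte[] body = Encoding.UTF8.GetBytes(EncodePayload(payload));
                req.ContentLength = body.Length;
                Stream requestStream = req.GetRequestStream();
                try
                {
                    requestStream.Write(body, 0, body.Length);
                }
                finally
                {
                    // Close the request stream even when the write fails.
                    requestStream.Close();
                }
            }
            else
            {
                req.ContentLength = 0;
            }

            result = req.GetResponse();
            StreamReader sr = new StreamReader(result.GetResponseStream(), Encoding.UTF8);

            // Console tracing is kept from the QuickStart sample this method was copied from.
            Console.WriteLine("\r\nreceived response stream");
            char[] chunk = new char[256];
            int count = sr.Read(chunk, 0, chunk.Length);
            Console.WriteLine("HTML...\r\n");
            while (count > 0)
            {
                string str = new string(chunk, 0, count);
                Console.Write(str);
                // Add by playyuer
                page.Append(str);
                count = sr.Read(chunk, 0, chunk.Length);
            }
            Console.WriteLine("");
            return page.ToString();
        }
        catch (Exception e)
        {
            // Deliberate best effort: callers receive whatever was read before the failure.
            Console.WriteLine(e.ToString());
            Console.WriteLine("\r\ncannot find the request URI, or its format is incorrect");
            return page.ToString();
        }
        finally
        {
            if (result != null)
            {
                result.Close();
            }
        }
    }

    // Percent-encodes the text between the separators '?', '=' and '&' and copies
    // the separators through unchanged.
    // NOTE(review): a '?', '=' or '&' that is part of a field value cannot be told
    // apart from a separator here, so such a value reaches the back-end unencoded
    // and is split there. A caller that still holds names and values separately
    // should encode each one individually instead of relying on this pass.
    private static string EncodePayload(string payload)
    {
        char[] reserved = { '?', '=', '&' };
        StringBuilder encoded = new StringBuilder();
        int start = 0;
        while (start < payload.Length)
        {
            int hit = payload.IndexOfAny(reserved, start);
            if (hit == -1)
            {
                encoded.Append(HttpUtility.UrlEncode(payload.Substring(start)));
                break;
            }
            encoded.Append(HttpUtility.UrlEncode(payload.Substring(start, hit - start)));
            encoded.Append(payload[hit]);
            start = hit + 1;
        }
        return encoded.ToString();
    }

    /// <summary>
    /// Domain name of the back-end, read from the "Domain" appSetting.
    /// </summary>
    /// <remarks>
    /// If wildcard domain name resolution is supported, the effect of 1bu.com can also be achieved.
    /// Falls back to the built-in default when the setting is missing or empty.
    /// </remarks>
    public static string Domain
    {
        get
        {
            string domain = ConfigurationSettings.AppSettings["Domain"];
            if (domain == null || domain == "")
            {
                domain = defaultDomain;
            }
            return domain;
        }
    }

    /// <summary>
    /// Domain name URL: the lower-cased <see cref="Domain"/> with a scheme in front
    /// and a trailing slash.
    /// </summary>
    public static string DomainUrl
    {
        get
        {
            string url = Domain.ToLower();
            // A value that already carries a scheme is left alone; "https://" is accepted
            // as well, so an https back-end is not turned into "http://https://...".
            if (!url.StartsWith("http://") && !url.StartsWith("https://"))
            {
                url = "http://" + url;
            }
            if (!url.EndsWith("/"))
            {
                url = url + "/";
            }
            return url;
        }
    }

    /// <summary>
    /// Real address: maps a request path on this site to the same path on the back-end.
    /// </summary>
    /// <param name="rawUrl">Path and query as received, with or without leading slashes.</param>
    /// <returns><see cref="DomainUrl"/> followed by <paramref name="rawUrl"/> without its leading slashes.</returns>
    public static string RealUrl(string rawUrl)
    {
        return Globals.DomainUrl + rawUrl.TrimStart('/');
    }

    /// <summary>
    /// Application path of the current request, lower-cased; empty for the site root "/".
    /// </summary>
    public static string ApplicationPath
    {
        get
        {
            string applicationPath = HttpContext.Current.Request.ApplicationPath;
            if (applicationPath == "/")
            {
                return string.Empty;
            }
            return applicationPath.ToLower();
        }
    }
}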
// Original Redirect. cs
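/// <summary>
/// Redirection URL: sends the browser to the same path on the configured back-end.
/// </summary>
/// <remarks>
/// The browser is told the back-end address, so this handler does not hide it.
/// </remarks>
public class Redirect : IHttpHandler
{
    public Redirect()
    {
    }

    /// <summary>
    /// Redirects the current request to its back-end address.
    /// </summary>
    /// <param name="context">The current request/response pair.</param>
    public void ProcessRequest(HttpContext context)
    {
        // Only the scheme test is done on a lower-cased copy; the target keeps the
        // original case so that case-sensitive paths and query values survive.
        string rawUrl = context.Request.RawUrl;
        string realUrl = rawUrl;
        if (!Globals.IsNullorEmpty(rawUrl) && !rawUrl.ToLower().StartsWith("http://"))
        {
            realUrl = Globals.RealUrl(rawUrl);
        }
        // NOTE(review): when RawUrl itself starts with "http://", the redirect target
        // is taken from the request unchanged. Confirm whether that can happen in this
        // deployment; if so, the target should be checked against the configured domain.
        context.Response.Redirect(realUrl);
        context.Response.End();
    }

    // Properties

    /// <summary>
    /// Always false: a new handler instance is requested for every request.
    /// </summary>
    public bool IsReusable
    {
        get
        {
            return false;
        }
    }
}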
// Original WebResponse. cs
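/// <summary>
/// Output content: fetches the requested path from the configured back-end and
/// writes the returned text to the browser.
/// </summary>
/// <remarks>
/// Only the body text is relayed. Nothing in this handler copies the back-end's
/// status code or headers to the browser, or the browser's headers to the back-end.
/// The text is written unmodified, so links inside the page are not rewritten.
/// </remarks>
public class WebResponse : IHttpHandler
{
    /// <summary>
    /// Relays a GET or form POST to the back-end and writes the result to the response.
    /// </summary>
    /// <param name="context">The current request/response pair.</param>
    public void ProcessRequest(HttpContext context)
    {
        // Only the scheme test is done on a lower-cased copy; the forwarded URL keeps
        // the original case so that case-sensitive paths and query values survive.
        string rawUrl = context.Request.RawUrl;
        if (!Globals.IsNullorEmpty(rawUrl))
        {
            // If it starts with "http://", it is an absolute address and is jumped to directly.
            if (!rawUrl.ToLower().StartsWith("http://"))
            {
                string realUrl = Globals.RealUrl(rawUrl);

                // Add by playyuer $ at $ Microshaoft.com
                if (context.Request.HttpMethod.ToLower() == "get")
                {
                    HttpWebResponse response = Globals.WebResponse(realUrl);
                    try
                    {
                        // Jump if it is not of the text type. The browser is given the
                        // back-end address in that case.
                        if (!response.ContentType.ToLower().StartsWith("text/"))
                        {
                            context.Response.Redirect(realUrl);
                        }
                        // For the text type, obtain the text content and output it to the browser.
                        string content = Globals.TextContent(response);
                        context.Response.Write(content);
                    }
                    finally
                    {
                        // Release the back-end connection on every path, including the redirect.
                        response.Close();
                    }
                }
                // Add by playyuer $ at $ Microshaoft.com
                else // post
                {
                    // NOTE(review): names and values are joined without encoding, and
                    // Globals.getPage then percent-encodes only the text between '?',
                    // '=' and '&'. A field value that contains one of those characters
                    // therefore reaches the back-end altered; encoding each name and
                    // value separately needs a matching change in getPage.
                    StringBuilder payload = new StringBuilder();
                    foreach (string key in context.Request.Form.AllKeys)
                    {
                        if (payload.Length > 0)
                        {
                            payload.Append("&");
                        }
                        payload.Append(key).Append("=").Append(context.Request.Form[key]);
                    }
                    // context.Response.Write(payload.ToString());
                    context.Response.Write(Globals.getPage(realUrl, payload.ToString()));
                }
            }
            else
            {
                // NOTE(review): the redirect target is taken from the request unchanged;
                // confirm whether RawUrl can be absolute in this deployment.
                context.Response.Redirect(rawUrl);
            }
        }
        context.Response.End();
    }

    /// <summary>
    /// Always false: a new handler instance is requested for every request.
    /// </summary>
    public bool IsReusable
    {
        get
        {
            return false;
        }
    }
}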
}
4. web.config in the main directory of IIS, for example, C:/Inetpub/wwwroot/web.config:
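<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <!-- debug="true" suits this local walkthrough only; set it to "false" on any server that others can reach. -->
    <compilation defaultLanguage="c#" debug="true"/>
    <httpHandlers>
      <!-- Images and archives: the browser is redirected to the back-end address. -->
      <add verb="*" path="*.gif" type="Openlab.UrlCheat.Redirect, Openlab.UrlCheat"/>
      <add verb="*" path="*.jpg" type="Openlab.UrlCheat.Redirect, Openlab.UrlCheat"/>
      <add verb="*" path="*.jpeg" type="Openlab.UrlCheat.Redirect, Openlab.UrlCheat"/>
      <add verb="*" path="*.rar" type="Openlab.UrlCheat.Redirect, Openlab.UrlCheat"/>
      <add verb="*" path="*.zip" type="Openlab.UrlCheat.Redirect, Openlab.UrlCheat"/>
      <add verb="*" path="*.webinfo" type="System.Web.HttpForbiddenHandler"/>
      <!-- Every other GET and POST path is relayed to the back-end by the WebResponse handler. -->
      <add verb="GET" path="*" type="Openlab.UrlCheat.WebResponse, Openlab.UrlCheat"/>
      <add verb="POST" path="*" type="Openlab.UrlCheat.WebResponse, Openlab.UrlCheat"/>
    </httpHandlers>
  </system.web>
  <appSettings>
    <!-- You can modify this domain name -->
    <add key="Domain" value="http://localhost:8080/test/"/>
  </appSettings>
</configuration>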
5. Run Resin and IIS
E:/Resin/resin-2.1.16/bin/httpd.exe
6. Open http://localhost in the IE address bar
Submit some data for testing, and check whether the echoed values are correct!
I tested it slowly!
In addition, neither Baoyu nor I have dealt with replacing the href URLs!