我使用一些捕获请求来检查我的网络应用程序是否受到任何攻击,今天我在存储 Src IP 的列中发现了这个(1'“5000)发送请求,以及它发送的内容:
{
"destinationIP": "MY.IP.IS.HERE",
"destinationPort": 80,
"headers": {
"referer": "1'\"3000",
"accept-language": "1'\"6000",
"client-ip": "1'\"4000",
"host": "mydomain.com",
"connection": "Keep-alive",
"x-forwarded-for": "1'\"5000",
"accept-encoding": "gzip,deflate,br",
"user-agent": "1'\"2000",
"via": "1'\"7000",
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
},
"sourcePort": 60486,
"sourceIP": "103.161.35.121",
"requestURI": "/fonts/danapro/index/1'\"1000",
"httpMethod": "GET",
"queryString": "N/A",
"parameters": {}
}
这是获取SRC IP的代码:
private String getClientIpAddress(HttpServletRequest request) {
for (String header : TextUtils.HEADERS_TO_TRY) {
String ip = request.getHeader(header);
if (ip != null && !ip.isEmpty() && !"unknown".equalsIgnoreCase(ip)) {
return ip;
}
}
return request.getRemoteAddr();
}
还有 HEADER_TO_TRY :
public static final String[] HEADERS_TO_TRY = {
"X-Forwarded-For",
"Proxy-Client-IP",
"WL-Proxy-Client-IP",
"HTTP_X_FORWARDED_FOR",
"HTTP_X_FORWARDED",
"HTTP_X_CLUSTER_CLIENT_IP",
"HTTP_CLIENT_IP",
"HTTP_FORWARDED_FOR",
"HTTP_FORWARDED",
"HTTP_VIA",
"REMOTE_ADDR"
};
问题是 getClientIpAddress 如何返回 1'"5000 给我?它是什么?
值“1'”5000”是可疑的,类似于 SQL 注入或其他形式的注入攻击的尝试。攻击者经常使用“1'”等有效负载来测试与不正确的输入清理相关的漏洞。
SQL 注入测试:SQL 中使用单引号 ' 来表示字符串文字。未转义或处理不当的引用可能会破坏预期的查询结构,从而允许攻击者操纵数据库执行的 SQL 命令。
恶意探测:通过将此类值注入到各种标头和参数中,攻击者可以探测应用程序的响应,以查看其行为是否异常,从而表明存在潜在漏洞。