测试实验室中的主机头注入

测试实验室中的主机头注入

尝试查看服务器(在测试实验室中)是否容易受到主机头注入攻击。在第二种情况下,我将主机头插入为“www.cow.com”,仍然得到 302 Found。这是否意味着该服务器容易受到主机注入攻击?如果不是,我会看到 404 not found 吗?

场景 1:

kali01:~$ curl -v http://10.10.10.10/login.html

* Trying 10.10.10.10:80...

* TCP_NODELAY set

* Connected to 10.10.10.10 (10.10.10.10) port 80 (#0)

> GET /login.html HTTP/1.1

> Host: 10.10.10.10

> User-Agent: curl/7.67.0

> Accept: */*

>

* Mark bundle as not supporting multiuse

< HTTP/1.1 302 Found

< Location: https://10.10.10.10:443/login.html

< Connection: close

< Strict-Transport-Security: max-age=15552000, preload

< X-Frame-Options: DENY

< Content-Length: 0
  1. 场景 2:

当主机头www.cow.com插入后我仍然得到 302 Found。

kali01:~$ curl -H "Host:www.cow.com" -v http://10.10.10.10/login.html

* Trying 10.10.10.10:80...

* TCP_NODELAY set

* Connected to 10.10.10.10 (10.10.10.10) port 80 (#0)

> GET /login.html HTTP/1.1

> Host:www.cow.com

> User-Agent: curl/7.67.0

> Accept: */*

>

* Mark bundle as not supporting multiuse

< HTTP/1.1 302 Found

< Location: https://www.cow.com:443/login.html

< Connection: close

< Strict-Transport-Security: max-age=15552000, preload

< X-Frame-Options: DENY

< Content-Length: 0

<

* Closing connection 0

相关内容