● POST 传参,参数在请求正文中。
● GET 传参"可见",POST 传参"不可见"。
● 以HTTP 协议通信,都是明文的
• 利用表单
<html>
<head>
<meta charset = 'utf-8'/>
</head>
<body>
<?php
if(empty($_POST['submit'])){
?>
<h1>用户登录</h1>
<form
action = ""
method = "post"
enctype = "application/x-www-form-urlencoded"
>
账号:<input type = 'text' name = "username" /><br />
密码:<input type = 'password' name = "password" /><br />
<input type = 'submit' name = "submit" value = "登录"/><br />
</form>
<?php
}else{
echo "您输入的用户名是{$_POST['username']},您输入的密码是{$_POST['password']}!";
}
?>
</body>
</html>
• 利用hackbar
进入网站,F12打开HackBar。
• 利用BurpSuite
复制网址,粘贴到
• 利用Python
>>> url = "http://192.168.174.129/php/array/post.php"
>>> data = {'username':'BOB','password':'123456','submit':'submit'}
>>> res = requests.post(url = url, data = data)
>>> res.text
"<html>\r\n\t<head>\r\n\t\t<meta charset = 'utf-8'/>\r\n\t</head>\r\n\t<body>\r\n\r\næ\x82¨è¾\x93å\x85¥ç\x9a\x84ç\x94¨æ\x88·å\x90\x8dæ\x98¯AJESTï¼\x8cæ\x82¨è¾\x93å\x85¥ç\x9a\x84å¯\x86ç\xa0\x81æ\x98¯123456ï¼\x81\r\n\t</body>\r\n</html>\r\n\r\n\r\n"
>>> res.content
b"<html>\r\n\t<head>\r\n\t\t<meta charset = 'utf-8'/>\r\n\t</head>\r\n\t<body>\r\n\r\n\xe6\x82\xa8\xe8\xbe\x93\xe5\x85\xa5\xe7\x9a\x84\xe7\x94\xa8\xe6\x88\xb7\xe5\x90\x8d\xe6\x98\xafAJEST\xef\xbc\x8c\xe6\x82\xa8\xe8\xbe\x93\xe5\x85\xa5\xe7\x9a\x84\xe5\xaf\x86\xe7\xa0\x81\xe6\x98\xaf123456\xef\xbc\x81\r\n\t</body>\r\n</html>\r\n\r\n\r\n"
>>> res.content.decode('utf-8')
"<html>\r\n\t<head>\r\n\t\t<meta charset = 'utf-8'/>\r\n\t</head>\r\n\t<body>\r\n\r\n您输入的用户名是BOB,您输入的密码是123456!\r\n\t</body>\r\n</html>\r\n\r\n\r\n"
>>>