如下代码抓包:
<h1>abc<h1/>
<img width="200px" src="a.png">
<img width="200px" src="b.png">
以下为请求行
GET /zhuabaotest.php HTTP/1.1
以下为消息头
Host: localhost
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
完整请求头:
GET /zhuabaotest.php HTTP/1.1
Host: localhost // 主机地址 如果是 80端口的话 默认这里就不显示了
Connection: keep-alive //表示长连接
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 //浏览器内核操作系统
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 //表示服务器可以接收的数据格式
Accept-Encoding: gzip, deflate, sdch, br //表示接受什么样的数据压缩格式
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 //页面语言
以上因为是从本地直接打开的网页,所以缺少一个 Referer 这个是标记从哪里过来的请求,,貌似防盗链用的比较多。完整写法貌似
==Referer:http://localhost/zhuabaotest.php== 类似于这种形式
$_SERVER
<?php print_r($_SERVER); ?>
输出:Array ( [PATH] => C:\Program Files\Java\jdk1.8.0_60\bin;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;D:\TortoiseSvn\bin;C:\Program Files\Microsoft SQL Server\120\Tools\Binn\;C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\;C:\Windows\system32\config\systemprofile\.dnx\bin;C:\Program Files\Microsoft DNX\Dnvm\;C:\Program Files (x86)\Common Files\Acronis\SnapAPI\;D:\TortoiseGit\bin;D:\UltraEdit; [SYSTEMROOT] => C:\Windows [COMSPEC] => C:\Windows\system32\cmd.exe [PATHEXT] => .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC [WINDIR] => C:\Windows [PHP_FCGI_MAX_REQUESTS] => 1000 [PHPRC] => D:/phpStudy/phpb [_FCGI_SHUTDOWN_EVENT_] => 1784 [SCRIPT_NAME] => /084testService.php [REQUEST_URI] => /084testService.php [QUERY_STRING] => [REQUEST_METHOD] => GET [SERVER_PROTOCOL] => HTTP/1.1 [GATEWAY_INTERFACE] => CGI/1.1 [REMOTE_PORT] => 2918 [SCRIPT_FILENAME] => D:/phpStudy/WWW/084testService.php [SERVER_ADMIN] => admin@phpStudy.net [CONTEXT_DOCUMENT_ROOT] => D:/phpStudy/WWW [CONTEXT_PREFIX] => [REQUEST_SCHEME] => http [DOCUMENT_ROOT] => D:/phpStudy/WWW [REMOTE_ADDR] => ::1 [SERVER_PORT] => 80 [SERVER_ADDR] => ::1 [SERVER_NAME] => localhost [SERVER_SOFTWARE] => Apache/2.4.10 (Win32) OpenSSL/0.9.8zb mod_fcgid/2.3.9 [SERVER_SIGNATURE] => [SystemRoot] => C:\Windows [HTTP_ACCEPT_LANGUAGE] => zh-CN,zh;q=0.8,en;q=0.6 [HTTP_ACCEPT_ENCODING] => gzip, deflate, sdch, br [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 [HTTP_UPGRADE_INSECURE_REQUESTS] => 1 [HTTP_CACHE_CONTROL] => max-age=0 [HTTP_CONNECTION] => close [HTTP_HOST] => localhost [FCGI_ROLE] => RESPONDER [PHP_SELF] => /084testService.php [REQUEST_TIME_FLOAT] => 1491969201.1587 [REQUEST_TIME] => 1491969201 )
//这个东西是个数组输出一大堆东西(⊙o⊙)
网页屏蔽非法链接访问:
这个是外部网页(模拟不在开发路径):
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="Generator" content="EditPlus?">
<meta name="Author" content="">
<meta name="Keywords" content="">
<meta name="Description" content="">
<title>Document</title>
</head>
<body>
<a href="http://localhost/084password.php">查看密码</a>
</body>
</html>
这个是本地网页
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="Generator" content="EditPlus®">
<meta name="Author" content="">
<meta name="Keywords" content="">
<meta name="Description" content="">
<title>Document</title>
</head>
<body>
<a href="084password.php">查看密码</a>
</body>
</html>
这里用来接收 根据服务器返回的Referer匹配来源,如果存在相等那么验证通过。
<?php
function setMyException($e){
echo "错误信息".$e->getMessage();
header("Location:warning.html");//这个可以跳转到预设的警告页面,测试可以这么写,正常处理异常可不能这么写。
}
set_exception_handler("setMyException");
if(isset($_SERVER['HTTP_REFERER'])){
$i = strpos($_SERVER['HTTP_REFERER'],"http://localhost/currentLookPw.html");//这应该算是完全匹配了
echo "第一次出现的位置:= ".$i;
if($i==0){
//echo "验证通过!!";
}else{
echo "";
throw new Exception("卧槽 你想干嘛 !!");
}
}else{
throw new Exception("卧槽 你想干嘛 !!");
}
echo "密码是1234";
?>
警告页:
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="Generator" content="EditPlus®">
<meta name="Author" content="">
<meta name="Keywords" content="">
<meta name="Description" content="">
<title>Document</title>
</head>
<body>
<input type="text" name="" value="警告!非法地址入侵">
</body>
</html>
抓包 可以看到相同路径过来的带有Referer且路径匹配
外部的那个不行。
如上代码运行后效果
非盗链效果:
第一次出现的位置:= 0密码是1234
盗链效果:
警告!非法地址入侵;//这个会跳转到warning.html