- 浏览: 1779817 次
- 性别:
- 来自: 北京
文章分类
- 全部博客 (641)
- vb2005xu自己动手系列 (174)
- vb2005xu开发文章转摘 (47)
- vb2005xu发发牢骚 (99)
- vb2005xu新技术灌水 (12)
- vb2005xu网络资源集锦 (21)
- vb2005xu软件学习 (60)
- 英语学习 (3)
- JavaScript 学习 (54)
- JAVA OOP 巩固 之 CustomDatabase 的开发 (5)
- 2013年9月之前所在公司 记事 (7)
- FleaPHP/QEEPHP 资料 (87)
- JAVA MAIL 学习篇 (4)
- Python turbogears (5)
- Rails 个人开发四部曲 (3)
- 名人传 (8)
- iwp framework (5)
- 高考零分作文 (5)
- startos (8)
- lua (0)
- 职场 (1)
最新评论
-
hellotieye:
自己 评论 自己 挺嗨呀
Mysql sql查询时 if 的用法 -
igevin:
转载请标明出处,转自Gevin的博客http://blog.i ...
RESTful API 编写指南 -
Theobob:
...
实现简单的ACL -
vb2005xu:
比如 对于 curl 调用就不再需要 加各种if 判断了,
$ ...
搞一个简单的数据打印工具AsDebug の Laravel -
vb2005xu:
http://geekplux.com/wiki/
YII2 模块内自定义错误页
在http协议中伪造ip的可能性研究
些日子对自定义http协议的各个数据进行了研究,对于ip伪造的问题,我当时给的建议是使用代理服务器,不过后来发现,其实可以在http协议加入一个选项,来实现一个非伪造ip的伪造ip 。如何理解呢?理由如下:~
一、方法概述
在http协议数据头里面加入选项“x-forward-for”,例如:“x-forward-for:202.204.76.254”,这样发送出去
的包,就是一个特殊的包,在收包方看来,这个包的意思是,一个代理服务器发过来的数据包,而这个包的真是ip是“202.204.76.254”,其实还
是实现的是三次握手,但是只不过是在发包的同时,对收包方提到了一个第三者。
二、试用范围
因为现在的网站类的程序如果有IP限制的话,基本上都是会检测是不是代理服务器发送的数据的,如果是代理服务器发送的数据,那么他就把IP记为这个(透明)代理服务器发送的x-forward-for的IP。
以一段较为流行的php检测ip的代码为例:
那么大家可以看到这个IP是如何伪造的了。
三、应对方法
当然对于网站方面,这种伪造ip的情况虽然不是很多,但是如果在投票类的程序中,当然很需要这方面的检测了,呵呵。多多检测HTTP_CLIENT_IP吧。貌似这个还没有办法伪造?.............................
四、总体看法
这个办法之所以称之为非伪造ip的伪造ip,主要就是利用了现在大多数网站程序检测ip的一个漏洞。所以如果网站程序能够重新审视一下自己的ip检测办法,这个方法就会慢慢失效的。呵呵。
-------------------------
伪造 referer
首先说明,伪造访问来路不是什么光明正大的事情,目的就是为了欺骗服务器。原本以为给 XMLHTTP 对象增加一个 Referer 的header 就可以,结果却没有任何作用,改用 ServerXMLHTTP 也如此。
无意间发现公司内部项目使用的 paypal 扣款程序里面有 WinHttp.WinHttpRequest.5.1 对象,它负责把客户的信用卡信息提交到 paypal 的服务器,看来是一个核心的远程访问方法,google一下发现它居然用可以成功伪造所有 http 请求的 header 信息!下面的代码通过伪造 referer 的值,假装从百度首页提交一个表单到指定的 url 去:
var url = "http://www.yourtarget.com";
var param = "name=david&age=30";
var obj = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
obj.Open("POST", url, false);
obj.Option(4) = 13056;
obj.Option(6) = false; //false可以不自动跳转,截取服务端返回的302状态。
obj.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
obj.setRequestHeader("Referer", "http://www.baidu.com");
obj.Send(param);
WScript.Echo(obj.responseText);
保存为 xxx.js 文件,在命令行中运行 cscript.exe xxx.js。
从msdn得知,WinHttp.WinHttpRequest.5.1 是 msxml 4.0 的底层对象,也就是说 XMLHTTP/ServerXMLHTTP 也是在它的基础上封装而来。用 WinHttpRequest 发的请求,连 Fiddler 也监测不到,看来确实是比较底层的东西。
---------------------------邪恶的分割线------------------------
既然可以用它来伪造所有 http 请求的 header,那 Cookies、Sessionid 自然也就可以得到并传递了。下面是实战代码,用命令行登录博客园,共三次请求,第一次请求获取表单的 VIEWSTATE 和 EVENTVALIDATION,第二次带账户登录,第三次带Cookie访问其首页:
//封装成远程访问的函数
function RemoteCall(method, url, param, header){
var obj = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
obj.Open(method||"GET", url, false);
obj.Option(4) = 13056;
obj.Option(6) = false;
if(method=="POST"){
obj.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
}
if(header){
for(var key in header){
if(key=="Cookie"){//根据 MSDN 的建议,设置Cookie前,先设置一个无用的值
obj.setRequestHeader("Cookie", "string");
}
obj.setRequestHeader(key, header[key]);
}
}
obj.Send(param);
return obj;
}
//第一次远程访问博客园的登录入口
var url = "http://passport.cnblogs.com/login.aspx";
var objFirst = RemoteCall("GET", url, null);
//取得 viewstate 与 eventvalidation
var viewstate = objFirst.responseText.match(/id="__VIEWSTATE" value="(.*?)" \/>/)[1];
var eventvalidation = objFirst.responseText.match(/id="__EVENTVALIDATION" value="(.*?)" \/>/)[1];
//输入自己的账户与密码
var username = "";
var password = "";
var param = ""
+ "__VIEWSTATE="+encodeURIComponent(viewstate)
+ "&__EVENTVALIDATION="+encodeURIComponent(eventvalidation)
+ "&tbUserName="+username
+ "&tbPassword="+password
+ "&btnLogin="+encodeURIComponent("登 录");
var objSecond = RemoteCall("POST", url, param);
//登录成功后服务器执行 Response.Redirect 跳转,即向客户端发送了 302 状态代码
WScript.Echo(objSecond.status); //302即登录成功, 如果是200,则登录失败,页面没有跳转
//带上登录成功后的cookie,再次访问其首页
var json = {"Cookie": objSecond.getResponseHeader("Set-Cookie")};
var objThird = RemoteCall("GET", "http://www.cnblogs.com", null, json);
WScript.Echo(objThird.responseText);
上面的代码其实已经有一定恶意,我只为证明使用 WinHttpRequest 确实可以模拟浏览器发送请求,服务端也无法区别是从浏览器来的,还是从命令行来的。这证明到一点,从客户端提交来的任何数据都不可信,因为发送的 http 数据包不但表单值可以修改,连数据包的header都可以随意修改。同时也说明,使用 VIEWSTATE 对表单的安全性无任何用处。
引用一张著名的漫画,在互联网上,没有人知道你是一条狗。在服务端,没有人知道你是从命令行发送出来的。
-------------- 评论
精彩的处理方式。是原创吗?
obj.Option(4) = 13056;
obj.Option(6) = false;
这两个难道是 WinHttp.WinHttpRequest.5.1 方法自带的吗 ?
WinHttpRequest是从paypal接口中发现的。谈不上原创。
WinHttpRequest.Option 的取值有(从0开始计算):
WinHttpRequestOption_UserAgentString,
WinHttpRequestOption_URL,
WinHttpRequestOption_URLCodePage,
WinHttpRequestOption_EscapePercentInURL,
WinHttpRequestOption_SslErrorIgnoreFlags,
WinHttpRequestOption_SelectCertificate,
WinHttpRequestOption_EnableRedirects,
WinHttpRequestOption_UrlEscapeDisable,
WinHttpRequestOption_UrlEscapeDisableQuery,
WinHttpRequestOption_SecureProtocols,
WinHttpRequestOption_EnableTracing,
WinHttpRequestOption_RevertImpersonationOverSsl,
WinHttpRequestOption_EnableHttpsToHttpRedirects,
WinHttpRequestOption_EnablePassportAuthentication,
WinHttpRequestOption_MaxAutomaticRedirects,
WinHttpRequestOption_MaxResponseHeaderSize,
WinHttpRequestOption_MaxResponseDrainSize,
WinHttpRequestOption_EnableHttp1_1,
WinHttpRequestOption_EnableCertificateRevocationCheck
------------------- 附属文档
http://msdn.microsoft.com/en-us/library/aa383147%28v=vs.85%29.aspx
Authentication Using Script
This section demonstrates how to write script that uses the WinHttpRequest object to access data from a server that requires HTTP authentication.
Prerequisites and Requirements
Accessing a Web Site With Authentication
Checking the Status Codes
Related Topics
Prerequisites and Requirements
In addition to a working knowledge of Microsoft JScript, this example requires the following:
The current version of the Microsoft Windows Software Development Kit (SDK).
The proxy configuration tool to establish the proxy settings for Microsoft Windows HTTP Services (WinHTTP), if your connection to the Internet is through a proxy server. See Proxycfg.exe, a Proxy Configuration Tool for more information.
A familiarity with network terminology and concepts.
Accessing a Web Site With Authentication
Aa383147.wedge(en-us,VS.85).gifTo create a script that demonstrates authentication, do the following:
Open a text editor such as Microsoft Notepad.
Copy the following code into the text editor after replacing "[authenticationSite]" with the appropriate text to specify the URL of a site that requires HTTP authentication.
// Load the WinHttpRequest object.
var WinHttpReq =
new ActiveXObject("WinHttp.WinHttpRequest.5.1");
function getText1( )
{
// Specify the target resource.
WinHttpReq.open( "GET",
"http://[authenticationSite]",
false;
// Send a request to the server and wait for a response.
WinHttpReq.send( );
// Display the results of the request.
WScript.Echo( "No Credentials: " );
WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText);
WScript.Echo( WinHttpReq.GetAllResponseHeaders);
WScript.Echo( );
};
function getText2( )
{
// HttpRequest SetCredentials flags
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER = 0;
// Specify the target resource.
WinHttpReq.open( "GET",
"http://[authenticationSite]",
false );
// Set credentials for server.
WinHttpReq.SetCredentials( "User Name",
"Password",
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
// It might also be necessary to supply credentials
// to the proxy if you connect to the Internet
// through a proxy that requires authentication.
// Send a request to the server and wait for
// a response.
WinHttpReq.send( );
// Display the results of the request.
WScript.Echo( "Credentials: " );
WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText );
WScript.Echo( WinHttpReq.GetAllResponseHeaders( ) );
WScript.Echo( );
};
getText1( );
getText2( );
Save the file as "Auth.js".
From a command prompt, type "cscript Auth.js" and press ENTER.
You now have a program that requests a resource two different ways. The first method requests the resource without supplying credentials. A 401 status code is returned to indicate that the server requires authentication. The response headers are also displayed and should look similar to the following:
Connection: Keep-Alive
Content-Length: 0
Date: Fri, 27 Apr 2001 01:47:18 GMT
Content-Type: text/html
Server: Microsoft-IIS/5.0
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
Cache-control: private
Although the response indicates that access to the resource was denied, it still returns several headers that provide some information about the resource. The header named "WWW-Authenticate" indicates that the server requires authentication for this resource. If there was a header named "Proxy-Authenticate", it would indicate that the proxy server requires authentication. Each authenticate header contains an available authentication scheme and sometimes a realm. The realm value is case-sensitive and defines a set of servers or proxies for which the same credentials should be accepted.
There are two headers named "WWW-Authenticate", which indicate that multiple authentication schemes are supported. If you call the GetResponseHeader method to find "WWW-Authenticate" headers, the method only returns the contents of the first header of that name. In this case, it returns a value of "NTLM". To ensure that all occurrences of a header are processed, use the GetAllResponseHeaders method instead.
The second method call requests the same resource, but first supplies authentication credentials by calling the SetCredentials method. The following section of code shows how this method is used.
WinHttpReq.SetCredentials( "User Name", "Password",
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
This method sets the user name to "UserName", the password to "Password", and indicates that the authorization credentials apply to the resource server. Authentication credentials can also be sent to a proxy.
When credentials are supplied, the server returns a 200 status code that indicates that the document can be retrieved.
Checking the Status Codes
The previous example is instructional, but it requires that the user explicitly supply credentials. An application that supplies credentials when it is necessary and does not supply credentials when it is not necessary is more useful. To implement a feature that does this, you must modify your example to examine the status code returned with the response.
For a complete list of possible status codes, along with descriptions, see HTTP Status Codes. For this example, however, you should encounter only one of three codes. A status code of 200 indicates that a resource is available and is being sent with the response. A status code of 401 indicates that the server requires authentication. A status code of 407 indicates that the proxy requires authentication.
Modify the example you created in the last section by replacing the "getText2" function with the following code (replace "[authenticationSite]" with your own text to specifies the URL of a site that requires HTTP authentication):
function getText2() {
WScript.Echo( "Credentials: " );
// HttpRequest SetCredentials flags.
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER = 0;
HTTPREQUEST_SETCREDENTIALS_FOR_PROXY = 1;
// Specify the target resource.
var targURL = "http://[authenticationSite]";
WinHttpReq.open( "GET", targURL, false );
var Done = false;
var Attempts = 0;
do
{
// Keep track of the number of request attempts.
Attempts++;
// Send a request to the server and wait for a response.
WinHttpReq.send( );
// Obtain the status code from the response.
var Status = WinHttpReq.Status;
switch (Status)
{
// A 200 status indicates that the resource was retrieved.
case 200:
Done = true;
break;
// A 401 status indicates that the server
// requires authentication.
case 401:
WScript.Echo( "Requires Server UserName and Password." );
// Specify the target resource.
WinHttpReq.open( "GET", targURL, false );
// Set credentials for the server.
WinHttpReq.SetCredentials( "User Name",
"Password",
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
break;
// A 407 status indicates that the proxy
// requires authentication.
case 407:
WScript.Echo( "Requires Proxy UserName and Password." );
// Specify the target resource.
WinHttpReq.open( "GET", targURL, false );
// Set credentials for the proxy.
WinHttpReq.SetCredentials( "User Name",
"Password",
HTTPREQUEST_SETCREDENTIALS_FOR_PROXY );
break;
}
} while( ( !Done ) && ( Attempts < 3 ) );
// Display the results of the request.
WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText );
WScript.Echo( WinHttpReq.GetAllResponseHeaders( ) );
WScript.Echo( );
};
Again, save and run the file. The second method still retrieves the document, but it only provides credentials when required. The "getText2" function executes the Open and Send methods as if authentication was not required. The status is retrieved with the Status property and a switch statement responds to the resulting status code. If the status is 401 (server requires authentication) or 407 (proxy requires authentication), the Open method is executed again. This is followed by the SetCredentials method, which sets the user name and password. The code then loops back to the Send method. If, after three attempts, the resource cannot be successfully retrieved, then the function stops execution.
Related Topics
Authentication in WinHTTP
WinHttpRequest
SetCredentials
HTTP/1.1 Request for Comments (RFC 2616)
Send comments about this topic to Microsoft
Build date: 7/14/2011
---
http://www.neilstuff.com/winhttp/
I got tired of waiting for MSDN as a reference to using the WinHttp ActiveXObject, so I'm transcribing things here. Visit MSDN's WinHttpRequest Object Reference for the original content.
WinHttp.WinHttpRequest.5.1
Methods of WinHttp
Abort: Aborts a WinHTTP Send method.
GetAllResponseHeaders: Retrieves all HTTP response headers.
GetResponseHeader: Retrieves the HTTP response headers.
Open: Opens an HTTP connection to an HTTP resource.
Send: Sends an HTTP request to an HTTP server.
SetAutoLogonPolicy: Sets the current Automatic Logon Policy.
SetClientCertificate: Selects a client certificate to send to a Secure Hypertext Transfer Protocol (HTTPS) server.
SetCredentials: Sets credentials to be used with an HTTP server梕ither an origin or a proxy server.
SetProxy: Sets proxy server information.
SetRequestHeader: Adds, changes, or deletes an HTTP request header.
SetTimeouts: Specifies, in milliseconds, the individual time-out components of a send/receive operation.
WaitForResponse: Specifies the wait time, in seconds, for an asynchronous Send method to complete, with optional time-out value.
Properties of WinHttp
Option: Sets or retrieves a WinHTTP option value.
ResponseBody: Retrieves the response entity body as an array of unsigned bytes.
ResponseStream: Retrieves the response entity body as an IStream.
ResponseText: Retrieves the response entity body as a string.
Status: Retrieves the HTTP status code from the last response.
StatusText: Retrieves HTTP status text.
Events of WinHttp
OnError: Occurs when there is a run-time error in the application.
OnResponseDataAvailable: Occurs when data is available from the response.
OnResponseFinished: Occurs when the response data is complete.
OnResponseStart: Occurs when the response data starts to be received.
WinHttp Methods
GetResponseHeader
The GetResponseHeader method gets the HTTP response headers.
Return Value = GetResponseHeader( *bstrHeader )
* = Required
Syntax
sHeader: A value of type string that specifies the case-insensitive header name.
Return Value: This method returns the value of the response header named in bstrHeader.
Remarks
Invoke this method only after the Send method has been called.
Example
The following code example shows how to open an HTTP connection, send an HTTP request, and get the date header from the response.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET",
"http://www.microsoft.com",
false);
// Send the HTTP request.
WinHttpReq.Send();
// Display the date header.
WScript.Echo( WinHttpReq.GetResponseHeader("Date"));
Open
The Open method opens an HTTP connection to an HTTP resource.
Syntax
Open( *bstrMethod, *bstrUrl, varAsync = false )
* = Required.
bstrMethod: A value of type string that specifies the HTTP verb used for the Open method, such as "GET" or "PUT". Always use uppercase as some servers ignore lowercase HTTP verbs.
bstrUrl: A value of type string that contains the name of the resource. This must be an absolute URL.
varAsync: A value of type Boolean that specifies whether to open in asynchronous mode. True=Opens the HTTP connection in asynchronous mode.
Remarks
This method opens a connection to the resource identified in bstrUrl using the HTTP verb given in bstrMethod.
Example Code
The following code example shows how to open an HTTP connection, send an HTTP request, and read the response text.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", false);
// Send the HTTP request.
WinHttpReq.Send();
// Display the response text.
WScript.Echo( WinHttpReq.ResponseText);
Send()
Syntax
The Send method sends an HTTP request to an HTTP server.
Send( varBody )
varBody: Data to be sent to the server.
Remarks
The request to be sent was defined in a prior call to the Open method. The calling application can provide data to be sent to the server through the varBody parameter. If the HTTP verb of the object's Open is "GET", this method sends the request without varBody, even if it is provided by the calling application.
Example Code
The following example shows how to open an HTTP connection, send an HTTP request, and read the response text.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", false);
// Send the HTTP request.
WinHttpReq.Send();
// Display the response text.
WScript.Echo( WinHttpReq.ResponseText);
The following example shows how to post data to an HTTP server.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("PUT", "http://postserver/newdoc.htm", false);
// Post data to the HTTP server.
WinHttpReq.Send("Post data");
SetTimeouts
The SetTimeouts method specifies the individual time-out components of a send/receive operation, in milliseconds.
Syntax
SetTimeouts( ResolveTimeout, ConnectTimeout, SendTimeout, ReceiveTimeout )
ResolveTimeout: Value of type Integer integer. Time-out value applied when resolving a host name (such as www.microsoft.com) to an IP address (such as 192.168.131.199), in milliseconds. The default value is zero, meaning no time-out (infinite). If DNS timeout is specified using NAME_RESOLUTION_TIMEOUT, there is an overhead of one thread per request.
ConnectTimeout: Value of type Integer integer. Time-out value applied when establishing a communication socket with the target server, in milliseconds. The default value is 60,000 (60 seconds).
SendTimeout: Value of type Integer integer. Time-out value applied when sending an individual packet of request data on the communication socket to the target server, in milliseconds. A large request sent to an HTTP server are normally be broken up into multiple packets; the send time-out applies to sending each packet individually. The default value is 30,000 (30 seconds).
ReceiveTimeout: Value of type Integer integer. Time-out value applied when receiving a packet of response data from the target server, in milliseconds. Large responses are be broken up into multiple packets; the receive time-out applies to fetching each packet of data off the socket. The default value is 30,000 (30 seconds).
Remarks
All parameters are required. A value of 0 or -1 sets a time-out to wait infinitely. A value greater than 0 sets the time-out value in milliseconds. For example, 30,000 would set the time-out to 30 seconds. All negative values other than -1 cause this method to fail.
Time-out values are applied at the Winsock layer.
Example
The following example shows how to set all WinHTTP time-outs to 30 seconds, open an HTTP connection, and send an HTTP request.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Set time-outs. If time-outs are set, they must
// be set before open.
WinHttpReq.SetTimeouts(30000, 30000, 30000, 30000);
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", false);
// Send the HTTP request.
WinHttpReq.Send();
WaitForResponse()
The WaitForResponse method waits for an asynchronous Send method to complete, with optional time-out value, in seconds.
Syntax
Return Value = WaitForResponse( Timeout = -1)
Timeout: Time-out value, in seconds. Default time-out is infinite. To explicitly set time-out to infinite, use the value -1.
Return Value: True=A response has been received. False=A time-out error occurred.
Remarks
This method suspends execution while waiting for a response to an asynchronous request. This method should be called after a Send. Calling applications can specify an optional Timeout value, in seconds. If this method times out, the request is not aborted. This way, the calling application can continue to wait for the request, if desired, in a subsequent call to this method.
Calling this property after a synchronous Send method returns immediately and has no effect.
Example Code
This example shows how to open an asynchronous HTTP connection, send an HTTP request, wait for a response, and read the response text.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", true);
// Send the HTTP request.
WinHttpReq.Send();
// Wait for the response.
WinHttpReq.WaitForResponse();
// Display the response text.
WScript.Echo( WinHttpReq.ResponseText);
WinHttp Properties
WinHttp Events
----
http://msdn.microsoft.com/en-us/library/aa384106.aspx#events
WinHttpRequest Object
This topic provides information about using the WinHTTP WinHttpRequest COM object with scripting languages.
Members
The WinHttpRequest object has the following types of members:
Events
Methods
Properties
Events
The WinHttpRequest object has the following events.
Event Description
OnError
Occurs when there is a run-time error in the application.
OnResponseDataAvailable
Occurs when data is available from the response.
OnResponseFinished
Occurs when the response data is complete.
OnResponseStart
Occurs when the response data starts to be received.
Methods
The WinHttpRequest object has the following methods.
Method Description
Abort
Aborts a WinHTTP Send method.
GetAllResponseHeaders
Retrieves all HTTP response headers.
GetResponseHeader
Retrieves the HTTP response headers.
Open
Opens an HTTP connection to an HTTP resource.
Send
Sends an HTTP request to an HTTP server.
SetAutoLogonPolicy
Sets the current Automatic Logon Policy.
SetClientCertificate
Selects a client certificate to send to a Secure Hypertext Transfer Protocol (HTTPS) server.
SetCredentials
Sets credentials to be used with an HTTP server—either an origin or a proxy server.
SetProxy
Sets proxy server information.
SetRequestHeader
Adds, changes, or deletes an HTTP request header.
SetTimeouts
Specifies, in milliseconds, the individual time-out components of a send/receive operation.
WaitForResponse
Specifies the wait time, in seconds, for an asynchronous Send method to complete, with optional time-out value.
Properties
The WinHttpRequest object has the following properties.
Property Access type Description
Option
Read/write
Sets or retrieves a WinHTTP option value.
ResponseBody
Read-only
Retrieves the response entity body as an array of unsigned bytes.
ResponseStream
Read-only
Retrieves the response entity body as an IStream.
ResponseText
Read-only
Retrieves the response entity body as text.
Status
Read-only
Retrieves the HTTP status code from the last response.
StatusText
Read-only
Retrieves HTTP status text.
Remarks
The WinHttpRequest object uses the IErrorInfo interface to provide error data. A description and numerical error value can be obtained with the Err object in Microsoft Visual Basic Scripting Edition (VBScript), and the Error object in Microsoft JScript. The lower 16 bits of an error number correspond to the values found in Error Messages.
Note For Windows XP and Windows 2000, see Run-Time Requirements.
Requirements
Minimum supported client
Windows XP, Windows 2000 Professional with SP3
Minimum supported server
Windows Server 2003, Windows 2000 Server with SP3
Redistributable
WinHTTP 5.0 and Internet Explorer 5.01 or later on Windows XP and Windows 2000.
IDL
HttpRequest.idl
Library
Winhttp.lib
DLL
Winhttp
无意间发现公司内部项目使用的 paypal 扣款程序里面有 WinHttp.WinHttpRequest.5.1 对象,它负责把客户的信用卡信息提交到 paypal 的服务器,看来是一个核心的远程访问方法,google一下发现它居然用可以成功伪造所有 http 请求的 header 信息!下面的代码通过伪造 referer 的值,假装从百度首页提交一个表单到指定的 url 去:
var url = "http://www.yourtarget.com";
var param = "name=david&age=30";
var obj = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
obj.Open("POST", url, false);
obj.Option(4) = 13056;
obj.Option(6) = false; //false可以不自动跳转,截取服务端返回的302状态。
obj.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
obj.setRequestHeader("Referer", "http://www.baidu.com");
obj.Send(param);
WScript.Echo(obj.responseText);
保存为 xxx.js 文件,在命令行中运行 cscript.exe xxx.js。
从msdn得知,WinHttp.WinHttpRequest.5.1 是 msxml 4.0 的底层对象,也就是说 XMLHTTP/ServerXMLHTTP 也是在它的基础上封装而来。用 WinHttpRequest 发的请求,连 Fiddler 也监测不到,看来确实是比较底层的东西。
---------------------------邪恶的分割线------------------------
既然可以用它来伪造所有 http 请求的 header,那 Cookies、Sessionid 自然也就可以得到并传递了。下面是实战代码,用命令行登录博客园,共三次请求,第一次请求获取表单的 VIEWSTATE 和 EVENTVALIDATION,第二次带账户登录,第三次带Cookie访问其首页:
//封装成远程访问的函数
function RemoteCall(method, url, param, header){
var obj = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
obj.Open(method||"GET", url, false);
obj.Option(4) = 13056;
obj.Option(6) = false;
if(method=="POST"){
obj.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
}
if(header){
for(var key in header){
if(key=="Cookie"){//根据 MSDN 的建议,设置Cookie前,先设置一个无用的值
obj.setRequestHeader("Cookie", "string");
}
obj.setRequestHeader(key, header[key]);
}
}
obj.Send(param);
return obj;
}
//第一次远程访问博客园的登录入口
var url = "http://passport.cnblogs.com/login.aspx";
var objFirst = RemoteCall("GET", url, null);
//取得 viewstate 与 eventvalidation
var viewstate = objFirst.responseText.match(/id="__VIEWSTATE" value="(.*?)" \/>/)[1];
var eventvalidation = objFirst.responseText.match(/id="__EVENTVALIDATION" value="(.*?)" \/>/)[1];
//输入自己的账户与密码
var username = "";
var password = "";
var param = ""
+ "__VIEWSTATE="+encodeURIComponent(viewstate)
+ "&__EVENTVALIDATION="+encodeURIComponent(eventvalidation)
+ "&tbUserName="+username
+ "&tbPassword="+password
+ "&btnLogin="+encodeURIComponent("登 录");
var objSecond = RemoteCall("POST", url, param);
//登录成功后服务器执行 Response.Redirect 跳转,即向客户端发送了 302 状态代码
WScript.Echo(objSecond.status); //302即登录成功, 如果是200,则登录失败,页面没有跳转
//带上登录成功后的cookie,再次访问其首页
var json = {"Cookie": objSecond.getResponseHeader("Set-Cookie")};
var objThird = RemoteCall("GET", "http://www.cnblogs.com", null, json);
WScript.Echo(objThird.responseText);
上面的代码其实已经有一定恶意,我只为证明使用 WinHttpRequest 确实可以模拟浏览器发送请求,服务端也无法区别是从浏览器来的,还是从命令行来的。这证明到一点,从客户端提交来的任何数据都不可信,因为发送的 http 数据包不但表单值可以修改,连数据包的header都可以随意修改。同时也说明,使用 VIEWSTATE 对表单的安全性无任何用处。
引用一张著名的漫画,在互联网上,没有人知道你是一条狗。在服务端,没有人知道你是从命令行发送出来的。
-------------- 评论
精彩的处理方式。是原创吗?
obj.Option(4) = 13056;
obj.Option(6) = false;
这两个难道是 WinHttp.WinHttpRequest.5.1 方法自带的吗 ?
WinHttpRequest是从paypal接口中发现的。谈不上原创。
WinHttpRequest.Option 的取值有(从0开始计算):
WinHttpRequestOption_UserAgentString,
WinHttpRequestOption_URL,
WinHttpRequestOption_URLCodePage,
WinHttpRequestOption_EscapePercentInURL,
WinHttpRequestOption_SslErrorIgnoreFlags,
WinHttpRequestOption_SelectCertificate,
WinHttpRequestOption_EnableRedirects,
WinHttpRequestOption_UrlEscapeDisable,
WinHttpRequestOption_UrlEscapeDisableQuery,
WinHttpRequestOption_SecureProtocols,
WinHttpRequestOption_EnableTracing,
WinHttpRequestOption_RevertImpersonationOverSsl,
WinHttpRequestOption_EnableHttpsToHttpRedirects,
WinHttpRequestOption_EnablePassportAuthentication,
WinHttpRequestOption_MaxAutomaticRedirects,
WinHttpRequestOption_MaxResponseHeaderSize,
WinHttpRequestOption_MaxResponseDrainSize,
WinHttpRequestOption_EnableHttp1_1,
WinHttpRequestOption_EnableCertificateRevocationCheck
------------------- 附属文档
http://msdn.microsoft.com/en-us/library/aa383147%28v=vs.85%29.aspx
Authentication Using Script
This section demonstrates how to write script that uses the WinHttpRequest object to access data from a server that requires HTTP authentication.
Prerequisites and Requirements
Accessing a Web Site With Authentication
Checking the Status Codes
Related Topics
Prerequisites and Requirements
In addition to a working knowledge of Microsoft JScript, this example requires the following:
The current version of the Microsoft Windows Software Development Kit (SDK).
The proxy configuration tool to establish the proxy settings for Microsoft Windows HTTP Services (WinHTTP), if your connection to the Internet is through a proxy server. See Proxycfg.exe, a Proxy Configuration Tool for more information.
A familiarity with network terminology and concepts.
Accessing a Web Site With Authentication
Aa383147.wedge(en-us,VS.85).gifTo create a script that demonstrates authentication, do the following:
Open a text editor such as Microsoft Notepad.
Copy the following code into the text editor after replacing "[authenticationSite]" with the appropriate text to specify the URL of a site that requires HTTP authentication.
// Load the WinHttpRequest object.
var WinHttpReq =
new ActiveXObject("WinHttp.WinHttpRequest.5.1");
function getText1( )
{
// Specify the target resource.
WinHttpReq.open( "GET",
"http://[authenticationSite]",
false;
// Send a request to the server and wait for a response.
WinHttpReq.send( );
// Display the results of the request.
WScript.Echo( "No Credentials: " );
WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText);
WScript.Echo( WinHttpReq.GetAllResponseHeaders);
WScript.Echo( );
};
function getText2( )
{
// HttpRequest SetCredentials flags
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER = 0;
// Specify the target resource.
WinHttpReq.open( "GET",
"http://[authenticationSite]",
false );
// Set credentials for server.
WinHttpReq.SetCredentials( "User Name",
"Password",
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
// It might also be necessary to supply credentials
// to the proxy if you connect to the Internet
// through a proxy that requires authentication.
// Send a request to the server and wait for
// a response.
WinHttpReq.send( );
// Display the results of the request.
WScript.Echo( "Credentials: " );
WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText );
WScript.Echo( WinHttpReq.GetAllResponseHeaders( ) );
WScript.Echo( );
};
getText1( );
getText2( );
Save the file as "Auth.js".
From a command prompt, type "cscript Auth.js" and press ENTER.
You now have a program that requests a resource two different ways. The first method requests the resource without supplying credentials. A 401 status code is returned to indicate that the server requires authentication. The response headers are also displayed and should look similar to the following:
Connection: Keep-Alive
Content-Length: 0
Date: Fri, 27 Apr 2001 01:47:18 GMT
Content-Type: text/html
Server: Microsoft-IIS/5.0
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
Cache-control: private
Although the response indicates that access to the resource was denied, it still returns several headers that provide some information about the resource. The header named "WWW-Authenticate" indicates that the server requires authentication for this resource. If there was a header named "Proxy-Authenticate", it would indicate that the proxy server requires authentication. Each authenticate header contains an available authentication scheme and sometimes a realm. The realm value is case-sensitive and defines a set of servers or proxies for which the same credentials should be accepted.
There are two headers named "WWW-Authenticate", which indicate that multiple authentication schemes are supported. If you call the GetResponseHeader method to find "WWW-Authenticate" headers, the method only returns the contents of the first header of that name. In this case, it returns a value of "NTLM". To ensure that all occurrences of a header are processed, use the GetAllResponseHeaders method instead.
The second method call requests the same resource, but first supplies authentication credentials by calling the SetCredentials method. The following section of code shows how this method is used.
WinHttpReq.SetCredentials( "User Name", "Password",
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
This method sets the user name to "UserName", the password to "Password", and indicates that the authorization credentials apply to the resource server. Authentication credentials can also be sent to a proxy.
When credentials are supplied, the server returns a 200 status code that indicates that the document can be retrieved.
Checking the Status Codes
The previous example is instructional, but it requires that the user explicitly supply credentials. An application that supplies credentials when it is necessary and does not supply credentials when it is not necessary is more useful. To implement a feature that does this, you must modify your example to examine the status code returned with the response.
For a complete list of possible status codes, along with descriptions, see HTTP Status Codes. For this example, however, you should encounter only one of three codes. A status code of 200 indicates that a resource is available and is being sent with the response. A status code of 401 indicates that the server requires authentication. A status code of 407 indicates that the proxy requires authentication.
Modify the example you created in the last section by replacing the "getText2" function with the following code (replace "[authenticationSite]" with your own text to specifies the URL of a site that requires HTTP authentication):
function getText2() {
WScript.Echo( "Credentials: " );
// HttpRequest SetCredentials flags.
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER = 0;
HTTPREQUEST_SETCREDENTIALS_FOR_PROXY = 1;
// Specify the target resource.
var targURL = "http://[authenticationSite]";
WinHttpReq.open( "GET", targURL, false );
var Done = false;
var Attempts = 0;
do
{
// Keep track of the number of request attempts.
Attempts++;
// Send a request to the server and wait for a response.
WinHttpReq.send( );
// Obtain the status code from the response.
var Status = WinHttpReq.Status;
switch (Status)
{
// A 200 status indicates that the resource was retrieved.
case 200:
Done = true;
break;
// A 401 status indicates that the server
// requires authentication.
case 401:
WScript.Echo( "Requires Server UserName and Password." );
// Specify the target resource.
WinHttpReq.open( "GET", targURL, false );
// Set credentials for the server.
WinHttpReq.SetCredentials( "User Name",
"Password",
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
break;
// A 407 status indicates that the proxy
// requires authentication.
case 407:
WScript.Echo( "Requires Proxy UserName and Password." );
// Specify the target resource.
WinHttpReq.open( "GET", targURL, false );
// Set credentials for the proxy.
WinHttpReq.SetCredentials( "User Name",
"Password",
HTTPREQUEST_SETCREDENTIALS_FOR_PROXY );
break;
}
} while( ( !Done ) && ( Attempts < 3 ) );
// Display the results of the request.
WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText );
WScript.Echo( WinHttpReq.GetAllResponseHeaders( ) );
WScript.Echo( );
};
Again, save and run the file. The second method still retrieves the document, but it only provides credentials when required. The "getText2" function executes the Open and Send methods as if authentication was not required. The status is retrieved with the Status property and a switch statement responds to the resulting status code. If the status is 401 (server requires authentication) or 407 (proxy requires authentication), the Open method is executed again. This is followed by the SetCredentials method, which sets the user name and password. The code then loops back to the Send method. If, after three attempts, the resource cannot be successfully retrieved, then the function stops execution.
Related Topics
Authentication in WinHTTP
WinHttpRequest
SetCredentials
HTTP/1.1 Request for Comments (RFC 2616)
Send comments about this topic to Microsoft
Build date: 7/14/2011
---
http://www.neilstuff.com/winhttp/
I got tired of waiting for MSDN as a reference to using the WinHttp ActiveXObject, so I'm transcribing things here. Visit MSDN's WinHttpRequest Object Reference for the original content.
WinHttp.WinHttpRequest.5.1
Methods of WinHttp
Abort: Aborts a WinHTTP Send method.
GetAllResponseHeaders: Retrieves all HTTP response headers.
GetResponseHeader: Retrieves the HTTP response headers.
Open: Opens an HTTP connection to an HTTP resource.
Send: Sends an HTTP request to an HTTP server.
SetAutoLogonPolicy: Sets the current Automatic Logon Policy.
SetClientCertificate: Selects a client certificate to send to a Secure Hypertext Transfer Protocol (HTTPS) server.
SetCredentials: Sets credentials to be used with an HTTP server梕ither an origin or a proxy server.
SetProxy: Sets proxy server information.
SetRequestHeader: Adds, changes, or deletes an HTTP request header.
SetTimeouts: Specifies, in milliseconds, the individual time-out components of a send/receive operation.
WaitForResponse: Specifies the wait time, in seconds, for an asynchronous Send method to complete, with optional time-out value.
Properties of WinHttp
Option: Sets or retrieves a WinHTTP option value.
ResponseBody: Retrieves the response entity body as an array of unsigned bytes.
ResponseStream: Retrieves the response entity body as an IStream.
ResponseText: Retrieves the response entity body as a string.
Status: Retrieves the HTTP status code from the last response.
StatusText: Retrieves HTTP status text.
Events of WinHttp
OnError: Occurs when there is a run-time error in the application.
OnResponseDataAvailable: Occurs when data is available from the response.
OnResponseFinished: Occurs when the response data is complete.
OnResponseStart: Occurs when the response data starts to be received.
WinHttp Methods
GetResponseHeader
The GetResponseHeader method gets the HTTP response headers.
Return Value = GetResponseHeader( *bstrHeader )
* = Required
Syntax
sHeader: A value of type string that specifies the case-insensitive header name.
Return Value: This method returns the value of the response header named in bstrHeader.
Remarks
Invoke this method only after the Send method has been called.
Example
The following code example shows how to open an HTTP connection, send an HTTP request, and get the date header from the response.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET",
"http://www.microsoft.com",
false);
// Send the HTTP request.
WinHttpReq.Send();
// Display the date header.
WScript.Echo( WinHttpReq.GetResponseHeader("Date"));
Open
The Open method opens an HTTP connection to an HTTP resource.
Syntax
Open( *bstrMethod, *bstrUrl, varAsync = false )
* = Required.
bstrMethod: A value of type string that specifies the HTTP verb used for the Open method, such as "GET" or "PUT". Always use uppercase as some servers ignore lowercase HTTP verbs.
bstrUrl: A value of type string that contains the name of the resource. This must be an absolute URL.
varAsync: A value of type Boolean that specifies whether to open in asynchronous mode. True=Opens the HTTP connection in asynchronous mode.
Remarks
This method opens a connection to the resource identified in bstrUrl using the HTTP verb given in bstrMethod.
Example Code
The following code example shows how to open an HTTP connection, send an HTTP request, and read the response text.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", false);
// Send the HTTP request.
WinHttpReq.Send();
// Display the response text.
WScript.Echo( WinHttpReq.ResponseText);
Send()
Syntax
The Send method sends an HTTP request to an HTTP server.
Send( varBody )
varBody: Data to be sent to the server.
Remarks
The request to be sent was defined in a prior call to the Open method. The calling application can provide data to be sent to the server through the varBody parameter. If the HTTP verb of the object's Open is "GET", this method sends the request without varBody, even if it is provided by the calling application.
Example Code
The following example shows how to open an HTTP connection, send an HTTP request, and read the response text.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", false);
// Send the HTTP request.
WinHttpReq.Send();
// Display the response text.
WScript.Echo( WinHttpReq.ResponseText);
The following example shows how to post data to an HTTP server.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("PUT", "http://postserver/newdoc.htm", false);
// Post data to the HTTP server.
WinHttpReq.Send("Post data");
SetTimeouts
The SetTimeouts method specifies the individual time-out components of a send/receive operation, in milliseconds.
Syntax
SetTimeouts( ResolveTimeout, ConnectTimeout, SendTimeout, ReceiveTimeout )
ResolveTimeout: Value of type Integer integer. Time-out value applied when resolving a host name (such as www.microsoft.com) to an IP address (such as 192.168.131.199), in milliseconds. The default value is zero, meaning no time-out (infinite). If DNS timeout is specified using NAME_RESOLUTION_TIMEOUT, there is an overhead of one thread per request.
ConnectTimeout: Value of type Integer integer. Time-out value applied when establishing a communication socket with the target server, in milliseconds. The default value is 60,000 (60 seconds).
SendTimeout: Value of type Integer integer. Time-out value applied when sending an individual packet of request data on the communication socket to the target server, in milliseconds. A large request sent to an HTTP server are normally be broken up into multiple packets; the send time-out applies to sending each packet individually. The default value is 30,000 (30 seconds).
ReceiveTimeout: Value of type Integer integer. Time-out value applied when receiving a packet of response data from the target server, in milliseconds. Large responses are be broken up into multiple packets; the receive time-out applies to fetching each packet of data off the socket. The default value is 30,000 (30 seconds).
Remarks
All parameters are required. A value of 0 or -1 sets a time-out to wait infinitely. A value greater than 0 sets the time-out value in milliseconds. For example, 30,000 would set the time-out to 30 seconds. All negative values other than -1 cause this method to fail.
Time-out values are applied at the Winsock layer.
Example
The following example shows how to set all WinHTTP time-outs to 30 seconds, open an HTTP connection, and send an HTTP request.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Set time-outs. If time-outs are set, they must
// be set before open.
WinHttpReq.SetTimeouts(30000, 30000, 30000, 30000);
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", false);
// Send the HTTP request.
WinHttpReq.Send();
WaitForResponse()
The WaitForResponse method waits for an asynchronous Send method to complete, with optional time-out value, in seconds.
Syntax
Return Value = WaitForResponse( Timeout = -1)
Timeout: Time-out value, in seconds. Default time-out is infinite. To explicitly set time-out to infinite, use the value -1.
Return Value: True=A response has been received. False=A time-out error occurred.
Remarks
This method suspends execution while waiting for a response to an asynchronous request. This method should be called after a Send. Calling applications can specify an optional Timeout value, in seconds. If this method times out, the request is not aborted. This way, the calling application can continue to wait for the request, if desired, in a subsequent call to this method.
Calling this property after a synchronous Send method returns immediately and has no effect.
Example Code
This example shows how to open an asynchronous HTTP connection, send an HTTP request, wait for a response, and read the response text.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", true);
// Send the HTTP request.
WinHttpReq.Send();
// Wait for the response.
WinHttpReq.WaitForResponse();
// Display the response text.
WScript.Echo( WinHttpReq.ResponseText);
WinHttp Properties
WinHttp Events
----
http://msdn.microsoft.com/en-us/library/aa384106.aspx#events
WinHttpRequest Object
This topic provides information about using the WinHTTP WinHttpRequest COM object with scripting languages.
Members
The WinHttpRequest object has the following types of members:
Events
Methods
Properties
Events
The WinHttpRequest object has the following events.
Event Description
OnError
Occurs when there is a run-time error in the application.
OnResponseDataAvailable
Occurs when data is available from the response.
OnResponseFinished
Occurs when the response data is complete.
OnResponseStart
Occurs when the response data starts to be received.
Methods
The WinHttpRequest object has the following methods.
Method Description
Abort
Aborts a WinHTTP Send method.
GetAllResponseHeaders
Retrieves all HTTP response headers.
GetResponseHeader
Retrieves the HTTP response headers.
Open
Opens an HTTP connection to an HTTP resource.
Send
Sends an HTTP request to an HTTP server.
SetAutoLogonPolicy
Sets the current Automatic Logon Policy.
SetClientCertificate
Selects a client certificate to send to a Secure Hypertext Transfer Protocol (HTTPS) server.
SetCredentials
Sets credentials to be used with an HTTP server—either an origin or a proxy server.
SetProxy
Sets proxy server information.
SetRequestHeader
Adds, changes, or deletes an HTTP request header.
SetTimeouts
Specifies, in milliseconds, the individual time-out components of a send/receive operation.
WaitForResponse
Specifies the wait time, in seconds, for an asynchronous Send method to complete, with optional time-out value.
Properties
The WinHttpRequest object has the following properties.
Property Access type Description
Option
Read/write
Sets or retrieves a WinHTTP option value.
ResponseBody
Read-only
Retrieves the response entity body as an array of unsigned bytes.
ResponseStream
Read-only
Retrieves the response entity body as an IStream.
ResponseText
Read-only
Retrieves the response entity body as text.
Status
Read-only
Retrieves the HTTP status code from the last response.
StatusText
Read-only
Retrieves HTTP status text.
Remarks
The WinHttpRequest object uses the IErrorInfo interface to provide error data. A description and numerical error value can be obtained with the Err object in Microsoft Visual Basic Scripting Edition (VBScript), and the Error object in Microsoft JScript. The lower 16 bits of an error number correspond to the values found in Error Messages.
Note For Windows XP and Windows 2000, see Run-Time Requirements.
Requirements
Minimum supported client
Windows XP, Windows 2000 Professional with SP3
Minimum supported server
Windows Server 2003, Windows 2000 Server with SP3
Redistributable
WinHTTP 5.0 and Internet Explorer 5.01 or later on Windows XP and Windows 2000.
IDL
HttpRequest.idl
Library
Winhttp.lib
DLL
Winhttp
发表评论
-
RESTful API 编写指南
2016-06-14 11:12 5182基于一些不错的RESTful ... -
谈冷热数据
2015-07-20 11:13 6156http://jishu.zol.com.cn/11379. ... -
贺岁文:部门正副经理之争
2015-01-29 11:57 1181http://blog.csdn.net/shenyisyn ... -
只能通过chrome网上应用商店安装该程序”的解决方法
2014-10-09 13:09 6148自 Chrome 21.x 开始默认只允许从 Chrome ... -
nginx同一iP多域名配置方法
2014-06-03 13:48 2692nginx绑定多个域名可又把多个域名规则写一个配置文件里,也 ... -
风车网陈晓峰回忆录:我的两个月倒闭史
2014-05-27 16:09 1341http://tech2ipo.com/54719 ... -
Debugging and Profiling PHP with Xdebug
2014-04-15 12:10 1739http://www.sitepoint.com/debug ... -
XHProf 中文文档
2014-04-15 11:26 1460XHProf文件(草稿) 翻译:徐 ... -
让普通用户登录phpmyadmin不显示information_schema
2014-02-13 16:54 1914http://www.cnblogs.com/faily20 ... -
apache2.2+svn1.6+TortoiseSVN在windows环境搭建
2013-12-21 21:58 4467今天空闲时间对SVN服务器端和客户端环境做了搭建,并且成功了 ... -
MiniCMS - 吐槽
2013-10-22 10:58 1448看到的深有感触, ... -
MySQL 数据库通过日志恢复
2013-08-14 17:09 1091http://blog.csdn.net/hanxin198 ... -
使用文件函数操作Memcache
2013-08-12 18:21 1525写道 最近一周,SAE又悄悄的上线了一个新功能.那就是开始 ... -
转 总结过去10年
2013-08-10 11:17 1122下面的好文 担心原作者删帖 转到此处吧 http:/ ... -
SAET SQL_CALC_FOUND_ROWS 问题
2013-07-20 14:22 2308上午遇到 应用数据查不到的问题,但是 数据库中明明 ... -
问一下使用struts的同学们,你们这些年,是怎么过来的?
2013-07-20 12:04 1371by 空虚浪子心 http://www.inbreak.ne ... -
杂谈产品灰度上线的研发模式
2013-05-13 13:45 1762写道 传统的产品研发 ... -
正则表达式口诀
2013-04-12 14:38 1467写道 来源:蓝血正则 ... -
Emacs 快速指南
2013-04-09 17:51 2328您正在阅读 Emacs 快速指南(Emacs tutorial ... -
推荐几个技术博客,持续更新中...
2013-03-18 10:07 3308推荐几个技术博客,我整理了一下googlereader的订 ...
相关推荐
### PHP 伪造IP和HTTP-REFERER的方法 #### 背景介绍 在网络环境中,IP地址和HTTP_REFERER(HTTP-REFERER)是两种常见的用于跟踪和识别用户请求的数据。其中,IP地址通常用来标识网络中的设备;而HTTP_REFERER则记录...
火狐浏览器插件,伪装IP,伪装UA,伪装refer
如果要伪造IP地址,只需添加相应的设置即可。 #### 知识点四:安全性考虑 虽然伪造HTTP头实现IP欺骗在某些场景下很有用,但这种行为也可能带来安全风险。例如,恶意用户可能利用此方法绕过安全策略,实施非法活动...
CURL不仅可以用于正常的Web交互,还可以用来模拟用户的登录行为以及伪造IP地址。这在很多情况下可能会造成安全风险,比如刷票、网络攻击等。因此,了解和防范这种伪造IP的行为是非常重要的。 本实例通过PHP的CURL库...
然而,需要注意的是,伪造IP地址可能会涉及隐私和安全问题,因此在实际应用中应谨慎使用。此外,许多服务器可能会有额外的验证机制来检测和防止IP地址的欺诈行为。 在PHP中,cURL还可以用于其他高级操作,如设置...
总的来说,虽然在技术上可以通过编程手段伪造IP地址,但在实际应用中应谨慎使用,避免违反法律法规或网站的使用协议。开发者在使用此类技术时应有明确的目的和合法的理由。同时,理解服务器端如何处理和验证IP地址也...
然而,有些不正当的行为,如伪造`referer`头信息,可能会干扰统计的准确性。本文主要探讨如何在C#的`WebBrowser`控件中识别并防范这种伪造行为。 `referer`头是HTTP协议的一部分,它记录了用户是从哪个页面点击链接...
首先,伪造IP来源和用户信息通常用于测试目的或者模拟不同环境的行为,而不是用于恶意活动,因为这可能违反网络服务的使用政策。以下是如何使用PHP和cURL实现这一功能的步骤: 1. **定义伪造的用户浏览器信息**: ...
通过这个函数,开发者可以直接与服务器建立TCP/IP连接,并手动发送HTTP请求数据包,包括设置HTTP_REFERER头。这种方法虽然复杂,但提供了对HTTP请求过程的高度控制,因此在性能和效果上可能是最好的。 虽然本文介绍...
PHP中伪造HTTP_REFERER的方法是一种技术手段,可以使用户在请求服务器时,修改HTTP请求中的Referer字段,以伪装成其他网站的来源。由于HTTP_REFERER通常用于网站安全验证,攻击者可以利用伪造的HTTP_REFERER绕过安全...
在特定情况下,如网络爬虫、自动化测试或模拟用户行为时,可能需要伪造IP地址和来源页面。以下将详细讲解如何使用PHP的CURL库来实现这一功能。 首先,伪造IP地址通常涉及到设置`HTTP_X_FORWARDED_FOR`和`CLIENT-IP`...
它创建了一个 `cURL` 实例,并设置了 `CURLOPT_REFERER` 和 `CURLOPT_HTTPHEADER`,其中 `HTTP_HEADER` 包含了两个 IP 头字段,这与第一个示例中的做法相同。同时,它还演示了如何发送 POST 数据。 在实际应用中,...