- 浏览: 1743189 次
- 性别:
- 来自: 北京
文章分类
- 全部博客 (641)
- vb2005xu自己动手系列 (174)
- vb2005xu开发文章转摘 (47)
- vb2005xu发发牢骚 (99)
- vb2005xu新技术灌水 (12)
- vb2005xu网络资源集锦 (21)
- vb2005xu软件学习 (60)
- 英语学习 (3)
- JavaScript 学习 (54)
- JAVA OOP 巩固 之 CustomDatabase 的开发 (5)
- 2013年9月之前所在公司 记事 (7)
- FleaPHP/QEEPHP 资料 (87)
- JAVA MAIL 学习篇 (4)
- Python turbogears (5)
- Rails 个人开发四部曲 (3)
- 名人传 (8)
- iwp framework (5)
- 高考零分作文 (5)
- startos (8)
- lua (0)
- 职场 (1)
最新评论
-
hellotieye:
自己 评论 自己 挺嗨呀
Mysql sql查询时 if 的用法 -
igevin:
转载请标明出处,转自Gevin的博客http://blog.i ...
RESTful API 编写指南 -
Theobob:
...
实现简单的ACL -
vb2005xu:
比如 对于 curl 调用就不再需要 加各种if 判断了,
$ ...
搞一个简单的数据打印工具AsDebug の Laravel -
vb2005xu:
http://geekplux.com/wiki/
YII2 模块内自定义错误页
在http协议中伪造ip的可能性研究
些日子对自定义http协议的各个数据进行了研究,对于ip伪造的问题,我当时给的建议是使用代理服务器,不过后来发现,其实可以在http协议加入一个选项,来实现一个非伪造ip的伪造ip 。如何理解呢?理由如下:~
一、方法概述
在http协议数据头里面加入选项“x-forward-for”,例如:“x-forward-for:202.204.76.254”,这样发送出去
的包,就是一个特殊的包,在收包方看来,这个包的意思是,一个代理服务器发过来的数据包,而这个包的真是ip是“202.204.76.254”,其实还
是实现的是三次握手,但是只不过是在发包的同时,对收包方提到了一个第三者。
二、试用范围
因为现在的网站类的程序如果有IP限制的话,基本上都是会检测是不是代理服务器发送的数据的,如果是代理服务器发送的数据,那么他就把IP记为这个(透明)代理服务器发送的x-forward-for的IP。
以一段较为流行的php检测ip的代码为例:
那么大家可以看到这个IP是如何伪造的了。
三、应对方法
当然对于网站方面,这种伪造ip的情况虽然不是很多,但是如果在投票类的程序中,当然很需要这方面的检测了,呵呵。多多检测HTTP_CLIENT_IP吧。貌似这个还没有办法伪造?.............................
四、总体看法
这个办法之所以称之为非伪造ip的伪造ip,主要就是利用了现在大多数网站程序检测ip的一个漏洞。所以如果网站程序能够重新审视一下自己的ip检测办法,这个方法就会慢慢失效的。呵呵。
-------------------------
伪造 referer
首先说明,伪造访问来路不是什么光明正大的事情,目的就是为了欺骗服务器。原本以为给 XMLHTTP 对象增加一个 Referer 的header 就可以,结果却没有任何作用,改用 ServerXMLHTTP 也如此。
无意间发现公司内部项目使用的 paypal 扣款程序里面有 WinHttp.WinHttpRequest.5.1 对象,它负责把客户的信用卡信息提交到 paypal 的服务器,看来是一个核心的远程访问方法,google一下发现它居然用可以成功伪造所有 http 请求的 header 信息!下面的代码通过伪造 referer 的值,假装从百度首页提交一个表单到指定的 url 去:
var url = "http://www.yourtarget.com";
var param = "name=david&age=30";
var obj = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
obj.Open("POST", url, false);
obj.Option(4) = 13056;
obj.Option(6) = false; //false可以不自动跳转,截取服务端返回的302状态。
obj.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
obj.setRequestHeader("Referer", "http://www.baidu.com");
obj.Send(param);
WScript.Echo(obj.responseText);
保存为 xxx.js 文件,在命令行中运行 cscript.exe xxx.js。
从msdn得知,WinHttp.WinHttpRequest.5.1 是 msxml 4.0 的底层对象,也就是说 XMLHTTP/ServerXMLHTTP 也是在它的基础上封装而来。用 WinHttpRequest 发的请求,连 Fiddler 也监测不到,看来确实是比较底层的东西。
---------------------------邪恶的分割线------------------------
既然可以用它来伪造所有 http 请求的 header,那 Cookies、Sessionid 自然也就可以得到并传递了。下面是实战代码,用命令行登录博客园,共三次请求,第一次请求获取表单的 VIEWSTATE 和 EVENTVALIDATION,第二次带账户登录,第三次带Cookie访问其首页:
//封装成远程访问的函数
function RemoteCall(method, url, param, header){
var obj = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
obj.Open(method||"GET", url, false);
obj.Option(4) = 13056;
obj.Option(6) = false;
if(method=="POST"){
obj.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
}
if(header){
for(var key in header){
if(key=="Cookie"){//根据 MSDN 的建议,设置Cookie前,先设置一个无用的值
obj.setRequestHeader("Cookie", "string");
}
obj.setRequestHeader(key, header[key]);
}
}
obj.Send(param);
return obj;
}
//第一次远程访问博客园的登录入口
var url = "http://passport.cnblogs.com/login.aspx";
var objFirst = RemoteCall("GET", url, null);
//取得 viewstate 与 eventvalidation
var viewstate = objFirst.responseText.match(/id="__VIEWSTATE" value="(.*?)" \/>/)[1];
var eventvalidation = objFirst.responseText.match(/id="__EVENTVALIDATION" value="(.*?)" \/>/)[1];
//输入自己的账户与密码
var username = "";
var password = "";
var param = ""
+ "__VIEWSTATE="+encodeURIComponent(viewstate)
+ "&__EVENTVALIDATION="+encodeURIComponent(eventvalidation)
+ "&tbUserName="+username
+ "&tbPassword="+password
+ "&btnLogin="+encodeURIComponent("登 录");
var objSecond = RemoteCall("POST", url, param);
//登录成功后服务器执行 Response.Redirect 跳转,即向客户端发送了 302 状态代码
WScript.Echo(objSecond.status); //302即登录成功, 如果是200,则登录失败,页面没有跳转
//带上登录成功后的cookie,再次访问其首页
var json = {"Cookie": objSecond.getResponseHeader("Set-Cookie")};
var objThird = RemoteCall("GET", "http://www.cnblogs.com", null, json);
WScript.Echo(objThird.responseText);
上面的代码其实已经有一定恶意,我只为证明使用 WinHttpRequest 确实可以模拟浏览器发送请求,服务端也无法区别是从浏览器来的,还是从命令行来的。这证明到一点,从客户端提交来的任何数据都不可信,因为发送的 http 数据包不但表单值可以修改,连数据包的header都可以随意修改。同时也说明,使用 VIEWSTATE 对表单的安全性无任何用处。
引用一张著名的漫画,在互联网上,没有人知道你是一条狗。在服务端,没有人知道你是从命令行发送出来的。
-------------- 评论
精彩的处理方式。是原创吗?
obj.Option(4) = 13056;
obj.Option(6) = false;
这两个难道是 WinHttp.WinHttpRequest.5.1 方法自带的吗 ?
WinHttpRequest是从paypal接口中发现的。谈不上原创。
WinHttpRequest.Option 的取值有(从0开始计算):
WinHttpRequestOption_UserAgentString,
WinHttpRequestOption_URL,
WinHttpRequestOption_URLCodePage,
WinHttpRequestOption_EscapePercentInURL,
WinHttpRequestOption_SslErrorIgnoreFlags,
WinHttpRequestOption_SelectCertificate,
WinHttpRequestOption_EnableRedirects,
WinHttpRequestOption_UrlEscapeDisable,
WinHttpRequestOption_UrlEscapeDisableQuery,
WinHttpRequestOption_SecureProtocols,
WinHttpRequestOption_EnableTracing,
WinHttpRequestOption_RevertImpersonationOverSsl,
WinHttpRequestOption_EnableHttpsToHttpRedirects,
WinHttpRequestOption_EnablePassportAuthentication,
WinHttpRequestOption_MaxAutomaticRedirects,
WinHttpRequestOption_MaxResponseHeaderSize,
WinHttpRequestOption_MaxResponseDrainSize,
WinHttpRequestOption_EnableHttp1_1,
WinHttpRequestOption_EnableCertificateRevocationCheck
------------------- 附属文档
http://msdn.microsoft.com/en-us/library/aa383147%28v=vs.85%29.aspx
Authentication Using Script
This section demonstrates how to write script that uses the WinHttpRequest object to access data from a server that requires HTTP authentication.
Prerequisites and Requirements
Accessing a Web Site With Authentication
Checking the Status Codes
Related Topics
Prerequisites and Requirements
In addition to a working knowledge of Microsoft JScript, this example requires the following:
The current version of the Microsoft Windows Software Development Kit (SDK).
The proxy configuration tool to establish the proxy settings for Microsoft Windows HTTP Services (WinHTTP), if your connection to the Internet is through a proxy server. See Proxycfg.exe, a Proxy Configuration Tool for more information.
A familiarity with network terminology and concepts.
Accessing a Web Site With Authentication
Aa383147.wedge(en-us,VS.85).gifTo create a script that demonstrates authentication, do the following:
Open a text editor such as Microsoft Notepad.
Copy the following code into the text editor after replacing "[authenticationSite]" with the appropriate text to specify the URL of a site that requires HTTP authentication.
// Load the WinHttpRequest object.
var WinHttpReq =
new ActiveXObject("WinHttp.WinHttpRequest.5.1");
function getText1( )
{
// Specify the target resource.
WinHttpReq.open( "GET",
"http://[authenticationSite]",
false;
// Send a request to the server and wait for a response.
WinHttpReq.send( );
// Display the results of the request.
WScript.Echo( "No Credentials: " );
WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText);
WScript.Echo( WinHttpReq.GetAllResponseHeaders);
WScript.Echo( );
};
function getText2( )
{
// HttpRequest SetCredentials flags
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER = 0;
// Specify the target resource.
WinHttpReq.open( "GET",
"http://[authenticationSite]",
false );
// Set credentials for server.
WinHttpReq.SetCredentials( "User Name",
"Password",
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
// It might also be necessary to supply credentials
// to the proxy if you connect to the Internet
// through a proxy that requires authentication.
// Send a request to the server and wait for
// a response.
WinHttpReq.send( );
// Display the results of the request.
WScript.Echo( "Credentials: " );
WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText );
WScript.Echo( WinHttpReq.GetAllResponseHeaders( ) );
WScript.Echo( );
};
getText1( );
getText2( );
Save the file as "Auth.js".
From a command prompt, type "cscript Auth.js" and press ENTER.
You now have a program that requests a resource two different ways. The first method requests the resource without supplying credentials. A 401 status code is returned to indicate that the server requires authentication. The response headers are also displayed and should look similar to the following:
Connection: Keep-Alive
Content-Length: 0
Date: Fri, 27 Apr 2001 01:47:18 GMT
Content-Type: text/html
Server: Microsoft-IIS/5.0
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
Cache-control: private
Although the response indicates that access to the resource was denied, it still returns several headers that provide some information about the resource. The header named "WWW-Authenticate" indicates that the server requires authentication for this resource. If there was a header named "Proxy-Authenticate", it would indicate that the proxy server requires authentication. Each authenticate header contains an available authentication scheme and sometimes a realm. The realm value is case-sensitive and defines a set of servers or proxies for which the same credentials should be accepted.
There are two headers named "WWW-Authenticate", which indicate that multiple authentication schemes are supported. If you call the GetResponseHeader method to find "WWW-Authenticate" headers, the method only returns the contents of the first header of that name. In this case, it returns a value of "NTLM". To ensure that all occurrences of a header are processed, use the GetAllResponseHeaders method instead.
The second method call requests the same resource, but first supplies authentication credentials by calling the SetCredentials method. The following section of code shows how this method is used.
WinHttpReq.SetCredentials( "User Name", "Password",
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
This method sets the user name to "UserName", the password to "Password", and indicates that the authorization credentials apply to the resource server. Authentication credentials can also be sent to a proxy.
When credentials are supplied, the server returns a 200 status code that indicates that the document can be retrieved.
Checking the Status Codes
The previous example is instructional, but it requires that the user explicitly supply credentials. An application that supplies credentials when it is necessary and does not supply credentials when it is not necessary is more useful. To implement a feature that does this, you must modify your example to examine the status code returned with the response.
For a complete list of possible status codes, along with descriptions, see HTTP Status Codes. For this example, however, you should encounter only one of three codes. A status code of 200 indicates that a resource is available and is being sent with the response. A status code of 401 indicates that the server requires authentication. A status code of 407 indicates that the proxy requires authentication.
Modify the example you created in the last section by replacing the "getText2" function with the following code (replace "[authenticationSite]" with your own text to specifies the URL of a site that requires HTTP authentication):
function getText2() {
WScript.Echo( "Credentials: " );
// HttpRequest SetCredentials flags.
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER = 0;
HTTPREQUEST_SETCREDENTIALS_FOR_PROXY = 1;
// Specify the target resource.
var targURL = "http://[authenticationSite]";
WinHttpReq.open( "GET", targURL, false );
var Done = false;
var Attempts = 0;
do
{
// Keep track of the number of request attempts.
Attempts++;
// Send a request to the server and wait for a response.
WinHttpReq.send( );
// Obtain the status code from the response.
var Status = WinHttpReq.Status;
switch (Status)
{
// A 200 status indicates that the resource was retrieved.
case 200:
Done = true;
break;
// A 401 status indicates that the server
// requires authentication.
case 401:
WScript.Echo( "Requires Server UserName and Password." );
// Specify the target resource.
WinHttpReq.open( "GET", targURL, false );
// Set credentials for the server.
WinHttpReq.SetCredentials( "User Name",
"Password",
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
break;
// A 407 status indicates that the proxy
// requires authentication.
case 407:
WScript.Echo( "Requires Proxy UserName and Password." );
// Specify the target resource.
WinHttpReq.open( "GET", targURL, false );
// Set credentials for the proxy.
WinHttpReq.SetCredentials( "User Name",
"Password",
HTTPREQUEST_SETCREDENTIALS_FOR_PROXY );
break;
}
} while( ( !Done ) && ( Attempts < 3 ) );
// Display the results of the request.
WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText );
WScript.Echo( WinHttpReq.GetAllResponseHeaders( ) );
WScript.Echo( );
};
Again, save and run the file. The second method still retrieves the document, but it only provides credentials when required. The "getText2" function executes the Open and Send methods as if authentication was not required. The status is retrieved with the Status property and a switch statement responds to the resulting status code. If the status is 401 (server requires authentication) or 407 (proxy requires authentication), the Open method is executed again. This is followed by the SetCredentials method, which sets the user name and password. The code then loops back to the Send method. If, after three attempts, the resource cannot be successfully retrieved, then the function stops execution.
Related Topics
Authentication in WinHTTP
WinHttpRequest
SetCredentials
HTTP/1.1 Request for Comments (RFC 2616)
Send comments about this topic to Microsoft
Build date: 7/14/2011
---
http://www.neilstuff.com/winhttp/
I got tired of waiting for MSDN as a reference to using the WinHttp ActiveXObject, so I'm transcribing things here. Visit MSDN's WinHttpRequest Object Reference for the original content.
WinHttp.WinHttpRequest.5.1
Methods of WinHttp
Abort: Aborts a WinHTTP Send method.
GetAllResponseHeaders: Retrieves all HTTP response headers.
GetResponseHeader: Retrieves the HTTP response headers.
Open: Opens an HTTP connection to an HTTP resource.
Send: Sends an HTTP request to an HTTP server.
SetAutoLogonPolicy: Sets the current Automatic Logon Policy.
SetClientCertificate: Selects a client certificate to send to a Secure Hypertext Transfer Protocol (HTTPS) server.
SetCredentials: Sets credentials to be used with an HTTP server梕ither an origin or a proxy server.
SetProxy: Sets proxy server information.
SetRequestHeader: Adds, changes, or deletes an HTTP request header.
SetTimeouts: Specifies, in milliseconds, the individual time-out components of a send/receive operation.
WaitForResponse: Specifies the wait time, in seconds, for an asynchronous Send method to complete, with optional time-out value.
Properties of WinHttp
Option: Sets or retrieves a WinHTTP option value.
ResponseBody: Retrieves the response entity body as an array of unsigned bytes.
ResponseStream: Retrieves the response entity body as an IStream.
ResponseText: Retrieves the response entity body as a string.
Status: Retrieves the HTTP status code from the last response.
StatusText: Retrieves HTTP status text.
Events of WinHttp
OnError: Occurs when there is a run-time error in the application.
OnResponseDataAvailable: Occurs when data is available from the response.
OnResponseFinished: Occurs when the response data is complete.
OnResponseStart: Occurs when the response data starts to be received.
WinHttp Methods
GetResponseHeader
The GetResponseHeader method gets the HTTP response headers.
Return Value = GetResponseHeader( *bstrHeader )
* = Required
Syntax
sHeader: A value of type string that specifies the case-insensitive header name.
Return Value: This method returns the value of the response header named in bstrHeader.
Remarks
Invoke this method only after the Send method has been called.
Example
The following code example shows how to open an HTTP connection, send an HTTP request, and get the date header from the response.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET",
"http://www.microsoft.com",
false);
// Send the HTTP request.
WinHttpReq.Send();
// Display the date header.
WScript.Echo( WinHttpReq.GetResponseHeader("Date"));
Open
The Open method opens an HTTP connection to an HTTP resource.
Syntax
Open( *bstrMethod, *bstrUrl, varAsync = false )
* = Required.
bstrMethod: A value of type string that specifies the HTTP verb used for the Open method, such as "GET" or "PUT". Always use uppercase as some servers ignore lowercase HTTP verbs.
bstrUrl: A value of type string that contains the name of the resource. This must be an absolute URL.
varAsync: A value of type Boolean that specifies whether to open in asynchronous mode. True=Opens the HTTP connection in asynchronous mode.
Remarks
This method opens a connection to the resource identified in bstrUrl using the HTTP verb given in bstrMethod.
Example Code
The following code example shows how to open an HTTP connection, send an HTTP request, and read the response text.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", false);
// Send the HTTP request.
WinHttpReq.Send();
// Display the response text.
WScript.Echo( WinHttpReq.ResponseText);
Send()
Syntax
The Send method sends an HTTP request to an HTTP server.
Send( varBody )
varBody: Data to be sent to the server.
Remarks
The request to be sent was defined in a prior call to the Open method. The calling application can provide data to be sent to the server through the varBody parameter. If the HTTP verb of the object's Open is "GET", this method sends the request without varBody, even if it is provided by the calling application.
Example Code
The following example shows how to open an HTTP connection, send an HTTP request, and read the response text.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", false);
// Send the HTTP request.
WinHttpReq.Send();
// Display the response text.
WScript.Echo( WinHttpReq.ResponseText);
The following example shows how to post data to an HTTP server.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("PUT", "http://postserver/newdoc.htm", false);
// Post data to the HTTP server.
WinHttpReq.Send("Post data");
SetTimeouts
The SetTimeouts method specifies the individual time-out components of a send/receive operation, in milliseconds.
Syntax
SetTimeouts( ResolveTimeout, ConnectTimeout, SendTimeout, ReceiveTimeout )
ResolveTimeout: Value of type Integer integer. Time-out value applied when resolving a host name (such as www.microsoft.com) to an IP address (such as 192.168.131.199), in milliseconds. The default value is zero, meaning no time-out (infinite). If DNS timeout is specified using NAME_RESOLUTION_TIMEOUT, there is an overhead of one thread per request.
ConnectTimeout: Value of type Integer integer. Time-out value applied when establishing a communication socket with the target server, in milliseconds. The default value is 60,000 (60 seconds).
SendTimeout: Value of type Integer integer. Time-out value applied when sending an individual packet of request data on the communication socket to the target server, in milliseconds. A large request sent to an HTTP server are normally be broken up into multiple packets; the send time-out applies to sending each packet individually. The default value is 30,000 (30 seconds).
ReceiveTimeout: Value of type Integer integer. Time-out value applied when receiving a packet of response data from the target server, in milliseconds. Large responses are be broken up into multiple packets; the receive time-out applies to fetching each packet of data off the socket. The default value is 30,000 (30 seconds).
Remarks
All parameters are required. A value of 0 or -1 sets a time-out to wait infinitely. A value greater than 0 sets the time-out value in milliseconds. For example, 30,000 would set the time-out to 30 seconds. All negative values other than -1 cause this method to fail.
Time-out values are applied at the Winsock layer.
Example
The following example shows how to set all WinHTTP time-outs to 30 seconds, open an HTTP connection, and send an HTTP request.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Set time-outs. If time-outs are set, they must
// be set before open.
WinHttpReq.SetTimeouts(30000, 30000, 30000, 30000);
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", false);
// Send the HTTP request.
WinHttpReq.Send();
WaitForResponse()
The WaitForResponse method waits for an asynchronous Send method to complete, with optional time-out value, in seconds.
Syntax
Return Value = WaitForResponse( Timeout = -1)
Timeout: Time-out value, in seconds. Default time-out is infinite. To explicitly set time-out to infinite, use the value -1.
Return Value: True=A response has been received. False=A time-out error occurred.
Remarks
This method suspends execution while waiting for a response to an asynchronous request. This method should be called after a Send. Calling applications can specify an optional Timeout value, in seconds. If this method times out, the request is not aborted. This way, the calling application can continue to wait for the request, if desired, in a subsequent call to this method.
Calling this property after a synchronous Send method returns immediately and has no effect.
Example Code
This example shows how to open an asynchronous HTTP connection, send an HTTP request, wait for a response, and read the response text.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", true);
// Send the HTTP request.
WinHttpReq.Send();
// Wait for the response.
WinHttpReq.WaitForResponse();
// Display the response text.
WScript.Echo( WinHttpReq.ResponseText);
WinHttp Properties
WinHttp Events
----
http://msdn.microsoft.com/en-us/library/aa384106.aspx#events
WinHttpRequest Object
This topic provides information about using the WinHTTP WinHttpRequest COM object with scripting languages.
Members
The WinHttpRequest object has the following types of members:
Events
Methods
Properties
Events
The WinHttpRequest object has the following events.
Event Description
OnError
Occurs when there is a run-time error in the application.
OnResponseDataAvailable
Occurs when data is available from the response.
OnResponseFinished
Occurs when the response data is complete.
OnResponseStart
Occurs when the response data starts to be received.
Methods
The WinHttpRequest object has the following methods.
Method Description
Abort
Aborts a WinHTTP Send method.
GetAllResponseHeaders
Retrieves all HTTP response headers.
GetResponseHeader
Retrieves the HTTP response headers.
Open
Opens an HTTP connection to an HTTP resource.
Send
Sends an HTTP request to an HTTP server.
SetAutoLogonPolicy
Sets the current Automatic Logon Policy.
SetClientCertificate
Selects a client certificate to send to a Secure Hypertext Transfer Protocol (HTTPS) server.
SetCredentials
Sets credentials to be used with an HTTP server—either an origin or a proxy server.
SetProxy
Sets proxy server information.
SetRequestHeader
Adds, changes, or deletes an HTTP request header.
SetTimeouts
Specifies, in milliseconds, the individual time-out components of a send/receive operation.
WaitForResponse
Specifies the wait time, in seconds, for an asynchronous Send method to complete, with optional time-out value.
Properties
The WinHttpRequest object has the following properties.
Property Access type Description
Option
Read/write
Sets or retrieves a WinHTTP option value.
ResponseBody
Read-only
Retrieves the response entity body as an array of unsigned bytes.
ResponseStream
Read-only
Retrieves the response entity body as an IStream.
ResponseText
Read-only
Retrieves the response entity body as text.
Status
Read-only
Retrieves the HTTP status code from the last response.
StatusText
Read-only
Retrieves HTTP status text.
Remarks
The WinHttpRequest object uses the IErrorInfo interface to provide error data. A description and numerical error value can be obtained with the Err object in Microsoft Visual Basic Scripting Edition (VBScript), and the Error object in Microsoft JScript. The lower 16 bits of an error number correspond to the values found in Error Messages.
Note For Windows XP and Windows 2000, see Run-Time Requirements.
Requirements
Minimum supported client
Windows XP, Windows 2000 Professional with SP3
Minimum supported server
Windows Server 2003, Windows 2000 Server with SP3
Redistributable
WinHTTP 5.0 and Internet Explorer 5.01 or later on Windows XP and Windows 2000.
IDL
HttpRequest.idl
Library
Winhttp.lib
DLL
Winhttp
无意间发现公司内部项目使用的 paypal 扣款程序里面有 WinHttp.WinHttpRequest.5.1 对象,它负责把客户的信用卡信息提交到 paypal 的服务器,看来是一个核心的远程访问方法,google一下发现它居然用可以成功伪造所有 http 请求的 header 信息!下面的代码通过伪造 referer 的值,假装从百度首页提交一个表单到指定的 url 去:
var url = "http://www.yourtarget.com";
var param = "name=david&age=30";
var obj = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
obj.Open("POST", url, false);
obj.Option(4) = 13056;
obj.Option(6) = false; //false可以不自动跳转,截取服务端返回的302状态。
obj.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
obj.setRequestHeader("Referer", "http://www.baidu.com");
obj.Send(param);
WScript.Echo(obj.responseText);
保存为 xxx.js 文件,在命令行中运行 cscript.exe xxx.js。
从msdn得知,WinHttp.WinHttpRequest.5.1 是 msxml 4.0 的底层对象,也就是说 XMLHTTP/ServerXMLHTTP 也是在它的基础上封装而来。用 WinHttpRequest 发的请求,连 Fiddler 也监测不到,看来确实是比较底层的东西。
---------------------------邪恶的分割线------------------------
既然可以用它来伪造所有 http 请求的 header,那 Cookies、Sessionid 自然也就可以得到并传递了。下面是实战代码,用命令行登录博客园,共三次请求,第一次请求获取表单的 VIEWSTATE 和 EVENTVALIDATION,第二次带账户登录,第三次带Cookie访问其首页:
//封装成远程访问的函数
function RemoteCall(method, url, param, header){
var obj = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
obj.Open(method||"GET", url, false);
obj.Option(4) = 13056;
obj.Option(6) = false;
if(method=="POST"){
obj.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
}
if(header){
for(var key in header){
if(key=="Cookie"){//根据 MSDN 的建议,设置Cookie前,先设置一个无用的值
obj.setRequestHeader("Cookie", "string");
}
obj.setRequestHeader(key, header[key]);
}
}
obj.Send(param);
return obj;
}
//第一次远程访问博客园的登录入口
var url = "http://passport.cnblogs.com/login.aspx";
var objFirst = RemoteCall("GET", url, null);
//取得 viewstate 与 eventvalidation
var viewstate = objFirst.responseText.match(/id="__VIEWSTATE" value="(.*?)" \/>/)[1];
var eventvalidation = objFirst.responseText.match(/id="__EVENTVALIDATION" value="(.*?)" \/>/)[1];
//输入自己的账户与密码
var username = "";
var password = "";
var param = ""
+ "__VIEWSTATE="+encodeURIComponent(viewstate)
+ "&__EVENTVALIDATION="+encodeURIComponent(eventvalidation)
+ "&tbUserName="+username
+ "&tbPassword="+password
+ "&btnLogin="+encodeURIComponent("登 录");
var objSecond = RemoteCall("POST", url, param);
//登录成功后服务器执行 Response.Redirect 跳转,即向客户端发送了 302 状态代码
WScript.Echo(objSecond.status); //302即登录成功, 如果是200,则登录失败,页面没有跳转
//带上登录成功后的cookie,再次访问其首页
var json = {"Cookie": objSecond.getResponseHeader("Set-Cookie")};
var objThird = RemoteCall("GET", "http://www.cnblogs.com", null, json);
WScript.Echo(objThird.responseText);
上面的代码其实已经有一定恶意,我只为证明使用 WinHttpRequest 确实可以模拟浏览器发送请求,服务端也无法区别是从浏览器来的,还是从命令行来的。这证明到一点,从客户端提交来的任何数据都不可信,因为发送的 http 数据包不但表单值可以修改,连数据包的header都可以随意修改。同时也说明,使用 VIEWSTATE 对表单的安全性无任何用处。
引用一张著名的漫画,在互联网上,没有人知道你是一条狗。在服务端,没有人知道你是从命令行发送出来的。
-------------- 评论
精彩的处理方式。是原创吗?
obj.Option(4) = 13056;
obj.Option(6) = false;
这两个难道是 WinHttp.WinHttpRequest.5.1 方法自带的吗 ?
WinHttpRequest是从paypal接口中发现的。谈不上原创。
WinHttpRequest.Option 的取值有(从0开始计算):
WinHttpRequestOption_UserAgentString,
WinHttpRequestOption_URL,
WinHttpRequestOption_URLCodePage,
WinHttpRequestOption_EscapePercentInURL,
WinHttpRequestOption_SslErrorIgnoreFlags,
WinHttpRequestOption_SelectCertificate,
WinHttpRequestOption_EnableRedirects,
WinHttpRequestOption_UrlEscapeDisable,
WinHttpRequestOption_UrlEscapeDisableQuery,
WinHttpRequestOption_SecureProtocols,
WinHttpRequestOption_EnableTracing,
WinHttpRequestOption_RevertImpersonationOverSsl,
WinHttpRequestOption_EnableHttpsToHttpRedirects,
WinHttpRequestOption_EnablePassportAuthentication,
WinHttpRequestOption_MaxAutomaticRedirects,
WinHttpRequestOption_MaxResponseHeaderSize,
WinHttpRequestOption_MaxResponseDrainSize,
WinHttpRequestOption_EnableHttp1_1,
WinHttpRequestOption_EnableCertificateRevocationCheck
------------------- 附属文档
http://msdn.microsoft.com/en-us/library/aa383147%28v=vs.85%29.aspx
Authentication Using Script
This section demonstrates how to write script that uses the WinHttpRequest object to access data from a server that requires HTTP authentication.
Prerequisites and Requirements
Accessing a Web Site With Authentication
Checking the Status Codes
Related Topics
Prerequisites and Requirements
In addition to a working knowledge of Microsoft JScript, this example requires the following:
The current version of the Microsoft Windows Software Development Kit (SDK).
The proxy configuration tool to establish the proxy settings for Microsoft Windows HTTP Services (WinHTTP), if your connection to the Internet is through a proxy server. See Proxycfg.exe, a Proxy Configuration Tool for more information.
A familiarity with network terminology and concepts.
Accessing a Web Site With Authentication
Aa383147.wedge(en-us,VS.85).gifTo create a script that demonstrates authentication, do the following:
Open a text editor such as Microsoft Notepad.
Copy the following code into the text editor after replacing "[authenticationSite]" with the appropriate text to specify the URL of a site that requires HTTP authentication.
// Load the WinHttpRequest object.
var WinHttpReq =
new ActiveXObject("WinHttp.WinHttpRequest.5.1");
function getText1( )
{
// Specify the target resource.
WinHttpReq.open( "GET",
"http://[authenticationSite]",
false;
// Send a request to the server and wait for a response.
WinHttpReq.send( );
// Display the results of the request.
WScript.Echo( "No Credentials: " );
WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText);
WScript.Echo( WinHttpReq.GetAllResponseHeaders);
WScript.Echo( );
};
function getText2( )
{
// HttpRequest SetCredentials flags
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER = 0;
// Specify the target resource.
WinHttpReq.open( "GET",
"http://[authenticationSite]",
false );
// Set credentials for server.
WinHttpReq.SetCredentials( "User Name",
"Password",
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
// It might also be necessary to supply credentials
// to the proxy if you connect to the Internet
// through a proxy that requires authentication.
// Send a request to the server and wait for
// a response.
WinHttpReq.send( );
// Display the results of the request.
WScript.Echo( "Credentials: " );
WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText );
WScript.Echo( WinHttpReq.GetAllResponseHeaders( ) );
WScript.Echo( );
};
getText1( );
getText2( );
Save the file as "Auth.js".
From a command prompt, type "cscript Auth.js" and press ENTER.
You now have a program that requests a resource two different ways. The first method requests the resource without supplying credentials. A 401 status code is returned to indicate that the server requires authentication. The response headers are also displayed and should look similar to the following:
Connection: Keep-Alive
Content-Length: 0
Date: Fri, 27 Apr 2001 01:47:18 GMT
Content-Type: text/html
Server: Microsoft-IIS/5.0
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
Cache-control: private
Although the response indicates that access to the resource was denied, it still returns several headers that provide some information about the resource. The header named "WWW-Authenticate" indicates that the server requires authentication for this resource. If there was a header named "Proxy-Authenticate", it would indicate that the proxy server requires authentication. Each authenticate header contains an available authentication scheme and sometimes a realm. The realm value is case-sensitive and defines a set of servers or proxies for which the same credentials should be accepted.
There are two headers named "WWW-Authenticate", which indicate that multiple authentication schemes are supported. If you call the GetResponseHeader method to find "WWW-Authenticate" headers, the method only returns the contents of the first header of that name. In this case, it returns a value of "NTLM". To ensure that all occurrences of a header are processed, use the GetAllResponseHeaders method instead.
The second method call requests the same resource, but first supplies authentication credentials by calling the SetCredentials method. The following section of code shows how this method is used.
WinHttpReq.SetCredentials( "User Name", "Password",
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
This method sets the user name to "UserName", the password to "Password", and indicates that the authorization credentials apply to the resource server. Authentication credentials can also be sent to a proxy.
When credentials are supplied, the server returns a 200 status code that indicates that the document can be retrieved.
Checking the Status Codes
The previous example is instructional, but it requires that the user explicitly supply credentials. An application that supplies credentials when it is necessary and does not supply credentials when it is not necessary is more useful. To implement a feature that does this, you must modify your example to examine the status code returned with the response.
For a complete list of possible status codes, along with descriptions, see HTTP Status Codes. For this example, however, you should encounter only one of three codes. A status code of 200 indicates that a resource is available and is being sent with the response. A status code of 401 indicates that the server requires authentication. A status code of 407 indicates that the proxy requires authentication.
Modify the example you created in the last section by replacing the "getText2" function with the following code (replace "[authenticationSite]" with your own text to specifies the URL of a site that requires HTTP authentication):
function getText2() {
WScript.Echo( "Credentials: " );
// HttpRequest SetCredentials flags.
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER = 0;
HTTPREQUEST_SETCREDENTIALS_FOR_PROXY = 1;
// Specify the target resource.
var targURL = "http://[authenticationSite]";
WinHttpReq.open( "GET", targURL, false );
var Done = false;
var Attempts = 0;
do
{
// Keep track of the number of request attempts.
Attempts++;
// Send a request to the server and wait for a response.
WinHttpReq.send( );
// Obtain the status code from the response.
var Status = WinHttpReq.Status;
switch (Status)
{
// A 200 status indicates that the resource was retrieved.
case 200:
Done = true;
break;
// A 401 status indicates that the server
// requires authentication.
case 401:
WScript.Echo( "Requires Server UserName and Password." );
// Specify the target resource.
WinHttpReq.open( "GET", targURL, false );
// Set credentials for the server.
WinHttpReq.SetCredentials( "User Name",
"Password",
HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
break;
// A 407 status indicates that the proxy
// requires authentication.
case 407:
WScript.Echo( "Requires Proxy UserName and Password." );
// Specify the target resource.
WinHttpReq.open( "GET", targURL, false );
// Set credentials for the proxy.
WinHttpReq.SetCredentials( "User Name",
"Password",
HTTPREQUEST_SETCREDENTIALS_FOR_PROXY );
break;
}
} while( ( !Done ) && ( Attempts < 3 ) );
// Display the results of the request.
WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText );
WScript.Echo( WinHttpReq.GetAllResponseHeaders( ) );
WScript.Echo( );
};
Again, save and run the file. The second method still retrieves the document, but it only provides credentials when required. The "getText2" function executes the Open and Send methods as if authentication was not required. The status is retrieved with the Status property and a switch statement responds to the resulting status code. If the status is 401 (server requires authentication) or 407 (proxy requires authentication), the Open method is executed again. This is followed by the SetCredentials method, which sets the user name and password. The code then loops back to the Send method. If, after three attempts, the resource cannot be successfully retrieved, then the function stops execution.
Related Topics
Authentication in WinHTTP
WinHttpRequest
SetCredentials
HTTP/1.1 Request for Comments (RFC 2616)
Send comments about this topic to Microsoft
Build date: 7/14/2011
---
http://www.neilstuff.com/winhttp/
I got tired of waiting for MSDN as a reference to using the WinHttp ActiveXObject, so I'm transcribing things here. Visit MSDN's WinHttpRequest Object Reference for the original content.
WinHttp.WinHttpRequest.5.1
Methods of WinHttp
Abort: Aborts a WinHTTP Send method.
GetAllResponseHeaders: Retrieves all HTTP response headers.
GetResponseHeader: Retrieves the HTTP response headers.
Open: Opens an HTTP connection to an HTTP resource.
Send: Sends an HTTP request to an HTTP server.
SetAutoLogonPolicy: Sets the current Automatic Logon Policy.
SetClientCertificate: Selects a client certificate to send to a Secure Hypertext Transfer Protocol (HTTPS) server.
SetCredentials: Sets credentials to be used with an HTTP server梕ither an origin or a proxy server.
SetProxy: Sets proxy server information.
SetRequestHeader: Adds, changes, or deletes an HTTP request header.
SetTimeouts: Specifies, in milliseconds, the individual time-out components of a send/receive operation.
WaitForResponse: Specifies the wait time, in seconds, for an asynchronous Send method to complete, with optional time-out value.
Properties of WinHttp
Option: Sets or retrieves a WinHTTP option value.
ResponseBody: Retrieves the response entity body as an array of unsigned bytes.
ResponseStream: Retrieves the response entity body as an IStream.
ResponseText: Retrieves the response entity body as a string.
Status: Retrieves the HTTP status code from the last response.
StatusText: Retrieves HTTP status text.
Events of WinHttp
OnError: Occurs when there is a run-time error in the application.
OnResponseDataAvailable: Occurs when data is available from the response.
OnResponseFinished: Occurs when the response data is complete.
OnResponseStart: Occurs when the response data starts to be received.
WinHttp Methods
GetResponseHeader
The GetResponseHeader method gets the HTTP response headers.
Return Value = GetResponseHeader( *bstrHeader )
* = Required
Syntax
sHeader: A value of type string that specifies the case-insensitive header name.
Return Value: This method returns the value of the response header named in bstrHeader.
Remarks
Invoke this method only after the Send method has been called.
Example
The following code example shows how to open an HTTP connection, send an HTTP request, and get the date header from the response.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET",
"http://www.microsoft.com",
false);
// Send the HTTP request.
WinHttpReq.Send();
// Display the date header.
WScript.Echo( WinHttpReq.GetResponseHeader("Date"));
Open
The Open method opens an HTTP connection to an HTTP resource.
Syntax
Open( *bstrMethod, *bstrUrl, varAsync = false )
* = Required.
bstrMethod: A value of type string that specifies the HTTP verb used for the Open method, such as "GET" or "PUT". Always use uppercase as some servers ignore lowercase HTTP verbs.
bstrUrl: A value of type string that contains the name of the resource. This must be an absolute URL.
varAsync: A value of type Boolean that specifies whether to open in asynchronous mode. True=Opens the HTTP connection in asynchronous mode.
Remarks
This method opens a connection to the resource identified in bstrUrl using the HTTP verb given in bstrMethod.
Example Code
The following code example shows how to open an HTTP connection, send an HTTP request, and read the response text.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", false);
// Send the HTTP request.
WinHttpReq.Send();
// Display the response text.
WScript.Echo( WinHttpReq.ResponseText);
Send()
Syntax
The Send method sends an HTTP request to an HTTP server.
Send( varBody )
varBody: Data to be sent to the server.
Remarks
The request to be sent was defined in a prior call to the Open method. The calling application can provide data to be sent to the server through the varBody parameter. If the HTTP verb of the object's Open is "GET", this method sends the request without varBody, even if it is provided by the calling application.
Example Code
The following example shows how to open an HTTP connection, send an HTTP request, and read the response text.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", false);
// Send the HTTP request.
WinHttpReq.Send();
// Display the response text.
WScript.Echo( WinHttpReq.ResponseText);
The following example shows how to post data to an HTTP server.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("PUT", "http://postserver/newdoc.htm", false);
// Post data to the HTTP server.
WinHttpReq.Send("Post data");
SetTimeouts
The SetTimeouts method specifies the individual time-out components of a send/receive operation, in milliseconds.
Syntax
SetTimeouts( ResolveTimeout, ConnectTimeout, SendTimeout, ReceiveTimeout )
ResolveTimeout: Value of type Integer integer. Time-out value applied when resolving a host name (such as www.microsoft.com) to an IP address (such as 192.168.131.199), in milliseconds. The default value is zero, meaning no time-out (infinite). If DNS timeout is specified using NAME_RESOLUTION_TIMEOUT, there is an overhead of one thread per request.
ConnectTimeout: Value of type Integer integer. Time-out value applied when establishing a communication socket with the target server, in milliseconds. The default value is 60,000 (60 seconds).
SendTimeout: Value of type Integer integer. Time-out value applied when sending an individual packet of request data on the communication socket to the target server, in milliseconds. A large request sent to an HTTP server are normally be broken up into multiple packets; the send time-out applies to sending each packet individually. The default value is 30,000 (30 seconds).
ReceiveTimeout: Value of type Integer integer. Time-out value applied when receiving a packet of response data from the target server, in milliseconds. Large responses are be broken up into multiple packets; the receive time-out applies to fetching each packet of data off the socket. The default value is 30,000 (30 seconds).
Remarks
All parameters are required. A value of 0 or -1 sets a time-out to wait infinitely. A value greater than 0 sets the time-out value in milliseconds. For example, 30,000 would set the time-out to 30 seconds. All negative values other than -1 cause this method to fail.
Time-out values are applied at the Winsock layer.
Example
The following example shows how to set all WinHTTP time-outs to 30 seconds, open an HTTP connection, and send an HTTP request.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Set time-outs. If time-outs are set, they must
// be set before open.
WinHttpReq.SetTimeouts(30000, 30000, 30000, 30000);
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", false);
// Send the HTTP request.
WinHttpReq.Send();
WaitForResponse()
The WaitForResponse method waits for an asynchronous Send method to complete, with optional time-out value, in seconds.
Syntax
Return Value = WaitForResponse( Timeout = -1)
Timeout: Time-out value, in seconds. Default time-out is infinite. To explicitly set time-out to infinite, use the value -1.
Return Value: True=A response has been received. False=A time-out error occurred.
Remarks
This method suspends execution while waiting for a response to an asynchronous request. This method should be called after a Send. Calling applications can specify an optional Timeout value, in seconds. If this method times out, the request is not aborted. This way, the calling application can continue to wait for the request, if desired, in a subsequent call to this method.
Calling this property after a synchronous Send method returns immediately and has no effect.
Example Code
This example shows how to open an asynchronous HTTP connection, send an HTTP request, wait for a response, and read the response text.
// Instantiate a WinHttpRequest object.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// Initialize an HTTP request.
WinHttpReq.Open("GET", "http://www.microsoft.com", true);
// Send the HTTP request.
WinHttpReq.Send();
// Wait for the response.
WinHttpReq.WaitForResponse();
// Display the response text.
WScript.Echo( WinHttpReq.ResponseText);
WinHttp Properties
WinHttp Events
----
http://msdn.microsoft.com/en-us/library/aa384106.aspx#events
WinHttpRequest Object
This topic provides information about using the WinHTTP WinHttpRequest COM object with scripting languages.
Members
The WinHttpRequest object has the following types of members:
Events
Methods
Properties
Events
The WinHttpRequest object has the following events.
Event Description
OnError
Occurs when there is a run-time error in the application.
OnResponseDataAvailable
Occurs when data is available from the response.
OnResponseFinished
Occurs when the response data is complete.
OnResponseStart
Occurs when the response data starts to be received.
Methods
The WinHttpRequest object has the following methods.
Method Description
Abort
Aborts a WinHTTP Send method.
GetAllResponseHeaders
Retrieves all HTTP response headers.
GetResponseHeader
Retrieves the HTTP response headers.
Open
Opens an HTTP connection to an HTTP resource.
Send
Sends an HTTP request to an HTTP server.
SetAutoLogonPolicy
Sets the current Automatic Logon Policy.
SetClientCertificate
Selects a client certificate to send to a Secure Hypertext Transfer Protocol (HTTPS) server.
SetCredentials
Sets credentials to be used with an HTTP server—either an origin or a proxy server.
SetProxy
Sets proxy server information.
SetRequestHeader
Adds, changes, or deletes an HTTP request header.
SetTimeouts
Specifies, in milliseconds, the individual time-out components of a send/receive operation.
WaitForResponse
Specifies the wait time, in seconds, for an asynchronous Send method to complete, with optional time-out value.
Properties
The WinHttpRequest object has the following properties.
Property Access type Description
Option
Read/write
Sets or retrieves a WinHTTP option value.
ResponseBody
Read-only
Retrieves the response entity body as an array of unsigned bytes.
ResponseStream
Read-only
Retrieves the response entity body as an IStream.
ResponseText
Read-only
Retrieves the response entity body as text.
Status
Read-only
Retrieves the HTTP status code from the last response.
StatusText
Read-only
Retrieves HTTP status text.
Remarks
The WinHttpRequest object uses the IErrorInfo interface to provide error data. A description and numerical error value can be obtained with the Err object in Microsoft Visual Basic Scripting Edition (VBScript), and the Error object in Microsoft JScript. The lower 16 bits of an error number correspond to the values found in Error Messages.
Note For Windows XP and Windows 2000, see Run-Time Requirements.
Requirements
Minimum supported client
Windows XP, Windows 2000 Professional with SP3
Minimum supported server
Windows Server 2003, Windows 2000 Server with SP3
Redistributable
WinHTTP 5.0 and Internet Explorer 5.01 or later on Windows XP and Windows 2000.
IDL
HttpRequest.idl
Library
Winhttp.lib
DLL
Winhttp
发表评论
-
RESTful API 编写指南
2016-06-14 11:12 5094基于一些不错的RESTful ... -
谈冷热数据
2015-07-20 11:13 6093http://jishu.zol.com.cn/11379. ... -
贺岁文:部门正副经理之争
2015-01-29 11:57 1129http://blog.csdn.net/shenyisyn ... -
只能通过chrome网上应用商店安装该程序”的解决方法
2014-10-09 13:09 6077自 Chrome 21.x 开始默认只允许从 Chrome ... -
nginx同一iP多域名配置方法
2014-06-03 13:48 2626nginx绑定多个域名可又把多个域名规则写一个配置文件里,也 ... -
风车网陈晓峰回忆录:我的两个月倒闭史
2014-05-27 16:09 1270http://tech2ipo.com/54719 ... -
Debugging and Profiling PHP with Xdebug
2014-04-15 12:10 1662http://www.sitepoint.com/debug ... -
XHProf 中文文档
2014-04-15 11:26 1395XHProf文件(草稿) 翻译:徐 ... -
让普通用户登录phpmyadmin不显示information_schema
2014-02-13 16:54 1862http://www.cnblogs.com/faily20 ... -
apache2.2+svn1.6+TortoiseSVN在windows环境搭建
2013-12-21 21:58 4405今天空闲时间对SVN服务器端和客户端环境做了搭建,并且成功了 ... -
MiniCMS - 吐槽
2013-10-22 10:58 1379看到的深有感触, ... -
MySQL 数据库通过日志恢复
2013-08-14 17:09 1037http://blog.csdn.net/hanxin198 ... -
使用文件函数操作Memcache
2013-08-12 18:21 1469写道 最近一周,SAE又悄悄的上线了一个新功能.那就是开始 ... -
转 总结过去10年
2013-08-10 11:17 1080下面的好文 担心原作者删帖 转到此处吧 http:/ ... -
SAET SQL_CALC_FOUND_ROWS 问题
2013-07-20 14:22 2241上午遇到 应用数据查不到的问题,但是 数据库中明明 ... -
问一下使用struts的同学们,你们这些年,是怎么过来的?
2013-07-20 12:04 1310by 空虚浪子心 http://www.inbreak.ne ... -
杂谈产品灰度上线的研发模式
2013-05-13 13:45 1700写道 传统的产品研发 ... -
正则表达式口诀
2013-04-12 14:38 1396写道 来源:蓝血正则 ... -
Emacs 快速指南
2013-04-09 17:51 2270您正在阅读 Emacs 快速指南(Emacs tutorial ... -
推荐几个技术博客,持续更新中...
2013-03-18 10:07 3245推荐几个技术博客,我整理了一下googlereader的订 ...
相关推荐
php 伪造IP和HTTP-REFERER的方法,对于采集,匿名投票等很有用处
主要介绍了流量统计器如何鉴别C#:WebBrowser中伪造referer,需要的朋友可以参考下
主要介绍了php采用curl实现伪造IP来源的方法,主要涉及使用curl的CURLOPT_REFERER参数实现该功能,需要的朋友可以参考下
主要介绍了php使用curl伪造来源ip和refer的方法,涉及curl参数设置伪造来源相关操作技巧,需要的朋友可以参考下
代理IP、伪造IP、随机IP、伪造user-agent、伪造referer来路、自定义cookie,以便应对防采集措施 url地址加密转换,个性化url,让你的url地址与众不同 关键词内链功能 ftp上传需使用二进制上传方式,方法请百度 ...
//伪造IP curl_setopt($ch, CURLOPT_USERAGENT, $ua); // 伪造ua curl_setopt($ch, CURLOPT_ENCODING, 'gzip'); // 取消gzip压缩 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // https请求 不验证证书...
·代理IP、伪造IP、随机IP、伪造user-agent、伪造referer来路、自定义cookie,以便应对防采集措施 ·url地址加密转换,个性化url,让你的url地址与众不同 ·关键词内链功能 ·插件机制,内容灵活控制 ·还有更多功能...
2、加入了X-Forwarded-For,Client-IP的指定IP段随机伪造。 3、验证码识别支持自定义HTTP请求头部,再也不怕要Referer才能获取验证码等情况了。 4、可以添加批量代理服务器,Fuzz时轮询使用HTTP代理。 5、自动识别...
如果题目中遇到只能某某ip才能访问(ip伪造),修改或添加http请求头的X-Forwarded-For为题目允许的Ip地址,实验室:本地的诱惑 题目中说为了外国人的话:确保Accept-Language中有en-US 没有就自己加,如果说了只为了...
刷票行为,一直以来都是个难题,无法从根本上防止。 但是我们可以尽量减少刷票的伤害,比如:通过人为增加的逻辑限制。 ...1、使用CURL进行信息伪造 $ch = curl_init();...curl_setopt($ch, CURLOPT_REFERER, “ht
Function ProxyPage(url) Set Retrieval = CreateObject(“MSXML2.ServerXMLHTTP.5.0”) With ...”http://www.baidu.com/” ‘伪造referer .Send ProxyPage = BytesToBstr(.ResponseBody) End With Set Retrieval =