【www.bbyears.com--页面特效】
一、尝试过的URL跳转方法
代码如下echo "";
echo "
echo "<script language="Javascrīpt">window.location.replace="".$url."";";
以上三种方法均无法传递REFERER地址。
二、使用PHP Socket函数伪造REFER
下面是PHP伪造REFERER代码部分,经过测试可以实现REFERER地址传递,其中$url是输入地址。
$uinfo = parse_url($url);//解析URL地址,比如http://111cn.net/archives/1.html
if($uinfo["path"]) //
$data = $uinfo["path"];//这里得到/archives/1.html
else
$data = "/";//默认根
if(!$fsp = @fsockopen($uinfo["host"], (($uinfo["port"]) ? $uinfo["port"] : "80"), $errno, $errstr, 12)){
echo "对不起对方网站暂时无法打开,请您稍后访问:".$uinfo["host"]; exit;
}else{
fputs($fsp, "GET “.$data .” HTTP/1.0rn");//如果是跨站POST提交,可使用POST方法
fputs($fsp, "Host: ".$uinfo["host"]."rn");
fputs($fsp, "Referer: 111cn.netrn");//伪造REFERER地址
fputs($fsp, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)rnrn");
$res="";
while(!feof($fsp)) {
$res.=fgets($fsp, 128);
if(strstr($res,"200 OK")) {
header("Location:$url"); exit;
}
}
}
//如果是301或302状态码可以继续处理
//返回地址大概形式:HTTP/1.1 301 Moved PermanentlynContent-Length: 164nContent-Type: text/htmlnLocation: http://111cn.net/
$arr=explode("n",$res);
$arr=explode(": ",$arr[3]);//Location后面是真实重定向地址
header("location:".$arr[0]);//跳转目标地址
exit;
利用另一种方法 curl)伪造HTTP_REFERER
//PHP(前提是装了curl):
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, "http://www.111cn.net/");
curl_setopt ($ch, CURLOPT_REFERER, "http://www.111cn.net/");
curl_exec ($ch);
curl_close ($ch);
//PHP(不装curl用sock)
$server = "blog.qita.in";
$host = "blog.qita.in";
$target = "/xxx.asp";
$referer = "http://www.baidu.com/"; // Referer
$port = 80;
$fp = fsockopen($server, $port, $errno, $errstr, 30);
if (!$fp)
{
echo "$errstr ($errno)
n";
}
else
{
$out = "GET $target HTTP/1.1rn";
$out .= "Host: $hostrn";
$out .= "Cookie: ASPSESSIONIDSQTBQSDA=DFCAPKLBBFICDAFMHNKIGKEGrn";
$out .= "Referer: $refererrn";
$out .= "Connection: Closernrn";
fwrite($fp, $out);
while (!feof($fp))
{
echo fgets($fp, 128);
}
fclose($fp);
}