How do I set the HTTP Host header when penetration testing a web application?
https://github.com/nodejs/node/issues/20275
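/**
 * Host-header forgery check (original title: "forged Host attack test").
 *
 * Sends one raw HTTP/1.1 POST to the target whose Host header is a fixed
 * marker value instead of the real host, then looks for that marker in the
 * response: first in the parsed `location` header, then inside an HTML tag
 * that contains `http://<marker>`. A hit is recorded under g_oRst["host"].
 *
 * What a finding means for the application owner: the server builds URLs
 * from the client-supplied Host header. The usual remediation is to accept
 * only configured host names and to build absolute URLs from server-side
 * configuration rather than from the request.
 *
 * Relies on names defined outside this function: bRunHost, urlObj (presumably
 * Node's legacy `url` module — confirm), program, fnCheckJavaFx, fnSocket,
 * fnParseHttpHd, g_oRst, szMyName, g_szUa and fnLog.
 *
 * @param {string} url   Absolute URL of the target to probe.
 * @param {Function} fnCbk Accepted for interface compatibility; this function
 *                         never invokes it.
 * @returns {void}
 */
function fnDoHostAttack(url, fnCbk) {
  // Shared flag: the check runs at most once, and the flag is never reset here.
  if (bRunHost) return;
  bRunHost = true;
  try {
    const marker = 'I.am.M.T.X.T';
    const target = urlObj.parse(url);
    // NOTE(review): splitting on ":" keeps the original behaviour but cannot
    // handle bracketed IPv6 literals — confirm whether those are in scope.
    const host = target.host.split(/:/)[0];
    // Default port follows the scheme of the URL actually being probed. The
    // previous substring search for "https" in g_szUrl also matched "https"
    // appearing in a path or query string.
    const port = target.port || (target.protocol === 'https:' ? 443 : 80);
    // Drop one trailing slash, but never reduce "/" to an empty request
    // target: "POST  HTTP/1.1" is a malformed request line.
    let path = target.path || '/';
    if (path.length > 1 && path.endsWith('/')) path = path.slice(0, -1);

    if (program.t3) fnCheckJavaFx([host, port].join(':'));

    // NOTE(review): the POST carries neither a body nor Content-Length; some
    // servers may reject it or wait for a body, which would produce no
    // finding rather than a negative result — confirm against fnSocket.
    // NOTE(review): whether fnSocket negotiates TLS on port 443 is not
    // visible from this function.
    const request =
      `POST ${path} HTTP/1.1\r\n` +
      `Host:${marker}\r\n` +
      `User-Agent:Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like ${szMyName}) ${g_szUa} MTX/3.0\r\n` +
      'Content-Type: application/x-www-form-urlencoded\r\n\r\n';

    fnSocket(host, port, request, function (data) {
      const raw = data ? data.toString().trim() : '';
      fnParseHttpHd(raw, function (headers) {
        // des: "forged Host attack test succeeded"
        const finding = { des: '伪造host攻击测试成功' };
        if (headers.location && String(headers.location).includes(marker)) {
          g_oRst['host'] = finding;
          // appended text: ", location returned by the response:"
          finding.des += ', response返回的location:' + headers.location;
        }
        if (!raw.includes(marker)) return;

        // Escape the marker so its dots match literal dots only; unescaped,
        // "I.am.M.T.X.T" also matched look-alike strings and could report a
        // reflection that is not there.
        const escapedMarker = marker.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
        const reflectedTag = new RegExp(
          '(<.*?http:\\/\\/' + escapedMarker + '.*?>)',
          'im'
        ).exec(raw);
        if (reflectedTag) {
          const entry = g_oRst['host'] || finding;
          // code: "the returned markup contains the injected value:"
          // NOTE(review): reflectedTag[1] is raw markup taken from the
          // response; escape it if the result is ever rendered as HTML.
          entry.code = '返回的代码中存在攻击后的代码:' + reflectedTag[1];
          g_oRst['host'] = entry;
        }
      });
    });
  } catch (e) {
    fnLog(e);
  }
}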
https://github.com/hktalent/myhktools