CRLF injection principle

CRLF refers to the pair carriage return (CR, ASCII 13, \r, %0d) and line feed (LF, ASCII 10, \n, %0a). The operating system treats these characters as the line break; pressing the Enter key produces them as output, but Windows and Linux do not recognise the same sequence as a line ending.

In HTTP, the headers and the body are separated by a CRLF. If an attacker can inject CRLF control characters into the HTTP message header, they can inject additional headers such as a session cookie, and even inject HTML code; for this reason CRLF injection is also called HTTP Response Splitting, abbreviated HRS. CRLF vulnerabilities can lead to cookie session fixation and reflected XSS (which can bypass a WAF). XSS use: two consecutive %0d%0a sequences produce the separation between the header and the body, after which code can be inserted to form a reflected XSS vulnerability.


Test

Detecting a CRLF injection vulnerability is much like detecting an XSS vulnerability: modify a parameter in the HTTP URL, inject a malicious CRLF, and check whether the malicious data is emitted in the response headers. Look mainly at redirects and other places that jump to a URL; append the payload to the jump address, e.g. ?url=http://baidu.com/xxx%0a%0dSet-Cookie: test123=123, send the packet and check the result in the response.

GET /index.php?c=rpzy&a=query&type=all&value=123&datatype=json&r=X1MU6E86%0a%0dSet-Cookie: test123=123 HTTP/1.1
Host: www.xxxxyou.net

Here the attempt did not succeed; if it had, the response packet would contain an extra header line Set-Cookie: test123=123.


Principle Analysis

The precondition for an HRS vulnerability is that characters from the URL input influence the response headers, for example a redirect built from the URL; there you can try %0d%0a as the CRLF.

Sites typically perform a 302 redirect by adding a header of the form Location: http://baidu.com to the HTTP response, so if we control the URL that follows Location: we can pollute that header.

Assume the server-side (PHP) handling is:

// $_COOKIE is an array, so the key is read with square brackets
if($_COOKIE["security_level"] == 1)
{
    // the url parameter is spliced into the Location header without any filtering
    header("Location: ". $_GET['url']);
    exit;
}

This code means that when the condition is satisfied, the value of the url parameter from the request is spliced onto the Location string, and the resulting header is sent in the response to the client.

At this point the url parameter value received by the server, after our modification, is:
http://baidu.com/xxx%0a%0dSet-Cookie: test123=123

After the parameter value is spliced onto the Location string and the response headers are set, the response will carry the header:
Set-Cookie: test123=123


Fix

Before the server appends a parameter received from the front end to Location, it needs to filter out line terminators such as \r and \n, so that the input data cannot contaminate other HTTP header fields.
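The splice described in the Principle Analysis section and the filter recommended just above, as an added Python model that is not the post's own PHP code. It uses the %0d%0a order named in the principle section and the Set-Cookie: test123=123 payload from the post; the function names and the 400 response for rejected input are my own choices.

```python
from urllib.parse import unquote

# Constructed sample: the post's url parameter, URL-encoded as it travels in the request line.
INJECTED_PARAM = "http://baidu.com/xxx%0d%0aSet-Cookie: test123=123"
BENIGN_PARAM = "http://baidu.com/xxx"


def build_redirect_naively(url_param):
    """Model of header("Location: " . $_GET['url']) with no filtering.

    The server URL-decodes the parameter first, so %0d%0a becomes a real CR LF
    and the text after it lands on its own header line in the response.
    """
    location = unquote(url_param)
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\nContent-Length: 0\r\n\r\n"


def build_redirect_safely(url_param):
    """Hardened handler: refuse any redirect target that still carries CR or LF after decoding."""
    location = unquote(url_param)
    if "\r" in location or "\n" in location:
        # Rejecting is stricter than stripping: a stripped value would still reach the
        # Location header with attacker-chosen text glued onto the end of the URL.
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\nContent-Length: 0\r\n\r\n"


def parse_header_block(raw_response):
    """Split the head of a raw response into {lower-cased name: value}; every CRLF ends a header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    _status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def response_has_injected_header(raw_response, name="set-cookie"):
    """The check from the post's test: a header the handler never sets shows up in the response."""
    return name in parse_header_block(raw_response)


if __name__ == "__main__":
    naive = build_redirect_naively(INJECTED_PARAM)
    print("naive handler leaks Set-Cookie:", response_has_injected_header(naive))    # True
    safe = build_redirect_safely(INJECTED_PARAM)
    print("hardened handler leaks Set-Cookie:", response_has_injected_header(safe))  # False
```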



Origin www.cnblogs.com/mysticbinary/p/12560080.html