
Closed Http injector payload creating reference guide/manual

Status
Not open for further replies.

vnrick

This is my first time posting. I came across this article, so I'm reposting it and adapting it based on what I've researched :) I hope it helps.

Note: if you want to learn more, search Google for "CRLF Injection".

HTTP/S Request Methods

There are a lot of methods, but the most often used are:
- GET
- HEAD
- POST
- DELETE
- TRACE
- CONNECT
- etc

DEFINITION OF TERMS:
[host] = 188.100.100.123 Destination host
[port] = 22 Destination port
[host_port] = 188.100.100.123:22 Destination host and port, separated by a colon (:)
[ssh] = 188.100.100.123:22 SSH server IP and port that you set in settings
[protocol] = HTTP/1.0 or HTTP/1.1 HTTP protocol version
[netData] = CONNECT [host_port] [protocol] Short form of three keywords
[cr] = \r or Carriage Return (CR), U+000D
[lf] = \n or Line Feed (LF), U+000A
[crlf] = \r\n or Carriage Return (CR) (U+000D) followed by Line Feed (LF) (U+000A)
[lfcr] = \n\r LF (U+000A) followed by CR (U+000D)
[crlf][crlf] = \r\n\r\n To indicate the end of the HTTP header

BUG = the bug host (ex. bug.com)

Line Feed means moving one line forward. The code is \n
Carriage Return means moving the cursor to the beginning of the line. The code is \r.

Protocol Version
There are three:
- HTTP/2.0
- HTTP/1.1
- HTTP/1.0
* HTTP/1.1 is usually used in the BUG, while HTTP/1.0 is the protocol to SSH, depending on the type. *

Connection Type
There are two:
[realData] = a connection that has 2 LINES at the end, or [crlf][crlf]

For example, if you're using SSH = CONNECT ipssh: portssh HTTP/1.0[crlf][crlf]
Depending on the type of connection

[NetData] = a connection that does NOT HAVE a LINE at the end. It is usually used to add other payloads such as "Host: bug.com, Connection: Keep-Alive", etc.

For example, if you're using "SSH = CONNECT ipssh: portssh HTTP/1.0" and if it was followed by the BUG (Host: bug.com) then:
CONNECT ipssh: portssh HTTP/1.0[crlf]Host: bug.com[crlf][crlf]

Depending on the type of CONNECTION: if it is followed by a BUG, then 1 new LINE ([crlf]) is added, and the BUG that follows ends in 2 LINES ([crlf][crlf]).

Injection Method
Injection method is divided into 5 types:
- Normal
- Front Inject
- Back Inject
- Front Query
- Back Query

Injection Method Defined
Normal
Means that the connection is placed at the beginning and then followed by the BUG (Host: bug.com) payload with 1 LINE [crlf]

Example 1:
[netData][crlf]Host: bug.com[crlf][crlf]

Example 2:
CONNECT ipssh: portssh HTTP/1.0 [crlf] Host: bug.com [crlf][crlf]
GREEN = SSH connections consist of METHOD ip and port with protocol version HTTP / 1.0
ORANGE = Bug

Front Inject
FRONT means the BUG is placed in front and is then followed by the connection (ssh / vpn / direct, it depends).

Example 1:
GET […] HTTP/1.1 [crlf]Host: bug.com [crlf][crlf]
[realData]

Example 2:
GET […] HTTP/1.1 [crlf]Host: bug.com [crlf][crlf] CONNECT ipssh: portssh HTTP/1.0[crlf][crlf]

Method = GET
Red = BUG
Protocol version = HTTP/1.1
Pink = connection

Back Inject
BACK means behind: first the connection (ssh / vpn / direct, it depends), then followed by the BUG.

Example 1:
[realData] GET […] HTTP/1.1 [crlf]Host: bug.com [crlf][crlf]

Example 2:
CONNECT ipssh: portssh HTTP/1.0[crlf][crlf]GET […] HTTP/1.1 [crlf] Host: bug.com [crlf][crlf]

Blue = connection
Method = GET
Red = Bug
Protocol version = HTTP/1.1

Front Query

This means that there are BUG/s that slipped in front of the connection later in the end.

Example:
CONNECT query.com@ ipssh: portssh HTTP/1.0[crlf][crlf] GET […] HTTP/1.1 [crlf]Host: bug.com [crlf][crlf]

or

CONNECT bug.com@ ipssh: portssh HTTP/1.0[crlf][crlf] GET […] HTTP/1.1 [crlf]Host: bug.com [crlf][crlf]

Blue = connection
Green = Query
Method = GET
Red = Bug
Protocol version = HTTP/1.1

* Query is usually the same as the BUG itself *

Back Query

This means that the BUG tucked itself behind a connection @.

Example:
CONNECT ipssh: portssh @query.com HTTP/1.0[crlf][crlf] GET […] HTTP/1.1 [crlf]Host: bug.com [crlf][crlf]

Blue = connection
Pink = Query
Method = GET
Red = BUG
Protocol version = HTTP/1.1

*Query is usually the same as the bug itself *

REPLACE
Replace is replacing a specific response in order to connect with the bias current and most often, namely replacing it to 200 OK

Example:
Response Found:

302 FOUND
Replace to:
200 OK

Example 2:
Response Found

400 Bad Request
Replace to:
200 OK

Payload
There are many types of payload, Inject start time may not appear using payload.
But because security is tight then we also need a payload.
Example:
- Host: bug.com
- X-Online-Host: bug.com
- X-Forward-Host: bug.com
- X-Forwarded-For: bug.com
- Connection: Keep-Alive or Close
- Proxy-Connection: Keep-Alive or Close
- Content-Type: * / *
- Content-Length: 0 or 1024 or another one
- And many more

Proxy and Port
The use of proxy and proxy port could use the original operator.
Proxies can also use public or Squid Proxy from VPS with port 80/8000/8080/3128 / etc mouthful can be invited to the free internet.

References:
https://phcorner.net/t/different-config-http-injector.158327/

ctto: jkevin10
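
Seen from the proxy operator's side, the payload shapes listed in this post leave recognizable traces in the first bytes a client sends. The Python check below is an added example, not part of the original post or of HTTP Injector; the function names, finding labels and sample buffers (documentation IP 192.0.2.10 and bug.example) are constructed for illustration.

```python
import re

REQ_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")  # METHOD target version

def parse_blocks(buf: bytes):
    """Split buffered client bytes into (method, target, headers) blocks."""
    blocks = []
    for raw in buf.split(b"\r\n\r\n"):          # [crlf][crlf] ends a header block
        lines = [l.strip() for l in raw.split(b"\r\n") if l.strip()]
        if not lines:
            continue
        m = REQ_LINE.match(lines[0])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        blocks.append((m and m.group(1), m and m.group(2), headers))
    return blocks

def classify(buf: bytes):
    """Return sorted findings for one client send seen by a forward proxy."""
    findings = set()
    leftover = buf.replace(b"\r\n", b"")        # anything left is [cr], [lf] or [lfcr]
    if b"\r" in leftover or b"\n" in leftover:
        findings.add("bare-cr-or-lf")
    blocks = parse_blocks(buf)
    connects = [b for b in blocks if b[0] == b"CONNECT"]
    if connects and len(blocks) > 1:            # CONNECT sharing a buffer with another request
        findings.add("extra-request-with-connect")
    for _, target, headers in connects:
        if b"@" in target:                      # authority-form is host:port only
            findings.add("at-sign-in-connect-target")
        host = headers.get(b"host")
        # Compare host part only (hostnames / IPv4; IPv6 literals not handled).
        if host and host.split(b":")[0].lower() != target.split(b":")[0].lower():
            findings.add("host-header-mismatch")
    return sorted(findings)

# Constructed samples (documentation IP and .example names, not real traffic).
SAMPLES = {
    "plain": b"CONNECT 192.0.2.10:443 HTTP/1.1\r\nHost: 192.0.2.10:443\r\n\r\n",
    "normal": b"CONNECT 192.0.2.10:22 HTTP/1.0\r\nHost: bug.example\r\n\r\n",
    "front": b"GET / HTTP/1.1\r\nHost: bug.example\r\n\r\n"
             b"CONNECT 192.0.2.10:22 HTTP/1.0\r\n\r\n",
    "back_query": b"CONNECT 192.0.2.10:22@bug.example HTTP/1.0\r\n\r\n"
                  b"GET / HTTP/1.1\r\nHost: bug.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, classify(buf))
```

A proxy that buffers and parses exactly one request before acting on it, and rejects a CONNECT carrying any of these findings, does not need a header-keyword blocklist.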
 
Hi, I am from Egypt and I need your help to make a payload for free internet for Vodafone?!
 