PHP Vulnerability Complete Guide (8): HTTP Response Splitting

Source: Internet
Author: User

This article introduces HTTP response splitting in PHP web sites and, from the attacker's point of view, shows how the split is produced.

Format of the HTTP request

1) Request line: for example "GET /index.php HTTP/1.1", which requests the file index.php

2) Headers: for example "Host: localhost", which names the server being addressed

3) Blank line

4) Message body

The request line and every header line must end with a line break (CRLF), and the blank line may contain only the line break and no other whitespace.

The following example sends an HTTP request to the server www.yhsafe.com:

GET /index.php HTTP/1.1    // request line

Host: www.yhsafe.com       // header

The blank line corresponds to pressing Enter on an empty line; once the blank line has been entered, the request is sent. Only the Host header is mandatory; the remaining headers depend on the content of the request.

HTTP request methods

1) GET: request a resource

2) HEAD: the same as GET, but only the response headers are returned

3) POST: send data to the server for processing; the data is carried in the HTTP message body

4) PUT: upload a file

5) DELETE: delete a file

6) TRACE: echo the received request back to the client

7) OPTIONS: return the HTTP methods supported by the server

8) CONNECT: turn the HTTP connection into a transparent TCP/IP tunnel

Format of the HTTP response

After processing the client's HTTP request, the server sends the following response:

1) The first line is the status line

2) The following lines carry the other information (the response headers)

The status line contains a number that identifies the status and a word that describes it. For example, in "HTTP/1.1 200 OK", 200 is the number identifying the status, OK is the word describing it, and this status code means the request succeeded.
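As an added example (not code from the original article), here is a small PHP parser for the response format just described. It assumes CRLF line endings only, as the text requires; the sample response is constructed for this example and modelled on the 302 response shown later on this page. A header block that contains a line which is not "Name: value" (for instance a second status line) is rejected rather than silently accepted.

```php
<?php
// Added example, not from the original article: parse a raw HTTP response
// into status line, headers and body, following the format described above.

/**
 * Split a raw HTTP response into its version, status, reason, headers and body.
 * Throws InvalidArgumentException if the header block is malformed, which is
 * exactly what an injected CRLF sequence produces.
 */
function parse_http_response(string $raw): array
{
    // The header block ends at the first blank line (CRLF CRLF).
    $pos = strpos($raw, "\r\n\r\n");
    if ($pos === false) {
        throw new InvalidArgumentException('no blank line terminating the headers');
    }
    $headerBlock = substr($raw, 0, $pos);
    $body        = substr($raw, $pos + 4);

    $lines      = explode("\r\n", $headerBlock);
    $statusLine = array_shift($lines);

    // Status line: HTTP-version SP status-code SP reason-phrase
    if (!preg_match('#^HTTP/(\d\.\d) (\d{3}) (.*)$#', $statusLine, $m)) {
        throw new InvalidArgumentException("bad status line: $statusLine");
    }

    $headers = [];
    foreach ($lines as $line) {
        // Every header line must be "token: value"; names are case-insensitive.
        // "HTTP/1.1 200 OK" is not a token followed by a colon, so it fails here.
        if (!preg_match('/^([!#$%&\'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*)$/', $line, $h)) {
            throw new InvalidArgumentException("malformed header line: $line");
        }
        $headers[strtolower($h[1])][] = $h[2];
    }

    return [
        'version' => $m[1],
        'status'  => (int) $m[2],
        'reason'  => $m[3],
        'headers' => $headers,
        'body'    => $body,
    ];
}

// Constructed sample, modelled on the 302 redirect shown later in the article.
$sample = "HTTP/1.1 302 Found\r\n"
        . "Server: Apache/2.2.8 (Win32) PHP/5.2.6\r\n"
        . "Location: http://www.00aq.com\r\n"
        . "Content-Length: 0\r\n"
        . "Connection: keep-alive\r\n"
        . "Content-Type: text/html\r\n"
        . "\r\n";

$resp = parse_http_response($sample);
printf("status %d (%s)\n", $resp['status'], $resp['reason']);
printf("redirects to %s\n", $resp['headers']['location'][0]);

// A second status line inside the header block, which is what response
// splitting injects, is rejected instead of being treated as a header.
try {
    parse_http_response("HTTP/1.1 302 Found\r\nLocation: \r\nHTTP/1.1 200 OK\r\n\r\n");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run it with `php parse_response.php`; the first call prints the status and the Location value, the second prints "rejected: malformed header line: HTTP/1.1 200 OK". Browsers are far more lenient than this parser, which is why a server must never let CR or LF from user data reach a header in the first place.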

Examples of HTTP requests and responses

Open cmd, type telnet, and then enter open www.00aq.com 80

After the connection has opened, type

GET /index.php HTTP/1.1

Host: www.00aq.com

followed by a blank line. The headers of the HTTP response are returned,

followed by the content of the home page.

Use PHP to send HTTP requests

The header() function can be used to send raw HTTP headers.

Function prototype

void header(string $string [, bool $replace = true [, int $http_response_code]])

$string is the HTTP header line to send.

If $replace is true, a previous header of the same type is replaced by the current one; if it is false, multiple headers of the same type are allowed. The default is true.

$http_response_code forces the HTTP response status code to the given value.

Example:

    <?php
    // Open a socket connection to the web server
    $fp = fsockopen("www.00aq.com", 80);
    if (!$fp) {
        die("connection failed");
    }
    // Write the HTTP request: request line, Host header, blank line.
    // Connection: close makes the server close the connection after
    // the response, so the feof() loop below terminates.
    fputs($fp, "GET / HTTP/1.1\r\n");
    fputs($fp, "Host: www.00aq.com\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    // String that accumulates the HTTP response
    $http_response = "";
    while (!feof($fp)) {
        // Read the response up to 256 bytes at a time
        $http_response .= fgets($fp, 256);
    }
    // Close the socket connection
    fclose($fp);
    // Display the HTTP response
    echo nl2br(htmlentities($http_response));
    ?>

HTTP response split attack

HTTP response splitting occurs when an attacker uses a crafted e-mail or link so that a single request from the target user produces two responses: the first is the server's own response, the second is the one the attacker designed. The attack is possible because the web application places user-supplied data into an HTTP response header, and that data has been crafted by the attacker.

The PHP functions that may be affected by HTTP response splitting include:

header(), setcookie(), session_id(), setrawcookie()

HTTP response splitting typically occurs in:

Location header: user data is written into the redirect URL

Set-Cookie header: user data is written into a cookie

Example:

    <?php
    // Vulnerable: user-supplied data is placed directly into a response header
    header("Location: " . $_GET['page']);
    ?>

Request

GET /location.php?page=http://www.00aq.com HTTP/1.1

Host: localhost

Return

HTTP/1.1 302 Found

Date: Wed, Jan 03:44:24 GMT

Server: Apache/2.2.8 (Win32) PHP/5.2.6

X-Powered-By: PHP/5.2.6

Location: http://www.00aq.com

Content-Length: 0

Keep-Alive: timeout=5, max=100

Connection: keep-alive

Content-Type: text/html

Visiting the link below makes a login window appear directly:

Http://localhost/location.php?page=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type: %20text/html%0d%0acontent-length:%20158%0d%0a%0d%0a Account%20 Password%20

Decoded into readable form, the injected data is:

Content-Type: text/html

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 158

One HTTP request has produced two responses.

Preventive measures:

1) Strip the CR and LF characters from the user data

    <?php
    // Remove \r and \n so the value cannot start a new header line
    header("Location: " . strtr($_GET['page'], array("\r" => "", "\n" => "")));
    ?>

2) Use the latest version of PHP

In current versions of PHP, header() does not accept newline characters in the header string.
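The following is an added example, not code from the original article: the vulnerable redirect from the example above next to a hardened version. The function names and the allow-list of hosts are assumptions made for this example. Unlike the strtr() approach, it rejects a value containing control characters instead of stripping them and forwarding the altered value, and it only redirects to a site-relative path or to an allow-listed host.

```php
<?php
// Added example, not code from the original article: the article's
// vulnerable redirect beside a hardened one. Function names and the
// allow-list are assumptions made for this example.

// Vulnerable (as in the article): user-controlled data is placed directly
// into the Location header.
function redirect_unsafe(string $page): void
{
    header("Location: " . $page);
}

// A header value may only contain printable characters. CR (0x0D), LF (0x0A)
// and other control characters are refused outright rather than stripped,
// so a tampered value is never sent on in any form.
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) !== 1;
}

// Accept only a site-relative path or an http(s) URL whose host is on the
// allow-list. Besides CRLF injection this also closes the open redirect
// that a raw "Location: <user data>" header allows.
function validate_redirect_target(string $page, array $allowedHosts): bool
{
    if (!is_safe_header_value($page)) {
        return false;
    }
    // Site-relative path such as /index.php, but not //host, which is
    // scheme-relative and would leave the site.
    if (strpos($page, '/') === 0 && strpos($page, '//') !== 0) {
        return true;
    }
    $parts = parse_url($page);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Hardened redirect: validate first, send the header only if accepted.
function redirect_safe(string $page, array $allowedHosts): bool
{
    if (!validate_redirect_target($page, $allowedHosts)) {
        return false;
    }
    header('Location: ' . $page, true, 302);
    return true;
}

// Constructed inputs: the article's legitimate value, a local path,
// the decoded form of the %0d%0a payload, and an off-site URL.
$allowed = ['www.00aq.com'];
$inputs = [
    'http://www.00aq.com',
    '/index.php',
    "\r\nContent-Type: text/html\r\nHTTP/1.1 200 OK",
    'http://other-site.example/',
];
foreach ($inputs as $page) {
    printf("%-7s %s\n",
        validate_redirect_target($page, $allowed) ? 'accept' : 'reject',
        json_encode($page));
}
```

Running the script prints accept for the first two inputs and reject for the last two. Since PHP 5.1.2, header() itself refuses a string that contains a newline, so the control-character check is defence in depth; the host allow-list is what stops the same parameter from being abused as an open redirect, which stripping CR and LF alone does not address.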

Hide HTTP response headers

In Apache's httpd.conf, set ServerTokens Prod and ServerSignature Off

In php.ini, set expose_php = Off
