
Header problem when scanning #1712

Open
zerokeeper opened this issue Feb 14, 2023 · 3 comments
Labels
bug Something isn't working

zerokeeper commented Feb 14, 2023

While using xray's crawler to scan a Spring application for vulnerabilities, I found that the original Accept header is not carried along, so the page type is reported incorrectly and the vulnerability cannot be identified.

xray webscan --plugins cmd-injection,sqldet --browser-crawler http://127.0.0.1:8090/springboot-spel-rce/

The original request captured by the crawler is:

GET /springboot-spel-rce/article?id=1 HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/110.0.5481.96 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip


The request xray actually sent during the scan is:

[image]

Without the Accept header the vulnerability is not identified correctly: the response is a 500 error with a JSON body.

With the original Accept header included, the vulnerability is triggered and identified, and the response is an HTML body.

[image]

My guess is that when a request carries no Accept header, the Spring application returns JSON by default.

SQL injection behaves the same way: the Accept header is removed. I have not tested the other basic plugins, but I expect they do the same.
This causes many vulnerabilities to go undetected; I hope this can be adjusted soon.

Suggestion:
When scanning, carry the headers of the original crawler request, or at least keep the Accept header; only remove or modify headers when a specific plugin requires it.
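An added example, not xray's code and not part of the issue: a small Python model of the behaviour described in this report. It parses the crawled request quoted above, rebuilds scan headers that keep the original Accept header unless a plugin explicitly overrides it, and runs a simplified content-negotiation routine (an assumption standing in for Spring's real algorithm, following the reporter's guess that a missing Accept header yields JSON) to show which response type each variant of the request would receive. The `SERVER_TYPES` order, the plugin-override dictionary and the helper names are all assumptions made for illustration.

```python
"""Model of why dropping the crawler's Accept header changes the response type.

Added example, not xray's own code. The raw request is the one quoted in the
issue; the negotiation routine is a simplified stand-in for Spring's.
"""
from typing import Dict, List, Optional, Tuple

# Raw request captured by the crawler, copied from the issue report.
CRAWLED_REQUEST = """GET /springboot-spel-rce/article?id=1 HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/110.0.5481.96 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
"""

# Assumed server-side offer list: JSON first, so it is also the default used
# when the client sends no Accept header (mirrors the reporter's guess).
SERVER_TYPES = ("application/json", "text/html")


def parse_raw_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def build_scan_headers(crawled: Dict[str, str],
                       plugin_overrides: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Start from every crawled header and apply plugin-specific overrides.

    Accept (and everything else the browser sent) survives unless a plugin
    deliberately sets it, which is the behaviour the report asks for.
    """
    headers = dict(crawled)
    for name, value in (plugin_overrides or {}).items():
        headers[name.lower()] = value
    return headers


def parse_accept(accept: Optional[str]) -> List[Tuple[str, float]]:
    """Return [(media_range, q)] in header order; a missing header gives []."""
    if not accept:
        return []
    ranges = []
    for part in accept.split(","):
        pieces = [p.strip() for p in part.split(";")]
        q = 1.0
        for param in pieces[1:]:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        ranges.append((pieces[0], q))
    return ranges


def quality_for(offer: str, ranges: List[Tuple[str, float]]) -> float:
    """q-value of the most specific Accept range matching `offer`."""
    major = offer.split("/", 1)[0]
    best_spec, q = 0, 0.0
    for media, mq in ranges:
        if media == offer:
            spec = 3
        elif media == major + "/*":
            spec = 2
        elif media == "*/*":
            spec = 1
        else:
            continue
        if spec > best_spec:
            best_spec, q = spec, mq
    return q


def negotiate(accept: Optional[str], offered=SERVER_TYPES) -> Optional[str]:
    """Simplified negotiation: highest q wins, ties go to the first offered
    type, no Accept header means the server default, all-zero means None."""
    ranges = parse_accept(accept)
    if not ranges:
        return offered[0]
    best, best_q = None, 0.0
    for offer in offered:
        q = quality_for(offer, ranges)
        if q > best_q:
            best, best_q = offer, q
    return best


if __name__ == "__main__":
    _, _, crawled = parse_raw_request(CRAWLED_REQUEST)
    print("browser Accept ->", negotiate(crawled["accept"]))
    print("Accept dropped ->", negotiate(None))
    print("rad's */*      ->", negotiate("*/*"))
```

Running the block shows the three situations in the thread side by side: the browser's Accept string negotiates to HTML, a request with the header stripped falls back to JSON, and an Accept of `*/*` (what rad was observed to crawl) ties and therefore also lands on the server default.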

mashiro01 (Collaborator) commented

This problem does exist; it will be addressed in a later version. Thanks for the feedback.

mashiro01 added the bug (Something isn't working) label Feb 14, 2023

mashiro01 (Collaborator) commented

Could you describe the target environment you used in more detail? After setting up a target myself, I found that xray's requests do carry the Accept header and the other original headers; however, against my own target, rad only crawls an Accept header of */*, which still has to be specified manually.

zerokeeper (Author) commented

Sure, this is the environment I used:
https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-spel-rce

In addition, I added an index.html page under the directory with an href linking to /springboot-spel-rce/article?id=1.
That should carry Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

This simulates a normal click-through; most crawlers that reach the link would also send this Accept.
