

-H $'Content-Type: application/x-www-form-urlencoded' \

You can then paste this command into the terminal to re-issue the request outside Burp Suite. We're careful about escaping this data to avoid users being exploited by malicious requests injecting extra shell commands or arbitrary curl arguments. Unfortunately, there's a subtler problem. Can you see it?

As usual, the answer lies in the friendly manual:

--data-binary
This posts data exactly as specified with no extra processing whatsoever. If you start the data with the letter @, the rest should be a filename.

So, this is safe (curl sends the literal string):

curl --data-binary '/home/albinowax/.ssh/id_rsa' --trace-ascii -

And this is... not so safe, because the leading @ makes curl open the file and send its contents:

curl --data-binary @/home/albinowax/.ssh/id_rsa --trace-ascii -

> -----BEGIN RSA PRIVATE KEY-----.b3BlbnNzaC1rZXktdjEA...

(--trace-ascii prints non-printable bytes, including the newline after the PEM header, as a dot.)

We patched this vulnerability in release 2020.5.1 by switching to the newer and safer but less-supported --data-raw flag if the request body starts with an @ symbol.
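The following is an added example, not Burp Suite's code or anything from the original post. It models the bug and the fix in Python: `ansi_c_quote` reproduces the `$'...'` quoting style seen in the generated command, `data_flag` applies the 2020.5.1 rule (switch to `--data-raw`, available since curl 7.43.0, when the body begins with `@`), `curl_body` is a simplified model of what curl transmits for the two options according to the manual (stdin via `@-` and `--data`'s newline stripping are deliberately not modelled), and `simulate_file_read` replays the leak against a temporary file holding a constructed placeholder secret. The function names, the `copy_as_curl` generator and the `SECRET` contents are all assumptions made for this example. The same `curl_body` model describes the server-side case mentioned later, where a website passes an attacker-controlled body to curl.

```python
import os
import tempfile

# Constructed placeholder "secret"; stands in for ~/.ssh/id_rsa in the demo.
SECRET = b"-----BEGIN PLACEHOLDER PRIVATE KEY-----\nnot-a-real-key\n"


def ansi_c_quote(s: str) -> str:
    """Quote s with bash ANSI-C $'...' quoting, the style Burp's generated
    commands use. Backslash and quote are escaped and every byte outside
    printable ASCII becomes \\xHH, so the body cannot terminate the argument
    or smuggle in extra shell words / curl options."""
    out = []
    for ch in s:
        if ch == "\\":
            out.append("\\\\")
        elif ch == "'":
            out.append("\\'")
        elif 0x20 <= ord(ch) < 0x7F:
            out.append(ch)
        else:
            out.extend("\\x%02x" % b for b in ch.encode("utf-8"))
    return "$'" + "".join(out) + "'"


def data_flag(body: str) -> str:
    """Choose the body option the way the 2020.5.1 fix does: --data-raw when
    the body begins with '@' (no file interpretation), --data-binary otherwise."""
    return "--data-raw" if body.startswith("@") else "--data-binary"


def copy_as_curl(method: str, url: str, headers: list, body: str = None) -> str:
    """Hypothetical 'copy as curl command' generator (assumed, not Burp's code)
    built from the two helpers above."""
    parts = ["curl", "-i", "-s", "-k", "-X", ansi_c_quote(method)]
    for name, value in headers:
        parts += ["-H", ansi_c_quote(f"{name}: {value}")]
    if body is not None:
        parts += [data_flag(body), ansi_c_quote(body)]
    parts.append(ansi_c_quote(url))
    return " ".join(parts)


def curl_body(option: str, value: str) -> bytes:
    """Model of what curl transmits for OPTION VALUE, per the manual:
    --data-binary reads a file when VALUE starts with '@'; --data-raw never
    does. Simplified model: '@-' (stdin) is not handled."""
    if option == "--data-binary" and value.startswith("@"):
        with open(value[1:], "rb") as f:
            return f.read()
    return value.encode("utf-8")


def simulate_file_read():
    """Replay the bug against a temp file. Returns (bytes the pre-fix
    --data-binary command would send, bytes the patched command sends)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SECRET)
        body = "@" + path                              # attacker-chosen request body
        leaked = curl_body("--data-binary", body)      # pre-fix: file contents leave the box
        fixed = curl_body(data_flag(body), body)       # post-fix: the literal string
        return leaked, fixed
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(copy_as_curl("POST", "https://example.com/login",
                       [("Host", "example.com"),
                        ("Content-Type", "application/x-www-form-urlencoded")],
                       "@/home/albinowax/.ssh/id_rsa"))
    leaked, fixed = simulate_file_read()
    print("old flag sends:", leaked)
    print("new flag sends:", fixed)
```

Running the block prints a command that uses `--data-raw $'@/home/albinowax/.ssh/id_rsa'`, then shows that the old option would have sent the file contents while the patched one sends the literal `@`-prefixed string.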

We were lucky in that exploiting this in Burp Suite required relatively heavy user interaction: the attacker would have to induce a user to visit a malicious website, copy the crafted request as a curl command, and then execute it via the command line. If a website uses curl with an attacker-controlled request body, this could have a significantly higher impact, so it's definitely worth keeping an eye out for during SSRF testing. Note that --data-binary isn't the only option with this convention: -d/--data, --data-ascii and --data-urlencode also treat a leading @ as a filename (and @- as stdin), and -F/--form does the same for field values, so a check that only covers --data-binary is incomplete.
