本文披露了ProjectDiscovery的httpx工具v1.7.0版本中存在的一个远程拒绝服务漏洞。攻击者可通过提供畸形<title>标签触发越界读取,导致扫描器崩溃。文章包含漏洞代码分析、触发条件和修复方案。
远程拒绝服务漏洞:httpx 1.7.0中通过畸形标签实现的越界读取
</h1><h2 id="漏洞概述">漏洞概述
</h2><p>通过向网站提供畸形的<code><title></code>标签,可远程导致ProjectDiscovery的httpx v1.7.0版本崩溃。该漏洞源于<code>trimTitleTags()</code>函数中缺少边界检查的经典越界读取问题。</p>
<h2 id="技术细节">技术细节
</h2><h3 id="漏洞代码">漏洞代码
</h3><div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span><span class="lnt">4
</span><span class="lnt">5
</span><span class="lnt">6
</span><span class="lnt">7
</span><span class="lnt">8
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="kd">func</span> <span class="nf">trimTitleTags</span><span class="p">(</span><span class="nx">title</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nx">titleBegin</span> <span class="o">:=</span> <span class="nx">strings</span><span class="p">.</span><span class="nf">Index</span><span class="p">(</span><span class="nx">title</span><span class="p">,</span> <span class="s">">"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="nx">titleEnd</span> <span class="o">:=</span> <span class="nx">strings</span><span class="p">.</span><span class="nf">Index</span><span class="p">(</span><span class="nx">title</span><span class="p">,</span> <span class="s">"</"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nx">titleEnd</span> <span class="p"><</span> <span class="mi">0</span> <span class="o">||</span> <span class="nx">titleBegin</span> <span class="p"><</span> <span class="mi">0</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">title</span>
</span></span><span class="line"><span class="cl"> <span class="p">}</span>
</span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">title</span><span class="p">[</span><span class="nx">titleBegin</span><span class="o">+</span><span class="mi">1</span> <span class="p">:</span> <span class="nx">titleEnd</span><span class="p">]</span> <span class="c1">// ← 此处发生PANIC</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="崩溃信息">崩溃信息
</h3><div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">panic: runtime error: slice bounds out of range [9:6]
</span></span></code></pre></td></tr></table>
</div>
</div><h2 id="影响范围">影响范围
</h2><ul>
<li>影响所有在自动化扫描管道中使用httpx的用户</li>
<li>一个畸形的HTML响应即可导致扫描器宕机</li>
<li>可通过单元测试或模糊测试在5分钟内发现此漏洞</li>
</ul>
<h2 id="触发条件">触发条件
</h2><p>💥 <strong>触发输入</strong>:</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"><title</></title>0
</span></span></code></pre></td></tr></table>
</div>
</div><h2 id="修复方案">修复方案
</h2><p>✅ <strong>修复链接</strong>:
<a class="link" href="https://github.com/projectdiscovery/httpx/pull/2198" target="_blank" rel="noopener"
>https://github.com/projectdiscovery/httpx/pull/2198</a></p>
<h2 id="概念验证">概念验证
</h2><p>📂 <strong>PoC及上下文</strong>:</p>
<h2 id="潜在利用">潜在利用
</h2><ul>
<li>崩溃扫描器</li>
<li>创建盲点</li>
<li>与HTML注入链结合利用</li>
</ul>
<hr>
<p><em>通过Full Disclosure邮件列表发送</em>
<em>Web存档和RSS:https://seclists.org/fulldisclosure/</em></p>
</section>
<footer class="article-footer">
<section class="article-tags">
<a href="/tags/httpx/">Httpx</a>
<a href="/tags/%E6%8B%92%E7%BB%9D%E6%9C%8D%E5%8A%A1/">拒绝服务</a>
<a href="/tags/%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/">漏洞分析</a>
<a href="/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/">网络安全</a>
</section>
<section class="article-copyright">
<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-copyright" width="24" height="24" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
<path stroke="none" d="M0 0h24v24H0z"/>
<circle cx="12" cy="12" r="9" />
<path d="M14.5 9a3.5 4 0 1 0 0 6" />
</svg>
<span>Licensed under CC BY-NC-SA 4.0</span>
</section>
</footer>
</article>
<aside class="related-content--wrapper">
<h2 class="section-title">相关文章</h2>
<div class="related-content">
<div class="flex article-list--tile">
<article class="">
<a href="/p/%E6%96%87%E4%BB%B6%E5%8F%91%E9%80%81%E5%B9%B3%E5%8F%B0filesender%E6%9B%9D%E6%9C%AA%E6%8E%88%E6%9D%83ssti%E6%BC%8F%E6%B4%9E%E5%8F%AF%E6%B3%84%E9%9C%B2mysql%E4%B8%8Es3%E5%AF%86%E9%92%A5/">
<div class="article-details">
<h2 class="article-title">文件发送平台FileSender曝未授权SSTI漏洞,可泄露MySQL与S3密钥</h2>
</div>
</a>
</article>
<article class="">
<a href="/p/ms-exchange%E6%96%B0%E6%94%BB%E5%87%BB%E9%9D%A2%E5%88%86%E6%9E%90proxyoracle%E6%BC%8F%E6%B4%9E%E9%93%BE%E4%B8%8E%E5%AF%86%E7%A0%81%E6%81%A2%E5%A4%8D%E6%94%BB%E5%87%BB/">
<div class="article-details">
<h2 class="article-title">MS Exchange新攻击面分析:ProxyOracle漏洞链与密码恢复攻击</h2>
</div>
</a>
</article>
<article class="">
<a href="/p/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E9%98%B2%E5%BE%A1%E6%92%AD%E5%AE%A2%E7%AC%AC280%E6%9C%9F%E8%BD%AF%E4%BB%B6%E8%B4%A3%E4%BB%BB%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E4%B8%8E%E6%B3%95%E8%A7%84%E6%9B%B4%E6%96%B0/">
<div class="article-details">
<h2 class="article-title">网络安全防御播客第280期:软件责任、数据泄露与法规更新</h2>
</div>
</a>
</article>
<article class="">
<a href="/p/%E5%AF%86%E7%A0%81%E7%AE%A1%E7%90%86%E5%99%A8%E6%BC%8F%E6%B4%9E%E4%B8%8E%E6%9A%97%E7%BD%91%E6%89%AB%E6%8F%8Flastpass%E9%A3%8E%E9%99%A9%E4%B8%8Eonionscan%E6%8A%80%E6%9C%AF%E8%A7%A3%E6%9E%90/">
<div class="article-details">
<h2 class="article-title">密码管理器漏洞与暗网扫描:LastPass风险与OnionScan技术解析</h2>
</div>
</a>
</article>
<article class="">
<a href="/p/%E9%98%B2%E5%BE%A1%E5%AE%89%E5%85%A8%E6%92%AD%E5%AE%A2%E7%AC%AC255%E6%9C%9Fsolarwinds%E4%BA%8B%E4%BB%B6%E4%B8%8E%E4%BE%9B%E5%BA%94%E9%93%BE%E6%94%BB%E5%87%BB%E6%B7%B1%E5%BA%A6%E8%A7%A3%E6%9E%90/">
<div class="article-details">
<h2 class="article-title">防御安全播客第255期:SolarWinds事件与供应链攻击深度解析</h2>
</div>
</a>
</article>
</div>
</div>
</aside>
<div class="disqus-container">
<div id="disqus_thread"></div>
<script>
window.disqus_config = function () {
};
(function() {
if (["localhost", "127.0.0.1"].indexOf(window.location.hostname) != -1) {
document.getElementById('disqus_thread').innerHTML = 'Disqus comments not available by default when the website is previewed locally.';
return;
}
var d = document, s = d.createElement('script'); s.async = true;
s.src = '//' + "hugo-theme-stack" + '.disqus.com/embed.js';
s.setAttribute('data-timestamp', +new Date());
(d.head || d.body).appendChild(s);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
<a href="https://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
</div>
<style>
.disqus-container {
background-color: var(--card-background);
border-radius: var(--card-border-radius);
box-shadow: var(--shadow-l1);
padding: var(--card-padding);
}
</style>
<script>
window.addEventListener('onColorSchemeChange', (e) => {
if (typeof DISQUS == 'object') {
DISQUS.reset({
reload: true
});
}
})
</script>
<footer class="site-footer">
<section class="copyright">
©
2020 -
2025 qife
</section>
<section class="powerby">
使用 <a href="https://gohugo.io/" target="_blank" rel="noopener">Hugo</a> 构建 <br />
主题 <b><a href="https://github.com/CaiJimmy/hugo-theme-stack" target="_blank" rel="noopener" data-version="3.30.0">Stack</a></b> 由 <a href="https://jimmycai.com" target="_blank" rel="noopener">Jimmy</a> 设计
<div class="busuanzi-footer">
<span id="busuanzi_container_site_pv">
本站总访问量<span id="busuanzi_value_site_pv"></span>次
</span>
<span id="busuanzi_container_site_uv">
本站访客数<span id="busuanzi_value_site_uv"></span>人次
</span>
</div>
</section>
</footer>
<div class="pswp" tabindex="-1" role="dialog" aria-hidden="true">
<div class="pswp__bg"></div>
<div class="pswp__scroll-wrap">
<div class="pswp__container">
<div class="pswp__item"></div>
<div class="pswp__item"></div>
<div class="pswp__item"></div>
</div>
<div class="pswp__ui pswp__ui--hidden">
<div class="pswp__top-bar">
<div class="pswp__counter"></div>
<button class="pswp__button pswp__button--close" title="Close (Esc)"></button>
<button class="pswp__button pswp__button--share" title="Share"></button>
<button class="pswp__button pswp__button--fs" title="Toggle fullscreen"></button>
<button class="pswp__button pswp__button--zoom" title="Zoom in/out"></button>
<div class="pswp__preloader">
<div class="pswp__preloader__icn">
<div class="pswp__preloader__cut">
<div class="pswp__preloader__donut"></div>
</div>
</div>
</div>
</div>
<div class="pswp__share-modal pswp__share-modal--hidden pswp__single-tap">
<div class="pswp__share-tooltip"></div>
</div>
<button class="pswp__button pswp__button--arrow--left" title="Previous (arrow left)">
</button>
<button class="pswp__button pswp__button--arrow--right" title="Next (arrow right)">
</button>
<div class="pswp__caption">
<div class="pswp__caption__center"></div>
</div>
</div>
</div>
</div><script
src="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe.min.js"integrity="sha256-ePwmChbbvXbsO02lbM3HoHbSHTHFAeChekF1xKJdleo="crossorigin="anonymous"
defer
>
</script><script
src="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe-ui-default.min.js"integrity="sha256-UKkzOn/w1mBxRmLLGrSeyB4e1xbrp4xylgAWb3M42pU="crossorigin="anonymous"
defer
>
</script><link
rel="stylesheet"
href="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/default-skin/default-skin.min.css"crossorigin="anonymous"
><link
rel="stylesheet"
href="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe.min.css"crossorigin="anonymous"
>
</main>
</div>
<script
src="https://cdn.jsdelivr.net/npm/node-vibrant@3.1.6/dist/vibrant.min.js"integrity="sha256-awcR2jno4kI5X0zL8ex0vi2z+KMkF24hUW8WePSA9HM="crossorigin="anonymous"
>
</script><script type="text/javascript" src="/ts/main.313ab02d2f8415261a3718a5b3d0e35b62826b81a7f2c46c8122082f4cba0bcf.js" defer></script>
<script>
(function () {
const customFont = document.createElement('link');
customFont.href = "https://fonts.googleapis.com/css2?family=Lato:wght@300;400;700&display=swap";
customFont.type = "text/css";
customFont.rel = "stylesheet";
document.head.appendChild(customFont);
}());
</script>
</body>
</html>