Safetech Blog - Security Tips and Tricks


by Ionut Cernica

Codegate 2014 quals – web 200 WriteUp

WebProxy WriteUp

We were given a web application with a proxy functionality.

In the server's response there is a comment containing the link where the flag might be.

The request type is “GET” and it has one parameter named “url”.

The value of the “url” parameter is filtered. The server doesn’t accept values containing words such as “php”, “//”, “127.0.0.1” or “58.229.183.24”. If the value sent to the server contains one of the words above, the following message is returned as the response:


After a little research I found out that it is possible to use the other three representations of an IP address. I made a script that transforms an IP address into its DWORD, hexadecimal and octal representations, and below is our way to bypass the IP filter.
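The defensive counterpart of the script described above, as an added example that is not part of the writeup: rather than generating the DWORD, hexadecimal and octal spellings, it canonicalises every spelling an inet_aton-style parser accepts back to one dotted-quad, so a host filter compares a normalised address instead of the raw text the client sent. The block list is constructed for the example; the two addresses in it are the ones the writeup says the filter named.

```python
import ipaddress
import re
from typing import Optional

# Added example, not the writeup's script: canonicalise inet_aton-style IPv4
# spellings (dotted decimal, octal and hex components, the single 32-bit
# "dword" form, and the 2- and 3-component forms) to one dotted-quad so the
# filter compares a normalised address rather than the raw text.

# Constructed filter list; the addresses are the ones the writeup's filter names.
BLOCKED_ADDRESSES = {"127.0.0.1", "58.229.183.24"}
BLOCKED_HOSTNAMES = {"localhost"}

# 0x.. is hex, a leading 0 is octal (digits 0-7 only), anything else decimal.
_COMPONENT = re.compile(r"(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)")


def _parse_component(part: str) -> int:
    """One numeric component, parsed the way inet_aton does."""
    if not _COMPONENT.fullmatch(part):
        raise ValueError(f"not a numeric component: {part!r}")
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-quad form of any inet_aton-style IPv4 literal (1 to 4 components,
    the last component filling the remaining bytes), or None when the string
    is not such a literal, e.g. a hostname."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_component(p) for p in parts]
    except ValueError:
        return None
    last_bytes = 4 - (len(values) - 1)  # bytes the last component covers
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 1 << (8 * last_bytes):
        return None
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    packed = (packed << (8 * last_bytes)) | values[-1]
    return str(ipaddress.IPv4Address(packed))


def is_blocked_target(host: str) -> bool:
    """Apply the deny rules to the canonical address. Hostnames are only
    compared by name here; a real proxy must also resolve them and re-check
    (and pin) the resolved address before connecting."""
    ip = canonical_ipv4(host)
    if ip is None:
        return host.lower() in BLOCKED_HOSTNAMES
    addr = ipaddress.IPv4Address(ip)
    return (ip in BLOCKED_ADDRESSES or addr.is_loopback
            or addr.is_private or addr.is_link_local)


if __name__ == "__main__":
    for spelling in ("127.0.0.1", "2130706433", "0x7f000001", "0177.0.0.1",
                     "0x7f.1", "988133144", "example.com"):
        print(f"{spelling:>12} -> {canonical_ipv4(spelling)!s:>14} "
              f"blocked={is_blocked_target(spelling)}")
```

Every alternative spelling of 127.0.0.1 collapses to the same string before the comparison, which is what makes a deny rule on the address meaningful; the rule for the last component (it may be up to 32 bits wide when it is the only one) is what lets the plain DWORD form through the same path.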


But there was one more problem: how to bypass the word “php”. The solution was simple. I have used it plenty of times to bypass XSS filters: I used double URL encoding to write the word “php” as “%2570hp” or “ph%2570”, etc.
Knowing how to bypass the backend filter, I made the following value, which I inserted in the url parameter.

The response was 200 OK, but it wasn’t the entire response.


As can be seen, only part of the response was revealed: just two lines.
So I checked whether it was possible to insert other headers into the request. I tried “%0d%0a” and it worked.
So I appended the following to my URL:

The response from the server was:

I replaced the word “localhost” with “hackme” and decreased the range:
%20HTTP/1.1%0D%0AHost:%20hackme%0D%0ARange:%20bytes=76-110%0D%0A%0D%0A

Then I sent the following request:

And in the response was our flag:
Password is WH0_IS_SnUS_bI1G_F4N
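The two filter weaknesses used in this writeup, matching before decoding (so “%2570hp” is not seen as “php”) and copying the value into the upstream request with CR/LF intact (so extra Host and Range headers can be appended), come from validating the raw parameter instead of what the proxy actually sends. The check below is an added example, not the challenge's code or the author's: it decodes the value to a fixed point, refuses control characters before any URL parsing, and applies the token list to the decoded text. The token list and the sample inputs are taken from the writeup; the function and constant names are this example's own.

```python
from typing import List
from urllib.parse import unquote, urlsplit

# Added example, not the challenge's code: validate the "url" parameter on its
# fully decoded value, before any of it is copied into an upstream request.

# Tokens the writeup says the filter rejected. "//" is left out because it
# occurs in every absolute URL; the comparison on decoded text is what matters.
BLOCKED_TOKENS = ("php", "127.0.0.1", "58.229.183.24")
ALLOWED_SCHEMES = ("http", "https")
MAX_DECODE_ROUNDS = 3


def fully_decode(value: str, max_rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode until the text stops changing, with a bound so that
    deeply nested encodings cannot stall the check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate_proxy_url(raw: str) -> List[str]:
    """Return the reasons the value is rejected; an empty list means accept."""
    problems: List[str] = []
    decoded = fully_decode(raw)

    # A value that still changes after the first decode was double-encoded
    # (%2570hp -> %70hp -> php); a single decode is all most backends perform.
    if decoded != unquote(raw):
        problems.append("nested percent-encoding")

    # CR/LF (and other control bytes) let the caller end the request line and
    # append headers of their own. Check the decoded text *before* urlsplit,
    # which in current Python versions silently strips tab and newline bytes.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        problems.append("control character in URL")

    try:
        parts = urlsplit(decoded)
    except ValueError:
        problems.append("unparseable URL")
        return problems
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append("scheme not allowed")

    # Token rules run on the decoded, lower-cased text, not the raw parameter.
    lowered = decoded.lower()
    for token in BLOCKED_TOKENS:
        if token in lowered:
            problems.append(f"blocked token: {token}")
    return problems


if __name__ == "__main__":
    # Constructed inputs built from the values shown in the writeup.
    samples = [
        "http://example.com/index.html",
        "http://hackme/%2570hp",
        "http://hackme/index.html%20HTTP/1.1%0D%0AHost:%20hackme"
        "%0D%0ARange:%20bytes=76-110%0D%0A%0D%0A",
    ]
    for s in samples:
        print(f"{s!r}: {validate_proxy_url(s) or 'accepted'}")
```

The order of the checks is deliberate: the control-character test has to see the decoded string, because the injected bytes only exist after decoding, and it has to run before the URL parser, which would otherwise discard exactly the bytes the rule is looking for.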
