
Saturday, February 25, 2017

Root Me | Improper redirect



Given the challenge title and its description, we start by examining the HTTP headers.


Request:

    GET /web-serveur/ch32/ HTTP/1.1
    Host: challenge01.root-me.org
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: es-AR,es;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close


Response (pay close attention to the first line):

    HTTP/1.1 302 Moved Temporarily
    Server: nginx
    Date: Thu, 22 Sep 2016 13:20:00 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    Location: ./login.php?redirect
    Content-Length: 546

    <html>
    <body><link rel='stylesheet' property='stylesheet' id='s' type='text/css' href='/template/s.css' media='all' /><iframe id='iframe' src='https://www.root-me.org/?page=externe_header'></iframe>
    <h1>Welcome !</h1>
    <p>Yeah ! The redirection is OK, but without exit() after the header('Location: ...'), PHP just continue the execution and send the page content !...</p>
    <p><a href="http://cwe.mitre.org/data/definitions/698.html">CWE-698: Execution After Redirect (EAR)</a></p>
    <p>The flag is : ExecutionAfterRedirectIsBad</p>
    </body>
    </html>




Request:

    GET /web-serveur/ch32/login.php?redirect HTTP/1.1
    Host: challenge01.root-me.org
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: es-AR,es;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close


Response (the HTML in this response asks for a username and password):

    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 22 Sep 2016 13:21:04 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    Vary: Accept-Encoding
    Content-Length: 508

    <body>
    <link rel='stylesheet' property='stylesheet' id='s' type='text/css' href='/template/s.css' media='all' /><iframe id='iframe' src='https://www.root-me.org/?page=externe_header'></iframe>
    <p>You must be authenticated in order to access this page !</p>
    <form method="post" name="form" action="login.php">
    <p>Login : <input type="text" name="login" ></p>
    <p>Password : <input type="password" name="password" ></p>
    <p><input type="submit" value="Log in" ></p>
    </form>
    </body>
    </html>



Let's go back to the first response, more precisely to its first line. There we find:

    HTTP/1.1 302 Moved Temporarily

Based on the challenge title, we try changing the status line of that HTTP response to the well-known OK status code:

    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 22 Sep 2016 13:30:16 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    Location: ./login.php?redirect
    Content-Length: 546

    <html>
    <body><link rel='stylesheet' property='stylesheet' id='s' type='text/css' href='/template/s.css' media='all' /><iframe id='iframe' src='https://www.root-me.org/?page=externe_header'></iframe>
    <h1>Welcome !</h1>
    <p>Yeah ! The redirection is OK, but without exit() after the header('Location: ...'), PHP just continue the execution and send the page content !...</p>
    <p><a href="http://cwe.mitre.org/data/definitions/698.html">CWE-698: Execution After Redirect (EAR)</a></p>
    <p>The flag is : ExecutionAfterRedirectIsBad</p>
    </body>
    </html>



Good! The password is now displayed in the browser.


But if we look carefully, we can see that the password was already included in the very first response (look at line 15 of that response's HTML code); the browser simply followed the redirect and never rendered it.

Password/flag: ExecutionAfterRedirectIsBad
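The pattern seen above, a 3xx response whose body is a full page, is the symptom to look for when testing or triaging for CWE-698. The following is an added example, not part of the original write-up: a small Python check that parses a raw HTTP response and flags a redirect carrying a substantive body. The sample responses are constructed here (the first reproduces the captured 302 with headers abridged), and the 200-byte notice threshold is an assumed heuristic.

```python
"""Flag Execution After Redirect (CWE-698) symptoms in raw HTTP responses."""

# Constructed sample, reproducing the 302 captured above (headers abridged).
SAMPLE_302 = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Location: ./login.php?redirect\r\n"
    "\r\n"
    "<html>\n<body><link rel='stylesheet' id='s' type='text/css' "
    "href='/template/s.css' media='all' /><iframe id='iframe' "
    "src='https://www.root-me.org/?page=externe_header'></iframe>\n"
    "<h1>Welcome !</h1>\n"
    "<p>Yeah ! The redirection is OK, but without exit() after the "
    "header('Location: ...'), PHP just continue the execution and send "
    "the page content !...</p>\n"
    "<p>The flag is : ExecutionAfterRedirectIsBad</p>\n</body>\n</html>"
)

# Constructed sample of a redirect that stops right after header(): nothing to flag.
SAMPLE_CLEAN = (
    "HTTP/1.1 302 Found\r\n"
    "Location: ./login.php?redirect\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_response(raw):
    """Split a raw response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def check_ear(raw, max_notice_bytes=200):
    """Return a finding dict when a 3xx redirect carries a real page body, else None.

    A browser follows Location and never shows the body, but a client that does
    not follow redirects (or a proxy rewriting the status line, as done above)
    receives it whole. A short 'Moved' notice is normal; a form, or anything
    longer than max_notice_bytes (assumed threshold), is not.
    """
    status, headers, body = parse_response(raw)
    if not 300 <= status < 400 or "location" not in headers:
        return None
    if len(body) <= max_notice_bytes and "<form" not in body.lower():
        return None
    return {"status": status, "location": headers["location"],
            "body_bytes": len(body),
            "fix": "call exit() immediately after header('Location: ...')"}
```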