CURL Local File Disclosure explained

Pretty simple bug bounty example, but it was my first and I got a bit excited. I can’t name the company because disclosure hasn’t been granted, but it was from a bounty.

I’m not going to disclose the impacted URL, or the amount I’ve gotten for it either. I will however say that the issue has been resolved on their end so there’s no chance the URL I’ve reported can be used for the same attack. It’s been nuked. That all being the case, I’ve made a sort of recreation of the problem.

I’m mostly writing this blog post because I didn’t know the functionality existed and I’m sure a bunch of other developers also aren’t aware. Learn something new every day. It’s probably WebSec 101 but at least as far as PHP is concerned I fail to see the point of leaving this feature enabled.

There was a file somewhere on (Company)’s network that would load a URL specified by a parameter and simply echo its contents.

Anyway, here is an example of what it would look like:

<?php

	// The 'url' parameter is handed to cURL unchecked, so any scheme libcurl
	// supports is accepted (including file://, which is what leaks local files)
	$ch = curl_init();
	curl_setopt_array($ch, array(
		CURLOPT_RETURNTRANSFER => 1,
		CURLOPT_URL => $_GET['url']));

	$data = curl_exec($ch);

	curl_close($ch);

	// Whatever cURL fetched is returned verbatim to the requester
	echo($data);

?>
Read more
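A hardened version of the same fetch-and-echo endpoint, added here as an example and not code from the original post or the affected company: the URL is parsed and checked before cURL sees it, and libcurl itself is told to accept only http/https. The host allowlist (example.com) is an assumed policy for illustration.

```php
<?php
// Added example: constrain the 'url' parameter before it reaches cURL.
// $allowedHosts is an assumed allowlist, not something from the original post.
$allowedHosts = array('example.com', 'www.example.com');

function fetchAllowedUrl($url, array $allowedHosts)
{
    $parts = parse_url($url);
    // Reject anything without a scheme and host; file:///path has no host
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Only http and https may be requested; file://, ftp://, gopher:// never reach libcurl
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null;
    }
    // Only known hosts may be fetched (assumed policy for this example)
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }

    $ch = curl_init();
    curl_setopt_array($ch, array(
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => 1,
        // Second line of defence inside libcurl: restrict the schemes it will
        // use for the initial request and for any redirect target
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // Do not follow redirects at all, so the host check cannot be bypassed
        CURLOPT_FOLLOWLOCATION  => 0,
        CURLOPT_TIMEOUT         => 10,
    ));
    $data = curl_exec($ch);
    curl_close($ch);
    return $data === false ? null : $data;
}

$data = isset($_GET['url']) ? fetchAllowedUrl($_GET['url'], $allowedHosts) : null;
if ($data === null) {
    http_response_code(400);
    echo 'URL not permitted';
} else {
    echo $data;
}
?>
```

If the endpoint must accept arbitrary external hosts rather than an allowlist, the scheme and protocol restrictions still close the local-file case, but the resolved address should then also be checked so that internal ranges cannot be reached.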

SECCON 2014 – REA-JUU WATCH Write-up

Okay, so for this one we’re just given a URL and not much more.

I started burpsuite and started playing around. Read more

SECCON 2014 – Bleeding “Heartbleed” Test Write-up

For this one, took some trial and error.

You’re presented with a heartbleed testing engine

So the first part of this puzzle is to find out what’s wrong with this. The first thing I do is use a valid host (cloudflarechallenge.com, aka 107.170.194.215).

It responds with (image not available as it seems it has stopped returning this result?):

DATABASE ERROR!!! near “re”: syntax error

select time from results where result=’Connecting… Sending Client Hello… Waiting for Server Hello… … received message: type = 24, ver = 0301, length = 249 … received message: type = 24, ver = 0301, length = 249 … received message: type = 24, ver = 0301, length = 249 … received message: type = 24, ver = 0301, length = 249 … received message: type = 24, ver = 0301, length = 249 … received message: type = 22, ver = 0301, length = 1 Sending heartbeat request… … received message: type = 24, ver = 0301, length = 249 Received heartbeat response: 09809*)(*)(76&^%&(*&^7657332 Hi there! Your scan has been logged! Have no fear, this is for research only — We’re never gonna give you up, never gonna let you down! WARNING: server returned more data than it should – server is vulnerable! ‘;

Well, it’s obvious SQL is the culprit here. Let’s honeypot! Read more

SECCON 2014 – Get from curious “FTP” server write-up

I connected using FlashFXP, this is important for later as I explain how somebody else solved it.

You’re tasked to connect to ftpsv.quals.seccon.jp:21 and just sort of figure it out. It accepts my connection over FTP, but many things fail. Read more

SECCON 2014 – Reverse it write-up

First write-up of a new CTF! This time I played for KnightSec and we took 59th place. Not bad, I suppose.

So, you know, I’m an idiot still using PHP. That means I’m an oddball especially in the security community, which seems to favor python. Keep it in mind because you’ll be seeing it a lot.

For Reverse It, I fed the given file to the script below:

<?php
	// Read the whole challenge file into memory
	$fp1 = fopen('Reverseit', 'r');
	$fp2 = fopen('Reverseit_out', 'a+');
	$fp1s = filesize('Reverseit');
	$buffer = fread($fp1, $fp1s);
	// Convert to a hex string, reverse it nibble by nibble, then convert back to bytes
	$buffer = unpack('H*', $buffer);
	$buffer = strrev($buffer[1]);
	$buffer = pack('H*', $buffer);

	fwrite($fp2, $buffer);

	fclose($fp1);
	fclose($fp2);
?>
Read more

hack.lu 2014 write-up (Dalton’s Corporate Security Safe for Business)

Another day, another challenge. This one was for hack.lu (hosted by fluxfingers) 2014, also known as “WildWildWeb”!

Dalton's Corporate Security Safe for Business

Challenge Text

The link brings you here.

The first thing we see is a Captcha, which you can solve manually. However, it doesn’t give you the key so easily.
Going off of the hints given in the challenge text, I can assume they want us to make an automated method to solve the captcha.

Taking a peek at the source code… Read more

ECTF 2014 write-up (The Annoying Admin)

First of all, this is the first CTF that OpenToAll has actually won first place in.

So proud.

Though it was a student CTF and not widely publicized, I’m still happy.

Anyway, this is a write-up for the ECTF 2014 challenge “The annoying admin”. The description is below, and please note that we solved it before the hint was provided!

The chat feature was added to Facelook website and to test it, founder of the company had sent a message in chat to the admin. Admin reads all the chat messages, but does not reply to anyone. Try to get that chat message and earn the bounty.

Annoying Admin

Hint: Admin likes to visit some links which he receives from people

Read more

Pwnium write-up #2 (Breakpoints)

This write-up will be a little rougher on newbies because there won’t be any C++ or Hex-Rays here.
re300 (Breakpoints) is an x64 ELF binary, which I had to boot up my VM to solve!

If you want to play along, download the binary here, get the disassembler of your choice and GDB ready and let’s have a go.

.text:0000000000400550 start           proc near
.text:0000000000400550                 xor     ebp, ebp
.text:0000000000400552                 mov     r9, rdx
.text:0000000000400555                 pop     rsi
.text:0000000000400556                 mov     rdx, rsp
.text:0000000000400559                 and     rsp, 0FFFFFFFFFFFFFFF0h
.text:000000000040055D                 push    rax
.text:000000000040055E                 push    rsp
.text:000000000040055F                 mov     r8, offset nullsub_1
.text:0000000000400566                 mov     rcx, offset sub_4066B0
.text:000000000040056D                 mov     rdi, offset main
.text:0000000000400574                 call    ___libc_start_main
.text:0000000000400579                 hlt
.text:0000000000400579 start           endp
Read more

Pwnium write-up #1 (Crackme Fast)

This is a quick write-up of the “Crackme Fast” challenge from Pwnium CTF.

Let’s start at the beginning. The challenge stated that you had to download a file from a server, crack that application (retrieve a password from it) and submit it to the authentication server altogether in under 2 seconds. This means the moment the file is downloaded, you have under 2 seconds to finish the challenge to retrieve the flag.

Let’s start with the file itself. When I downloaded the file it saved as “4617155699eb1d2b7a17f7a5bdda27b4.bin”, I then opened it in Notepad++ and xvi32. Notepad++ told me it was some kind of uncompressed archive format containing a single executable. How did I know?

Read more

Parsing HTML with C++ (With extra UTF-8 woes)

So I was tasked with making a C++ project that scraped data from HTML pages.

For those who aren’t in the “know”, there’s no neat HTML DOM library like JSoup in C++. There’s nothing with jQuery-like selectors either. There are some niche projects here and there (and there is a Google project I was pointed to which I decided probably wasn’t for the best, but worth mentioning anyway), but nothing really substantial.

In PHP, you could do a couple of things: either use “Simple HTML DOM Parser”, or use simplexml with XPath. Both kind of suck for their own reasons (Simple HTML DOM Parser is written in PHP and uses tons of resources for simple operations, and simplexml with XPath is… not fun; turns out C++ isn’t much better, but we’ll get to that later).

In JavaScript, you have jQuery. In Java, JSoup. Both are amazing. If I’m scraping something, I’d prefer to use these… but it’s just too bad I don’t use Java for much else besides android, and I don’t know how well nodejs actually works with jQuery, or if it does, or if it has something similar… I’ve never used node. Maybe worth looking into some day.

C++, though, I had to hack. It’s weird: usually you’ll find C++ libraries for anything, but in this case the internet didn’t help me out too much, besides this blog post, so I went with it.

EDIT: MostThingsWeb informed me that he’s made an updated post here, maybe it’s more useful than my junk!

The tools I ended up using for my project:

  • CURL
  • MySQL++
  • libxml++
  • libtidy

Read more
