
[CSAW2017] Orange v1

Question

I wrote a little proxy program in NodeJS for my poems folder.

Everyone wants to read flag.txt but I like it too much to share.

http://web.chal.csaw.io:7311/?path=orange.txt

 

Solution

Judging by the challenge name, the concept seems to be based on Orange Tsai's presentation at DEF CON 25.

The presentation covers URI handling in Node.js: if \xff exists in the URI, Node.js throws it away.

What if we input %EF%BC%AE%EF%BC%AE/?

%EF%BC%AE is the UTF-8 percent-encoding of 'Fullwidth Latin Capital Letter N' (Ｎ), whose Unicode code point is \uFF2E.

So, if Ｎ appears in the URL, Node.js deletes the \xff byte, and the remaining \x2e is translated to ".".

But after some tries, %EF%BC%AE%EF%BC%AE/ did not work for this challenge. So I tried changing one %EF%BC%AE to ".", and it worked.

Final payload:

http://web.chal.csaw.io:7311/?path=.%EF%BC%AE/flag.txt
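Why a filter that only looks for ".." misses this input, and a check that catches it, as an added example (not the challenge's source code). It assumes the proxy writes the outgoing path with Node's `latin1` encoding, which keeps only the low byte of each character; `asLatin1Wire`, `naiveCheck` and `checkProxyPath` are hypothetical names.

```javascript
// Models the truncation described above: Buffer's 'latin1' encoding keeps
// only the low byte of each UTF-16 code unit, so U+FF2E becomes 0x2E (".").
function asLatin1Wire(path) {
  return Buffer.from(path, 'latin1').toString('latin1');
}

// Hypothetical weak filter: inspects the decoded Unicode string only.
function naiveCheck(rawQueryValue) {
  return !decodeURIComponent(rawQueryValue).includes('..');
}

// Hypothetical hardened validator for the ?path= parameter.
function checkProxyPath(rawQueryValue) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawQueryValue);
  } catch (e) {
    return { ok: false, reason: 'malformed percent-encoding' };
  }
  // Reject anything that would change meaning when narrowed to one byte.
  const hasWide = [...decoded].some((ch) => ch.codePointAt(0) > 0xff);
  if (hasWide) {
    return {
      ok: false,
      reason: 'non-Latin-1 character',
      wire: asLatin1Wire(decoded), // what the backend would have received
    };
  }
  // Plain traversal check on the now byte-safe string.
  const segments = decoded.split(/[\/\\]/);
  if (segments.includes('..') || decoded.startsWith('/')) {
    return { ok: false, reason: 'path traversal' };
  }
  return { ok: true, path: decoded };
}

// Constructed sample inputs: the page's payload, a benign name, plain "../".
for (const sample of ['.%EF%BC%AE/flag.txt', 'orange.txt', '../flag.txt']) {
  console.log(sample, 'naive:', naiveCheck(sample), 'hardened:', checkProxyPath(sample));
}
```

The hardened check validates the same bytes the backend will see, which is the gap the naive filter leaves open.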

 

 

Reference

https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Orange-Tsai-A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages.pdf

http://bobao.360.cn/learning/detail/4183.html

http://www.fileformat.info/info/unicode/char/ff2e/index.htm
