<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <title>Static Site</title>
  <link rel="stylesheet" href="./static/bootstrap.min.css">
</head>
<body class="text-center">
  <div class="cover-container d-flex h-100 p-3 mx-auto flex-column">
    <header class="mt-5">
      <h3 class="masthead-brand">Static Site</h3>
    </header>
    <main role="main" class="mt-5">
      <p class="lead"><img src="./static/hacker.gif"/></p>
      <p class="lead pt-5">
        Ok, hackers, I created a static site with a strict Content-Security-Policy.
      </p>
      <p class="lead">
        It is simply impossible to steal my cookies now!
      </p>
      <p class="lead">
        But, you can still try:
      </p>
      <p>
        <form id="form" class="form-inline justify-content-center" method="POST" action="https://bot-static-site.volgactf-task.ru/">
          <div class="form-group">
            <label for="url">URL</label>
            <input type="url" name="url" id="url" class="form-control mx-sm-3">
            <input type="submit" class="btn btn-secondary g-recaptcha" data-sitekey="6LdN230aAAAAAPsMXHWZ9szidC6tbkSzWDarMqmL" data-callback="onSubmit" data-action="submit">
          </div>
        </form>
      </p>
    </main>
  </div>
  <script src="https://www.google.com/recaptcha/api.js"></script>
  <script src="./static/captcha.js"></script>
</body>
</html>
Writeup
After reviewing the nginx config and the HTML file, this part caught my eye:
Then I googled "nginx $uri vulnerability" and found some useful resources:
We can use CRLF injection and change the request. I am not familiar with nginx, so I created an environment on my local machine to see how I could use it. After playing for a while I found that I can fake the Host header to read the file in my own bucket:
So the solution is straightforward:
html file
js file
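A defender-side check for the $uri pattern the writeup refers to, added here as an example and not part of the original writeup or the challenge's files: it flags nginx directives that expand the URL-decoded $uri (or $document_uri) into a response or upstream header, and rejects request paths whose decoded form would carry CR or LF. The sample config and hostname are constructed; $request_uri is shown as the hardened alternative because nginx does not decode it.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# nginx URL-decodes these variables before substitution, so %0d%0a in the
# request path becomes a literal CR LF once expanded into a header value.
DECODED_PATH_VARS = re.compile(r"\$(?:uri|document_uri)\b")

# Directives whose argument ends up in a response header or the upstream request.
HEADER_EMITTING = ("return", "add_header", "proxy_set_header", "proxy_pass")


def find_crlf_sinks(config: str) -> List[Tuple[int, str]]:
    """Return (line_number, directive) for every header-emitting directive
    that expands a decoded path variable; each is a CRLF-injection candidate."""
    hits = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        directive = line.split(None, 1)[0]
        if directive in HEADER_EMITTING and DECODED_PATH_VARS.search(line):
            hits.append((n, line))
    return hits


def path_is_header_safe(request_path: str) -> bool:
    """True unless the decoded path contains CR or LF; a proxy should apply
    this before echoing a path into any header it builds itself."""
    return not any(c in unquote(request_path) for c in "\r\n")


# Constructed sample config (hypothetical), not the challenge's own nginx.conf.
SAMPLE_CONF = """
server {
    listen 80;
    # Weak: $uri is decoded, so an encoded CRLF in the path lands in Location.
    location /old/ {
        return 302 https://example.invalid$uri;
    }
    # Hardened: $request_uri is the raw, still-encoded request line.
    location /new/ {
        return 302 https://example.invalid$request_uri;
    }
}
"""
```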