Open 007divyachawla opened 5 years ago
In this case, the application is just checking for the presence of the domain "b0x.com". The script has a regex defined in it to check whether the string "b0x.com" is present in the domain name or not. Now, if the domain name is like "randomb0x.com" or "b0x.com.random", in both domain names we have the string "b0x.com" present.
I just created one sub-domain entry with the sub-domain name "b0x.com" for my domain "mannulinux.org". The full sub-domain will be "b0x.com.mannulinux.org". We need to host the script on the domain "b0x.com.mannulinux.org". The script is the same one which we used for exploitation of the "arbitrary_origin" trust.
Here, the only thing which has to be satisfied is the "origin" having the string value "b0x.com". We already have a domain name with the string "b0x.com" in it, and the script will be the same.
The sub-domain entry which I created is available for use and I am not going to delete it. The domain "b0x.com.mannulinux.org" is pointing to "127.0.0.1". If you want to perform the exploitation, just host the "arbitrary_origin_exploit.html" POC file on your local machine and modify the URL on line no. 53 to "bad_regex.php". Now, craft the URL as per your localhost location and replace "localhost" with "b0x.com.mannulinux.org".
For example, in my case the script was hosted on the URL "http://localhost/b0x/regex_exploit.html". I just replaced "localhost" with "b0x.com.mannulinux.org" and the final URL was "http://b0x.com.mannulinux.org/b0x/regex_exploit.html".
Let me know if you have any issue.
Thanks, Manish
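The origin check described in the comment above, next to a hardened form, as an added example that is not part of the original thread or the project's code. The actual pattern in "bad_regex.php" is not shown on this page, so the weak check is assumed to be an unanchored match on "b0x.com"; the function names, the HTTPS-only rule and the sample origins are constructed for illustration.

```javascript
// Added example, not the project's code. TRUSTED_HOST comes from the thread;
// everything else here is an assumption made for illustration.
const TRUSTED_HOST = "b0x.com";

// Weak (assumed shape of the lab's check): an unanchored pattern accepts any
// Origin value that merely contains the trusted string somewhere.
function weakOriginCheck(origin) {
  return /b0x\.com/.test(origin);
}

// Hardened: parse the Origin header, then compare the host exactly.
function strictOriginCheck(origin, { allowSubdomains = false } = {}) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // "null", empty or malformed Origin values
  }
  // Assumption: the real site is served over HTTPS on the default port.
  if (url.protocol !== "https:" || url.port !== "") return false;
  // A genuine Origin header is only scheme://host, with no path or userinfo.
  if (url.origin !== origin) return false;
  if (url.hostname === TRUSTED_HOST) return true;
  // A true subdomain ends with ".b0x.com"; the leading dot is what stops
  // "randomb0x.com" from matching.
  return allowSubdomains && url.hostname.endsWith("." + TRUSTED_HOST);
}

// Constructed sample origins covering the two patterns named in the thread.
const SAMPLE_ORIGINS = [
  "https://b0x.com",
  "https://api.b0x.com",
  "https://randomb0x.com",
  "https://b0x.com.mannulinux.org",
  "null",
];

// Returns one row per origin so the two checks can be compared side by side.
function auditOrigins(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    weak: weakOriginCheck(origin),
    strict: strictOriginCheck(origin),
    strictWithSubdomains: strictOriginCheck(origin, { allowSubdomains: true }),
  }));
}

console.table(auditOrigins());
```

On the server, the `Access-Control-Allow-Origin` header should echo the request origin only when the strict check passes, and be omitted otherwise.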
The status code is 302... :( Please help me.
Hello,
Please can you provide more details regarding the issue?
Regards, Manish
Please make a POC and also attach the HTML page showing what you have done for the 1st challenge.