Web - Server

Saturday 10 May 2014, 07:53  #1
Web - Server - CRLF
th3ss
  • 5 posts

Hi, I know about CRLF injections and how to inject \n\r into headers and change the response,
but I couldn't find out how to authenticate or steal the content of the page using this vuln.

Any help?

Sunday 11 May 2014, 11:08  #2
Web - Server - CRLF
m31z0nyx
  • 394 posts

Hi th3ss,

Look at the log and guess what kind of data you can be asked to inject. 😉

Sunday 11 May 2014, 17:58  #3
Web - Server - CRLF
th3ss
  • 5 posts

Yeah, I tried that. Injecting HTML code or SQL queries is not an option.
I even tried injecting system commands...
I have no idea what to do :(

Sunday 11 May 2014, 21:16  #4
Web - Server - CRLF
m31z0nyx
  • 394 posts

Hmm, yeah. The major difficulty is maybe finding out precisely what is requested.
What I can say is that you will never find such a thing as what is requested here for real. It only works here to make up an educational CR/LF-based challenge.

Hope this can help you find a new approach :)

Sunday 22 February 2015, 04:27  #5
Web - Server - CRLF
her0kings1ey
  • 3 posts

I wonder, after I inject a false log, what else can I do to get the flag?

Sunday 22 February 2015, 04:32  #6
Web - Server - CRLF
her0kings1ey
  • 3 posts

I get it... it should be exactly like the first log.

Monday 8 June 2015, 07:33  #7
Web - Server - CRLF
133720
  • 3 posts

I don’t understand what "inject false log" means.

Two ways to inject CRLF on username=injection&password=injection

Please give me a little guide for this.
Thanks, my bros.
Cheers

Tuesday 9 June 2015, 09:35  #8
Web - Server - CRLF
mooh
  • 6 posts

Hi 133720, have a look at what her0kings1ey wrote in the previous message :)

Monday 29 June 2015, 01:34  #9
Web - Server - CRLF
Mister_Bert0ni
  • 9 posts

Try using urlencode in your injection point and make the fake authentication log.

Monday 9 May 2016, 11:29  #10
Web - Server - CRLF
lucifer
  • 1 posts

Where do I do the injection in this challenge?

Sunday 31 July 2016, 23:11  #11
Web - Server - CRLF
Technocratik
  • 2 posts

One amendment to her0kings1ey’s comment. Don’t try to reproduce the log *exactly* in your injection. Only the minimum amount to make it look genuine is needed. This threw me off for a while.

Monday 20 March 2017, 16:10  #12
Web - Server - CRLF
SystemShock
  • 2 posts

Thank you so much, Technocratik! I finally understood why I couldn’t validate this challenge!

Monday 18 December 2017, 16:23  #13
Web - Server - CRLF
diis
  • 1 posts

Ahhhh stuck on this challenge for days. To the new readers, like me... look at the original log without any of your inserted entries... what users connected? How can you make it seem like a user you know exists also successfully connected?

Monday 8 January 2018, 05:09  #14
Web - Server - CRLF
wuqi
  • 3 posts

Look at the log, please...

Monday 28 January 2019, 13:31  #15
Web - Server - CRLF
ori
  • 1 posts

Hi,
I tried to write a fake access to the log file and I didn’t get anything.
Can someone help me?

[Th1b4ud : NO SPOIL PLEASE]

Friday 26 July 2019, 15:52  #16
Web - Server - CRLF
tommie
  • 3 posts

What does the false data mean??
Explain it to me, please.
I try to input anything but I only get "failed to authenticate".

Friday 25 October 2019, 19:22  #17
Web - Server - CRLF
viky123
  • 1 posts

Hey,
I got the solution but can’t understand why that is the only solution.
Please tell me how that solution actually worked.
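
Added example, not part of the thread and not the challenge's own code: why a URL-encoded CR/LF in the `username` field can forge an authentication log entry when the logger writes the value verbatim, and how escaping control characters before logging prevents it. The log format, function names and request body are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed log format for illustration; not the challenge's real format.
def _status(ok: bool) -> str:
    return "authenticated." if ok else "failed to authenticate."

def log_line_naive(username: str, ok: bool) -> str:
    """Vulnerable: the username reaches the log file verbatim."""
    return f"{username} {_status(ok)}\n"

# Characters that str.splitlines() and many log viewers treat as line breaks
# but that are not below 0x20.
_EXTRA_BREAKS = "\x7f\x85\u2028\u2029"

def neutralize(value: str) -> str:
    """Escape the backslash first, then every control/line-break character,
    so one request yields exactly one log line and escapes stay unambiguous."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif code < 0x20 or ch in _EXTRA_BREAKS:
            out.append(f"\\x{code:02x}" if code < 0x100 else f"\\u{code:04x}")
        else:
            out.append(ch)
    return "".join(out)

def log_line_safe(username: str, ok: bool) -> str:
    """Hardened: user-controlled data is neutralized before it is logged."""
    return f"{neutralize(username)} {_status(ok)}\n"

def handle_failed_login(body: str, render) -> str:
    """Parse a form body (URL-decoding happens in parse_qs) and build the
    log text for a failed login using the given renderer."""
    fields = parse_qs(body, keep_blank_values=True)
    username = fields.get("username", [""])[0]
    return render(username, False)

# Constructed request body: %0d%0a decodes to CR LF inside the username.
FORGED_BODY = "username=guest%0d%0aalice+authenticated.%0d%0aguest&password=x"

if __name__ == "__main__":
    print(handle_failed_login(FORGED_BODY, log_line_naive), end="")
    print(handle_failed_login(FORGED_BODY, log_line_safe), end="")
```

With the naive renderer a single failed request leaves three lines in the log, one of which claims a login that never happened; with the hardened renderer the same request stays on one line and the escaped `\x0d\x0a` is visible to whoever reviews the log.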