url redirection

Pages: 12
this is for educational purpose

in a website (http://www.example.com/index.php) after the user is logged by submitting his password and username ,

he tried to access http://www.example.com/access.php. The browser sent a request to the server to access http://www.example.com/access.php by clicking a link but the server respond by 302 moved temporarily and redirect the user to
http://www.example.com/denied.php once redirected the page gives access denied
you do not have the permission to access the page.

my question is how to bypass the URL redirection (302 moved temporarily) and the http://www.example.com/denied.php/denied.php (access denied) and be able to access http://www.example.com/access.php????????????
It is not possible, but you can see any output from access.php if it sends anything (it most likely does not). It is completely up to the scripts to decide what you do or don't see.
it is absolutely possible . It is a training challenges for educational purpose

"if it sends anything (it most likely does not)"

when I tried to access access.php a plank page show up saying "please reactivate redirection".


" It is completely up to the scripts to decide what you do or don't see"

you did not say something new.


finally , if you ignore the answer it does not mean that it is impossible

Moreover , I do persist in the fact that if you are not able to answer me for some reasons please , let other do it . Because your answer is so trivial and meaningful
Unless something drastic changed in the last couple years since I last worked with PHP, I still stand by what I said.

Maybe I am not understanding you correctly?
closed account (Dy7SLyTq)
i have to agree with LB on this. if i write a php script to redirect you, there is nothing you can about it short of making a hack in [insert browser of choice here]. you cant really control being redirected off the page. you can however stop something from redirecting to another page (my dad works for a company that writes web filters so i found that interesting)
" short of making a hack in"

I already wrote "It is a training challenges for educational purpose". I means it is a legal hack challenge and there are people who solved it (but very few) . The problem is that I tried many attack techniques to bypass the URL redirection from access.php to denied.php but I failed.

"you can however stop something from redirecting to another page"

according to me , I tried firefox extension (Noredirect). It stopped the redirection but the page became blank .It seems that the site is not vulnerable against this type of attack.

But if you have another idea or technique , you can tell me .

another thing: the site of challenge show a cookie
so I tried
five type of attack:
cookie poisoning attack
cookie injection attack
cookie hijacking attack
session fixation attack
cookie decryption

but I did not succeed

so any idea on how to proceed???

as I said it is a CHALLENGE FOR EDUCATION PURPOSE AND IT IS LEGAL AND HAS NOTHING TO DO WITH ILLEGAL ACTIONS OR SOME OF THE SORT
I'd look into using something like Tamper Data to let you inspect and modify the HTTP request being sent to the server. That could give you the insight you need.

Is there anywhere you could specify a path, other than the URL bar? Or perhaps you could try changing the URL if there is a directory and using its parent directory to access the file, e.g. "http://www.example.com/secret/../access.php"
I don't think it's possible either.
It's as easy as not sending data at all, to avoid these attacks on the server-side.
Quite easy, isn't it.
closed account (Dy7SLyTq)
ILLEGAL ACTIONS OR SOME OF THE SORT

no one has said it is to the best of my knowledge so please calm down. can you show us the other submissions? because the only one to have any inkling so far is chrisname (which doesnt surprise me tbh) and three other x web devs (well idk what Ess is) dont know how to do it
"I'd look into using something like Tamper Data to let you inspect and modify the HTTP request being sent to the server. That could give you the insight you need"

I already tried with many tools

Is there anywhere you could specify a path, other than the URL bar?

no

Or perhaps you could try changing the URL if there is a directory and using its parent directory to access the file, e.g. "http://www.example.com/secret/../access.php"

it is not possible for two reasons

1) it is not vulnerable to directory traversal attack
2) it use a sophisticated 302 redirection whenever you try to access access.php and take you to denied.php

I need another special method rather than classical methods that I tried them all

any suggestion?
There is no hack that can allow what the OP wants. You would have to literally get the source of the PHP script, and as a client you are never able to do this.

It is entirely possible though, and very easy, to ignore the redirect, but this will not get you anywhere.
Last edited on
"I don't think it's possible either.
It's as easy as not sending data at all, to avoid these attacks on the server-side.
Quite easy, isn't it."

either you do not understand my message or I do not get your meaning

this is A CHALLENGE , and I need to solve it but I am confused after hundred of attempts. This is why I post my message here in the forum for help

so what do you mean by :"It's as easy as not sending data at all, to avoid these attacks on the server-side"!!!!!!!!!!!!!!!???

Imagine you're at the post office. You head for one of the counters and it has a sign in front of it saying "closed. Use next window". At that point, there's two things you can do: you can go to the next window, or you can stand there staring at the sign and the empty chair. There's certainly nothing you can do that will make the person who is not there do whatever it is you need done.
The same thing is happening here. When you loaded http://www.example.com/access.php, you actually did get a response: a blank page plus a redirect (redirects aren't part of a page's content). The blank page is the content. You can choose to not follow the redirect, but that won't get you any more data than you already have.
Last edited on
^ That.
If the server sends you no page, how are you supposed to read it?

EDIT: If this challenge has a solution, this is NOT the way to go.
Last edited on
I think this "academic challenge" is actually intended to be a trick question to get people to realize how the security of server-side scripting works.
I interpreted it as one of those "hackthissite"-type challenges where they present you a server with a (usually unrealistic) security flaw that you have to find.
"I interpreted it as one of those "hackthissite"-type challenges where they present you a server with a (usually unrealistic) security flaw that you have to find. "

exactly . But it is in another site which is light years more hard and difficult than the site you mentioned (which is for me easy).

what Helios and LB and DTScode said is very instructive and brilliant. May be it is a madness to try to bypass the redirection(in my challenge context of course).

EssGeEich: If this challenge has a solution, this is NOT the way to go.

May be you are totally right.

I found something new after many other attempts

I found the username of the administrator whose page is access.php

but I could not find the password

besides , there is a page (login.php) in which there is a submit form

for username and password . As I know the username , I tried to launch a brute force attack to find the password and therefore gain access to access.php but without any result.

then I tried sql injection attack by writing these syntax

or '1'='1'
or '1 = 1
or '1 or 1

and many others of the same type but I failed . So may be it is not vulnerable to sql injection attack too
but I know the username . So any suggestion maybe , any help would be appreciated

I hope you manually wrote the ' character, because if you type the ' character in a textbox, it becomes %27 in the URL request.
Last edited on
@EssGeEich
Only if it's a GET request, right? I don't think POST requests are escaped - I don't see any reason for it - and no-one in their right mind would use GET requests for SQL queries.
IDK, perhaps that may help somehow.
Pages: 12