exploit-db-mirror/exploits/multiple/webapps/47688.md at 809d81619e7de523c33f1757a06a759295b0f917

Offensive Security b4c96a5864 DB: 2021-09-03

28807 changes to exploits/shellcodes

2021-09-03 20:19:21 +00:00

593 B

Raw Blame History

The trick is to use a vertical tab (%09) and then place another URL in the tag. So once a victim clicks the link on the error page, she will go somewhere else.

As you can see, the browser changes the destination from relative / to an absolute url https://enoflag.de. The exploit is http://domain.tld/%09//otherdomain.tld

Here's the httpd configuration to reproduce the behavior:

    <Location />
        ProxyPass http://127.0.0.1:9000/ connectiontimeout=1 timeout=2
        ProxyPassReverse http://127.0.0.1:9000/
        Order allow,deny
        Allow from all
    </Location>

593 B Raw Blame History

593 B

Raw Blame History