In this task we had a web application for testing the Heartbleed vulnerability. If we scanned a host, we got back the response and the data leaked from its memory. We were then told that the response was tracked in the **database**. That made us suspect some sort of injection through the Heartbleed script response. But how do you put arbitrary data in the leaked memory? We set up a Python web server with HTTPS support, backed by a vulnerable OpenSSL. Then we scripted an exploit that flooded the web server with requests like GET /sql_injection_here to fill its memory with our injection.

http://pastebin.com/vuvQ05sH <– server_web300.py

http://pastebin.com/4Xbqxz4Q <– exploit_web300.py

Now just run those scripts and go to http://bleeding.pwn.seccon.jp/?ip=95.249.41.37&port=31337 . Once the page has loaded, you can see the flag in the HTML comment next to TIME=..: SECCON{IknewIt!SQLiteAgain!!!}

Razor4x
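
The root cause on the scanner side is that memory leaked from a remote host is attacker-controlled input, yet it was written into SQLite as part of the SQL text. The sketch below is an added example, not code from the challenge or from the linked scripts: it logs the same constructed "leak" once by string formatting and once with bound parameters. The table layout, function names, target address and sample bytes are all assumptions made for illustration.

```python
import sqlite3

# Constructed sample of "leaked memory": a request line left in the target's heap.
LEAK = b"GET /a' || upper('evaluated') || 'b HTTP/1.1"


def make_db():
    # Hypothetical schema for the scanner's result log.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE results (target TEXT, leaked)")
    return db


def log_unsafe(db, target, leaked):
    # Vulnerable pattern: the leaked bytes become part of the SQL statement,
    # so a quote inside them ends the string literal and the rest is parsed as SQL.
    text = leaked.decode("latin-1")
    db.execute(
        "INSERT INTO results (target, leaked) VALUES ('%s', '%s')" % (target, text)
    )


def log_safe(db, target, leaked):
    # Hardened pattern: placeholders bind the value as data. Passing bytes
    # stores a BLOB, so non-UTF-8 and NUL bytes survive unchanged.
    db.execute("INSERT INTO results (target, leaked) VALUES (?, ?)", (target, leaked))


def stored(db):
    return db.execute("SELECT leaked FROM results").fetchone()[0]


def demo():
    # Log the same leak through both code paths and return what ended up stored.
    out = {}
    for name, logger in (("unsafe", log_unsafe), ("safe", log_safe)):
        db = make_db()
        logger(db, "192.0.2.10:443", LEAK)
        out[name] = stored(db)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, repr(value))
```

In the unsafe path the stored value differs from the input, which shows the database evaluated part of the leak as an expression; in the safe path the bytes come back exactly as received.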