<?php
/*
 * A simple method for communicating key->data sets across
 * requests/machines along with some meta-data regarding
 * lifetime of the data as well as owner.
 *
 * For example, assume a token is emailed to individuals that
 * allows them to access some particular data/functionality
 * for a specific period of time. By providing a URL for them
 * to click that has the token embedded, you can verify the data
$encryptedString = '7DjnpOXG+FrUaOuc8x6vyrkk3atSiAf425ly5KpG7lOYgwouw2UATw==';
$iv = '12345678';
$passphrase = '8chrsLng';
$string = &decryptPhpEncrypted($encryptedString, $passphrase, $iv);
# Expect: Some Secret thing I want to encrypt
sub decryptPhpEncrypted() {
    my ($encryptedString, $passphrase, $iv) = @_;
    my $keysize = length($passphrase);
#!/usr/bin/env python
#
# sha1 padding/length extension attack
# by rd@vnsecurity.net
# modified by ... rob@hines57.com
#
import sys
import hashlib
import sha
<html>
<head>
<title>Bubba Hacks Level 2 Server</title>
</head>
<body>
<?php
$myPubKey = 'STICK YER OWN PUB KEY INFO HERE';
print "Finding Real Path ...<br/>";
We can see that it's querying the SQL database with our user-supplied input. We also know that it is an sqlite3 database. When looking at the SQL statement, we can see that it's using the LIKE operator, which happens to have a wildcard character (%). When we supply the wildcard character, it will respond with all the secrets in the database.
So let's step through the code and see what's happening:
creates $filename storing 'secret-combination.txt'
extract $_GET (all GET parameters supplied by the user)
if $attempt is set:
    declare $combination with the trim()'d contents of $filename
    if $attempt and $combination are equal
        print contents of 'level02-password.txt'
    else
        print incorrect
<html>
<head>
<title>Bubba Hacks Level 2 Server</title>
</head>
<body>
<h1>Your Level 3 Password</h1>
<?php echo file_get_contents('../password.txt'); ?>
</body>
</html>
Ok, so let's look at some important parts. We know it's sqlite3 again, and we know how the table is set up:
# CREATE TABLE users (
#     id VARCHAR(255) PRIMARY KEY AUTOINCREMENT,
#     username VARCHAR(255),
#     password_hash VARCHAR(255),
#     salt VARCHAR(255)
# );
This is a nice little XSS/XSRF challenge. The goal here is to get that karma_fountain to send you some karma, which in turn will let you view their password.
When registering a new account, you can insert malicious code into the password field, which will then be displayed once you send someone karma, because the application is designed to show users your password once they receive karma.
In this situation they're including jQuery, which makes our lives even easier when making requests. The idea is to inject some malicious code into karma_fountain's page that will automatically make them transfer you some karma.
I went and created a new user named 'bubba' with the password:
'<script>$.post("transfer", { to: "bubba", amount: "2" } );</script>'
So, this problem is just... insecure communication in general. There are a couple of issues here.
This code block checks that the request was a POST, but it doesn't check whether the supplied parameters came from the query string or from the POST body:
post '/*' do
  pingback = params[:pingback]
  username = params[:username]