shark0der, posted October 31, 2012 (edited)

Story: Gigel has written his own e-mail client. Try to get past the XSS filter that filters the "to" and "subject" fields. The "message" field is not taken into account, because we want the code to execute as soon as Gigel opens the inbox (the server actually ignores it, so there is no point in modifying it).

URL: The challenge is here.

Rules: The winner must post a screenshot showing their name (in an alert, for example) + the message id, so I can verify it.

Winners: -

====
Edit: I fixed the error "Error: something is broken. That's all I know :|". Please let me know if it happens again.
====
Edit 2: I made a cron job that checks whether the error appears and repairs it if it does. It is a rather crude solution, since I should really fix the problem at the root, but it works. You're all invited now!
====
Update: If you still get the error, it is because you did not get past the filter (see the discussion below). Period.

Edited November 3, 2012 by shark0der
nAb.h4x, posted October 31, 2012

"Error: something is broken. That's all I know :)" I keep getting this.
Cor3Quad, posted October 31, 2012

"Error: something is broken. That's all I know" Same here.
shark0der, posted October 31, 2012

Fixed. I'll write a script to make it self-repair; I'm having some problems with the server...
abraxyss, posted November 1, 2012 (edited)

//Removed

I'll come back with an edit about the filter.

If you simply put the [<] symbol, the script ignores everything in front of it; if you put < it displays [<] normally and does not run it; URL-encode + < displays it as-is [<] (same for HTML entities).

"g %3C igel", where the source is "g < igel": this is the output I get after URL-encoding [<] twice.

Verdict: the filter cannot be bypassed [HTML injection] [I tried much more, but I'm not publishing all of it]. I'm not good with JavaScript.

+ What you saw, shark0der, was after I sent the POST manually: to=a&subject=a

Edited November 4, 2012 by abraxyss
shark0der, posted November 1, 2012 (edited)

Please hide the result, so it isn't easier for the others.

EDIT: @abraxyss Is what you found valid? I found you in the logs by the msg_id you posted initially, but:
1. either I did not log the data properly,
2. or what you found does not work.
Did you find it in the end or not?

Edited November 2, 2012 by shark0der
Andrew., posted November 2, 2012

I also get "Error: something is broken. That's all I know :|".
shark0der, posted November 2, 2012

Andrew, you don't even show up in the logs. At the time you posted, there was no access to the challenge at all (apache access.log).
Andrew., posted November 3, 2012

^ And why would I lie? http://i.imgur.com/mdqky.png
shark0der, posted November 3, 2012

I wasn't trying to attack you, I was just saying what I saw in the logs: the server time is +4. Your message was posted at 17:54. From what I can see, you use Opera. Draw your own conclusions.

Let's close this discussion, because it is pointless.

Still, to give you your due: if you get the error, it is because the filter deletes your content and the variable ends up empty, hence the error.

To verify that it really is the filter and not the server, try sending "x" and "y" in the fields, and you will see that it works every time.

Edit: I'll update the initial post too, so it's clear to everyone.
Genius++, posted November 4, 2012

How interesting...
Maximus, posted November 4, 2012

"Error: something is broken. That's all I know :|"
Robert1995, posted November 4, 2012

What you are doing is not right. An htmlentities plus a strip_tags can solve the problem, but it also has some "holes". Look at the screenshot and see how text gets lost.

(screenshot: 2012-11-04_1400 - RusuAndreiRobert's library)
SKYNET32, posted November 4, 2012

(screenshot: Untitled2.png, hosted on ImageBanana)
Hertz, posted November 5, 2012

Why is the subdomain called "hertz"?
shark0der, posted November 5, 2012

Because I decided to name all the servers after music-related things, hertz being the unit of measurement for frequency, including that of sound waves.
eusimplu, posted November 14, 2012 (edited)

It seems impossible to me to get past the filter when any character 'attached' to < is not visible..., and the way you display the 'script' looks impenetrable to me:

< script >alert(1)</ script>

PS: I separated < from the rest of the characters so that it would be displayed.

Out of curiosity, did you manage to bypass it yourself?

Edited November 14, 2012 by eusimplu
abraxyss, posted November 15, 2012

He didn't manage to; he wanted to see whether his script was any good... This isn't a challenge, man, he just used us.
shark0der, posted November 15, 2012

@abraxyss: Since htmlspecialchars($text, ENT_QUOTES, 'utf-8'); is known to be bulletproof, I don't really see the point in doing what you say.

The challenge was more of an experiment to validate an idea (a challenge platform, to be precise, and so that nobody can say I'm talking bullshit). Unfortunately people were not very active (~2000 requests in 2 weeks), but we'll see.
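The two filter designs the thread argues about, side by side, as an added PHP example (the challenge's own source was never posted, so this is not its code): Robert1995's strip_tags() pass followed by encoding, and the encode-only htmlspecialchars($text, ENT_QUOTES, 'utf-8') that shark0der describes. The inputs are constructed for the example, the assumption that "to"/"subject" are rendered inside a table cell of the inbox is mine, and the href case at the end is a general reminder about output context, not a claim that the challenge had such a sink.

```php
<?php
// Added example, not the challenge's code. Models the two filters discussed
// in the thread; which one the challenge really used is an assumption.

declare(strict_types=1);

/** Filter as Robert1995 suggests: strip tags first, then encode. */
function filter_strip_then_encode(string $field): string
{
    return htmlspecialchars(strip_tags($field), ENT_QUOTES, 'UTF-8');
}

/** Filter as shark0der describes: encode only, never drop input. */
function filter_encode_only(string $field): string
{
    return htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
}

/** Assumed sink: the value is printed as text inside an inbox table cell. */
function inbox_cell(string $encoded): string
{
    return '<td>' . $encoded . '</td>';
}

/**
 * A different sink, for contrast: the value lands in a URL attribute.
 * htmlspecialchars() only rewrites < > & " ' so a javascript: URL passes
 * through unchanged; this sink needs scheme validation, not just encoding.
 */
function link_cell(string $encoded): string
{
    return '<td><a href="' . $encoded . '">open</a></td>';
}

/** Mirrors the check shark0der proposes: an empty result is the "error" case. */
function would_trigger_empty_error(string $filtered): bool
{
    return $filtered === '';
}

// Constructed probe strings (not taken from the challenge logs).
$inputs = [
    'g<igel',                         // abraxyss's case: text after an unmatched '<'
    '<script>alert(1)</script>',      // the classic probe
    '"><img src=x onerror=alert(1)>', // attribute break-out attempt
    "it's <b>bold</b>",               // legitimate subject text with markup
    'javascript:alert(1)',            // harmless in <td>, dangerous in href
];

foreach ($inputs as $raw) {
    $stripped = filter_strip_then_encode($raw);
    $encoded  = filter_encode_only($raw);

    echo "input:            ", var_export($raw, true), "\n";
    echo "  strip+encode:   ", var_export($stripped, true),
         would_trigger_empty_error($stripped) ? "   <- empty: the 'something is broken' case" : '',
         "\n";
    echo "  encode only:    ", var_export($encoded, true), "\n";
    echo "  in <td>:        ", inbox_cell($encoded), "\n";
    echo "  in href:        ", link_cell($encoded), "\n\n";
}
```

Run it with `php filter_demo.php`. strip_tags() removes everything from a `<` that is not followed by whitespace up to the next `>` or, if there is none, to the end of the string; that is why 'g<igel' comes back as 'g' (the lost text in Robert1995's screenshot) and why '<script>alert(1)</script>' comes back empty, matching shark0der's explanation that the variable ends up empty and the error page appears. htmlspecialchars() with ENT_QUOTES turns `<`, `>`, `&`, `"` and `'` into entities, so inside the `<td>` no input can close the cell or open a tag, and no data is lost. The last input shows the limit of that guarantee: 'javascript:alert(1)' contains none of those five characters, so the encoder returns it unchanged and it is only safe because the assumed sink is text, not an href.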