| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 11 Dec 2011 20:32:18 +0100
From: Laurent OUDOT at TEHTRI-Security <laurent.oudot-ml@...tri-security.com>
To: full-disclosure@...ts.grok.org.uk
Cc: Laurent ESTIEUX - CTO at TEHTRI-Security
<laurent.estieux-ml@...tri-security.com>
Subject: Re: [TEHTRI-Security] Ultra quick dummy PHP
hacking challenge for FD readers
Hello,
Back to this quick dummy PHP Hacking challenge. We remind you that the
login was "adm", and the password was supposed to be "31337", when you
check at this code:
<?php if($_POST['l']=='adm'&& $_POST['p']=='31337') { echo "Welcome"; }
else { echo "Tsss..."; } ?>
So we got answers from people claiming that there was no other solution
than using "31337" as a password, by reading this code, and that it was
quite a stupid question...
But as we said, PHP is magic, and let's have a look at some of the best
answers we got for this quick challenge, where you had to propose p=
seomthing that would also work, without being 31337:
#1 Our favorite PHP expert:
From: @i0n1c ( https://twitter.com/#!/i0n1c/status/144808482820984834 )
p=0.0000000000000000003133699999999999999900735000735000753000420042e23
#2 A nice answer that we got really quickly
From: @Tyr43l
p=+31336.9999999999999999999999999999999999999
#3 Someone who want to remain anonymous because of his "company" :)
From: ?
p=0x7a69
The passwords proposed by these people work, though it's not "31337"...
Weird ? Here are some interesting pointers in case you'd like to go
further (quick answers).
First, check this:
http://www.php.net/manual/en/language.operators.array.php
$a === $b Identity TRUE if $a and $b have the same key/value pairs in
the same order and of the same types.
$a == $b Equality TRUE if $a and $b have the same key/value pairs.
So, when we had " if(... $_POST['p']=='31337') " it meant that PHP would
not have to check that we had the same types.
That's why using Octal, Hexadecimal, etc, will also work.
And it's rare to see people looking at things like type enforcement
through PHP source code, which sometimes lead to vulnerabilities...
Also, you can read more information about Integers and PHP from here:
http://php.net/manual/en/language.types.integer.php
As promised, winners all got the music "Song 4 Hackers" on Apple Store.
We also got emails from people asking to get "Song 4 Hackers" for free.
You can listen to sample from here http://elena-laurent.zimbalam.com/
Thanks for all the emails we got from friends of Full Disclosure,
We hope you enjoyed this tiny entertainment through PHP fun,
Check your code,
Peace,
Laurent OUDOT, CEO TEHTRI-Security, from BlackHat Abu-Dhabi
On 08/12/11 15:59, Laurent OUDOT at TEHTRI-Security wrote:
> == Challenge ==
>
> Title: Ultra quick dummy PHP challenge for Full-Disclosure readers
>
> 1. Read the following single line of PHP Source code. Find the most
> geeky/funny way to remotely display "Welcome".
>
> 2. Directly send us your answer -> do not Cc/To the mailing list! Please
> keep the same subject so that we can try to find your reply.
>
> 3. You won? We'll then contact u,to grab your precious price (music).
> Best answers will be shared back on this list, just for the lol :)
>
>
> == PHP Source code (1 line) ==
>
> Tips: "Your eyes can deceive you, don't trust them", Obi1 Kenobi.
>
> <?php if($_POST['l']=='adm'&& $_POST['p']=='31337') { echo "Welcome"; }
> else { echo "Tsss..."; } ?>
>
>
> == Weird (dummy) ?! ==
>
> Q: I'm l33t and I can already see the password in the source code.WTF ?!
> A: Hum... We will wait for the best answers. Remember, PHP is magic.
> Though it's easy, it's a fun example to see how PHP can behave. Such
> behavior might sometimes lead to security issues.
>
> Q: Sir, what is the target platform,OS,etc? Can I get more information ?
> A: Keep it simple. Choose yourself. Explain us your choices when needed.
>
> Q: Huh, may I do fuzzing, bruteforce& other l33t techniques: antiSEP..?
> A: Pfff. Bro, let's do it with your own style. You don't need advices.
>
>
> == Timing (quick) ==
>
> Answers will be accepted till next Sunday noon GST [Gulf Standard Time].
>
> Q: Why a so quick challenge ?
> A: Cause it's just a quick (&dummy) PHP challenge.
>
>
> == Winners ==
>
> Top best answers will get track "Song 4 Hackers/g0t r8t" for free from:
>
> http://itunes.apple.com/us/album/song-4-hackers-g0t-r8t/id475484468
>
> Q: Why don't u propose pure l33t track, like Justin Bieber, Rick Roll..?
> A: Cause.. Well, I know what you did last summer.
>
> Q: I dont have iP* device. Could you provide an iPhone 4S with the song?
> A: Lol :) Well,do u want a jailbroken? Left as a bonus exercise. Or not.
>
>
> == More fun ? ==
>
> Q: I do like such kind of stupid hacking tricks. Where can I grab more ?
> A: Reach your local hackerspaces, or also join us during our trainings /
> conferences, where we usually give/explain 0days/tricks directly:
>
> - Middle East / United Arab Emirates / Abu Dhabi --> BlackHat
> Training "Advanced PHP Hacking"
> When ? Next week, December 2011
> [w]
> https://www.blackhat.com/html/bh-ad-11/training/bh-ad-11-training_PHP.html
>
> - Asia / India / Mumbai --> Hack In The Box GSEC [!] Training
> "STRATEGIC CYBER ATTACKS – ADVANCED PERSISTENT THREATS AND BEYOND"
> When ? 20th& 21st February 2012
> [w] http://gsec.hitb.org/?p=134
>
> - Europe / Netherlands / Amsterdam --> Hack In The Box [!]
> Training "Hunting Web Attackers"
> When ? 22nd& 23rd May 2012
> [w] http://conference.hitb.org/hitbsecconf2012ams/?page_id=438
>
>
> == End ==
>
> Best regards and have (some seconds/minutes of) fun,
>
> Laurent Estieux (CTO) and Laurent Oudot (CEO)
> TEHTRI-Security - "This is not a game"
> [w] http://www.tehtri-security.com/
> [w] http://twitter.com/tehtris
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists