Date: Thu, 08 Dec 2011 15:59:49 +0100
From: Laurent OUDOT at TEHTRI-Security <laurent.oudot-ml@...tri-security.com>
To: full-disclosure@...ts.grok.org.uk
Cc: Laurent ESTIEUX - CTO at TEHTRI-Security <laurent.estieux-ml@...tri-security.com>
Subject: [TEHTRI-Security] Ultra quick dummy PHP hacking challenge for FD readers

== Challenge ==

Title: Ultra quick dummy PHP challenge for Full-Disclosure readers

1. Read the following single line of PHP Source code. Find the most
geeky/funny way to remotely display "Welcome".

2. Directly send us your answer -> do not Cc/To the mailing list! Please
keep the same subject so that we can try to find your reply.

3. You won? We'll then contact u, to grab your precious prize (music).
Best answers will be shared back on this list, just for the lol :)


== PHP Source code (1 line) ==

Tips: "Your eyes can deceive you, don't trust them", Obi-Wan Kenobi.

<?php if($_POST['l']=='adm' && $_POST['p']=='31337') { echo "Welcome"; }
else { echo "Tsss..."; } ?>


== Weird (dummy) ?! ==

Q: I'm l33t and I can already see the password in the source code. WTF?!
A: Hum... We will wait for the best answers. Remember, PHP is magic.
Though it's easy, it's a fun example to see how PHP can behave. Such
behavior might sometimes lead to security issues.

Q: Sir, what is the target platform, OS, etc.? Can I get more information?
A: Keep it simple. Choose yourself. Explain your choices to us when needed.

Q: Huh, may I do fuzzing, bruteforce & other l33t techniques: antiSEP..?
A: Pfff. Bro, let's do it with your own style. You don't need advice.


== Timing (quick) ==

Answers will be accepted till next Sunday noon GST [Gulf Standard Time].

Q: Why such a quick challenge?
A: Cause it's just a quick (& dummy) PHP challenge.


== Winners ==

Top best answers will get track "Song 4 Hackers/g0t r8t" for free from:

http://itunes.apple.com/us/album/song-4-hackers-g0t-r8t/id475484468

Q: Why don't u propose a pure l33t track, like Justin Bieber, Rick Roll..?
A: Cause.. Well, I know what you did last summer.

Q: I don't have an iP* device. Could you provide an iPhone 4S with the song?
A: Lol :) Well, do u want a jailbroken one? Left as a bonus exercise. Or not.


== More fun ? ==

Q: I do like this kind of stupid hacking trick. Where can I grab more?
A: Reach your local hackerspaces, or also join us during our trainings /
conferences, where we usually give/explain 0days/tricks directly:

- Middle East / United Arab Emirates / Abu Dhabi --> BlackHat
 Training "Advanced PHP Hacking"
 When? Next week, December 2011
 [w] https://www.blackhat.com/html/bh-ad-11/training/bh-ad-11-training_PHP.html

- Asia / India / Mumbai --> Hack In The Box GSEC [!] Training
 "STRATEGIC CYBER ATTACKS – ADVANCED PERSISTENT THREATS AND BEYOND"
 When? 20th & 21st February 2012
 [w] http://gsec.hitb.org/?p=134

- Europe / Netherlands / Amsterdam --> Hack In The Box [!]
 Training "Hunting Web Attackers"
 When? 22nd & 23rd May 2012
 [w] http://conference.hitb.org/hitbsecconf2012ams/?page_id=438


== End ==

Best regards and have (some seconds/minutes of) fun,

Laurent Estieux (CTO) and Laurent Oudot (CEO)
 TEHTRI-Security - "This is not a game"
 [w] http://www.tehtri-security.com/
 [w] http://twitter.com/tehtris
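As an added example (not part of the original post or of TEHTRI-Security's material), the challenge's loose check placed beside a strict version, to show why PHP's == on numeric strings is the risk the post hints at and how the check should be written instead; it assumes PHP 7 or later, and the 'adm' / '31337' credential is the one from the post:

```php
<?php
// Added example, not part of the original post. It shows why the challenge's
// loose comparison ($_POST['p'] == '31337') is risky: PHP compares two numeric
// strings numerically, so several distinct strings satisfy the check. It then
// shows the check rewritten with strict comparison and a password hash.
// Assumes PHP >= 7; the credential 'adm' / '31337' is the one from the post.

// The challenge's check, same logic as the posted one-liner.
function check_login_loose(array $post): bool {
    return ($post['l'] ?? '') == 'adm' && ($post['p'] ?? '') == '31337';
}

// Hardened check: reject non-string input (e.g. p[]=x arrays), use === for
// the username, and verify the password against a stored hash.
function check_login_strict(array $post, string $stored_hash): bool {
    $l = $post['l'] ?? null;
    $p = $post['p'] ?? null;
    if (!is_string($l) || !is_string($p)) {
        return false;
    }
    return $l === 'adm' && password_verify($p, $stored_hash);
}

// Constructed inputs: each is a different string, yet all but the last are
// numeric strings equal to 31337, so == accepts them as the right password.
$inputs = [
    '31337',     // exact value
    '031337',    // leading zero
    '31337.0',   // decimal form
    '3.1337e4',  // scientific notation
    ' 31337',    // leading whitespace is allowed in a numeric string
    '31337x',    // not numeric -> plain string comparison -> false
];

// What the server should store instead of a plaintext constant.
$stored_hash = password_hash('31337', PASSWORD_DEFAULT);

foreach ($inputs as $p) {
    $post = ['l' => 'adm', 'p' => $p];
    printf("%-12s loose=%-5s strict=%s\n",
        var_export($p, true),
        check_login_loose($post) ? 'true' : 'false',
        check_login_strict($post, $stored_hash) ? 'true' : 'false');
}
```

Only the exact string passes the strict check; the loose check accepts every numeric variant in the list.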
