lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4EE50542.3050400@tehtri-security.com>
Date: Sun, 11 Dec 2011 20:32:18 +0100
From: Laurent OUDOT at TEHTRI-Security <laurent.oudot-ml@...tri-security.com>
To: full-disclosure@...ts.grok.org.uk
Cc: Laurent ESTIEUX - CTO at TEHTRI-Security
	<laurent.estieux-ml@...tri-security.com>
Subject: Re: [TEHTRI-Security] Ultra quick dummy PHP
 hacking challenge for FD readers

Hello,

Back to this quick dummy PHP Hacking challenge. We remind you that the 
login was "adm", and the password was supposed to be "31337", when you 
check at this code:

<?php if($_POST['l']=='adm'&&  $_POST['p']=='31337') { echo "Welcome"; } 
else { echo "Tsss..."; } ?>

So we got answers from people claiming that there was no other solution 
than using "31337" as a password, by reading this code, and that it was 
quite a stupid question...

But as we said, PHP is magic, and let's have a look at some of the best 
answers we got for this quick challenge, where you had to propose p= 
seomthing that would also work, without being 31337:

#1 Our favorite PHP expert:
From: @i0n1c ( https://twitter.com/#!/i0n1c/status/144808482820984834 )
p=0.0000000000000000003133699999999999999900735000735000753000420042e23

#2 A nice answer that we got really quickly
From: @Tyr43l
p=+31336.9999999999999999999999999999999999999

#3 Someone who want to remain anonymous because of his "company" :)
From: ?
p=0x7a69


The passwords proposed by these people work, though it's not "31337"... 
Weird ? Here are some interesting pointers in case you'd like to go 
further (quick answers).

First, check this:
http://www.php.net/manual/en/language.operators.array.php

$a === $b 	Identity 	TRUE if $a and $b have the same key/value pairs in 
the same order and of the same types.

$a == $b 	Equality 	TRUE if $a and $b have the same key/value pairs.

So, when we had " if(... $_POST['p']=='31337') " it meant that PHP would 
not have to check that we had the same types.

That's why using Octal, Hexadecimal, etc, will also work.

And it's rare to see people looking at things like type enforcement 
through PHP source code, which sometimes lead to vulnerabilities...

Also, you can read more information about Integers and PHP from here:
http://php.net/manual/en/language.types.integer.php

As promised, winners all got the music "Song 4 Hackers" on Apple Store.

We also got emails from people asking to get "Song 4 Hackers" for free.
You can listen to sample from here http://elena-laurent.zimbalam.com/

Thanks for all the emails we got from friends of Full Disclosure,

We hope you enjoyed this tiny entertainment through PHP fun,

Check your code,
Peace,

Laurent OUDOT, CEO TEHTRI-Security, from BlackHat Abu-Dhabi


On 08/12/11 15:59, Laurent OUDOT at TEHTRI-Security wrote:
> == Challenge ==
>
> Title: Ultra quick dummy PHP challenge for Full-Disclosure readers
>
> 1. Read the following single line of PHP Source code. Find the most
> geeky/funny way to remotely display "Welcome".
>
> 2. Directly send us your answer ->  do not Cc/To the mailing list! Please
> keep the same subject so that we can try to find your reply.
>
> 3. You won? We'll then contact u,to grab your precious price (music).
> Best answers will be shared back on this list, just for the lol :)
>
>
> == PHP Source code (1 line) ==
>
> Tips: "Your eyes can deceive you, don't trust them", Obi1 Kenobi.
>
> <?php if($_POST['l']=='adm'&&  $_POST['p']=='31337') { echo "Welcome"; }
> else { echo "Tsss..."; } ?>
>
>
> == Weird (dummy) ?! ==
>
> Q: I'm l33t and I can already see the password in the source code.WTF ?!
> A: Hum... We will wait for the best answers. Remember, PHP is magic.
> Though it's easy, it's a fun example to see how PHP can behave. Such
> behavior might sometimes lead to security issues.
>
> Q: Sir, what is the target platform,OS,etc? Can I get more information ?
> A: Keep it simple. Choose yourself. Explain us your choices when needed.
>
> Q: Huh, may I do fuzzing, bruteforce&  other l33t techniques: antiSEP..?
> A: Pfff. Bro, let's do it with your own style. You don't need advices.
>
>
> == Timing (quick) ==
>
> Answers will be accepted till next Sunday noon GST [Gulf Standard Time].
>
> Q: Why a so quick challenge ?
> A: Cause it's just a quick (&dummy) PHP challenge.
>
>
> == Winners ==
>
> Top best answers will get track "Song 4 Hackers/g0t r8t" for free from:
>
> http://itunes.apple.com/us/album/song-4-hackers-g0t-r8t/id475484468
>
> Q: Why don't u propose pure l33t track, like Justin Bieber, Rick Roll..?
> A: Cause.. Well, I know what you did last summer.
>
> Q: I dont have iP* device. Could you provide an iPhone 4S with the song?
> A: Lol :) Well,do u want a jailbroken? Left as a bonus exercise. Or not.
>
>
> == More fun ? ==
>
> Q: I do like such kind of stupid hacking tricks. Where can I grab more ?
> A: Reach your local hackerspaces, or also join us during our trainings /
> conferences, where we usually give/explain 0days/tricks directly:
>
> - Middle East / United Arab Emirates / Abu Dhabi -->  BlackHat
>   Training "Advanced PHP Hacking"
>   When ? Next week, December 2011
> [w]
> https://www.blackhat.com/html/bh-ad-11/training/bh-ad-11-training_PHP.html
>
> - Asia / India / Mumbai -->  Hack In The Box GSEC [!] Training
>   "STRATEGIC CYBER ATTACKS – ADVANCED PERSISTENT THREATS AND BEYOND"
>   When ? 20th&  21st February 2012
> [w] http://gsec.hitb.org/?p=134
>
> - Europe / Netherlands / Amsterdam -->  Hack In The Box [!]
>   Training "Hunting Web Attackers"
>   When ? 22nd&  23rd May 2012
> [w] http://conference.hitb.org/hitbsecconf2012ams/?page_id=438
>
>
> == End ==
>
> Best regards and have (some seconds/minutes of) fun,
>
> Laurent Estieux (CTO) and Laurent Oudot (CEO)
>   TEHTRI-Security - "This is not a game"
>   [w] http://www.tehtri-security.com/
>   [w] http://twitter.com/tehtris
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ