[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4F705613.3000902@hackerzvoice.net>
Date: Mon, 26 Mar 2012 13:42:11 +0200
From: majinboo <majinboo@...kerzvoice.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Oracle based personal data dumping attack on
the nuit du hack CTF
BTW last vuln' was also fixed during the prequals.
MajinBoo
Le 26/03/12 13:37, Damien Cauquil a écrit :
> Hi klondike,
>
>
> > PS: What I wonder now is, are the guys behind the CTF reading
> Full-disclosure?
>
> I guess you now have your answer.
>
> > The guys have a cool XSS injection on the fake webmail service which
> can be exploited with a properly crafted subject
>
> You're right, and it has been fixed during the prequals. Anyway, this
> vulnerability is minor because teams couldn't send emails to each
> others. At least, you can pwn your own web browser.
>
> For the last vuln mentionned, we were aware of it. Guys who wrote the
> code were seriously slapped.
>
> Damien, NDH prequals team
>
> --
> *Damien Cauquil*
> Directeur de Recherche
> CEH, CHFI, ECSA, CEI
> Tél. : +33 (0)1 78 76 58 21
> Fax.: +33 (0)1 40 12 74 41
>
> *Sysdream IT Security Services*
> 108, av. Gabriel Péri
> 93400 Saint Ouen
> http://www.sysdream.com/
>
> Le samedi 24 mars 2012 à 05:54 +0100, klondike a écrit :
>> El 24/03/12 05:27, klondike escribió:
>>> So I was bored with the nuit du hack prequals and decided to test a
>>> bit the e-mail service.
>>>
>>> The guys have a cool XSS injection on the fake webmail service which
>>> can be exploited with a properly crafted subject (i.e.
>>> <script>alert('Hello!');</script> ). I thought the guys behind nuit
>>> du hack were a bit more serious than this...
>>>
>>> klondike
>>>
>> BTW and on completely unrelated note there is an attack which could
>> allow an attacker to guess the addresses of the participants as long
>> as they are on a database owned by him. This attack works by
>> consulting the page as if it were a yes/no oracle and using the
>> results to know wether an address is on the page database or not.
>>
>> Usages of the attack? Well, trying to guess participants passwords,
>> phising attacks, spamming ... Pick your choice xD
>>
>> And as with any good full disclosure here you go a nice script to
>> exploit it:
>> while read email; do curl -s -o-
>> http://prequals.nuitduhack.com/rememberme.php -d "mail=$email" |
>> fgrep '<div class="error">This mail doesn'\''t correspond to any
>> account</div>' > /dev/null && echo Failure || echo "$email"; done
>>
>> Well don't be bad with it, participants have no fault of this,
>>
>> klondike
>>
>> PS: What I wonder now is, are the guys behind the CTF reading
>> Full-disclosure?
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter:http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia -http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists