Category: OverTheWire

14/09/2013

[OverTheWire] Natas – Level 23

http://natas23.natas.labs.overthewire.org/ Congratulations! You have reached the end… for now. Rồi, ai về nhà nấy, hẹn gặp lại

OverTheWire

14/09/2013

[OverTheWire] Natas – Level 22

http://natas22.natas.labs.overthewire.org/ only admins can reveal the password… Nhấn View sourcecode:

<?
session_start();

if(array_key_exists("revelio", $_GET)) {
    // only admins can reveal the password
    if(!($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1)) {
    header("Location: /");
    }
}
?>

<?
    if(array_key_exists("revelio", $_GET)) {
    print "You are an admin. The credentials for the next level are:<br />";
    print "<pre>Username: natas23n";
    print "Password: <censored></pre>";
    }
?>

session_start();

if(array_key_exists("revelio", $_GET)) {

// only admins can reveal the password

if(!($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1)) {

header("Location: /");

}

if(array_key_exists("revelio", $_GET)) {

print "You are an admin. The credentials for the next level are:<br />";

print "<pre>Username: natas23n";

print "Password: <censored></pre>";

}

Do không hiểu cơ chế của cái hàm header() nên mình rơi vào bế tắc, rất cảm ơn Nam Tóc Xù đã hint mình bài này Thực chất...

OverTheWire

14/09/2013

[OverTheWire] Natas – Level 21

http://natas21.natas.labs.overthewire.org/ Note: this website is colocated with http://natas21-experimenter.natas.labs.overthewire.org You are logged in as a regular user. Login as an admin to retrieve credentials for natas22. Nhấn View sourcecode:

<?

function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br />";
    print "<pre>Username: natas22n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas22.";
    }
}
/* }}} */

session_start();
print_credentials();

?>

function print_credentials() { /* {{{ */

if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {

print "You are an admin. The credentials for the next level are:<br />";

print "<pre>Username: natas22n";

print "Password: <censored></pre>";

} else {

print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas22.";

}

/* }}} */

session_start();

print_credentials();

Thua, đố làm được Chuyển...

OverTheWire

14/09/2013

[OverTheWire] Natas – Level 20

http://natas20.natas.labs.overthewire.org/ You are logged in as a regular user. Login as an admin to retrieve credentials for natas21. Nhấn View sourcecode:

<?

function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br />";
    }
}
/* }}} */
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br />";
    print "<pre>Username: natas21n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas21.";
    }
}
/* }}} */

/* we don't need this */
function myopen($path, $name) {
    //debug("MYOPEN $path $name");
    return true;
}

/* we don't need this */
function myclose() {
    //debug("MYCLOSE");
    return true;
}

function myread($sid) {
    debug("MYREAD $sid");
    if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
    debug("Invalid SID");
        return "";
    }
    $filename = session_save_path() . "/" . "mysess_" . $sid;
    if(!file_exists($filename)) {
        debug("Session file doesn't exist");
        return "";
    }
    debug("Reading from ". $filename);
    $data = file_get_contents($filename);
    $_SESSION = array();
    foreach(explode("n", $data) as $line) {
        debug("Read [$line]");
    $parts = explode(" ", $line, 2);
    if($parts[0] != "") $_SESSION[$parts[0]] = $parts[1];
    }
    return session_encode();
}

function mywrite($sid, $data) {
    // $data contains the serialized version of $_SESSION
    // but our encoding is better
    debug("MYWRITE $sid $data");
    // make sure the sid is alnum only!!
    if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
    debug("Invalid SID");
        return;
    }
    $filename = session_save_path() . "/" . "mysess_" . $sid;
    $data = "";
    debug("Saving in ". $filename);
    ksort($_SESSION);
    foreach($_SESSION as $key => $value) {
        debug("$key => $value");
        $data .= "$key $valuen";
    }
    file_put_contents($filename, $data);
    chmod($filename, 0600);
}

/* we don't need this */
function mydestroy($sid) {
    //debug("MYDESTROY $sid");
    return true;
}
/* we don't need this */
function mygarbage($t) {
    //debug("MYGARBAGE $t");
    return true;
}

session_set_save_handler(
    "myopen",
    "myclose",
    "myread",
    "mywrite",
    "mydestroy",
    "mygarbage");
session_start();

if(array_key_exists("name", $_REQUEST)) {
    $_SESSION["name"] = $_REQUEST["name"];
    debug("Name set to " . $_REQUEST["name"]);
}

print_credentials();

$name = "";
if(array_key_exists("name", $_SESSION)) {
    $name = $_SESSION["name"];
}

?>

100

101

102

103

104

105

106

107

function debug($msg) { /* {{{ */

if(array_key_exists("debug", $_GET)) {

print "DEBUG: $msg<br />";

}

/* }}} */

function print_credentials() { /* {{{ */

if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {

print "You are an admin. The credentials for the next level are:<br />";

print "<pre>Username: natas21n";

print "Password: <censored></pre>";

} else {

print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas21.";

}

/* }}} */

/* we don't need this */

function myopen($path, $name) {

//debug("MYOPEN $path $name");

return true;

}

/* we don't need this */

function myclose() {

//debug("MYCLOSE");

return true;

}

function myread($sid) {

debug("MYREAD $sid");

if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {

debug("Invalid SID");

return "";

}

$filename = session_save_path() . "/" . "mysess_" . $sid;

if(!file_exists($filename)) {

debug("Session file doesn't exist");

return "";

}

debug("Reading from ". $filename);

$data = file_get_contents($filename);

$_SESSION = array();

foreach(explode("n", $data) as $line) {

debug("Read [$line]");

$parts = explode(" ", $line, 2);

if($parts[0] != "") $_SESSION[$parts[0]] = $parts[1];

}

return session_encode();

}

function mywrite($sid, $data) {

// $data contains the serialized version of $_SESSION

// but our encoding is better

debug("MYWRITE $sid $data");

// make sure the sid is alnum only!!

if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {

debug("Invalid SID");

return;

}

$filename = session_save_path() . "/" . "mysess_" . $sid;

$data = "";

debug("Saving in ". $filename);

ksort($_SESSION);

foreach($_SESSION as $key => $value) {

debug("$key => $value");

$data .= "$key $valuen";

}

file_put_contents($filename, $data);

chmod($filename, 0600);

}

/* we don't need this */

function mydestroy($sid) {

//debug("MYDESTROY $sid");

return true;

}

/* we don't need this */

function mygarbage($t) {

//debug("MYGARBAGE $t");

return true;

}

session_set_save_handler(

"myopen",

"myclose",

"myread",

"mywrite",

"mydestroy",

"mygarbage");

session_start();

if(array_key_exists("name", $_REQUEST)) {

$_SESSION["name"] = $_REQUEST["name"];

debug("Name set to " . $_REQUEST["name"]);

}

print_credentials();

$name = "";

if(array_key_exists("name", $_SESSION)) {

$name = $_SESSION["name"];

}

Chúng ta sẽ đi lần lượt theo quy trình xử lý của...

OverTheWire

14/09/2013

[OverTheWire] Natas – Level 19

http://natas19.natas.labs.overthewire.org/ This page uses mostly the same code as the previous level, but session IDs are no longer sequential… Please login with your admin account to retrieve credentials for natas20. Không có View sourcecode,...

OverTheWire

14/09/2013

[OverTheWire] Natas – Level 18

http://natas18.natas.labs.overthewire.org/ Please login with your admin account to retrieve credentials for natas19. Nhấn View sourcecode:

<?

$maxid = 640; // 640 should be enough for everyone

function isValidAdminLogin() { /* {{{ */
    if($_REQUEST["username"] == "admin") {
    /* This method of authentication appears to be unsafe and has been disabled for now. */
        //return 1;
    }

    return 0;
}
/* }}} */
function isValidID($id) { /* {{{ */
    return is_numeric($id);
}
/* }}} */
function createID($user) { /* {{{ */
    global $maxid;
    return rand(1, $maxid);
}
/* }}} */
function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br />";
    }
}
/* }}} */
function my_session_start() { /* {{{ */
    if(array_key_exists("PHPSESSID", $_COOKIE) and isValidID($_COOKIE["PHPSESSID"])) {
    if(!session_start()) {
        debug("Session start failed");
        return false;
    } else {
        debug("Session start ok");
        if(!array_key_exists("admin", $_SESSION)) {
        debug("Session was old: admin flag set");
        $_SESSION["admin"] = 0; // backwards compatible, secure
        }
        return true;
    }
    }

    return false;
}
/* }}} */
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br />";
    print "<pre>Username: natas19n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19.";
    }
}
/* }}} */

$showform = true;
if(my_session_start()) {
    print_credentials();
    $showform = false;
} else {
    if(array_key_exists("username", $_REQUEST) && array_key_exists("password", $_REQUEST)) {
    session_id(createID($_REQUEST["username"]));
    session_start();
    $_SESSION["admin"] = isValidAdminLogin();
    debug("New session started");
    $showform = false;
    print_credentials();
    }
}

if($showform) {
?>

$maxid = 640; // 640 should be enough for everyone

function isValidAdminLogin() { /* {{{ */

if($_REQUEST["username"] == "admin") {

/* This method of authentication appears to be unsafe and has been disabled for now. */

//return 1;

}

return 0;

}

/* }}} */

function isValidID($id) { /* {{{ */

return is_numeric($id);

}

/* }}} */

function createID($user) { /* {{{ */

global $maxid;

return rand(1, $maxid);

}

/* }}} */

function debug($msg) { /* {{{ */

if(array_key_exists("debug", $_GET)) {

print "DEBUG: $msg<br />";

}

/* }}} */

function my_session_start() { /* {{{ */

if(array_key_exists("PHPSESSID", $_COOKIE) and isValidID($_COOKIE["PHPSESSID"])) {

if(!session_start()) {

debug("Session start failed");

return false;

} else {

debug("Session start ok");

if(!array_key_exists("admin", $_SESSION)) {

debug("Session was old: admin flag set");

$_SESSION["admin"] = 0; // backwards compatible, secure

}

return true;

}

return false;

}

/* }}} */

function print_credentials() { /* {{{ */

if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {

print "You are an admin. The credentials for the next level are:<br />";

print "<pre>Username: natas19n";

print "Password: <censored></pre>";

} else {

print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19.";

}

/* }}} */

$showform = true;

if(my_session_start()) {

print_credentials();

$showform = false;

} else {

if(array_key_exists("username", $_REQUEST) && array_key_exists("password", $_REQUEST)) {

session_id(createID($_REQUEST["username"]));

session_start();

$_SESSION["admin"] = isValidAdminLogin();

debug("New session started");

$showform = false;

print_credentials();

}

if($showform) {

Bài này sử dụng một custom-session-manager, với giá trị của PHPSESSID nằm ngẫu nhiên trong khoảng từ (1,...

OverTheWire

13/09/2013

[OverTheWire] Natas – Level 17

http://natas17.natas.labs.overthewire.org/ Nhấn View sourcecode:

<?

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas17', '<censored>');
    mysql_select_db('natas17', $link);

    $query = "SELECT * from users where username="".$_REQUEST["username"].""";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br />";
    }

    $res = mysql_query($query, $link);
    if($res) {
    if(mysql_num_rows($res) > 0) {
        //echo "This user exists.<br />";
    } else {
        //echo "This user doesn't exist.<br />";
    }
    } else {
        //echo "Error in query.<br />";
    }

    mysql_close($link);
} else {
?>

<form action="index.php" method="POST">
Username: <input name="username"><br />
<input type="submit" value="Check existence" />
</form>
<? } ?>

CREATE TABLE `users` (

`username` varchar(64) DEFAULT NULL,

`password` varchar(64) DEFAULT NULL

);

if(array_key_exists("username", $_REQUEST)) {

$link = mysql_connect('localhost', 'natas17', '<censored>');

mysql_select_db('natas17', $link);

$query = "SELECT * from users where username="".$_REQUEST["username"].""";

if(array_key_exists("debug", $_GET)) {

echo "Executing query: $query<br />";

}

$res = mysql_query($query, $link);

if($res) {

if(mysql_num_rows($res) > 0) {

//echo "This user exists.<br />";

} else {

//echo "This user doesn't exist.<br />";

}

} else {

//echo "Error in query.<br />";

}

mysql_close($link);

} else {

Username: <input name="username"><br />

</form>

<? } ?>

Tất cả các thông báo đều đã bị xoẹt xoẹt, làm sao đây Dựa vào cái gì để phân biệt giữa True và False bây giờ … …… ………...

OverTheWire

13/09/2013

[OverTheWire] Natas – Level 16

http://natas16.natas.labs.overthewire.org/ For security reasons, we now filter even more on certain characters Find words containing… Nhấn View sourcecode:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&`'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i "$key" dictionary.txt");
    }
}
?>

$key = "";

if(array_key_exists("needle", $_REQUEST)) {

$key = $_REQUEST["needle"];

}

if($key != "") {

if(preg_match('/[;|&`'"]/',$key)) {

print "Input contains an illegal character!";

} else {

passthru("grep -i "$key" dictionary.txt");

}

Thấy quen quen Vì rằng input đã bị escape một số ký tự chủ chốt,...

OverTheWire

13/09/2013

[OverTheWire] Natas – Level 15

http://natas15.natas.labs.overthewire.org/ Nhấn View sourcecode:

<?

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas15', '<censored>');
    mysql_select_db('natas15', $link);

    $query = "SELECT * from users where username="".$_REQUEST["username"].""";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br />";
    }

    $res = mysql_query($query, $link);
    if($res) {
    if(mysql_num_rows($res) > 0) {
        echo "This user exists.<br />";
    } else {
        echo "This user doesn't exist.<br />";
    }
    } else {
        echo "Error in query.<br />";
    }

    mysql_close($link);
} else {
?>

CREATE TABLE `users` (

`username` varchar(64) DEFAULT NULL,

`password` varchar(64) DEFAULT NULL

);

if(array_key_exists("username", $_REQUEST)) {

$link = mysql_connect('localhost', 'natas15', '<censored>');

mysql_select_db('natas15', $link);

$query = "SELECT * from users where username="".$_REQUEST["username"].""";

if(array_key_exists("debug", $_GET)) {

echo "Executing query: $query<br />";

}

$res = mysql_query($query, $link);

if($res) {

if(mysql_num_rows($res) > 0) {

echo "This user exists.<br />";

} else {

echo "This user doesn't exist.<br />";

}

} else {

echo "Error in query.<br />";

}

mysql_close($link);

} else {

Có một điều khác biệt so với task trước, đó là không hề có câu lệnh in ra password cho level tiếp theo. Vậy phải làm sao? Blind SQL...

OverTheWire

13/09/2013

[OverTheWire] Natas – Level 14

http://natas14.natas.labs.overthewire.org/ Nhấn View sourcecode:

<?
if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas14', '<censored>');
    mysql_select_db('natas14', $link);

    $query = "SELECT * from users where username="".$_REQUEST["username"]."" and password="".$_REQUEST["password"].""";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br />";
    }

    if(mysql_num_rows(mysql_query($query, $link)) > 0) {
            echo "Successful login! The password for natas15 is <censored><br />";
    } else {
            echo "Access denied!<br />";
    }
    mysql_close($link);
} else {
?>

if(array_key_exists("username", $_REQUEST)) {

$link = mysql_connect('localhost', 'natas14', '<censored>');

mysql_select_db('natas14', $link);

$query = "SELECT * from users where username="".$_REQUEST["username"]."" and password="".$_REQUEST["password"].""";

if(array_key_exists("debug", $_GET)) {

echo "Executing query: $query<br />";

}

if(mysql_num_rows(mysql_query($query, $link)) > 0) {

echo "Successful login! The password for natas15 is <censored><br />";

} else {

echo "Access denied!<br />";

}

mysql_close($link);

} else {

Ta thấy ngay được là username và password đều không bị escape. Inject với câu lệnh được dạy trong sách giáo khoa: username = ” OR 1=1# password =...

Category: OverTheWire

Recent comments