WHERE TO START

Re: WHERE TO START

Post by pescador on Sun May 11, 2008 11:23 am
([msg=2250]see Re: WHERE TO START[/msg])

pescador wrote:I think I have the same problem as tehMurloc. When I call my script I receive my own cookie, so that seems to work. Now when I send it to a certain someone, nothing happens. Also, when I try to send a message to myself (I mean r-conner), I don't receive anything. Is that correct?


I did it. I changed my script a little and now it works. Slightly different than freakwolfe's examples.
pescador
New User
New User
 
Posts: 5
Joined: Mon Apr 28, 2008 10:29 am
Blog: View Blog (0)


Re: WHERE TO START

Post by vashtsakared on Tue Sep 30, 2008 2:15 pm
([msg=12878]see Re: WHERE TO START[/msg])

This might be too spoilery, but I don't know. If it is delete it. Message me if I'm on the right track, here.

I was thinking earlier, PHP is server-side evaluated. So you can't really just include a script in an e-mail and expect it to necessarily stay there. I don't know how posting PHP in forms works; it might be parsed out or it might remain. But generally, you could expect the server to evaluate it as soon as the file was retrieved. In other words, Mr. Crap can't see or submit to any PHP in the body of his mail. So in fact, you don't have to interact with him at all to get his cookie. He can see a blank page.

Is that right?
vashtsakared
New User
New User
 
Posts: 6
Joined: Sun Aug 17, 2008 3:42 pm
Blog: View Blog (0)


What am I doing wrong?

Post by christianboygenius on Mon May 04, 2009 9:44 pm
([msg=23161]see What am I doing wrong?[/msg])

Warning: May Contain Spoilers!!!!!!!!
-------------------------------------------------
I have been all over the crappysoft website. I am guessing that the key to this mission is using XSS in one of the forms to locate the boss' cookie. I have tried simple attacks in most of the forms and so far nothing has worked. I was wondering if someone could point me in the right direction... So far I have tried JavaScript attacks. That is pretty much it. Should I use some PHP? Thanks for any help...
christianboygenius
New User
New User
 
Posts: 7
Joined: Mon May 04, 2009 8:10 pm
Blog: View Blog (0)


Re: WHERE TO START

Post by fashizzlepop on Tue May 05, 2009 1:20 am
([msg=23166]see Re: WHERE TO START[/msg])

Wiki PHP and then look into how it works, this will help you understand how PHP is vulnerable. There's no such thing as "PHP attacks" but there are SQL injections. Not specifically for this challenge, but, it would be good to see how these correlate in a penetration attack on a website.
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.
User avatar
fashizzlepop
Developer
Developer
 
Posts: 2303
Joined: Sat May 24, 2008 1:20 pm
Blog: View Blog (0)


Re: WHERE TO START

Post by eljonto on Tue May 05, 2009 1:49 am
([msg=23168]see Re: WHERE TO START[/msg])

vashtsakared wrote:This might be too spoilery, but I don't know. If it is delete it. Message me if I'm on the right track, here.

I was thinking earlier, PHP is server-side evaluated. So you can't really just include a script in an e-mail and expect it to necessarily stay there. I don't know how posting PHP in forms works; it might be parsed out or it might remain. But generally, you could expect the server to evaluate it as soon as the file was retrieved. In other words, Mr. Crap can't see or submit to any PHP in the body of his mail. So in fact, you don't have to interact with him at all to get his cookie. He can see a blank page.

Is that right?


You have the right idea, but you don't use php script in the email.
You want his cookie, what's an easy way to get a cookie from a simple internet scripting language (think back to basic 10)
Now if you want to view that cookie you probably want his cookie to be saved somewhere, what language could this be done in? Think: How can users submit data to webpages and have that data saved?
-Quis custodiet ipsos custodes?, Juvenal
_________________________________________________________________
User avatar
eljonto
Poster
Poster
 
Posts: 373
Joined: Thu Apr 17, 2008 1:16 am
Location: Australia
Blog: View Blog (0)


Re: WHERE TO START

Post by SkaCahToa on Fri Oct 15, 2010 11:38 pm
([msg=47625]see Re: WHERE TO START[/msg])

I've paid the poor fella, but now I've gotten a message about clearing the logs by subscribing to them.... I'm not quite sure what's being ask of me. I've looked through the site and I can't find any log management or anything of the sort... or logs in general.
SkaCahToa
New User
New User
 
Posts: 2
Joined: Wed Jun 25, 2008 10:31 pm
Blog: View Blog (0)


Re: WHERE TO START

Post by sanddbox on Sat Oct 16, 2010 12:10 am
([msg=47626]see Re: WHERE TO START[/msg])

This topic is old, please don't revive it. By the way, the clearing the logs step should be pretty obvious. Just look at the site.
Image

HTS User Composition:
95% Male
4.98% Female
.01% Monica
.01% Goat
User avatar
sanddbox
Expert
Expert
 
Posts: 2344
Joined: Sat Jul 04, 2009 5:20 pm
Blog: View Blog (0)


Previous

Return to (Real 9) CrappySoft

Who is online

Users browsing this forum: No registered users and 0 guests