ExtBasic 10

Learn how to do code review

Re: ExtBasic 10

Post by MrRubix on Thu Jul 10, 2008 4:00 pm
([msg=7110]see Re: ExtBasic 10[/msg])

You're trying to exploit exec in the end, right? So, google around and look for ways to exploit it.
MrRubix
New User
New User
 
Posts: 17
Joined: Sun Jun 15, 2008 5:15 pm
Blog: View Blog (0)


Re: ExtBasic 10

Post by ratm_hts on Fri Jul 11, 2008 7:35 am
([msg=7176]see Re: ExtBasic 10[/msg])

Google has thousand of answers. OWASP and Wikipedia know a lot.

The fact is that I don't want to simply pass the level...
I would like someone to explain me how can a constant string be exploited. To the best of my (little) knowledge, eval("\$a=\$b") is in no way different than a simple $a=$b, because of the escaping.

So, what can one do with it?
ratm_hts
New User
New User
 
Posts: 4
Joined: Sat Jun 28, 2008 7:56 pm
Blog: View Blog (0)


Re: ExtBasic 10

Post by stringplayer92 on Sat Jul 12, 2008 7:51 pm
([msg=7300]see Re: ExtBasic 10[/msg])

I haven't been able to get this one but, from what I read on OWASP, the exploit is in the fact that exec() will execute code that is appended to the variable. So you could set the $y=10 then close the statement and add another to the end...

I hope this is an acceptable post, I haven't even completed the mission so I can't really give away anything can I?

stringplayer92
stringplayer92
New User
New User
 
Posts: 15
Joined: Thu Apr 24, 2008 8:33 pm
Blog: View Blog (0)


Re: ExtBasic 10

Post by int3grate on Sat Jul 12, 2008 10:49 pm
([msg=7308]see Re: ExtBasic 10[/msg])

Edited
int3grate
New User
New User
 
Posts: 38
Joined: Tue May 27, 2008 7:54 pm
Blog: View Blog (0)


Re: ExtBasic 10

Post by BhaaL on Sun Jul 13, 2008 5:23 am
([msg=7319]see Re: ExtBasic 10[/msg])

Edited
Last edited by TheMindRapist on Sat Aug 02, 2008 10:27 pm, edited 1 time in total.
Reason: Gives away 1;
BhaaL
Poster
Poster
 
Posts: 270
Joined: Sun Apr 13, 2008 11:16 am
Blog: View Blog (0)


Re: ExtBasic 10

Post by int3grate on Sun Jul 13, 2008 6:50 pm
([msg=7358]see Re: ExtBasic 10[/msg])

Edited
Last edited by TheMindRapist on Sat Aug 02, 2008 10:28 pm, edited 1 time in total.
Reason: Gives away 1;
int3grate
New User
New User
 
Posts: 38
Joined: Tue May 27, 2008 7:54 pm
Blog: View Blog (0)


Re: ExtBasic 10

Post by int3grate on Sun Jul 13, 2008 6:57 pm
([msg=7360]see Re: ExtBasic 10[/msg])

also, in this example, can we assume register globals is off?
int3grate
New User
New User
 
Posts: 38
Joined: Tue May 27, 2008 7:54 pm
Blog: View Blog (0)


Re: ExtBasic 10

Post by sharpskater69 on Mon Jul 28, 2008 9:37 am
([msg=8523]see Re: ExtBasic 10[/msg])

Well, another case like #7, lots of possibilities but only one solution. There is enough info in this thread to pass the mission. Pay attention to BhaaL's post: you don't want to finish the statement then start a new, but just start a new one(you probably know what character does it too if you've written code before). Try single and doubles quotes too, it won't accept both. These are pretty cool though.
sharpskater69
New User
New User
 
Posts: 34
Joined: Tue Apr 22, 2008 4:10 pm
Blog: View Blog (0)


Re: ExtBasic 10

Post by malcolmst on Sun Aug 24, 2008 2:25 pm
([msg=10380]see Re: ExtBasic 10[/msg])

Argh I've tried everything I can think of but it doesn't work. I can't help but think I'm just a character off or something from the correct answer. Would someone be able to repost Bhaal's message or something similar that would get me on the right track without a spoiler (or a PM - but I'm not asking for the answer)?

I also think some of these missions could be improved (7 and 10 in particular) by changing the validation code to accept more than one answer which would have the correct result.
malcolmst
New User
New User
 
Posts: 1
Joined: Tue Aug 19, 2008 10:16 am
Blog: View Blog (0)


Re: ExtBasic 10

Post by arash16 on Tue Aug 26, 2008 7:29 pm
([msg=10516]see Re: ExtBasic 10[/msg])

i really have no more idea about this mission
the vulnerability of the code is that eval might run the code more than once...
for example first $y is changed with it's contents then again eval("\$getit = xxx;") will be executed
the fact is that there's a bunch of possible things can be entered here.. some cases:

1: `/etc/bin/moo`
which is the shortest possible and will put answer to getit
2: "";echo `/etc/bin/moo`
3: 0;exec('etc/bin/moo')
4: 0;system('etc/bin/moo')
5: 0;passthru('etc/bin/moo')
6: 0;pcntl_exec('etc/bin/moo')

all of them can be used with double quotes too.. all of them can be assigned to getit else of using semi-colon to close the first statement...
i have used all possible things... but the question is: AM I SUPPOSED TO DO BRUTEFOCE to pass this fucking mission??
unfortunately these days HTS has changed it's path... it has become more a logic site than a hack related site...
:arrow: FUCK
arash16
New User
New User
 
Posts: 11
Joined: Fri Jun 20, 2008 11:16 am
Blog: View Blog (0)


PreviousNext

Return to Extended Basics

Who is online

Users browsing this forum: No registered users and 0 guests