ExtBasic 10
38 posts • Page 3 of 4 • 1, 2, 3, 4
Re: ExtBasic 10
by MrRubix on Thu Jul 10, 2008 4:00 pm
([msg=7110]see Re: ExtBasic 10[/msg])
You're trying to exploit exec in the end, right? So, google around and look for ways to exploit it.
- MrRubix
- New User
- Posts: 17
- Joined: Sun Jun 15, 2008 5:15 pm
- Blog: View Blog (0)
Re: ExtBasic 10
by ratm_hts on Fri Jul 11, 2008 7:35 am
([msg=7176]see Re: ExtBasic 10[/msg])
Google has thousand of answers. OWASP and Wikipedia know a lot.
The fact is that I don't want to simply pass the level...
I would like someone to explain me how can a constant string be exploited. To the best of my (little) knowledge, eval("\$a=\$b") is in no way different than a simple $a=$b, because of the escaping.
So, what can one do with it?
The fact is that I don't want to simply pass the level...
I would like someone to explain me how can a constant string be exploited. To the best of my (little) knowledge, eval("\$a=\$b") is in no way different than a simple $a=$b, because of the escaping.
So, what can one do with it?
- ratm_hts
- New User
- Posts: 4
- Joined: Sat Jun 28, 2008 7:56 pm
- Blog: View Blog (0)
Re: ExtBasic 10
by stringplayer92 on Sat Jul 12, 2008 7:51 pm
([msg=7300]see Re: ExtBasic 10[/msg])
I haven't been able to get this one but, from what I read on OWASP, the exploit is in the fact that exec() will execute code that is appended to the variable. So you could set the $y=10 then close the statement and add another to the end...
I hope this is an acceptable post, I haven't even completed the mission so I can't really give away anything can I?
stringplayer92
I hope this is an acceptable post, I haven't even completed the mission so I can't really give away anything can I?
stringplayer92
- stringplayer92
- New User
- Posts: 15
- Joined: Thu Apr 24, 2008 8:33 pm
- Blog: View Blog (0)
Re: ExtBasic 10
by int3grate on Sat Jul 12, 2008 10:49 pm
([msg=7308]see Re: ExtBasic 10[/msg])
Edited
- int3grate
- New User
- Posts: 38
- Joined: Tue May 27, 2008 7:54 pm
- Blog: View Blog (0)
Re: ExtBasic 10
by BhaaL on Sun Jul 13, 2008 5:23 am
([msg=7319]see Re: ExtBasic 10[/msg])
Edited
Last edited by TheMindRapist on Sat Aug 02, 2008 10:27 pm, edited 1 time in total.
Reason: Gives away 1;
Reason: Gives away 1;
- BhaaL
- Poster
- Posts: 270
- Joined: Sun Apr 13, 2008 11:16 am
- Blog: View Blog (0)
Re: ExtBasic 10
by int3grate on Sun Jul 13, 2008 6:50 pm
([msg=7358]see Re: ExtBasic 10[/msg])
Edited
Last edited by TheMindRapist on Sat Aug 02, 2008 10:28 pm, edited 1 time in total.
Reason: Gives away 1;
Reason: Gives away 1;
- int3grate
- New User
- Posts: 38
- Joined: Tue May 27, 2008 7:54 pm
- Blog: View Blog (0)
Re: ExtBasic 10
by int3grate on Sun Jul 13, 2008 6:57 pm
([msg=7360]see Re: ExtBasic 10[/msg])
also, in this example, can we assume register globals is off?
- int3grate
- New User
- Posts: 38
- Joined: Tue May 27, 2008 7:54 pm
- Blog: View Blog (0)
Re: ExtBasic 10
by sharpskater69 on Mon Jul 28, 2008 9:37 am
([msg=8523]see Re: ExtBasic 10[/msg])
Well, another case like #7, lots of possibilities but only one solution. There is enough info in this thread to pass the mission. Pay attention to BhaaL's post: you don't want to finish the statement then start a new, but just start a new one(you probably know what character does it too if you've written code before). Try single and doubles quotes too, it won't accept both. These are pretty cool though.
- sharpskater69
- New User
- Posts: 35
- Joined: Tue Apr 22, 2008 4:10 pm
- Blog: View Blog (0)
Re: ExtBasic 10
by malcolmst on Sun Aug 24, 2008 2:25 pm
([msg=10380]see Re: ExtBasic 10[/msg])
Argh I've tried everything I can think of but it doesn't work. I can't help but think I'm just a character off or something from the correct answer. Would someone be able to repost Bhaal's message or something similar that would get me on the right track without a spoiler (or a PM - but I'm not asking for the answer)?
I also think some of these missions could be improved (7 and 10 in particular) by changing the validation code to accept more than one answer which would have the correct result.
I also think some of these missions could be improved (7 and 10 in particular) by changing the validation code to accept more than one answer which would have the correct result.
- malcolmst
- New User
- Posts: 1
- Joined: Tue Aug 19, 2008 10:16 am
- Blog: View Blog (0)
Re: ExtBasic 10
by arash16 on Tue Aug 26, 2008 7:29 pm
([msg=10516]see Re: ExtBasic 10[/msg])
i really have no more idea about this mission
the vulnerability of the code is that eval might run the code more than once...
for example first $y is changed with it's contents then again eval("\$getit = xxx;") will be executed
the fact is that there's a bunch of possible things can be entered here.. some cases:
1: `/etc/bin/moo`
which is the shortest possible and will put answer to getit
2: "";echo `/etc/bin/moo`
3: 0;exec('etc/bin/moo')
4: 0;system('etc/bin/moo')
5: 0;passthru('etc/bin/moo')
6: 0;pcntl_exec('etc/bin/moo')
all of them can be used with double quotes too.. all of them can be assigned to getit else of using semi-colon to close the first statement...
i have used all possible things... but the question is: AM I SUPPOSED TO DO BRUTEFOCE to pass this fucking mission??
unfortunately these days HTS has changed it's path... it has become more a logic site than a hack related site...
FUCK
the vulnerability of the code is that eval might run the code more than once...
for example first $y is changed with it's contents then again eval("\$getit = xxx;") will be executed
the fact is that there's a bunch of possible things can be entered here.. some cases:
1: `/etc/bin/moo`
which is the shortest possible and will put answer to getit
2: "";echo `/etc/bin/moo`
3: 0;exec('etc/bin/moo')
4: 0;system('etc/bin/moo')
5: 0;passthru('etc/bin/moo')
6: 0;pcntl_exec('etc/bin/moo')
all of them can be used with double quotes too.. all of them can be assigned to getit else of using semi-colon to close the first statement...
i have used all possible things... but the question is: AM I SUPPOSED TO DO BRUTEFOCE to pass this fucking mission??
unfortunately these days HTS has changed it's path... it has become more a logic site than a hack related site...
FUCK- arash16
- New User
- Posts: 11
- Joined: Fri Jun 20, 2008 11:16 am
- Blog: View Blog (0)
38 posts • Page 3 of 4 • 1, 2, 3, 4
Who is online
Users browsing this forum: No registered users and 0 guests