Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [TEHTRI-Security] Ultra quick dummy PHP hacking challenge for FD readers

From: Laurent OUDOT at TEHTRI-Security <laurent.oudot-ml () tehtri-security com>
Date: Sun, 11 Dec 2011 20:32:18 +0100
Hello,

Back to this quick dummy PHP Hacking challenge. We remind you that the 
login was "adm", and the password was supposed to be "31337", when you 
check at this code:

<?php if($_POST['l']=='adm'&&  $_POST['p']=='31337') { echo "Welcome"; } 
else { echo "Tsss..."; } ?>

So we got answers from people claiming that there was no other solution 
than using "31337" as a password, by reading this code, and that it was 
quite a stupid question...

But as we said, PHP is magic, and let's have a look at some of the best 
answers we got for this quick challenge, where you had to propose p= 
seomthing that would also work, without being 31337:

#1 Our favorite PHP expert:
From: @i0n1c ( https://twitter.com/#!/i0n1c/status/144808482820984834 )
p=0.0000000000000000003133699999999999999900735000735000753000420042e23

#2 A nice answer that we got really quickly
From: @Tyr43l
p=+31336.9999999999999999999999999999999999999

#3 Someone who want to remain anonymous because of his "company" :)
From: ?
p=0x7a69


The passwords proposed by these people work, though it's not "31337"... 
Weird ? Here are some interesting pointers in case you'd like to go 
further (quick answers).

First, check this:
http://www.php.net/manual/en/language.operators.array.php

$a === $b       Identity        TRUE if $a and $b have the same key/value pairs in 
the same order and of the same types.

$a == $b        Equality        TRUE if $a and $b have the same key/value pairs.

So, when we had " if(... $_POST['p']=='31337') " it meant that PHP would 
not have to check that we had the same types.

That's why using Octal, Hexadecimal, etc, will also work.

And it's rare to see people looking at things like type enforcement 
through PHP source code, which sometimes lead to vulnerabilities...

Also, you can read more information about Integers and PHP from here:
http://php.net/manual/en/language.types.integer.php

As promised, winners all got the music "Song 4 Hackers" on Apple Store.

We also got emails from people asking to get "Song 4 Hackers" for free.
You can listen to sample from here http://elena-laurent.zimbalam.com/

Thanks for all the emails we got from friends of Full Disclosure,

We hope you enjoyed this tiny entertainment through PHP fun,

Check your code,
Peace,

Laurent OUDOT, CEO TEHTRI-Security, from BlackHat Abu-Dhabi


On 08/12/11 15:59, Laurent OUDOT at TEHTRI-Security wrote:

== Challenge ==

Title: Ultra quick dummy PHP challenge for Full-Disclosure readers

1. Read the following single line of PHP Source code. Find the most
geeky/funny way to remotely display "Welcome".

2. Directly send us your answer ->  do not Cc/To the mailing list! Please
keep the same subject so that we can try to find your reply.

3. You won? We'll then contact u,to grab your precious price (music).
Best answers will be shared back on this list, just for the lol :)


== PHP Source code (1 line) ==

Tips: "Your eyes can deceive you, don't trust them", Obi1 Kenobi.

<?php if($_POST['l']=='adm'&&  $_POST['p']=='31337') { echo "Welcome"; }
else { echo "Tsss..."; } ?>


== Weird (dummy) ?! ==

Q: I'm l33t and I can already see the password in the source code.WTF ?!
A: Hum... We will wait for the best answers. Remember, PHP is magic.
Though it's easy, it's a fun example to see how PHP can behave. Such
behavior might sometimes lead to security issues.

Q: Sir, what is the target platform,OS,etc? Can I get more information ?
A: Keep it simple. Choose yourself. Explain us your choices when needed.

Q: Huh, may I do fuzzing, bruteforce&  other l33t techniques: antiSEP..?
A: Pfff. Bro, let's do it with your own style. You don't need advices.


== Timing (quick) ==

Answers will be accepted till next Sunday noon GST [Gulf Standard Time].

Q: Why a so quick challenge ?
A: Cause it's just a quick (&dummy) PHP challenge.


== Winners ==

Top best answers will get track "Song 4 Hackers/g0t r8t" for free from:

http://itunes.apple.com/us/album/song-4-hackers-g0t-r8t/id475484468

Q: Why don't u propose pure l33t track, like Justin Bieber, Rick Roll..?
A: Cause.. Well, I know what you did last summer.

Q: I dont have iP* device. Could you provide an iPhone 4S with the song?
A: Lol :) Well,do u want a jailbroken? Left as a bonus exercise. Or not.


== More fun ? ==

Q: I do like such kind of stupid hacking tricks. Where can I grab more ?
A: Reach your local hackerspaces, or also join us during our trainings /
conferences, where we usually give/explain 0days/tricks directly:

- Middle East / United Arab Emirates / Abu Dhabi -->  BlackHat
  Training "Advanced PHP Hacking"
  When ? Next week, December 2011
[w]
https://www.blackhat.com/html/bh-ad-11/training/bh-ad-11-training_PHP.html

- Asia / India / Mumbai -->  Hack In The Box GSEC [!] Training
  "STRATEGIC CYBER ATTACKS – ADVANCED PERSISTENT THREATS AND BEYOND"
  When ? 20th&  21st February 2012
[w] http://gsec.hitb.org/?p=134

- Europe / Netherlands / Amsterdam -->  Hack In The Box [!]
  Training "Hunting Web Attackers"
  When ? 22nd&  23rd May 2012
[w] http://conference.hitb.org/hitbsecconf2012ams/?page_id=438


== End ==

Best regards and have (some seconds/minutes of) fun,

Laurent Estieux (CTO) and Laurent Oudot (CEO)
  TEHTRI-Security - "This is not a game"
  [w] http://www.tehtri-security.com/
  [w] http://twitter.com/tehtris



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: