Difference between revisions of "Summerschool Aachen 2004/Hacking the Web Lab"
|Line 49:||Line 49:|
-- [[George Danezis]]
-- [[George Danezis]]
Revision as of 19:38, 21 September 2004
The mediawiki vulnerability
Sourceforge has the source code for all previous versions of mediawiki still available, including the 1.3.0 beta versions. I downloaded beta4 and the final 1.3.0 version and did a diff -uNr, resulting in ~ 20000 (reduced to ~ 16000 without whitespace-only changes) lines. Most noticable changes include:
- additional addslashes calls in several places
- addslashes gets substituted by a new function escapePhpString in some places
Real World XSS exploits
If you are interested in finding more vulnerable webpages then looking for "Widdecombe of the Week" or "Widdy" in the NTK newsletter should find plenty.
Puzzle Game dievo.org
Nice playground for html tricks. Currently i am stuck level 1.
-- Mario Manno
I took a look at some of the web proxies mentioned in the lecture this morning, and decided to investigate developing a Firefox extension to get some of the same functionality (without the pain!). I didn't get very far, but I did find some useful resources, and looked at the source code for a number of existing extensions.
(My other achievement was successfully negotiating the purchase of writing paper, envelopes and some stamps in German!)
This web-site provides an interesting war game, testing some web-hacking skills. The first few exercises just test your ability to read the html source of pages (with a pathetic attempt at preventing right clicking, that does not work in proper browsers such as FireFox). The third is testing our ability to decode uuencoded strings, which a symple python script can do. Then the real fun starts: Exercise four requires the decompilation of a flash (swf) file. We have used a trial version of the "Liatro SWF Decoder", to unpack and inspect the actionscript source. All its secrets were revealed to us. Exercise five is about locating a script, but six kept quite a few people in the lab busy for a few hours!
"Six" required us to download a windows binary (a VB6 program), and extract from it the password by providing two magic strings. Since no hints were provided, we disassembled the beast (using PE Explorer), and tried to understand what it does. The two string compare calls were identified, and we guessed that the test must be the conditions yielding the hidden password. After briefly trying to transform the jumps to "noop" instruction (using frhed) we ran the thing using a debuger (Ollydbr) and read out what the comparision strings were. Inputting them into the program provided the magic password!
Some pointers to resources:
Lutz and I both had a look into the php sources to find ways to mess with the uniqid() method used for getting session ids and other stuff. It is also heavily used by some guestbook (Max knows which) to create database files and query into user info. So it might be pretty interesting to guess existing ones.
Anyway the source is not that challenging, it basically converts current time information into hex values, hereby claiming to construct (almost) unique values. You can actually improve this a little by adding more information but the concept stays the same. An idea of attack might be taking log in information (e.g. from a guestbook) and narrow down the timeframe a certain id might have been generated. You can then start a brute force attack on the possible values. On the other hand, simple implementation details such as adding a rand() call would probably render this useless. Maybe we will look into this further once we are a little bored...