Thursday, January 20, 2011

How To Beat Collapse Level 8

[Security Audit] We provide solutions. NET

On January 20, 2010, I received a private message on Facebook, sent directly by Oscar Leonardo Serrano Cadena, whom I met through some reports I did many months ago.

Quote from the private message:
Subject: Exercise ...
Message: Hi Alex ... I have a new administrator module with new safeguards and implementations that I would like you to test ... I'd like you to try to hack it, or to see whether it is secure or not ...

This is the link:

www.XXX.la

Many thanks for your comments ....

When I received it, honestly, I felt a lot of mental laziness; I was planning an application for a friend. I took a quick look and, juaz, right in the foreground I found an XSS (to be honest, I have never liked XSS, but it's something). Then, when I looked at the parameters sent to query and retrieve the information displayed on the page, I saw that the IDs were being sent Base64-encoded.

Figure 1: Shows the variable So encoded in Base64.

I Base64-encoded a single quote, sent it through the same mechanism and, plop, a picture is worth a thousand words:

Figure 2: After sending a command Base64-encoded, I realized it was a blind SQL injection; the error was caused by the single quote.
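As an added, defender-side example (not the author's PHP PoC and not the tested application's code): an id parameter that arrives Base64-encoded, as described above, still has to be decoded and type-checked before it reaches SQL, because a quote wrapped in Base64 is invisible to anyone inspecting only the raw parameter. The log lines, path and parameter name below are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample access-log lines: one Base64-encoded "id" parameter per
# request, mimicking the application described above. Decoded values are noted.
SAMPLE_REQUESTS = [
    "GET /admin/view.php?id=MQ==",      # "1"
    "GET /admin/view.php?id=MTI=",      # "12"
    "GET /admin/view.php?id=MSc=",      # "1'"  -> a quote hidden by the encoding
    "GET /admin/view.php?id=MS8q",      # "1/*" -> a comment sequence, same trick
    "GET /admin/view.php?id=not-b64!",  # not valid Base64 at all
]

# What a record id is allowed to look like once decoded: a plain decimal integer.
ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def decode_id(param):
    """Strictly Base64-decode a parameter and return the integer id, or None.

    Encoding is not validation: whatever the decoder yields must still match
    the expected type before it is allowed anywhere near a SQL statement.
    """
    try:
        raw = base64.b64decode(param, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # bad alphabet, bad padding, non-ASCII
        return None
    return int(raw) if ID_RE.match(raw) else None


def suspicious_requests(lines):
    """Detection pass over log lines: flag requests whose decoded id is not a
    plain integer. A check on the raw parameter alone would miss them, since
    the quote or comment sequence only exists after decoding."""
    flagged = []
    for line in lines:
        match = re.search(r"[?&]id=([^&\s]+)", line)
        if match and decode_id(match.group(1)) is None:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in suspicious_requests(SAMPLE_REQUESTS):
        print("suspicious:", line)
```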
Pfff, I never got along with that type of injection, but being obsessed with challenges, I set about studying it, and a few friends helped me with some doubts I had. (Gr3ttz to: Dariohxk, for the anti-ethical tutorial he gave me, XD; Maztor, for the basic explanation; Progressive Death, for being a sissy :D)
After about 5 hours (I also have a social life XD), I started injecting into the form to see how far I could take it. First, recalling that I had previously done some reporting for the development company (damossoluciones.net), I thought I might use the same tables, fields and records as on the previous sites. With a little luck, juaz, they used the same tables and fields, but unfortunately the records were different, so after that it was not all that easy, let's say.
Getting information about the records, taking into account that I had to try it character by character, took me about 4 minutes to obtain the username; extracting the password is something I have not managed yet :D, unfortunately the password length is 40 characters. Damn it, time to automate the task and write a blind-injection PoC in PHP that I will show later. For now I am very sleepy and today is a big day that I have to make the most of. I'll edit later, continuing yesterday's short story.
Edited: 01/20/1911 - 21:39. Since I couldn't sleep, shit... I was able to improve the code a bit. Clearly it was knocked together quickly, so it's not what you'd call sophisticated, but it does its job :D, which is the important thing. The code is as follows:
Figure 3: Code used to automatically extract records from the database.

And the result is:

Figure 4: Output of the code from Figure 3.

For now I'll leave it there and speak directly with my first contact, explaining a little about how this vulnerability works and how it could be fixed; then I'll post something once we have agreed.
I hope the agreement is sexual or monetary; in this case I prefer cash. XDDDDD This reminded me of the following Family Guy clip.
Peter is a jerk, but anyone in his position would have done the same... hahahahaa
