Solution for wargame natas19

Posted on in Php • Tagged with Python, Wargames, Php, Security • 3 min read

Hi everyone

I am still trying to solve wargames on overthewire. Level 19 proofed to be very similar to level 18, where server side code looks something like the following:

<?

$maxid = 640; // 640 should be enough for everyone

function isValidAdminLogin() { /* {{{ */
    if($_REQUEST["username"] == "admin") {
    /* This method of authentication appears to be unsafe and has been disabled for now. */
        //return 1;
    }

    return 0;
}
/* }}} */
function isValidID($id) { /* {{{ */
    return is_numeric($id);
}
/* }}} */
function createID($user) { /* {{{ */
    global $maxid;
    return rand(1, $maxid);
}
/* }}} */
function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg";
    }
}
/* }}} */
function my_session_start() { /* {{{ */
    if(array_key_exists("PHPSESSID", $_COOKIE) and isValidID($_COOKIE["PHPSESSID"])) {
        if(!session_start()) {
            debug("Session start failed");
            return false;
        } else {
            debug("Session start ok");
            if(!array_key_exists("admin", $_SESSION)) {
                debug("Session was old: admin flag set");
                $_SESSION["admin"] = 0; // backwards compatible, secure
            }
            return true;
        }
    }

    return false;
}
/* }}} */
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
        print "You are an admin. The credentials for the next level are:";
        print "Username: natas19n";
        print "Password: ";  
    } else {  
        print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19.";  
    }  
}  
/* }}} */

$showform = true;  
if(my_session_start()) {  
    print_credentials();  
    $showform = false;  
} else {  
    if(array_key_exists("username", $_REQUEST) &&
        array_key_exists("password", $_REQUEST)) {  
            session_id(createID($_REQUEST["username"]));  
            session_start();  
            $_SESSION …

Continue reading

Solution for Natas11 for natas wargame on overthewire.org

Posted on in Php • Tagged with Wargames, Php, Programming, Security • 2 min read

Solution for Natas web security wargame with by XORing the plaintext with the ciphertext...

Currently I am playing some wargames on overthewire.org.

The first 10 levels were very easy and everyone with some technical knowledge and programming experience should be able to solve them. But somehow I got stuck for a few hours on level 11. The task is to modify a XOR encrypted cookie. For some reason I couldn't figure out how to obtain the xor key that was used.

The challenge was to reverse engineer the key by having the plaintext and the ciphertext. Of course I should have realized very quickly that xoring the plaintext with the ciphertext yields us back the key. But why is this so? Consider the following math:

plaintext xor ciphertext == key <=> plaintext xor (plaintext xor key) <=> plaintext xor plaintext xor key <=> 00000... xor key == key

As you can see, the plaintext cancels out. If the plaintext would be a single byte, say, 1100 1101, then XORing this byte with itself yields:
1100 1101 XOR 1100 1101 -------- 0000 0000

To finally get to solution of the wargame, you can safe the following file as a PHP file and run it:

<?php

function …

Continue reading

Exploiting wordpress plugins through admin options (No 3. — Easy Media Gallery stored XSS)

Posted on in Php • Tagged with Vulnerablity, Websecurity, Exploit, Stored, Php, Programming, Security, Xss, Wordpress, Easy-media-gallery • 12 min read

Preface

This post is about general security weaknesses in wordpress plugins, that allow malicious attackers to gain code execution access on the web server (which is quite often the user www-data). To outline the problem shortly: Often, wordpress plugins need a administration form to handle settings and options. These options are meant to be exclusively alterable by the admin of the wordpress site. But unfortunately, lots of wordpress plugins suffer from a very dangerous combination of CSRF and stored XSS vulnerabilities, that wrapped up in a social engineering approach, may break the site.

I have done some research in the past about such attacks. You can read about a stored xss in flash album gallery plugin as well as my findings about a similar flaw in the wp members plugin.

How does the attack vector look like?

First we need to understand how administration menus are created in wordpress, because these forms are the point where data flows into a application. You can learn more about the underlying concept on wordpress codex.

But the crucial point to understand is, that they all consist of forms, independently of the fact that you can pack your options under a predefined and already …


Continue reading

The dangers of a poorly planned project

Posted on in Philosophical • Tagged with Architecture, Captcha, Philosophical, Programming, Php, Uncategorized, Wordpress • 9 min read

Preface

Do you like to fiddle around with programming projects in your spare time? And do you sometimes start endeavors ambitiously, but you never actually finish them? Are you fucking tired of stacking unsuccessful projects, doing mediocre work while never being thoroughly satisfied in what you do?

If yes, you may be inclined to listen to some words I have to say over my most recent failed project:

The idea was to create my own little captcha plugin for wordpress. You can learn more about the idea by delving into some of my accompanying investigations in the following blog posts:

Honestly I started this project because back in the time I was using this plugin and I was unsatisfied because for these reason. So this context information hopefully points out some of my motivations to start the project in the first place.

The destiny of every badly planned project

As with many spontaneously started projects in came up with in the past, I first was convinced that it was an awesome idea and subsequently started programming head-first without having a clear path or …


Continue reading

Cryptographically secure rand() replacement

Posted on in Cryptography • Tagged with Cryptography, Php, Security, Programming • 5 min read

If you are a programmer, you sometimes find yourself in the need for random numbers. There are many possible use cases:

  • Generate data for unit-tests.
  • Build secure passwords or keys as input for ciphers like AES, Twofish and its colleagues.
  • Simulating the real world for modelling applications.
  • A prominent use case: Lot's of gambling sites depend on good random number generators.

Now if you code in PHP, there are quite some different ways to obtain random numbers. There is the rand ( int $min , int $max ) function for instance: It yields a random number within the range specified by the $min and $max parameters.

The documentation states that this approach isn't particularly secure and shouldn't be used for applications that need to feed algorithms with cryptographically secure random data. Then there's mt_rand ( int $min , int $max ) that apparently creates better random values. Certainly not suitable for crypto purposes as well.
There were/are quite some applications concerned with security bugs because of using rand() or mt_rand() for passwords, encryption keys, session cookies, CSRF tokens and the like. See also this link to a related discussion on security.stackexchange.com.

But because of convenience of the $min, $max interfaces of rand() and …


Continue reading