Real 16 Noob 2 Noob
Real 16 Noob 2 Noob
ghost | 7154 Reads | Spam Company
Mozzer is a freelance website developer. One of his projects from 6 months ago turned out to be for a corportate spamming company. When he went back to check on it he was horrified and set about trying to hack his own code. Unfortunately he couldn't find anything but noticed that there have been some slight alterations to his code. He mentioned something about "common directories", "session management" and ".inc files". Once you get access you will need to use the post system to edit the email database to say "admin@spamco.com". Hopefully a dose of their own medicine will sort this company out!!
Difficulty: Very Hard
Tools of the trade:-
- Tamperdata/Live HTTp Header (cookie reading)
- User agent switcher
- Should have read http://www.cgisecurity.com/lib/SessionIDs.pdf or should posses’ knowledge about session management.
- Should posses’ knowledge about "common directories" and ".inc files".
Mission: Get in as admin, and to use post system to edit the email database.
Now to get in as admin, we could try different things Look for admin directory, edit cookie, robots.txt etc.
But Notice what Mozzer mentioned in his message, something about session management Well… so for attacking the Session ID,
- Either we should know the admin’s Session ID or
- We would use our Session ID to inject in his cookie
The first one seems pretty tough, but the second one is possible.. How???? If we some how get the admin to click on a link with our Session ID.
To find your Session ID use Tamper data or Live HTTP Header, though you may use JavaScript… but why write when you can just copy-paste.
Make use of the directory that is used to include files and remember we have to login as the admin, so use the login.php url.
Now where to put the URL.. As stated before, we have to make the admin click on our url So where could we possibly use it, right the “Error Reporting†link.
Enter the url and submit it.
When you click on post message link, Enter address as admin@spamco.com [without the quotes]… Click to post.
Either the page would change due to META Tags or your post would not be submitted, check the source of the page "post message link" to know why.
Use the “logs†to answer your question. Still stumped!!! Well we didn’t use the 2nd tool of trade.
PS : Comments required especially from -The_Flash- & Killstream
ghost 17 years ago
good job it wouldve been nice if you showed us the "second tool of trade":happy::D
jaggedlancer 17 years ago
That really explained alto to me, Thanks :D but as above adding the useragent bit would be good but spose you cant spoon feed us :happy:
ghost 17 years ago
very nice job beating the challenge and writing up the article. had me stumped for a while .. should have thought of this sooner. ill be doing it later on i guess. 5 out of 5
ghost 17 years ago
This article is AWESOME. Again, your articles helped me. Thanks a lot. Now I know that exploit and it will sure help me. Thanks