Archive for July, 2006

You are now browsing the archive for July in 2006.

HTS Basic Web 9: Directory Traversal

Basic Web mission 9 is so easy that it is barely worth a post of its own. The only thing that might be difficult is realising that you should reuse the vulnerability from the eighth mission; that problem only exists if you attempt mission 9 without looking back, or without reading the instructions.

This challenge is essentially identical to mission 8, except that the password file is in another directory. There isn't much to learn from this, except that vulnerabilities are not always where you expect them to be. In the last mission, you entered the following SSI directive (Apache's syntax) in the name field:

<!--#exec cmd="ls .." -->

The .. steps up one level, from /missions/basic/8/tmp/ to /missions/basic/8/. The directory we want is /missions/basic/9/, so we have to step up once more, to /missions/basic/, and then go into 9/ from there: ls ../../9. Walking out of the directory you are supposed to stay in by chaining .. segments is called directory traversal.

The name script saves your input to a file; read that file to find the name of the password file in the listing. Load that file, and you've got your password. Remember that it is in /9, not /8.
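An added example of the path arithmetic above, in Perl (my own code, not from the original post or from HackThisSite): resolve_path folds . and .. segments the way the filesystem does, and is_under reports whether the result has left the directory the script was meant to stay in. The mission paths are the ones from the post; the function names and the four sample inputs are mine.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Resolve a user-supplied relative path against a base directory, folding
# "." and ".." the way the kernel would. Pure string logic; touches no files.
sub resolve_path {
    my ($base, $rel) = @_;
    my $full = $rel =~ m{^/} ? $rel : "$base/$rel";
    my @out;
    for my $seg (split m{/+}, $full) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') { pop @out; next }   # step up; cannot go above "/"
        push @out, $seg;
    }
    return '/' . join('/', @out) . '/';
}

# True if $path (already resolved) lies inside $root. Comparing unresolved
# strings would be fooled by "tmp/../../9"; always resolve first.
sub is_under {
    my ($root, $path) = @_;
    $root =~ s{/*$}{/};                        # exactly one trailing slash
    return index($path, $root) == 0 ? 1 : 0;
}

# Assumed working directory of the mission-8 name script and the directory
# it should never leave (both taken from the post's URLs).
my $cwd  = '/missions/basic/8/tmp';
my $root = '/missions/basic/8/tmp';

# Constructed inputs: stay put, the mission-8 step, the mission-9 step, and
# a longer chain that would walk all the way out to /etc.
for my $rel ('.', '..', '../../9', '../../9/../../../etc') {
    my $p = resolve_path($cwd, $rel);
    printf "%-24s -> %-26s %s\n", $rel, $p,
        is_under($root, $p) ? 'inside' : 'ESCAPES';
}
```

The check is deliberately string-only, so it does not see symlinks; a server-side guard on a real filesystem should resolve the candidate with Cwd::realpath (or equivalent) and compare the canonical result against the canonical root, or better, never let user input choose a directory at all.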

HTS Basic Web 8: Evil SSI

Network Security Sam never seems to learn from his mistakes. In mission 8 of the basic web missions, Sam has made the exact same mistake as in mission 7: he practises security through obscurity. This is never a good idea. This time, he has saved an unencrypted password file somewhere in /var/www/hackthissite.org/html/missions/basic/8/. Last time, we used Sam's insecure cal script. This time, his daughter Stephanie has put up a handy script for us.

Try out Stephanie's name script. You'll find that whatever you type into that box is saved, wrapped in some additional text, to a file with a random name. Look at the URL of that file: it ends in .shtml, the extension conventionally configured for SSI processing in Apache. That is the cue to think about SSI. Server Side Includes are directives, written as HTML comments, that the web server evaluates while serving a file, a bit like PHP. By far the most common use of SSI is to include header and footer files. The syntax of an SSI include looks like this (Apache):

<!--#include virtual="footer.html" -->
You only need one directive for this mission: exec. With its cmd attribute, exec runs an arbitrary shell command on the server and pastes the output into the page. Remember from the last mission what the command for listing the files in a directory was? Try using it. Enter this into the name field:

<!--#exec cmd="ls" -->
This is the output I got:

Hi, tshngmww.shtml hipykpqu.shtml ztxdhjxn.shtml avpfeoie.shtml fviqpmaw.shtml kqbybdzc.shtml dzrnmzgx.shtml npcsygfl.shtml whqxxojt.shtml ylomcmvu.shtml uhdppswp.shtml gzntiicx.shtml dzwbqiuu.shtml qvzuieng.shtml smcerykh.shtml qjhnmhmq.shtml znodwztr.shtml!

Your name contains 254 characters.

Looks great, except for one thing: it's the wrong directory. Look at the URL; it will say something like this:

http://www.hackthissite.org/missions/basic/8/tmp/nxlvdjcp.shtml

We need to ls one directory up. The path to the parent directory is always .., so we can list the files of the parent directory (/missions/basic/8/) with the following SSI directive:

<!--#exec cmd="ls .." -->
After you have found the obscurely named file in the listing, you can simply open it in your browser and read the password.
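The flaw on Stephanie's side is writing raw user input into a file the server parses for SSI. As an added example (my own Perl, not code from the post or from HackThisSite), here is that vulnerable rendering next to a version that HTML-escapes the input, plus a simple directive detector for logging. The function names are mine; the two directive inputs are the ones this walkthrough and the mission-9 post use, embedded here as constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Apache only evaluates SSI in files it has been told to parse (for example
# *.shtml under Options +Includes). The name script writes user input into
# exactly such a file, so any "<!--#exec ... -->" in the name gets executed.

# What the vulnerable script effectively does: raw input into the page.
sub render_vulnerable {
    my ($name) = @_;
    return "Hi, $name!\n";
}

# Fix 1: HTML-escape the input. The directive is still visible as text, but
# its "<!--" is gone, so mod_include never sees a directive.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

sub render_safe {
    my ($name) = @_;
    return "Hi, " . html_escape($name) . "!\n";
}

# Fix 2 (defence in depth, and useful for logging): flag anything that looks
# like an SSI directive before it is written to disk. Deliberately lenient
# about whitespace; escaping above is the real control.
sub looks_like_ssi {
    my ($s) = @_;
    return $s =~ /<!--\s*#\s*(?:exec|include|echo|set|config|fsize|flastmod|printenv)\b/i ? 1 : 0;
}

# Constructed inputs: a plain name, the mission-8 payload (list the parent
# directory) and the mission-9 payload (list a sibling mission's directory).
my @inputs = (
    'Stephanie',
    '<!--#exec cmd="ls .." -->',
    '<!--#exec cmd="ls ../../9" -->',
);

for my $in (@inputs) {
    print  "input:      $in\n";
    print  "vulnerable: ", render_vulnerable($in);
    print  "escaped:    ", render_safe($in);
    print  "flagged:    ", (looks_like_ssi($in) ? 'yes' : 'no'), "\n\n";
}
```

Two server-side settings matter as well: Options IncludesNOEXEC keeps SSI available for header and footer includes but disables exec cmd, and user-supplied content should never be written into a directory the server parses for includes in the first place.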

Evil, Insulting CAPTCHA

I just got this CAPTCHA on digg.com:

4rsch

4rsch. That must be the most disturbing spelling of “arse” I’ve ever seen.

Minesweeper Clone with Highscore in AJAX

I recently wrote a Minesweeper clone in PHP and Javascript with AJAX. Click the image to play it.

Minesweeper clone in AJAX

It calls the server with every click, which means that it is very difficult to cheat. It is possible, though, but I won’t say how.

HTS Permanent Programming 1: Anagram Solver

The first permanent programming challenge on HackThisSite.org was fun to work with, yet so simple with Perl. If it's got to do with strings, Perl can do it. Here is the script I used. You should of course change $filename to the path of whatever you named the dictionary file.

#!/usr/local/bin/perl
use strict;
use warnings;

# Path to the dictionary; change it to wherever you saved the wordlist.
my $filename = "/home/Tim/download/tmp/wordlist.txt";

# Key for a word: a 256-slot histogram of its byte values, joined into one
# string. Two words are anagrams of each other exactly when their keys match.
sub signature {
	my ($word) = @_;
	my @counts = (0) x 256;
	$counts[ord $_]++ for split //, $word;
	return join('', @counts);
}

my %wordlist;   # signature => dictionary word
open(my $list, '<', $filename) or die "Aborting: could not open $filename\n";
while (my $word = <$list>) {
	chomp $word;
	$word =~ s/\r//;          # tolerate CRLF line endings in the wordlist
	next if $word eq '';
	# If several dictionary words share a signature, the last one wins.
	$wordlist{ signature($word) } = $word;
}
close($list);

# Read comma-separated scrambled words from standard input. Print each match
# (or a marker) as it is found, then the whole answer as one comma-separated line.
print "word:";
while (my $line = <STDIN>) {
	chomp $line;
	$line =~ s/\r//;
	my @inlist;
	foreach my $wrd (split(/,/, $line)) {
		my $strid = signature($wrd);
		if (exists $wordlist{$strid}) {
			print $wordlist{$strid} . "\n";
			push @inlist, $wordlist{$strid};
		} else {
			print "*** " . $wrd . ": not found\n";
			push @inlist, '-';
		}
	}
	print join(',', @inlist), "\n";
	print "word:";
}

This script accepts a comma-separated list of words from standard input. To convert the weird \n\t#-separated list you get when copy-pasting from Firefox, you can use my list conversion script, which I wrote for this very mission.

Note that you could swap in a good wordlist and so get a working anagram solver.

Celebrities Can’t Engage in Politics, They’re Too Politically Correct

I just read in Aftonbladet, a Swedish newspaper, about a new political party that is going to be started by Linda Rosing. Linda Rosing is a model and celebrity, well known in Sweden mainly because of her participation in Swedish Big Brother 2003. Her party is called Unika partiet, in English The Unique Party. According to Aftonbladet [1] (article in Swedish), Rosing said that it will be a broad party and that it will, among other things, attempt to fight rape by stationing special police in the metro. She is said to have registered the domain unikapartiet.se already.

Linda Rosing

Yes, we do have a couple of other weird political parties in Sweden, such as Piratpartiet (The Pirate Party) and Feministiskt initiativ (Feminist Initiative). Fortunately we've got a unique party now for all the alternative people out there.

Irssi plugin: Hot-or-Not

This is my first irssi script, and it is very useful. If you ever get bored while hanging around on IRC, just type /horny and you will see something along the lines of:

01:34 -!- Irssi: 24 years old female, rated 8.4. Enjoy. http://pix2.hotornot.com/pics/HU/HU/HY/KM/ALBMBQBPXVKK.jpg
01:34 -!- Irssi: 19 years old female, rated 9.5. Enjoy. http://pix2.hotornot.com/pics/HU/H8/NE/HZ/AUHLORORSYXA.jpg
01:34 -!- Irssi: 18 years old female, rated 9.1. Enjoy. http://pix2.hotornot.com/pics/HU/HU/KS/KM/ALAZBRGQBQUR.jpg

This script fetches three random pictures through the Hot-or-Not API. It only gets images of females younger than 25 and with a Hot-or-Not rating above 8, which means that I don’t care about minorities. Download the Irssi Hot-or-Not 0.1 source code, .pl or .zip.

Enjoy.

 
# /horny - Show URLs to random Hot-or-Not girls' pictures.
#
# /horny
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# 
#	Version 0.1 - 2006-07-29 - Tim A Johansson tim@gurka.se
#  Initial release
#

use strict;
use warnings;
use Irssi;
use LWP::Simple qw(get);
use vars qw($VERSION %IRSSI);
$VERSION = "0.1";
%IRSSI = (
	authors	=> "Tim A Johansson",
	contact	=> "tim\@gurka.se",
	name	=> "Irssi Hot-or-not",
	description	=> "/horny - Show URLs to random Hot-or-Not girls' pictures.",
	license	=> "GPL",
	url		=> "http://timjoh.com/irssi-plugin-hot-or-not/",
);

# Please don't steal my API key. Get your own for free at http://dev.hotornot.com/. It is used for tracking applications.
# Note that a key shipped inside a script is not a secret: everyone who
# downloads the plugin has it. Kept in one place so it is easy to swap out.
my $app_key = '479NUNJHETN';

sub cmd_horny {
	my $max_age = '25';
	my $min_rating = '8.1';
	for my $i (1 .. 3) {
		my $xml = get("http://services.hotornot.com/rest/?app_key=$app_key&method=Rate.getRandomProfile&retrieve_num=1&gender=female&max_age=$max_age&min_rating=$min_rating&get_rate_info=true");
		# get() returns undef on any HTTP or network failure; without this
		# check the regex below would run on undef and only print a warning.
		unless (defined $xml) {
			Irssi::print('Error: request to services.hotornot.com failed');
			next;
		}
		# Crude XML "parsing": pull the four fields out in the order the API
		# emits them. /s lets .*? span newlines in a pretty-printed response.
		if ($xml =~ m/gender>(.*?)<.*?age>(.*?)<.*?pic_url>(.*?)<.*?rating>(.*?)</s) {
			Irssi::print("$2 years old $1, rated $4. Enjoy. $3");
		} else {
			Irssi::print('Error: could not recognize string: ' . $xml);
		}
	}
}

Irssi::command_bind('horny', 'cmd_horny');

HTS Basic Web 7: cal call unrelated?

Level 7 is a very easy level if you are a Linux user. We don’t even have to check the source. The HackThisSite.org crew is kind enough to tell us where the password is: in an obscurely named file, saved in the current working directory. Now we only need to come up with a way to get a directory listing. This is when a very useful and frequently used UNIX command should come to mind: ls. From the ls man page:

ls - list directory contents

Sounds good, if only we could run commands on the server. Take a look at that “unrelated” script that calls cal. Try it out by entering a year and submitting; the output looks just like the normal output of cal. Remember that, when searching for security vulnerabilities, you should always think like the developer. What could cal.pl look like? This is a simplification:

print `cal $year`;

Where $year is the input, pasted straight into a shell command line. Injection is the bane of all web applications, and here it takes the form of a shell command injection through Perl’s backticks. What happens if you enter something other than a year? If my guess about the code is correct, the shell receives whatever you typed and executes it as part of the command. Let’s use the year 1337, just for the sake of it:

1337 && ls

The command executed now is cal 1337 && ls. This first prints a calendar of the year 1337 AD, and then gives you what you want: a listing of the current working directory. Look through it for an obscurely named file, then read that file in your web browser. Mission accomplished.

If you didn’t like Network Security Sam, you could have made things much, much nastier. 1337 && rm -rf followed by a path, for instance, would delete whatever the web server’s user account is allowed to delete. That is not the whole filesystem unless the server runs as root, which is one more reason never to run a web server under a privileged account.
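As an added example (my own Perl, not code from the post or from HackThisSite), here is the guessed vulnerable shape of cal.pl next to a hardened version: the year is allow-listed with a regex and cal is started through a list-form pipe open, so no shell ever parses the argument. The names cal_vulnerable and cal_safe and the three sample inputs are mine.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The shape the post guesses for cal.pl: the year is interpolated into a
# shell command line, so "1337 && ls" is two commands to the shell.
sub cal_vulnerable {
    my ($year) = @_;
    return `cal $year`;
}

# Hardened: allow-list the input, then run cal without a shell.
# Returns (output, undef) on success or (undef, error message) on failure.
sub cal_safe {
    my ($year) = @_;
    # One to four digits and nothing else. The capture is also the
    # sanctioned way to untaint the value under perl -T.
    my ($clean) = $year =~ /\A(\d{1,4})\z/
        or return (undef, "invalid year: '$year'");
    # List-form pipe open execs cal directly with $clean as one argument;
    # metacharacters such as "&&" or ";" can never reach a shell this way.
    open(my $fh, '-|', 'cal', $clean)
        or return (undef, "cannot run cal: $!");
    my $out = do { local $/; <$fh> };
    close($fh)
        or return (undef, "cal exited with status " . ($? >> 8));
    return ($out, undef);
}

# Constructed inputs: a real year, the post's injection, and a second
# injection using ";" instead of "&&".
for my $input ('1337', '1337 && ls', '2006; id') {
    my ($out, $err) = cal_safe($input);
    print "[$input] ",
        defined $err ? "rejected: $err\n"
                     : "ok, " . length($out // '') . " bytes of calendar\n";
}
```

Run it with perl -T and the contrast sharpens: with a tainted $year, the backticks in cal_vulnerable are refused outright (“Insecure dependency in ``”), while cal_safe proceeds because the regex capture produces an untainted value. Validation and a shell-free exec are both needed; either alone is a weaker fix.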

Flickr + Randomness = PicFlux

A couple of hours ago I stumbled upon Flickr’s API, which lets anyone fetch pictures from their servers with lots of options. Here is the most creative use I came up with: PicFlux. The concept is very simple. Once every minute, it fetches a random recent image from Flickr and pastes it at a random position on a large canvas image. This is the current image:

Random images joined by PicFlux

Refresh this page after a minute to see the updated canvas, with another picture randomly added.

WordPress Plugin: The Holy Blog

Tired of your old, boring blog? Are all its plugins just plain lame? Does it lack a divine touch? Then The Holy Blog is just what you need! (Holy Book — get the pun? Haha.) The Holy Blog appends a random Bible verse to every page of your blog. Here are some of the features:

  • Verse cache for saving bandwidth and processing time
  • Fully customizable CSS
  • Choose verse update frequency
  • Verse statistics
  • Valid HTML/XHTML
  • Random verse fetched from the ESV

Download and Install

Here you can download The Holy Blog 1.1. Unzip it and upload the-holy-bible.php to your plugin directory, wp-content/plugins/. Then go to the Plugins tab in your administration panel and activate the plugin. To change the default settings, go to the options page, conveniently located under “Options”.

Changelog

  • 2006-07-26, version 1.1:

    • Options page
    • Current verse in options page
    • Verse statistics
    • Next-verse countdown
    • Custom CSS
    • Resetable CSS
    • Variable update frequency
    • “Update now”-option
  • 2006-07-26, Version 1.0

    • Initial release

