HackQuest: JavaScript: Now, what is that really?

Name: Now, what is that really?
Place: Melbourne, Australia
Target: Garage of James Fern

This guy developed software that MicroWorld stole. Now we steal it first, much safer.

Pressing “Enter Site” gives a JavaScript alert, “Sorry all wrong”. As usual, we look up the source code of the form.

      <form name="form" action="" method="post">
        Username<br>
        <input id="Eingabefeld2" type="TEXT" name="Name" value=""
               size="30" maxlength="30"><br>
        Password<br>
        <input id="Eingabefeld1" type="TEXT" name="Password" value=""
               size="30" maxlength="30"><br><br>
        <input type="BUTTON" name="Schaltfl&auml;chen1" value="Enter Site"
               id="Schaltflaechen1" onclick="pw(this.form)">
      </form>

As always, note the three things that matter: the username field (id Eingabefeld2, name Name), the password field (id Eingabefeld1, name Password) and the onclick handler (pw(this.form)). We start by checking what the pw() function does. For a change, it isn’t obfuscated.

function pw (form)
{
  var d1, d2, d3;
  d1 = window.document.bgColor;   // the page's background colour, e.g. "#0e0e0e"
  d2 = form.Name.value;           // username as typed (a string)
  d3 = form.Password.value;       // password as typed (a string)

  if (d2 == d1.length) {          // loose ==: the string "7" equals the number 7
    if (d3 == d1) {               // password must equal the colour string itself
      window.open (d1.substr(1, 10) + ".php", "_self")   // colour without the "#"
    } else {
      alert("Sorry all wrong.")
    }
  } else {
    alert("Sorry all wrong.")
  }
}

d2 and d3 are simply set to the username and password, respectively. d1, however, is set to the current background colour, which is a little uncommon. We then have two checks. The first checks that d2 (the username) equals the length of d1 (the background colour); d2 is a string and d1.length is a number, but the comparison still holds because == converts the string to a number before comparing. To find the exact background colour, we use a very useful technique called JavaScript injection.

With a JavaScript injection, we can execute arbitrary JavaScript commands on any page. Do so by putting the command in the location bar of your web browser (usually ctrl+L), prefixing it with “javascript:”. By making a JavaScript alert with the background colour in it, we can easily copy that colour name. Put “javascript:alert(window.document.bgColor)” into the location bar, and you will see a popup with a colour name. (Current browsers strip the “javascript:” prefix from text pasted into the location bar; typing it, or evaluating the same expression in the browser’s developer console, gives the same result.) In my case, it was #0e0e0e. This is d1.

The username was supposed to be the same as the length of the background colour. The length of #0e0e0e, i.e. the number of characters in that string, is 7. Thus, the username must be “7”.

The next condition is “d3==d1”, which means that the password should be the same as the background colour, which is “#0e0e0e”.
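The whole check, restated as an added example (this is not code from the HackQuest page) so it can be run outside a browser. The bgColor argument stands in for window.document.bgColor, and the "#0e0e0e" value is the one reported above. It shows two things the walkthrough relies on: every value the check compares against is readable from the page itself, so the accepted credentials are a pure function of the background colour, and the loose == comparison accepts more usernames than the intended “7”.

```javascript
// Mirrors the page's pw() logic, including its loose (==) comparisons.
// Returns the page that would be opened on success, or null for "Sorry all wrong."
function pwCheck(bgColor, name, password) {
  const d1 = bgColor;
  if (name == d1.length) {              // "7" == 7, and also "07" == 7 and " 7" == 7
    if (password == d1) {
      return d1.substr(1, 10) + ".php"; // "#0e0e0e" -> "0e0e0e.php"
    }
  }
  return null;
}

// The check's inputs are all client-side state, so the credentials it accepts
// can be derived directly from the colour value without guessing anything.
function deriveCredentials(bgColor) {
  return { name: String(bgColor.length), password: bgColor };
}

// Same check with strict equality: only the exact strings pass. This does not
// make a client-side check secure (the values are still in the page), it only
// shows how much wider == makes the accepted input.
function pwCheckStrict(bgColor, name, password) {
  if (name === String(bgColor.length) && password === bgColor) {
    return bgColor.slice(1, 11) + ".php";
  }
  return null;
}

// Constructed sample: the background colour the page reports via alert().
const PAGE_BG = "#0e0e0e";
```

Calling pwCheck(PAGE_BG, "07", PAGE_BG) succeeds while pwCheckStrict rejects it, which is the difference the title hints at.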
