HTS Basic Web 2: A Forgotten File

This is the second mission in the Basic Web category. It is a significant step up from the first mission, where only the knowledge of a very basic technique was required. Here, you need to think logically. Let’s approach the problem in the same way as in the previous mission — check the source code. In the relevant code area, which you can find by searching with Ctrl+F for a string present in the mission paragraph (for instance “Sam”), you find only this:

What we see here is a simple HTML form, containing a password field and a submit button. Nothing interesting, that is. The only way we can continue here is by trying out the form and following wherever it leads: just input some random password, e.g. “test”. You will, probably to your surprise, not be faced with a page saying “incorrect password”, but a page saying:

“Warning: fopen(password.php) [function.fopen]: failed to open stream: No such file or directory in /var/www/hackthissite.org/html/missions/basic/3/index.php on line 35”

First off, this is apparently an unintentional (from Network Security Sam’s point of view) error. Error messages are probably by far the most common security leak, and are often likely to expose vulnerabilities. This error message reveals first that the file is a PHP file (although this could be faked, it is not very likely), and second, more importantly, that there was a file which could not be opened. The mission designers left us a not-so-subtle hint (“However, he neglected to upload the password file”) which tells us what file was not uploaded: the password file.

Now for the logical thinking: assuming that the password file existed, what would happen? Probably, the password that you entered would be matched with the one in the password file, and if they matched, you would be granted access to the next page. Now if there is no password file, what would the user input be matched with? Yep, you guessed it — nothing. Try just clicking the submit button without touching the password field. Mission complete.

Note that this is why it is very important — from a security perspective — to always check whether every function call actually worked. In this case, if our dear Network Security Sam had only taken a few seconds to check whether his call to fopen() (a function that opens a file) really opened a file, his script would have been impenetrable.
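To make the lesson concrete, here is an added example (my own constructed model, not Sam’s actual script, which the mission never shows): a check that fails open when the password file is missing, next to one that fails closed. The function names and the file path are assumptions made for the illustration.

```php
<?php
// Added illustration; a constructed model, not the mission's real index.php.
declare(strict_types=1);

// Keep warnings (and the server paths they reveal) out of the response; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Fail-open: the fopen() failure is never acted upon, so $stored stays empty
// and an empty submission "matches" it.
function check_password_vulnerable(string $submitted, string $path): bool
{
    $stored = '';
    $handle = fopen($path, 'r');              // false when the file is missing
    if ($handle) {
        $stored = rtrim((string) fgets($handle), "\r\n");
        fclose($handle);
    }
    return $submitted == $stored;             // compares against nothing on failure
}

// Fail-closed: any problem reading the password file denies access.
function check_password_hardened(string $submitted, string $path): bool
{
    $handle = fopen($path, 'r');
    if ($handle === false) {
        error_log('password file could not be opened');  // server-side log only
        return false;
    }
    $line = fgets($handle);
    fclose($handle);
    if ($line === false) {
        return false;                         // empty or unreadable file
    }
    $stored = rtrim($line, "\r\n");
    if ($stored === '') {
        return false;                         // never accept an empty stored password
    }
    // Plain-text comparison kept to mirror the mission; hash_equals() is constant-time.
    return hash_equals($stored, $submitted);
}

// Constructed sample input: a path where no file exists.
$missing = __DIR__ . '/password-not-uploaded.txt';
foreach (['', 'test'] as $attempt) {
    printf("%-6s vulnerable=%s hardened=%s\n", var_export($attempt, true),
        var_export(check_password_vulnerable($attempt, $missing), true),
        var_export(check_password_hardened($attempt, $missing), true));
}
```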

4 Comments »

  1. [...] Hard-code the password. This is, though less manageable, perhaps even better, since there otherwise could be problems if the password file could not be read for some reason. [...]

    Pingback by Timblog » HTS Basic Web 3: Hidden Fields are Not That Hidden — July 18, 2006 @ 11:06 am

  2. [...] The fifth basic web mission is very different from the prior missions (except maybe in one way the second mission) in that it requires an extensive use of logic. Actually this mission doesn’t have anything to do with hacking, but it teaches a very valuable lesson, which we will come to later. [...]

    Pingback by Timblog » HTS Basic Web 6: Decrypt the Password — July 25, 2006 @ 8:15 pm

  3. I actually DID just get an “error incorrect password” message.

    hmph, how strange….

    Comment by stevo — February 7, 2008 @ 1:36 am

  4. The password is simply…NONE!!!
    There is no password…just click OK

    Comment by HotShot — February 7, 2008 @ 6:06 pm
