Author | Basic 28 |
mikispag Member

Posts: 43 Location: Italy
Joined: 14.11.06 Rank: Newbie | |
This seems to be pretty tough 
Let's see what we can get here...
No apparent SQL injection, no NULLifying, no RFI.
Furthermore, the objective is not really clear. What's the aim, exactly?
Thank you!
Code is written, future is not |
 |
Author | RE: Basic 28 |
Uber0n Member

Posts: 1963 Location: Sweden
Joined: 13.06.06 Rank: Hacker Level 3 | |
mikispag wrote:
Furthermore, the objective is not really clear. What's the aim, exactly?
I just took a quick look at it, and I have no idea yet :happy: that's the fun of this kind of challenge...

http://uber0n.web. . . |
 |
Author | RE: Basic 28 |
Member

Posts: Location:
Joined: 01.01.70 Rank: Guest | |
I guess the aim is to get a hold of a message containing the password or something like that. ^^
|
 |
Author | RE: Basic 28 |
SySTeM Member

Posts: 1524 Location: England, UK
Joined: 27.07.05 Rank: HBH Guru | |
Last two posts removed because: contains a link which basically tells you how to do it, the idea is you're meant to work it out yourself, not follow a guide.
|
 |
Author | RE: Basic 28 |
Member

Posts: Location:
Joined: 01.01.70 Rank: Guest | |
At first glance I was thinking it might be email injection... where you could inject additional headers in the $name or $from variable or whatever it may be, but I can't wrap my head around how I could use email injection to get a pass. Oh well, maybe I'll try some more later, I haven't touched a challenge in quite a while.
|
 |
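The "inject additional headers in the $name or $from variable" idea in the post above is the vulnerability class a contact form like this one falls into: if a field that the script copies straight into a mail header can contain a carriage return or line feed, everything after that break is read as further header lines. The following is an added example written for this thread, not code from the HBH challenge or from anyone in the discussion. It shows the defender's side in Python: a small detector that lists which header names a suspicious field value would splice in (useful when reviewing form submissions or logs), a validator that rejects any header-bound value containing a line break, and a hardened form handler that keeps the recipient fixed server-side. It goes slightly beyond the quoted post by checking the name and subject fields as well as the sender address, since any of them may end up in a header. The ADMIN_ADDRESS constant, the function names and the sample inputs are all assumptions made for the example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.utils import formataddr
from typing import List

# Assumed fixed recipient of the contact form; never taken from the request.
ADMIN_ADDRESS = "admin@example.invalid"

# A CR or LF inside a value that is copied into a header line ends that
# header and lets the submitter start new ones ("email header injection").
_LINE_BREAK = re.compile(r"[\r\n]")
_HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):")
# Deliberately strict: one bare address, no display name, no angle brackets.
_PLAIN_ADDRESS = re.compile(r'^[^\s@<>,;"()]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def injected_header_names(value: str) -> List[str]:
    """Detection helper for reviewing form input or logs: the names of the
    header lines that would be spliced into the message if `value` were
    copied verbatim into a header. An empty list means nothing to report."""
    lines = re.split(r"\r\n|\r|\n", value)
    names = []
    for line in lines[1:]:          # everything after the first break is a new line
        m = _HEADER_LINE.match(line)
        if m:
            names.append(m.group(1))
    return names


def is_safe_header_value(value: str) -> bool:
    """True if `value` can sit on a single header line."""
    return _LINE_BREAK.search(value) is None and "\x00" not in value


def is_plain_address(value: str) -> bool:
    """True if `value` is exactly one address (and therefore line-break free)."""
    return is_safe_header_value(value) and _PLAIN_ADDRESS.match(value) is not None


def build_contact_message(name: str, sender: str, subject: str, body: str) -> EmailMessage:
    """Hardened contact-form handler: validate every user-supplied value that
    lands in a header, keep the recipient fixed server-side, and put the
    submitter's address in Reply-To (so the admin can answer) instead of
    letting the form influence To/Cc/Bcc."""
    for label, value in (("name", name), ("subject", subject)):
        if not is_safe_header_value(value):
            raise ValueError(
                f"{label}: line break not allowed; would inject {injected_header_names(value)}"
            )
    if not is_plain_address(sender):
        raise ValueError("sender: must be a single plain address")

    msg = EmailMessage(policy=policy.default)
    msg["To"] = ADMIN_ADDRESS                                   # fixed, never user-controlled
    msg["From"] = formataddr(("Contact form", "noreply@example.invalid"))  # assumed sender identity
    msg["Reply-To"] = formataddr((name, sender))                # formataddr quotes the display name
    msg["Subject"] = subject
    msg.set_content(f"Message from {name} <{sender}>:\n\n{body}")
    return msg


if __name__ == "__main__":
    ok = build_contact_message("Alice", "alice@example.invalid", "Hello", "Just saying hi.")
    print(ok["To"], "|", ok["Reply-To"])
    # Constructed sample of the pattern the thread hints at: a line break
    # followed by an extra recipient header inside the "from" field.
    bad = "alice@example.invalid\r\nBcc: someone-else@example.invalid"
    print("would inject:", injected_header_names(bad))
    try:
        build_contact_message("Alice", bad, "Hello", "hi")
    except ValueError as e:
        print("rejected:", e)
```

The validation runs before the value touches the message object on purpose: it yields a useful error naming the header that would have been injected, and it does not depend on the mail library's own checks (recent CPython's default email policy also refuses header values containing line breaks, but a handler should not rely on that layer alone). The same rule applies to any field a script passes to `mail()` or an equivalent: either reject line breaks outright or strip them, and never let user input decide where the message goes.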
Author | RE: Basic 28 |
Member

Posts: Location:
Joined: 01.01.70 Rank: Guest | |
I don't get it, does this challenge actually send emails? Doesn't seem to be XSS, which was the first thing that sprang to mind. Even read the link system deleted and can't work it out... :whoa:
|
 |
Author | RE: Basic 28 |
Uber0n Member

Posts: 1963 Location: Sweden
Joined: 13.06.06 Rank: Hacker Level 3 | |
jjbutler88 wrote:
I don't get it, does this challenge actually send emails?
Nope, it's a simulated challenge. I've got a few ideas now, just need to test them... (and I really don't think it's about XSS)

http://uber0n.web. . . |
 |
Author | RE: Basic 28 |
shadowls You Like this!

Posts: 842 Location:
Joined: 07.12.06 Rank: God | |
The first thing that came to mind was XSS, but it does not seem like it is XSS.
If you think my posts are useful to you, please vote for them. Thank you
knowledge is powerful itself - SHADOWLS
Made by:agentmax69, but remastered by: KvK
Coffee |
 |
Author | RE: Basic 28 |
Member

Posts: Location:
Joined: 01.01.70 Rank: Guest | |
I think it's either some sort of email header injection or some nifty BBCode-style injection.
|
 |
Author | RE: Basic 28 |
SySTeM Member

Posts: 1524 Location: England, UK
Joined: 27.07.05 Rank: HBH Guru | |
Uber0n wrote:
jjbutler88 wrote:
I don't get it, does this challenge actually send emails?
Nope, it's a simulated challenge. I've got a few ideas now, just need to test them... (and I really don't think it's about XSS)
Erm, yes it does send emails actually... lol, not simulated. But thanks for guessing!
|
 |
Author | RE: Basic 28 |
Member

Posts: Location:
Joined: 01.01.70 Rank: Guest | |
system_meltdown wrote:
Uber0n wrote:
jjbutler88 wrote:
I don't get it, does this challenge actually send emails?
Nope, it's a simulated challenge. I've got a few ideas now, just need to test them... (and I really don't think it's about XSS)
Erm, yes it does send emails actually... lol, not simulated. But thanks for guessing!
It does? So, as a part of the challenge I should be receiving an email? Or no? Because it's not sending me the email. This only furthers my suspicions that the object is to use email injection of some sort.
|
 |
Author | RE: Basic 28 |
SySTeM Member

Posts: 1524 Location: England, UK
Joined: 27.07.05 Rank: HBH Guru | |
slpctrl wrote:
system_meltdown wrote:
Uber0n wrote:
jjbutler88 wrote:
I don't get it, does this challenge actually send emails?
Nope, it's a simulated challenge. I've got a few ideas now, just need to test them... (and I really don't think it's about XSS)
Erm, yes it does send emails actually... lol, not simulated. But thanks for guessing!
It does? So, as a part of the challenge I should be receiving an email? Or no? Because it's not sending me the email. This only furthers my suspicions that the object is to use email injection of some sort.
It's a form to contact the admin, so why would it send you the email? 
|
 |
Author | RE: Basic 28 |
Member

Posts: Location:
Joined: 01.01.70 Rank: Guest | |
system_meltdown wrote:
slpctrl wrote:
system_meltdown wrote:
Uber0n wrote:
jjbutler88 wrote:
I don't get it, does this challenge actually send emails?
Nope, it's a simulated challenge. I've got a few ideas now, just need to test them... (and I really don't think it's about XSS)
Erm, yes it does send emails actually... lol, not simulated. But thanks for guessing!
It does? So, as a part of the challenge I should be receiving an email? Or no? Because it's not sending me the email. This only furthers my suspicions that the object is to use email injection of some sort.
It's a form to contact the admin, so why would it send you the email? 
Ah alright 
|
 |
Author | RE: Basic 28 |
Member

Posts: Location:
Joined: 01.01.70 Rank: Guest | |
It's a form to contact the admin, so why would it send you the email?
I've just done it! Read the sentence over and over until you get the idea....
@system, what %age of sites out there are vulnerable (?) to this? Never really thought of it, but seems like it could be useful.
|
 |
Author | RE: Basic 28 |
SySTeM Member

Posts: 1524 Location: England, UK
Joined: 27.07.05 Rank: HBH Guru | |
jjbutler88 wrote:
It's a form to contact the admin, so why would it send you the email?
I've just done it! Read the sentence over and over until you get the idea....
@system, what %age of sites out there are vulnerable (?) to this? Never really thought of it, but seems like it could be useful.
Well done. And erm, not sure, quite a few are though.
|
 |
Author | RE: Basic 28 |
shadowls You Like this!

Posts: 842 Location:
Joined: 07.12.06 Rank: God | |
jjbutler88 wrote:
It's a form to contact the admin, so why would it send you the email?
I've just done it! Read the sentence over and over until you get the idea....
@system, what %age of sites out there are vulnerable (?) to this? Never really thought of it, but seems like it could be useful.
I'm reading this thing over and over and over but still can't figure it out. Something about sensitive data, I'm guessing, but I don't know.
If you think my posts are useful to you, please vote for them. Thank you
knowledge is powerful itself - SHADOWLS
Made by:agentmax69, but remastered by: KvK
Coffee |
 |
Author | RE: Basic 28 |
Member

Posts: Location:
Joined: 01.01.70 Rank: Guest | |
Ok, so excuse my hat turning a little black for this question, but wouldn't this work in, say, password recovery forms? That's a pretty damaging vulnerability then.
@shadowls - The admin doesn't want you to get the email, but you want it. Really don't want to spoil it, just think how you can get that email...
Edited by on 10-07-08 01:10 |
 |
Author | RE: Basic 28 |
Uber0n Member

Posts: 1963 Location: Sweden
Joined: 13.06.06 Rank: Hacker Level 3 | |
system_meltdown wrote:
Erm, yes it does send emails actually... lol, not simulated. But thanks for guessing!
Haha, as soon as I read this I beat it xD. I was sure it didn't require a real email, but just needed any email as input.

http://uber0n.web. . . |
 |
Author | RE: Basic 28 |
Member

Posts: Location:
Joined: 01.01.70 Rank: Guest | |
jjbutler88 wrote:
Ok, so excuse my hat turning a little black for this question, but wouldn't this work in, say, password recovery forms? That's a pretty damaging vulnerability then.
@shadowls - The admin doesn't want you to get the email, but you want it. Really don't want to spoil it, just think how you can get that email...
What email?
Should I get the email that I just put before?
I don't get it... |
 |
Author | RE: Basic 28 |
Uber0n Member

Posts: 1963 Location: Sweden
Joined: 13.06.06 Rank: Hacker Level 3 | |
454447415244 wrote:
What email?
Should I get the email that I just put before?
I don't get it... 
You must do something to make it send the email to you. That's what the challenge is all about.

http://uber0n.web. . . |
 |