 |
|
| node: | --- kyberia hack contest --- |
| template: | 3 |
| parent: | h4ck!ng is the state of mind |
| owner: | niekt0 |
| viewed by: | |
| created: | 21.04.2009 - 14:24:41 |
| updated: | 06.05.2009 - 15:04:21 |
|
cwbe coordinatez: 101 63540 1701996 4658010 ABSOLUT KYBERIA |
| permissions | |
| you: | r, |
| system: | public |
| net: | yes |
total descendants::
total children::37
71 ❤️
| .maio | 0 |
| lupus yonderboy | 0 |
| e1m1 | 0 |
| afross | 0 |
| * | 0 |
| lulco | 0 |
| andread | 0 |
| dno | 0 |
| fefo | 0 |
| wwwnick | 0 |
| v92 | 0 |
| potion | 0 |
| Toth | 0 |
| darmozrac | 0 |
| zrnk☉ | 0 |
| fuz0 | 0 |
| ddd | 0 |
| daan | 0 |
| Dafko | 0 |
| fds | 0 |
| Rion-E | 0 |
| fk | 0 |
| chess | 0 |
| zoje | 0 |
| Martir | 0 |
| al-caid | 0 |
| -sXero- | 0 |
| huno | 0 |
| zyn | 0 |
| WooDy | 0 |
| harso | 0 |
| niekt0 | 0 |
| || | 0 |
| fifteen | 0 |
| duBeN | 0 |
| GAZ | 0 |
| wintop | 0 |
| dontbelight | 0 |
| porkac | 0 |
| maniac | 0 |
| piece_of_IT | 0 |
| jklmn | 0 |
| techko | 0 |
| coffee | 0 |
| boltzmann brain | 0 |
| xado | 0 |
| Klabla | 1 |
| bujak | 1 |
| Ruza | 1 |
| quaplo | 1 |
| [347] | 1 |
| visby | 1 |
| kristinuocic... | 1 |
| eyes wide open | 1 |
| Martini | 1 |
| Spacer | 1 |
| femme | 1 |
| rx | 1 |
| drobna | 1 |
| súdruh Kilián | 1 |
| freezy | 1 |
| robo | 1 |
| kpt_chloroform | 2 |
| mamba_the_black | 37 |
| dark tao | 37 |
---===||| kyberia hack contest |||===---
O co ide:
Najst na kyberii co najviac zranitelnosti (bezpecnostnych chyb), predpoklada sa primarne zameranie na webowu cast, ale nie je to obmedzenie.
Pravidla:
-Za platny nalez bude povazovane prakticky vsetko z OWASP vulnerability listu , pripadne akakolvek ina dostatocne zavazna chyba. Najcastejsie budu pravdepodobne rozne formy XSS, CSRF, session fixation...
-Zucastnit sa moze ktokolvek (idealne s kontom na kyberii) a to od 21.4.2009 00:01 do 5.5.2009 23:59,
-Do contestu sa netreba nijak prihlasovat, staci do tohoto fora pridat najdeny bug.
-Vitazom sa stane clovek ktory najde najzavaznejsi bug, (pripadne vela zavaznych).
-Porota si vyhradzuje patent na rozum pri posudzovani zavaznosti.
-Povolene su iba "rucne" testy, a to hlavne kvoli vykonnostnej narocnosti (teda napr. paros alebo webscarab mozete pouzit, ale bez automatickych modulov).
-Prosime nesnazte sa aktivne o DOS (denial of service) utoky,su to tiez zavazne chyby, ale nie prilis zlucitelne s funkcnostou kyberie pre ostatnych.
-Vsetky najdene nalezy piste do tohoto fora, pocita sa iba prvy nalezca jedneho bugu. Ak by ste nasli prilis kriticku chybu (napr. sql injection, file include) je vhodne ju naprv. napisat mne do posty, aby mohla byt opravena pred zverejnenim.
-Za lubovolny zverejneny bug pocas sutaze nebude nikto vyhodeny z kyberie ani nijak popotahovany;) To plati aj pre nahodne zhodenie kyberie, systematicke cielene zhadzovanie ale nebude tolerovane.
-Pri zverejneni bugu prosim zverejnite aj postup, akym sa da zreprodukovat, aby ho bolo mozne overit.
Ceny:
Planujeme ocenit 3 najlepsich, a to pravdepodobne binarnou formou (konto na hysterii, pozvanka na session, ..), ale zatial to nie je finalne. Ak by vitaz uz tieto "benefity" mal, vymyslime nieco ine.
Otazky? Sem!
Objavene bugy ( 23 + 8;):
Objavitel / bugy
id 660 (miloo)
1: SQL injection v POSTe "event=configure_system_access&node_system_access=private',node_name=(select password from users where user_id=$ID_OBETE), node_id='$ID_UTOCNIKA" na "https://kyberia.sk/id/$ID_UTOCNIKA"
Utocnik takto mohol tahat lubovolne data z sql databazy rychlostou jeden string na 2 requesty. (FIXNUTE)
2: SQL injection v /id/19/ -> set_bookmark_category, v node_id. Dosah obdobny ako 1. (FIXNUTE)
3: SQL injection v delete mail. (cislo mazanej spravy nie je osetrene). (FIXNUTE)
4: SQL injection v event=K (node_chosen[] checkbox). (FIXNUTE)
5: PHP shell (data upload nekontroloval korektne priponu uploadnuteho fajlu => upload php)
6: Root shell (stary kernel & ...)
id 2244 (Xanthix )
1: Stored XSS v userinfo (FIXNUTE)
id 2913832 (k)
1: stored XSS v nodename (IE only) (FIXNUTE)
2: SQL injection v konfiguracii nody. V poliach silencelist, masterlist, executelist, banlist a oplist
nebol osetrovany apostrof na vstupe, a teda sa dali zneuzit na sql injection. Exploit nedodal. (FIXNUTE)
3: reflected XSS v mene usera (mail)
4: reflected XSS v archiv hladani
5: censored for now
6: censored for now
id 1859269 (Toth)
1: V user submissions children sa zobrazuju privatne nody
2: Do moderated nody sa da zapisat cez id/noda/4
id 1580092 (sine)
1: CSRF (pri zmene emailu)
2: reflected XSS v preview
3: reflected XSS v chat
4: reflected XSS pri registrácii (login aj email )
5: session fixation na cookie PHPSESSID
6. reflected XSS v search
7. stored XSS v ankete (FIXNUTE)
8. v configure v poliach silencelist, masterlist, executelist, banlist a oplist je aj reflected XSS
9. SQL injection v configure_external_access v node. Dopad rovnaky ako v sqli od id 660. Zaroven aj XSS. (FIXNUTE)
10. Takmer blind SQL injection v logine (cez id). Da sa ziskat jeden bit na 1 request. (teoreticky mozno aj viac) (FIXNUTE)
11. Stored XSS v poste, ked user posle mail sam sebe (vo vsetkych atributoch). Nie je to priamo zneuzitelne, ale da sa tak premenit reflected XSS na stored XSS.
id 956 (gnomon)
1: je mozne preparentovat prispevok do privatnej nody kam user nema pristup
id 1595477 (e1m1)
1: Local file include (directory traversal). Cez -> event=../../../../../../../../etc/passwd%00 (FIXNUTE)
id 3764244 (Harvie)
1: nodu s nastavenym net=false videt bez prihlasenia z parrent nody, ktora ma net=true
2: presna identifikacia v http headroch (napr PHP/5.2.0-8+etch13)
---------------------------------------------
Zatial najvaci prielom: Root shell;) (miloo)
Game over!;)
O co ide:
Najst na kyberii co najviac zranitelnosti (bezpecnostnych chyb), predpoklada sa primarne zameranie na webowu cast, ale nie je to obmedzenie.
Pravidla:
-Za platny nalez bude povazovane prakticky vsetko z OWASP vulnerability listu , pripadne akakolvek ina dostatocne zavazna chyba. Najcastejsie budu pravdepodobne rozne formy XSS, CSRF, session fixation...
-Zucastnit sa moze ktokolvek (idealne s kontom na kyberii) a to od 21.4.2009 00:01 do 5.5.2009 23:59,
-Do contestu sa netreba nijak prihlasovat, staci do tohoto fora pridat najdeny bug.
-Vitazom sa stane clovek ktory najde najzavaznejsi bug, (pripadne vela zavaznych).
-Porota si vyhradzuje patent na rozum pri posudzovani zavaznosti.
-Povolene su iba "rucne" testy, a to hlavne kvoli vykonnostnej narocnosti (teda napr. paros alebo webscarab mozete pouzit, ale bez automatickych modulov).
-Prosime nesnazte sa aktivne o DOS (denial of service) utoky,su to tiez zavazne chyby, ale nie prilis zlucitelne s funkcnostou kyberie pre ostatnych.
-Vsetky najdene nalezy piste do tohoto fora, pocita sa iba prvy nalezca jedneho bugu. Ak by ste nasli prilis kriticku chybu (napr. sql injection, file include) je vhodne ju naprv. napisat mne do posty, aby mohla byt opravena pred zverejnenim.
-Za lubovolny zverejneny bug pocas sutaze nebude nikto vyhodeny z kyberie ani nijak popotahovany;) To plati aj pre nahodne zhodenie kyberie, systematicke cielene zhadzovanie ale nebude tolerovane.
-Pri zverejneni bugu prosim zverejnite aj postup, akym sa da zreprodukovat, aby ho bolo mozne overit.
Ceny:
Planujeme ocenit 3 najlepsich, a to pravdepodobne binarnou formou (konto na hysterii, pozvanka na session, ..), ale zatial to nie je finalne. Ak by vitaz uz tieto "benefity" mal, vymyslime nieco ine.
Otazky? Sem!
Objavene bugy ( 23 + 8;):
Objavitel / bugy
id 660 (miloo)
1: SQL injection v POSTe "event=configure_system_access&node_system_access=private',node_name=(select password from users where user_id=$ID_OBETE), node_id='$ID_UTOCNIKA" na "https://kyberia.sk/id/$ID_UTOCNIKA"
Utocnik takto mohol tahat lubovolne data z sql databazy rychlostou jeden string na 2 requesty. (FIXNUTE)
2: SQL injection v /id/19/ -> set_bookmark_category, v node_id. Dosah obdobny ako 1. (FIXNUTE)
3: SQL injection v delete mail. (cislo mazanej spravy nie je osetrene). (FIXNUTE)
4: SQL injection v event=K (node_chosen[] checkbox). (FIXNUTE)
5: PHP shell (data upload nekontroloval korektne priponu uploadnuteho fajlu => upload php)
6: Root shell (stary kernel & ...)
id 2244 (Xanthix )
1: Stored XSS v userinfo (FIXNUTE)
id 2913832 (k)
1: stored XSS v nodename (IE only) (FIXNUTE)
2: SQL injection v konfiguracii nody. V poliach silencelist, masterlist, executelist, banlist a oplist
nebol osetrovany apostrof na vstupe, a teda sa dali zneuzit na sql injection. Exploit nedodal. (FIXNUTE)
3: reflected XSS v mene usera (mail)
4: reflected XSS v archiv hladani
5: censored for now
6: censored for now
id 1859269 (Toth)
1: V user submissions children sa zobrazuju privatne nody
2: Do moderated nody sa da zapisat cez id/noda/4
id 1580092 (sine)
1: CSRF (pri zmene emailu)
2: reflected XSS v preview
3: reflected XSS v chat
4: reflected XSS pri registrácii (login aj email )
5: session fixation na cookie PHPSESSID
6. reflected XSS v search
7. stored XSS v ankete (FIXNUTE)
8. v configure v poliach silencelist, masterlist, executelist, banlist a oplist je aj reflected XSS
9. SQL injection v configure_external_access v node. Dopad rovnaky ako v sqli od id 660. Zaroven aj XSS. (FIXNUTE)
10. Takmer blind SQL injection v logine (cez id). Da sa ziskat jeden bit na 1 request. (teoreticky mozno aj viac) (FIXNUTE)
11. Stored XSS v poste, ked user posle mail sam sebe (vo vsetkych atributoch). Nie je to priamo zneuzitelne, ale da sa tak premenit reflected XSS na stored XSS.
id 956 (gnomon)
1: je mozne preparentovat prispevok do privatnej nody kam user nema pristup
id 1595477 (e1m1)
1: Local file include (directory traversal). Cez -> event=../../../../../../../../etc/passwd%00 (FIXNUTE)
id 3764244 (Harvie)
1: nodu s nastavenym net=false videt bez prihlasenia z parrent nody, ktora ma net=true
2: presna identifikacia v http headroch (napr PHP/5.2.0-8+etch13)
---------------------------------------------
Zatial najvaci prielom: Root shell;) (miloo)
Game over!;)
axone main