And this can easily be done with the php.

<?
 
header("Location: http://193.2.218.150:8080/SWAT2010/");
 
?>

Inside header you should put location to which you would like to forward user.Similar Posts:

• SWAT2010 :: available again
• SWAT2010 :: new location
• SWAT2010 :: unavailable
• hackertest.net level 17 :: Do you like cookies
• SWAT2010 preview

Here is the code we need to analyze:

<?php
        if (isset($_GET['name']) && isset($_GET['email'])) {
                $user = mysql_real_escape_string($_GET['name']);
                $email = mysql_real_escape_string($_GET['email']);
                $result= mysql_fetch_assoc(mysql_query("SELECT `email` FROM `members` WHERE name = '$user'"));
                $reply = false;
                if ($email == $result['email'])
                {
                        $reply = true;
                }
        } else {
                $reply = false;
        }
        echo ($reply) ? 1 : 0;
?>

There are many deceptions in this script but for us it is important to analyze first if statement. It checks whether name and email are set even if empty. Now notice that both are escaped before placed in SQL. And then second if statement check whether we compare result email to the inputted email. So you probably figure out now that two same values when compared are always the same. So what will probably be result if we input anything in. Result will be empty, now its simple if you compare empty to empty it is true.

vrfy.php?name=&email=

Similar Posts:

• Javascript Missions 1 :: Idiot Test
• JavaScript Challenge 3 :: Function again
• hackertest.net level 12 :: zoom in…
• Javascript Missions 3 :: Math time
• hackertest.net level 5 :: Save As…

Mission introduction:

This site in run by a new sysadmin who does not know much about web configuration
The script is located at http://moo.com/moo.php

Attempt to make the script think you are authed by entering the correct URI.

Here is the script (me.php):

Script we have to exploit:

<?php
$user = $_GET['user'];
$pass = $_GET['pass'];
if (isAuthed($user,$pass))
{
$passed=TRUE;
}
if ($passed==TRUE)
{
echo 'you win';
}
?>
<form action="me.php" method="get">
<input type="text" name="user" />
<input type="password" name="pass" />
</form>
<?php
function isAuthed($a,$b)
{
return FALSE;
}
?>

Now notice that form is passing parameters trough get method. This means that if server is not configured correctly or using global variables we can change any other variable in the code by entering it in the URL. However, before we proceed we have to exam code.

Method isAuthed always returns FALSE.  Therefore we cannot enter combination of username and password that will authenticate us. The third variable $passed is in fact control variable. If this variable is set to TRUE we win. Now we have to figure out how to change URL to change variable passed to TRUE.

From introduction we know that script is located on: http://moo.com/moo.php so to pass variable trough GET we attach ?passed=somevalue. And passed will have value somevalue.

So the final URL is:

http://moo.com/moo.php?passed=TRUE

Similar Posts:

• hackthissite.org basic 2 :: password is not
• Basic web hacking 5 :: asterix the wildcard
• Keylogger in C# :: Hooking and unhooking keyboard hook
• Basic Web Hacking 1 :: Simple Enter Pass
• hackertest.net level 2 :: Analysis Sherlock

In introduction:

You have this function, provide the value which must be POST-ed as filename to obtain the desired results:
Get the source code of hackthissite.org/index.php
here is the function:

We have to  find vulnerability in the following code:

So we have to find way to see code of the file on server. From the source code we may see that file to be opened is created merging strings using the name of the file and extension. So we have to enter correct name in the box to see file. Basically correct name is index since .php will be attached later in function call.

Now the problem is to solve how to traverse us into the root directory. We will do this by putting ../../ in front of the index. Since ../ returns us one directory back.

Because if you try to put anything in the box you will obtain URL similar to the following one:

http://www.hackthissite.org/missions/extbasic/template.php?lvl=2&pass=

So you may notice that we are in the directory missions/extbasic/. Using ../ will return us two directories back to root directory.

So final combined solution is:

../../index

Similar Posts:

• hackthissite.org basic 11 :: Music collection
• hackthissite.org basic 8 :: SSI
• hackthissite.org basic 9 :: tricky easy not
• Tutorials
• hackthissite.org Application 3 :: 127.0.0.1