This is just something I did in my down time that I figured I'd share, because I hate how I solved it, but hey, it works pretty nicely.
MaxMind's databases can be found here. I only wanted to find out which country a specific IP is in, so I didn't bother with the city-specific database. The method for converting that probably isn't too far off, though.
You'll want GeoLite2-Country-Blocks-IPv4.csv and GeoLite2-Country-Locations-en.csv (or whatever language you choose, really).
First you make a new table in your database for each file (tables should be named the same as the filenames minus the file extension; you can rename them later if you choose).
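As an added example (not the original post's code, which this excerpt does not show), here is a Python/SQLite version of the whole procedure: load the two CSVs into tables named after the files, store each CIDR block as an inclusive integer range, and resolve an IPv4 address to a country through the Locations table. The CSV column names follow the GeoLite2-Country layout as I know it (check the header line of your own download); the rows, networks, geoname ids and the table schema are constructed sample data and my own assumptions.

```python
import csv
import io
import ipaddress
import sqlite3

# Constructed sample rows in the column layout of the two GeoLite2-Country
# CSVs. The networks are RFC 5737 documentation ranges and the geoname_ids
# are the GeoNames ids for US, DE and GB; none of this is real GeoLite2 data.
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
192.0.2.0/24,6252001,6252001,,0,0
198.51.100.0/25,2921044,2921044,,0,0
198.51.100.128/25,2635167,2635167,,0,0
203.0.113.0/24,,6252001,,1,0
"""

LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name
6252001,en,NA,North America,US,United States
2921044,en,EU,Europe,DE,Germany
2635167,en,EU,Europe,GB,United Kingdom
"""


def load_geolite(conn, blocks_csv, locations_csv):
    """Create one table per file (named like the file minus .csv, as in the
    post) and load it. Each CIDR block is stored as an inclusive integer
    range so a lookup is a BETWEEN on indexed columns rather than prefix
    arithmetic on every row."""
    conn.executescript("""
        CREATE TABLE "GeoLite2-Country-Blocks-IPv4" (
            network TEXT NOT NULL,
            ip_start INTEGER NOT NULL,
            ip_end INTEGER NOT NULL,
            geoname_id INTEGER,
            registered_country_geoname_id INTEGER,
            is_anonymous_proxy INTEGER NOT NULL DEFAULT 0
        );
        CREATE INDEX blocks_range
            ON "GeoLite2-Country-Blocks-IPv4" (ip_start, ip_end);
        CREATE TABLE "GeoLite2-Country-Locations-en" (
            geoname_id INTEGER PRIMARY KEY,
            country_iso_code TEXT,
            country_name TEXT
        );
    """)
    blocks = []
    for row in csv.DictReader(io.StringIO(blocks_csv)):
        net = ipaddress.ip_network(row["network"])   # strict by default: rejects host bits set
        blocks.append((
            row["network"],
            int(net.network_address),
            int(net.broadcast_address),
            int(row["geoname_id"]) if row["geoname_id"] else None,
            int(row["registered_country_geoname_id"]) if row["registered_country_geoname_id"] else None,
            int(row["is_anonymous_proxy"] or 0),
        ))
    conn.executemany('INSERT INTO "GeoLite2-Country-Blocks-IPv4" VALUES (?,?,?,?,?,?)', blocks)
    conn.executemany(
        'INSERT INTO "GeoLite2-Country-Locations-en" VALUES (?,?,?)',
        [(int(r["geoname_id"]), r["country_iso_code"], r["country_name"])
         for r in csv.DictReader(io.StringIO(locations_csv))])
    conn.commit()


def country_for_ip(conn, ip):
    """Return (iso_code, country_name, is_anonymous_proxy) or None for an
    IPv4 address. geoname_id may be blank in the Blocks file, so fall back to
    registered_country_geoname_id; the smallest matching block wins."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only the IPv4 blocks table is loaded")
    return conn.execute("""
        SELECT l.country_iso_code, l.country_name, b.is_anonymous_proxy
        FROM "GeoLite2-Country-Blocks-IPv4" AS b
        JOIN "GeoLite2-Country-Locations-en" AS l
          ON l.geoname_id = COALESCE(b.geoname_id, b.registered_country_geoname_id)
        WHERE ? BETWEEN b.ip_start AND b.ip_end
        ORDER BY b.ip_end - b.ip_start
        LIMIT 1
    """, (int(addr),)).fetchone()


def build_demo_db():
    """In-memory database loaded with the constructed sample rows above."""
    conn = sqlite3.connect(":memory:")
    load_geolite(conn, BLOCKS_CSV, LOCATIONS_CSV)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for ip in ("192.0.2.45", "198.51.100.200", "203.0.113.9", "10.0.0.1"):
        print(ip, country_for_ip(db, ip))
```

For the real files, replace the two embedded strings with `open(...).read()` of the downloaded CSVs; the integer-range trick is what makes the lookup cheap once the table has a few hundred thousand rows, and the COALESCE is there because a block can carry a registered country but no located country.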
Pretty simple bug bounty example, but it was my first and I got a bit excited. I can’t name the company because disclosure hasn’t been granted, but it was from a bounty.
I’m not going to disclose the impacted URL, or the amount I’ve gotten for it either. I will however say that the issue has been resolved on their end so there’s no chance the URL I’ve reported can be used for the same attack. It’s been nuked. That all being the case, I’ve made a sort of recreation of the problem.
I'm mostly writing this blog post because I didn't know the functionality existed and I'm sure a bunch of other developers also aren't aware. Learn something new every day. It's probably WebSec 101, but at least as far as PHP is concerned I fail to see the point of leaving this feature enabled.
There was a file somewhere on (Company)'s network that would load a URL specified by a parameter and simply echo its contents.
Anyway, here is an example of what it would look like:
So the first part of this puzzle is to find out what's wrong with this. The first thing I do is point it at a valid host (cloudflarechallenge.com, aka 126.96.36.199).
It responds with (image not available as it seems it has stopped returning this result?):
DATABASE ERROR!!! near "re": syntax error
select time from results where result='Connecting... Sending Client Hello... Waiting for Server Hello... ... received message: type = 24, ver = 0301, length = 249 ... received message: type = 24, ver = 0301, length = 249 ... received message: type = 24, ver = 0301, length = 249 ... received message: type = 24, ver = 0301, length = 249 ... received message: type = 24, ver = 0301, length = 249 ... received message: type = 22, ver = 0301, length = 1 Sending heartbeat request... ... received message: type = 24, ver = 0301, length = 249 Received heartbeat response: 09809*)(*)(76&^%&(*&^7657332 Hi there! Your scan has been logged! Have no fear, this is for research only -- We're never gonna give you up, never gonna let you down! WARNING: server returned more data than it should - server is vulnerable! ';
Well, it's obvious the fetched response is being dropped straight into a SQL query. Let's honeypot!
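To make the two problems in this post concrete, here is an added example in Python; it is not the (Company) file and not code from the original post. It shows a validator for the caller-supplied URL (scheme allowlist plus a check that every address the host resolves to is public), and the cached-result lookup done both the way the DATABASE ERROR implies (the fetched body spliced into the SQL text, which the apostrophe in "We're" breaks) and with a bound parameter. The DNS table, the `results` schema and all function names are constructed for the demo, and I am assuming the PHP feature the post refers to is fetching URLs through file_get_contents() with allow_url_fopen on.

```python
import ipaddress
import sqlite3
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers so the demo runs offline; the names are made up.
FAKE_DNS = {
    "example.test": ["8.8.8.8"],               # stands in for a public host
    "internal.corp": ["10.0.0.5"],             # RFC 1918
    "metadata": ["169.254.169.254"],           # link-local (cloud metadata style)
    "rebind.test": ["8.8.8.8", "127.0.0.1"],   # one public answer, one loopback
}


def fake_resolve(host):
    """Demo resolver: IP literals resolve to themselves, names via FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def validate_fetch_url(url, resolve=fake_resolve):
    """Decide whether a caller-supplied URL may be fetched. Returns (ok, reason).
    `resolve` maps hostname -> list of IP strings; in production use
    socket.getaddrinfo and connect to the address you checked, not the name."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme   # file://, php://, ftp://, ...
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    addrs = resolve(parts.hostname)
    if not addrs:
        return False, "host does not resolve"
    for a in addrs:
        if not ipaddress.ip_address(a).is_global:   # loopback, private, link-local, reserved
            return False, "host resolves to non-public address %s" % a
    return True, "ok"


def new_results_db():
    """Constructed stand-in for the `results` table the post's query selects from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (result TEXT, time TEXT)")
    conn.execute("INSERT INTO results VALUES (?, ?)", ("plain response", "2014-01-01 00:00:00"))
    conn.commit()
    return conn


def cached_time_unsafe(conn, body):
    """The pattern the post's DATABASE ERROR implies: the fetched body spliced into
    the SQL text. Returns the row, or the database error text if the body breaks it."""
    try:
        return conn.execute("select time from results where result='" + body + "'").fetchone()
    except sqlite3.OperationalError as e:
        return "DATABASE ERROR!!! " + str(e)


def cached_time_safe(conn, body):
    """Same lookup with a bound parameter; the body can contain anything."""
    return conn.execute("select time from results where result=?", (body,)).fetchone()


if __name__ == "__main__":
    heartbleed_style = "Hi there! We're never gonna give you up"   # the apostrophe is the point
    db = new_results_db()
    print(cached_time_unsafe(db, heartbleed_style))
    print(cached_time_safe(db, heartbleed_style))
    for u in ("http://example.test/", "file:///etc/passwd", "http://metadata/latest/", "http://rebind.test/"):
        print(u, validate_fetch_url(u))
```

The resolve-then-check step matters because the application, not the caller, should decide what the host points to; if the hostname is then handed to a client library that resolves it again, the answer can change between check and use, so the fetch should go to the address that was checked. The rebind.test entry shows why every answer is inspected rather than just the first one.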
The first thing we see is a Captcha, which you can solve manually. However, it doesn’t give you the key so easily.
Going off of the hints given in the challenge text, I can assume they want us to make an automated method to solve the captcha.
First of all, this is the first CTF that OpenToAll has actually won first place in.
Though it was a student CTF and not widely publicized I’m still happy.
Anyway, this is a write-up for the ECTF 2014 challenge “The annoying admin”. The description is below, and please note that we solved it before the hint was provided!
The chat feature was added to the Facelook website and, to test it, the founder of the company sent a message in chat to the admin. The admin reads all the chat messages but does not reply to anyone. Try to get that chat message and earn the bounty.
Hint: Admin likes to visit some links which he receives from people