Encrypted Password script - easy to defeat

From: Ian Lyte (ianlyte@hotmail.com)
Date: Fri Jun 27 2003 - 04:41:51 EDT


List,

    I've come across a site protected by the following script:

function submitentry(){
    // Read both form fields, lower-cased
    password = document.password1.password2.value.toLowerCase()
    username = document.password1.username2.value.toLowerCase()
    passcode = 1
    usercode = 1
    // Multiply the character codes of each field together
    for(i = 0; i < password.length; i++) {
        passcode *= password.charCodeAt(i);
    }
    for(x = 0; x < username.length; x++) {
        usercode *= username.charCodeAt(x);
    }
    // (the rest of the script is not quoted in this post)
}

    Essentially it takes each charCode and multiplies it by the next to give a
unique-ish (since letter order makes no odds) code for both user and
password, i.e. 12955552800 for example. This sum is then used later on in
further checks. Further research indicates it's the script from
http://www.dynamicdrive.com/dynamicindex9/password.htm and should the
password and username match the hashes the user is redirected to
password.htm or password.html (easily seen in the source of the page - look
for {window.location=password+".htm"} or {window.location=password+".html"}).

    Since this is apparently a fairly common script for those people trying
to protect pages without access to CGI I thought I would post here so people
are aware it only offers minimal protection - if it can be called protection
at all.

    In the example above you can do it by hand. 12955552800 divides without
remainder by 100,97,101,114,116. These are the codes for 'daert'. It's
obvious looking at it that it should be 'trade'. Therefore we can just type
http://victim.com/pricing/trade.htm and 2 minutes later you have access to
the 'protected page'.

    Not all combinations are that simple as people don't always use words
like that for their protected pages. In this case the easy thing to do then
is feed the letters you get into Gammadyne's Random Word Generator (the eval
version does this just fine) and it will generate every possible combination
of the letters. A little bit of formatting to the output and you can stick
those combinations into a document full of http://victom.com/pricing/xxxxx.htm
where xxxxx represents your letter. A quick run through with a link verifier
will highlight the page that exists which is the protected one.

  Can anyone on the list code a quick and dirty reverser and send it to me
or the list? I realise that doing it by hand is a) slow and b) prone to
errors. An automated reverser would make the letter generation bit a lot
easier.

   Thanks in advance

Ian
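
Added example, not part of the original post and not the Dynamic Drive script's own code: a self-check for anyone relying on this scheme, showing how much the product code published in the page source discloses. The function names and the lowercase a-z alphabet are assumptions made for the illustration.

```javascript
"use strict";

// Same computation as the posted script: multiply the char codes together.
function productCode(text) {
  let code = 1;
  for (const ch of text.toLowerCase()) code *= ch.charCodeAt(0);
  return code;
}

// Assumed alphabet (not stated in the post): lowercase a-z only.
const ALPHABET = "abcdefghijklmnopqrstuvwxyz";

// Every multiset of alphabet characters whose codes multiply to `code`,
// each returned as a string in ascending character order.
function letterMultisets(code, alphabet = ALPHABET) {
  // Past 2^53 the script's floating-point product is rounded, so exact
  // division no longer applies; refuse instead of returning wrong answers.
  if (!Number.isSafeInteger(code) || code < 1) {
    throw new RangeError("code must be an exact positive integer below 2^53");
  }
  const codes = [...alphabet].map((ch) => ch.charCodeAt(0)).sort((a, b) => a - b);
  const found = [];
  const search = (remaining, start, picked) => {
    if (remaining === 1) { found.push(String.fromCharCode(...picked)); return; }
    for (let i = start; i < codes.length; i++) {
      if (codes[i] > remaining) break; // no larger code can divide it either
      if (remaining % codes[i] === 0) search(remaining / codes[i], i, [...picked, codes[i]]);
    }
  };
  search(code, 0, []);
  return found;
}

// Number of distinct orderings of a multiset: n! / (product of count!).
function orderingCount(letters) {
  const counts = {};
  let total = 1, n = 0;
  for (const ch of letters) {
    n += 1;
    counts[ch] = (counts[ch] || 0) + 1;
    total = (total * n) / counts[ch]; // stays an integer at every step
  }
  return total;
}
```

For the code quoted in the post, letterMultisets(12955552800) yields the single multiset "adert" and orderingCount("adert") is 120, so the published number narrows the page name to at most 120 strings.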
