Time to Reset (Exploit, Coding, PHP)
Time to Reset
I randomly browsed my todo and coded a challenge.
In this challenge you have to submit the password reset token for the user admin@wechall.net
Please note that your tokens are bound to your session.
You probably want to take a look at the sourcecode, also available in a highlighted version
In this challenge you have to submit the password reset token for the user admin@wechall.net
Please note that your tokens are bound to your session.
You probably want to take a look at the sourcecode, also available in a highlighted version
The hint above is enough.
Good Luck!GeSHi`ed PHP code for TimeToReset
1 2 3 4 56 7 8 9 1011 12 13 14 1516 17 18 19 2021 22 23 24 2526 27 28 29 3031 32 33 34 3536 37 38 39 4041 42 43 44 4546 47 48 49 5051 52 53 54 5556 57 58 59 6061 62 63 64 6566 67 68 69 7071 72 73 74 7576 77 78 79 8081 82 83 84 8586 87 88 89 9091 92 93 94 9596 97 98 99 100101 102 103 104 105106 107 108 109 110111 112 113 114 115116 117 118 119 120121 122 123 124 125126 127 128 129 130131 132 133 134 135136 137 138 139 | <?php chdir('../../'); # Show source. if (isset($_GET['show'])){ header('Content-Type: text/plain'); die(file_get_contents('challenge/time_to_reset/index.php')); } define('GWF_PAGE_TITLE', 'Time to Reset'); require_once('challenge/html_head.php'); # output start of website require_once GWF_CORE_PATH.'module/WeChall/solutionbox.php'; # Get the challengeif (false === ($chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE))) { $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 7, 'challenge/time_to_reset/index.php', false); } require_once 'challenge/time_to_reset/TTR_Form.include'; require_once 'challenge/time_to_reset/TTR_Tokens.include'; # And display the header $chall->showHeader(); # Generate csrf token srand(time()+rand(0, 100)); $csrf = ttr_random(32); $ttr = new TTR_Form();$form = $ttr->getForm($chall, $csrf); if (isset($_POST['reset'])) { echo ttr_request($chall, $form);} elseif (isset($_POST['solve'])) { ttr_submit($chall); } echo GWF_Website::getDefaultOutput(); echo GWF_Box::box($chall->lang('info', array('index.php?show=source', 'index.php?highlight=christmas')), $chall->lang('title')); if (Common::getGetString('highlight') === 'christmas') { $source = '[PHP title=TimeToReset]'.trim(file_get_contents('challenge/time_to_reset/index.php')).''; echo GWF_Box::box(GWF_BBCode::decode($source)); } echo $form->templateY($chall->lang('ft_reset'), GWF_WEB_ROOT.'challenge/time_to_reset/index.php'); formSolutionbox($chall); srand(GWF_Random::rand()); # Reset seed to something more secure. (thx noother) (thx Mart) # Print Challenge Footer echo $chall->copyrightFooter(); # Print end of websiterequire_once('challenge/html_foot.php'); ################# ### FUNCTIONS ### ################# function ttr_random($len, $alpha='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') { $alphalen = strlen($alpha) - 1; $key = ''; for($i = 0; $i < $len; $i++) { $key .= $alpha[rand(0, $alphalen)]; } return $key;} function ttr_request(WC_Challenge $chall, GWF_Form $form) { if (false !== ($errors = $form->validate($chall))) { return $errors; } # Generate reset token $sid = GWF_Session::getSessSID(); $email = $form->getVar('email'); $token = ttr_random(16); if (!TTR_Tokens::insertToken($sid, $email, $token)) { return GWF_HTML::err('ERR_DATABASE', array(__FILE__, __LINE__)); } # If it's your own real mail, even send it for the lulz :) if ($email === GWF_User::getStaticOrGuest()->getValidMail()) { ttr_mail_me($chall, $email, $token); } return GWF_HTML::message($chall->lang('title'), $chall->lang('msg_mail_sent')); } function ttr_submit(WC_Challenge $chall) { if ('' === ($answer = Common::getPostString('answer', ''))) { return; } $sessid = GWF_Session::getSessSID(); # First check all "custom" solutions $solutions = TTR_Tokens::getSolutions($sessid); foreach ($solutions as $solution) { if ($solution['ttr_token'] === $answer) { echo GWF_HTML::message($chall->lang('title'), $chall->lang('msg_reset_own', array(htmlspecialchars($solution['ttr_email'])))); return; } } # Now lets check "THE" solution $solution = TTR_Tokens::getSolution($sessid); $chall->setSolution($solution['ttr_token']); $chall->onSolve(GWF_User::getStaticOrGuest(), $answer); } function ttr_mail_me(WC_Challenge $chall, $email, $token){ $mail = new GWF_Mail(); $mail->setSender(GWF_BOT_EMAIL); $mail->setReceiver($email); $mail->setSubject($chall->lang('mail_subj')); $mail->setBody($chall->lang('mail_body', array($token))); $mail->sendAsHTML('gizmore@wechall.net'); # cc me for testing purposes } ?> |
© 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 and 2024 by Gizmore