A Challengers Handbook

by

Caesum

Exploits

There are a few simple techniques for doing exploit challenges but often they do require some research. Often levels will be simple well known exploit levels. You may be given a script that has a certain name (eg wwwboard.cgi) and are then expected to use some common exploit. It pays to check a good list of common url exploits like The Rudi Carell lists to see if it occurs there. Following that search google for scriptname + "exploit". This will get you through some levels easily. Sometimes the exploit will just be to obtain a certain file, for example /etc/passwd, and then you need to crack some password in jtr (discussed on the Linux page) for the answer.

Many recent exploit levels are php based or sql based and you need to read A study in scarlet for the php part. Personally I don't know of a good sql reference other than the MySQL Manual and as I use SQL practically everyday I havent found the need for much more. I think it is worth trying out your own site with php and sql, it will give you a lot of insight into these levels. Most php levels are simply about setting variables to different things in your page request, either with GET or POST. For GET requests you just add it to the url like somepage.php?somevariable=somevalue. For POST requests the easiest way is to use a html form to make the submission, possibly spoofing the referer in Proxomitron if need be. Since there is normally a form for the challenge anyway it is simply a matter of saving the page to your hard drive, making the required changes to the source which includes the full url for the action="url" part of the form and using it.

Many of these exploit levels include obvious clues as to what is required, a page asking you to register a name with 15 characters or less is just begging to be given 150 characters instead :)

Whenever you are faced with an input box and have to submit something it is worth submitting all kinds of strange strings with quotes and every symbol you can. What you want to find is some kind of different response from the level, because that means you are on the right track. Submitting '\|;#~@][)(*&^%$"!>< for the string and getting some error message will start you off in the right direction straight away.

The best levels normally give you some source code and ask you to exploit it. This is often a case of looking for where variables have not been initialised prior to use and then setting them within your request. If the source says something like 'if $blah==1 then...' and $blah was never initialised you simply do page.php?blah=1 and off you go.

Another common exploit problem uses ssi, if you input something and get a .shtml page back then you can bet they want an ssi exploit. This is normally something like <!-- #exec cmd="ls" --> or <!-- #include file="/etc/passwd -->.

Back to Contents