[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] guess what this does..
- To: Cal Leeming <cal@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] guess what this does..
- From: Christian Sciberras <uuf6429@xxxxxxxxx>
- Date: Wed, 13 Apr 2011 16:29:28 +0200
Cal /Ryan,
I'm not sure what you're trying to achieve.
If we're talking about absolutely stupid bots, the following easily defeats
them:
<form>
<stuff/>
<script type=text/javascript>document.write('<input type="hidden"
name="access" value="code"/>');</script>
<form>
I suppose you could obfuscate it all if you wanted to cater for script
kiddies.
But considering this is very weak protection (as opposed to proper captcha),
I'm not sure if it's even worthwhile.
One of the ways I can see this work is against automated, "JS-ignorant",
MITM systems.
As indeed is true, you should never trust the end user.
But in a MITM scenario, the user we're not trusting is the one conducting
the attack, not the other.
Chris.
On Wed, Apr 13, 2011 at 1:07 PM, Cal Leeming <cal@xxxxxxxxxxxxxxxx> wrote:
> Lol, I've just realised something.. I didn't include the seed key variable
> itself, so this code would have been pretty much useless on it own *DOH*.
>
> So, here's something else a bit tasty.. this is the server side code used
> to check and create the seedkey itself (secret lookup table has been changed
> obv.).
>
> This code allows seedkeys to be generated from epoch time. Now,
> cryptographically I don't know how "sane" this is, but I'm fairly sure that
> if the lookup table contained large integers it would become almost
> impossible to do a pattern based brute force. I actually had quite a lot of
> fun trying to break my own code. :D
>
> PS) you have been awarded 1 internets.
>
>
> function get_valid_keys() {
> // Create key store
> $_s = array();
>
> // Create valid key ranges (+900 seconds)
> for($x=300;$x>=900;$x+=300):
> $_s[] = $this->create_key($offset=$x);
> endfor;
>
> // Create valid key ranges (-900 seconds)
> for($x=300;$x>=-900;$x-=300):
> $_s[] = $this->create_key($offset=$x);
> endfor;
>
> $_s[] = $this->create_key();
>
> return $_s;
> }
>
> function create_packed_key() {
> // Create a new valid key
> $key = $this->create_key();
>
> // Now generate the packed key
> $k = array();
> // Now convert it into an array
> for($x=0;$x<strlen($key);$x++):
> $_v = unpack("H*", $key[$x]);
> $k[]='\x'.$_v[1];
> endfor;
>
> // Okay, here is your brand new shiney key, sir :)
> $m = '"'.implode('","', $k).'"';
> $m = strrev($m);
> $_m = array();
> for($x=0;$x<strlen($m);$x++):
> $_m[]=$m[$x];
> endfor;
> return json_encode(implode("ZPAK", $_m));
> }
>
> function create_key($offset=0) {
> // Secret key table, used to mix up the seed
> $enc = array(
> 0 => "67892",
> 1 => "3953",
> 2 => "49474",
> 3 => "494755",
> 4 => "30585",
> 5 => "30582",
> 6 => "20485",
> 7 => "20486",
> 8 => "97294",
> 9 => "10284"
> );
>
> // Generate new seed
> $time = time();
> if ($offset):
> $time=$time+$offset;
> endif;
> $c=(int)($time/$this->_security_key_refresh);
> $_c = "$c";
>
> // Extract the last 5 digits of the number
> $char1 = substr($_c, strlen($c)-1, 1);
> $char2 = substr($_c, strlen($c)-2, 1);
> $char3 = substr($_c, strlen($c)-3, 1);
> $char4 = substr($_c, strlen($c)-4, 1);
> $char5 = substr($_c, strlen($c)-5, 1);
>
> // Lookup the modifier from the secret key table
> $mt1 = $enc[$char1];
> $mt2 = $enc[$char2];
> $mt3 = $enc[$char3];
> $mt4 = $enc[$char4];
> $mt5 = $enc[$char5];
>
> // Generate a new key, based on the modifiers
> $key = round((($c+$mt1) + ($c+$mt2) + ($c+$mt3) + ($c+$mt4) +
> ($c+$mt5))/256);
> $key = "$key";
> return $key;
> }
>
>
>
>
>
> On Wed, Apr 13, 2011 at 3:56 AM, Ryan Sears <rdsears@xxxxxxx> wrote:
>
>> Me thinks I may have it right (mostly)...
>>
>> It seems to be some jquery to append a hidden input element to the
>> "theform" id (presumably a form on the page ;) ) called "seedkey", and has a
>> value of whatever t is evaluated to (which I'm still stuck on as I don't
>> know jquery much at all, so I can't figure out the s[] array, but I know it
>> has something to do with the bracket notation...).
>>
>> =================================================
>> += Orig =+
>> $(function () {
>> var _0xafd3 = ["\x74\x20\x3D\x20\x22", "", "\x6A\x6F\x69\x6E",
>> "\x72\x65\x76\x65\x72\x73\x65", "\x73\x70\x6C\x69\x74",
>> "\x72\x65\x70\x6C\x61\x63\x65", "\x22"];
>>
>> eval(_0xafd3[0] + s[_0xafd3[5]](/ZPAK/gi,
>> _0xafd3[1])[_0xafd3[5]](/\",\"/gi, _0xafd3[1])[_0xafd3[5]](/\"/gi,
>> _0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1]) +
>> _0xafd3[6]);
>> var _0x5bfa = ["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E",
>> "\x74\x79\x70\x65", "\x68\x69\x64\x64\x65\x6E", "\x61\x74\x74\x72",
>> "\x6E\x61\x6D\x65", "\x73\x65\x65\x64\x6B\x65\x79", "\x76\x61\x6C\x75\x65",
>> "\x61\x70\x70\x65\x6E\x64", "\x23\x74\x68\x65\x66\x6F\x72\x6D"];
>> _n = $(_0x5bfa[0]);
>> _n[_0x5bfa[3]](_0x5bfa[1], _0x5bfa[2]);
>> _n[_0x5bfa[3]](_0x5bfa[4], _0x5bfa[5]);
>> _n[_0x5bfa[3]](_0x5bfa[6], t);
>> $(_0x5bfa[8])[_0x5bfa[7]](_n);
>> });
>>
>> += De-obfuscated =+
>> $(function () {
>> var _0xafd3 = ['t = "', '', 'join', 'reverse', 'split', 'replace',
>> '"'];
>> var _0x5bfa = ['<input />', 'type', 'hidden', 'attr', 'name',
>> 'seedkey', 'value', 'append', '#theform'];
>>
>> eval('t = "' + s['replace'](/ZPAK/gi, '')['replace'](/\",\"/gi,
>> '')['replace'](/\"/gi, '')['split']('')['reverse']()['join']('') + '"');
>>
>> _n = $('<input />');
>> _n['attr']('type', 'hidden');
>> _n['attr']('name', 'seedkey');
>> _n['attr']('value', t);
>> $('#theform')['append'](_n);
>> });
>>
>> =================================================
>>
>> Fun stuffs. I can haz a internetz? :-P
>>
>> Ryan
>>
>>
>> ----- Original Message -----
>> From: "Cal Leeming" <cal@xxxxxxxxxxxxxxxx>
>> To: full-disclosure@xxxxxxxxxxxxxxxxx
>> Sent: Tuesday, April 12, 2011 5:28:22 PM GMT -05:00 US/Canada Eastern
>> Subject: [Full-disclosure] guess what this does..
>>
>> $(function() {
>> var
>>
>> _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
>> var
>>
>> _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
>> });
>>
>> enjoy ;p
>>
>> ps) yes I obfuscated this, and no it doesn't contain any nasties.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/