Recruit page lack of security
Posted: Tue Sep 19, 2006 11:35 am
Hi. Recently I was searching for bugs in the system to help the admins fix them, and here's what I found out. It seems that the recruitment page has the exact code as the main page; it sounds okay, but it isn't. First of all, the main page is decrypted, it's good, but the recruit page isn't. The recruit page uses some sort of image-generated code sequence that can be exploited; by that I mean you can make a small program with which you can get the PIN, and make an auto-banker, other stuff...
Here's the proof of concept (in Python):
Code:
#################################
# By abyss @ aitvaras irc net. #
#################################
import cookielib
import urllib2
import math
import string

# this is my recruit page
response = cookielib.urllib.urlopen("http://stargatewars.com/recruit.php?uniqid=uy1133702463")
html = response.read()

# nbr1 stands for the first sequence of digits, there are four or more.
# This script finds "pic/nbr1/e.gif", the 'e' letter, and converts it to an
# integer, and so forth until we have the 3 digits of the PIN, which is printed out.
if string.find(html, "nbr1/") != -1:
    count = string.find(html, "nbr1/")
    one = ord(html[count+5:count+6]) - 100 + 4
    two = ord(html[count+31:count+32]) - 100 + 4
    three = ord(html[count+57:count+58]) - 100 + 4
    PIN = one * 100 + two * 10 + three
    print PIN
OK, that's all, I think.
P.S.: sorry for the mistakes, I'm a Lithuanian...
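An added example, not part of the original post or the game's code: the leak described above (the image file name, as in pic/nbr1/e.gif, is a function of the digit) next to a server-side fix that hands out random single-use tokens instead. It is written in Python 3; render_weak, render_hardened, serve_digit, url_reveals_digit and digit.php are hypothetical names, and the weak markup is constructed from the post's description.

```python
import re
import secrets


def image_urls(html):
    """Return the src of every <img> tag in the page."""
    return re.findall(r'<img[^>]+src="([^"]+)"', html)


def render_weak(pin):
    # Constructed stand-in for the markup in the post: the file name is a
    # letter derived from the digit ('e' -> 5), so the URL alone gives the PIN.
    return "".join('<img src="pic/nbr1/%s.gif">' % chr(ord("a") + int(d) - 1)
                   for d in pin)


def render_hardened(pin, session):
    # Each position gets a fresh random token; the token-to-digit mapping is
    # kept only in server-side session state (a dict here, as an assumption).
    parts = []
    for d in pin:
        token = secrets.token_urlsafe(16)
        session[token] = d
        parts.append('<img src="digit.php?t=%s">' % token)
    return "".join(parts)


def serve_digit(token, session):
    """Digit to draw for a token, valid once; None if unknown or reused."""
    return session.pop(token, None)


def url_reveals_digit(render):
    """Audit check: render a PIN with a repeated digit. If the repeated
    positions get identical URLs, the URL is a function of the digit."""
    urls = image_urls(render("747"))
    return urls[0] == urls[2]


if __name__ == "__main__":
    session = {}
    print("weak markup leaks:", url_reveals_digit(render_weak))
    print("hardened markup leaks:",
          url_reveals_digit(lambda p: render_hardened(p, session)))
```

The token only removes the file-name leak; the served image still has to resist automatic recognition and must not be cacheable across sessions.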