Username: 
Password: 
Restrict session to IP 
Questions  |  score: 5  |  5.56 7.22 7.33 |  Solved By 130 People  |  238047 views  |  since Sep 28, 2012 - 21:02:39

Time to Reset (Exploit, Coding, PHP)

Time to Reset
I randomly browsed my todo and coded a challenge.
In this challenge you have to submit the password reset token for the user admin@wechall.net
Please note that your tokens are bound to your session.
You probably want to take a look at the sourcecode, also available in a highlighted version

The hint above is enough.

Good Luck!
GeSHi`ed PHP code for TimeToReset
1
2
3
4
56
7
8
9
1011
12
13
14
1516
17
18
19
2021
22
23
24
2526
27
28
29
3031
32
33
34
3536
37
38
39
4041
42
43
44
4546
47
48
49
5051
52
53
54
5556
57
58
59
6061
62
63
64
6566
67
68
69
7071
72
73
74
7576
77
78
79
8081
82
83
84
8586
87
88
89
9091
92
93
94
9596
97
98
99
100101
102
103
104
105106
107
108
109
110111
112
113
114
115116
117
118
119
120121
122
123
124
125126
127
128
129
130131
132
133
134
135136
137
138
139
<?php
chdir('../../');
 
# Show source.
if (isset($_GET['show'])){
        header('Content-Type: text/plain');
        die(file_get_contents('challenge/time_to_reset/index.php'));
}
 define('GWF_PAGE_TITLE', 'Time to Reset');
require_once('challenge/html_head.php'); # output start of website
require_once GWF_CORE_PATH.'module/WeChall/solutionbox.php';
 
# Get the challengeif (false === ($chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE)))
{
        $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 7, 'challenge/time_to_reset/index.php', false);
}
 require_once 'challenge/time_to_reset/TTR_Form.include';
require_once 'challenge/time_to_reset/TTR_Tokens.include';
 
# And display the header
$chall->showHeader(); 
# Generate csrf token
srand(time()+rand(0, 100));
$csrf = ttr_random(32);
$ttr = new TTR_Form();$form = $ttr->getForm($chall, $csrf);
 
if (isset($_POST['reset']))
{
        echo ttr_request($chall, $form);}
elseif (isset($_POST['solve']))
{
        ttr_submit($chall);
} 
echo GWF_Website::getDefaultOutput();
 
echo GWF_Box::box($chall->lang('info', array('index.php?show=source', 'index.php?highlight=christmas')), $chall->lang('title'));
 if (Common::getGetString('highlight') === 'christmas')
{
        $source = '[PHP title=TimeToReset]'.trim(file_get_contents('challenge/time_to_reset/index.php')).'';
        echo GWF_Box::box(GWF_BBCode::decode($source));
} 
echo $form->templateY($chall->lang('ft_reset'), GWF_WEB_ROOT.'challenge/time_to_reset/index.php');
 
formSolutionbox($chall);
 srand(GWF_Random::rand()); # Reset seed to something more secure. (thx noother) (thx Mart)
 
# Print Challenge Footer
echo $chall->copyrightFooter();
# Print end of websiterequire_once('challenge/html_foot.php');
 
#################
### FUNCTIONS ###
################# 
function ttr_random($len, $alpha='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
{
        $alphalen = strlen($alpha) - 1;
        $key = '';        for($i = 0; $i < $len; $i++)
        {
                $key .= $alpha[rand(0, $alphalen)];
        }
        return $key;}
 
function ttr_request(WC_Challenge $chall, GWF_Form $form)
{
        if (false !== ($errors = $form->validate($chall)))        {
                return $errors;
        }
 
        # Generate reset token        $sid = GWF_Session::getSessSID();
        $email = $form->getVar('email');
        $token = ttr_random(16);
        
        if (!TTR_Tokens::insertToken($sid, $email, $token))        {
                return GWF_HTML::err('ERR_DATABASE', array(__FILE__, __LINE__));
        }
        
        # If it's your own real mail, even send it for the lulz :)        if ($email === GWF_User::getStaticOrGuest()->getValidMail())
        {
                ttr_mail_me($chall, $email, $token);
        }
                return GWF_HTML::message($chall->lang('title'), $chall->lang('msg_mail_sent'));
}
 
function ttr_submit(WC_Challenge $chall)
{        if ('' === ($answer = Common::getPostString('answer', '')))
        {
                return;
        }
                $sessid = GWF_Session::getSessSID();
 
        # First check all "custom" solutions
        $solutions = TTR_Tokens::getSolutions($sessid);
        foreach ($solutions as $solution)        {
                if ($solution['ttr_token'] === $answer)
                {
                        echo GWF_HTML::message($chall->lang('title'), $chall->lang('msg_reset_own', array(htmlspecialchars($solution['ttr_email']))));
                        return;                }
        }
        
        # Now lets check "THE" solution
        $solution = TTR_Tokens::getSolution($sessid);        $chall->setSolution($solution['ttr_token']);
        $chall->onSolve(GWF_User::getStaticOrGuest(), $answer);
}
 
function ttr_mail_me(WC_Challenge $chall, $email, $token){
        $mail = new GWF_Mail();
        $mail->setSender(GWF_BOT_EMAIL);
        $mail->setReceiver($email);
        $mail->setSubject($chall->lang('mail_subj'));        $mail->setBody($chall->lang('mail_body', array($token)));
        $mail->sendAsHTML('gizmore@wechall.net'); # cc me for testing purposes
}
?>
Request a Password reset
Your email
Your solution for Time to Reset
Answer
© 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 and 2024 by Gizmore