EOC - Post #1

1 minute read

Tip

White-box testing keywords mega list

Here is a list of keywords to look for when reading source code.

api
api_key
api_secret_key
secret_key
secret
BEGIN
PRIVATE
private
PRIVATE_KEY
private_key
key
token
CSRF
Arrays.equals
HMAC
random
mt_rand
rand
random.org
iv
encrypt
crypt
MCRYPT
RIJNDAEL
MCRYPT_RIJNDAEL_256
ECB
ecb
password
passwd
pass
hash
hashlib
hashed
md5
sha1
sha-1
sha2
sha-2
salt
bcrypt
$2a$
PBKDF2
blake2
CVE
vulnerable
stackoverflow
SO
base64
Base64
admin
rot13
tmp
system
exec
popen
backtick operator
pcntl_exec
eval
preg_replace
create_function
exec
passthru
system
shell_exec
popen
proc_open
pcntl_exec
assert
preg_replace('/.*/e',
create_function
include
include_once
require
require_once
$_GET
phpinfo
posix_mkfifo
posix_getlogin
posix_ttyname
getenv
get_current_user
proc_get_status
get_cfg_var
disk_free_space
disk_total_space
diskfreespace
getcwd
getlastmo
getmygid
getmyinode
getmypid
getmyuid
extract
parse_str
putenv
ini_set
mail
header
proc_nice
proc_terminate
proc_close
pfsockopen
fsockopen
apache_child_terminate
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
chmod
chown
shell=True
pickle.loads
yaml.load
debug
DebuggedApplication
Debug=True
evalex=True
Math.random

The keyword text file can be found here: http://bugbountyworld.com/other/keywords.txt.

Challenge

Write a script that greps for these keywords in source code and then prints them into a file with line numbers.

Here are the different categories that you can compete in:

  • Smallest script.
  • Most obscure language.
  • Fastest script.
  • Most user-friendly.

I will test the scripts against:

  • https://github.com/clarkio/vulnerable-app
  • https://github.com/adamdoupe/WackoPicko

Rules

As always the rules are:

  • DM me (@EdOverflow) your solution. Please send me a little write-up so that I can see how you went about solving the challenge.
  • Do not post solutions in the channel.
  • You may work in teams to solve challenge.
  • Challenges end when at least 5 people have solved the challenge.
  • If you have questions you can contact me. Please do not ask for solutions before the challenge ends.

References

  • https://stackoverflow.com/questions/3115559/exploitable-php-functions

Updated: