Ad 1. Someone tries to exploit Internet Explorer. You see a command line which is a subprocess of the web browser (unlikely to be normal).
Ad 2. a) 16 days ~= (31337^4) / (700 * 10^9 * 3600 * 24) b) 10 days ~= 95^9 / (700 * 10^9 * 3600 * 24)
Ad 3. Lorem~Ipsum (Base64)
Ad 4. Yes. One of the programs guesses the same as random, the other guesses the opposite of random.
Ad 5. QWErty
$6$saltsaltsaltsalt$bcXJ8qxwY5sQ4v8MTl.0B1jeZ0z0JlA9jjmbUoCJZ.1wYXiLTU.q2ILyrDJLm890lyfuF7sWAeli0yjOyFPkf0
11. (1/3)^3 + 3 * (1/3)^2 * (2/3) = 0.2592592 (can someone else please verify this?)
26. An attacker could work out the password reset token using the time.
Multiple SQL injection vulns.
Not a vuln, but a mistake - Line 6 of passwordRecover.php should be
if ($_GET['token'] == $result[0]['pass_recover']){
([bcdfghjklm]).(...)*\1
13. All of the above.
14. Just 5 I think?
16. 4 and 5
21. Looks like it wants a password of "hunt". The logic under it is either expecting the bitwise NOT'd value of a different static key or is doing something I don't understand.
22. Stack cookie. 2 and 3.
23. Definitely missing a lot of things, but #20 allows support users to execute anything as root due to the "*".
24. #15 - SQL injection, #21 - MD5 is unsuitable for password hashing, #25 - if an exception triggers you will automatically be authenticated, as "" == "", #28 - String comparison vulnerable to timing attacks
25. Lots of command injection. Buffer overflow in `error` function (buf holds 128 bytes but 128 + strlen("error: ") bytes could be copied to it). Probably many other things I'm missing.
26. No CSRF tokens (arguably not that necessary for these since every form wants some sort of password, but you could exploit vulns through someone else's browser via CSRF as a way of hiding the true source of the attack), SQL injection and XSS via $_GET['id'], SQLi with $_GET['email'], weak DB pass, LDAP injection with $_POST['username'], == should be ===, all user rows will be set to have the same recoveryPass due to missing WHERE clause in the UPDATE, string comparison timing attacks, time() is a very weak and predictable seed for generating a random recovery password, you can probably hijack the emailer to send phishing messages and links by adding some extra text to $email with " someuseryouwanttophish+also visit http://evilsite.com@gmail.com" (I don't know if mail()/Gmail would actually deliver that due to the leading space and such, though). Probably missing 1 or 2 things.
There is a "rundll322.exe", should be "rundll32.exe". Also, its description is "Print driver host for...", which would not make sense for the real rundll32.
Thanks.
If I'm Program 1 and I see a 0, I will guess 0. If Program 2 sees a 0, Program 1 guessed correctly and it doesn't matter what he guessed. If Program 2 sees a 1, he will guess the opposite (0) and this means that Program 1 was wrong but Program 2 was right.
If Program 1 sees a 1, he guesses 1. If Program 2 sees a 1, Program 1 is correct. If Program 2 sees a 0, he guesses 1 and is correct.
The above is a truth table in words that shows they are always right.
For number 5, I translated the binary numbers to decimal and used an ASCII table to convert them to ')87*;+xorXOR'. This is a different answer than grandparent. The following C++ code does the conversion: http://pastebin.com/ThxdHHwu
Program A will receive a 0 or a 1 and will guess the opposite of this value.
Program B will receive a 0 or a 1 and will guess this same value.
So, you have 4 possibilities:
(A/B is the bit received, a/b is the guess, you 'win' if b == A || a == B) (In other words, if B's guess is equal to what A received, or vice versa)
A|B|a|b
0|0|1|0 (b == A)
0|1|1|1 (a == B)
1|0|0|0 (a == B)
1|1|0|1 (b == A)
Another way to think of it is that A is guessing that they will receive different values, and B is guessing that they will receive the same value. One must be right.
)87*;+xorXOR