update ada's name

2025-01-11 20:52:16 -08:00
parent 7355435b6c
commit 6b60bdd861
3 changed files with 5 additions and 5 deletions
--- a/src/html/ada-hack-1.lisp
+++ b/src/html/ada-hack-1.lisp
@ -0,0 +1,14 @@
+(defun html () 
+  (page "ada" `((section () 
+                            (h1 () "a friend hacked its website.")
+                            (p () "but how?"))
+                   (section () 
+                            (p () "
+                               prior to natalie rewriting the backend of its website, there was a bug that would allow a bash command in a comment inside $[echo \\$\\[]] and not containing &lt; or &rt; to be executed upon querrying the url /html/%2e%2e/files/posts-to-homepage/{post file}.
+                               this was due to any url beginning with '/html/' being unconditionally put through parse_file(), which generates static content from the embedded bash in the html (see <a href='/html/site-info.html'></a>).
+                               in addition to this, the source code of the server could be attained via a similar method, requesting the path of the file, but with /files/ or /html/ in front of it, followed by %2e%2e.")
+                            (p () "
+                               ada was able to exploit this by first getting the source code of the webserver via the second method discussed above, examining it, and deducing the first vulnerability mentioned above.
+                               upon discovering the RCE available via the comment untrusted command evaluation, they were able to add an ssh key to this one's server and thus gain a shell.
+                               amazingly, at the same time that they did this, natalie's other friend's girlfriend (appearing in the comments as gexfan) was halfheartedly trying to mess with its site.
+                               this ended with around 15 messages on discord telling it its site had been hacked, only around two of which were from ada.")))))