2019-10-21 - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem

Header Data

From: emre erdoğan <po***e@gmail.com>
Message Hash: be3f7237485dc5d44ed903bde2125a6c8a88217b69efec7cc1a67d6be2bc5f21
Message ID: <CADDedMGezjEUNOuHpDPVGD9fiqQxFqbshkJ4TX4wJL=mh5aULw@mail.gmail.com>
Reply To: <CAFb3bYD+5MpmvBFLXsrfph=S5uEfBUdz4Wvax44iObT7jK84jQ@mail.gmail.com>
UTC Datetime: 2019-10-21 04:24:17 UTC
Raw Date: Mon, 21 Oct 2019 14:24:17 +0300

Raw message 

Hi Sergen.

Did you try to redirect to "http://1.0.0.0" by using meta refresh?

Sergen Çolak <se***7@gmail.com>, 21 Eki 2019 Pzt, 09:50 tarihinde
şunu yazdı:

> Thank you for your quick response, Tim.
> I don't use the Javascript page. I submit the HTML Page with the form.
> Then I take the required values and use a function as follows.
> function attempt_login () {
> global $ uamsecret, $ userpassword, $ username, $ password;
>
> $ hexchal = pack ("H32", $ _GET ['chal']);
> $ newchal = $ uamsecret? pack ("H *", md5 ($ hexchal. $ uamsecret)): $
> hexchal;
> $ response = md5 ("\ 0". $ password. $ newchal);
>
> $ newpwd = pack ("a32", $ password);
> $ pappassword = implode ('', unpack ("H32", ($ newpwd ^ $ newchal)));
> if ((isset ($ uamsecret)) && isset ($ userpassword)) {
> // print implode ('', array (
> // '<meta http-equiv = "refresh" content = "0; url =',
> // 'http: //', $ _GET ['uamip'], ':', $ _GET ['uamport'], '/',
> // 'logon? username =', $ username, '& password =', $ pappassword, '">'
> //));
> }
> else
> {
> print implode ('', array (
> '<meta http-equiv = "refresh" content = "0; url =',
> 'http: //', $ _GET ['uamip'], ':', $ _GET ['uamport'], '/',
> 'logon? username =', $ username, '& response =', $ response, '">'
> ));
> }
> }
> Everything works correctly, but I'm guessing that if the Challenge value
> is changed in the GET operation, res = Failed is returned. How can I
> prevent this?
>
> Tim <ti***8@gmail.com>, 20 Eki 2019 Paz, 04:18 tarihinde şunu yazdı:
>
>> Hi Sergen
>>
>> Unfortunately, the challenge value will continue to change as time goes
>> on. This is to prevent replay attacks and other such things. However, if
>> you're using the JS login page, it should already be fetching a new
>> challenge before it submits the login attempt. Are you using the JS page,
>> or the plain text version?
>>
>> Regards
>>
>> Tim
>>
>> On Sun, 20 Oct 2019 at 00:30, Sergen Çolak <se***7@gmail.com>
>> wrote:
>>
>>> Hello everybody,
>>> I have a question about Coovachilli. The link to the first time my PHP
>>> Page was loaded,
>>>
>>> http://192.168.80.1/admin/uam/hotspot?res=notyet&uamip=192.168.80.1&uamport=3990&challenge=8117e6bf4eb10d19edf8d47af8237bdd
>>> When I look at http://192.168.80.1:3990/json/status
>>> {"version": "1.0", "clientState": 0, "challenge":
>>> "8117e6bf4eb10d19edf8d47af8237bdd" ....
>>> The challenge value that appears in Json / status changes when I do not
>>> login for a certain time. And when I try to login, I get res = failed even
>>> though my username and password are correct. The Challenge mismatch in the
>>> Form, which appears to be exactly in Json. Can I prevent the challenge
>>> value from changing?
>>> Sorry for the bad English. Thank you.
>>>
>>> --
>>> This mailing list is for the Grase Hotspot Project
>>> http://grasehotspot.org
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "Grase Hotspot" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to gr***e@grasehotspot.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c0d652a1-9f34-453c-81ad-249f3e94b09b%40grasehotspot.org
>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c0d652a1-9f34-453c-81ad-249f3e94b09b%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>> .
>>>
>> --
>> This mailing list is for the Grase Hotspot Project
>> http://grasehotspot.org
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "Grase Hotspot" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to gr***e@grasehotspot.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAESLx0%2BoTs5YO7qX4ykDD21GfzKT3-yuKFAp5S0R0ippvnyu8g%40mail.gmail.com
>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAESLx0%2BoTs5YO7qX4ykDD21GfzKT3-yuKFAp5S0R0ippvnyu8g%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
> --
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org
> ---
> You received this message because you are subscribed to the Google Groups
> "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to gr***e@grasehotspot.org.
> To view this discussion on the web visit
> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAFb3bYD%2B5MpmvBFLXsrfph%3DS5uEfBUdz4Wvax44iObT7jK84jQ%40mail.gmail.com
> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAFb3bYD%2B5MpmvBFLXsrfph%3DS5uEfBUdz4Wvax44iObT7jK84jQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>

Thread