HellBound Hackers
Join us at IRC!
Capitalism is an Island of wealth in a sea of poverty
Friday, May 25, 2012
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
HellBoundHackers Additional:
Shop
Learn
Communicate
Submit
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Interact
Other
HellBoundHackers Executive:
HellBoundHackers Leisure:
Members Online
Total Online: 34
Web Spiders: 16
Guests Online: 31
Members Online: 3
AnkS, Test2311, darkmistry

Registered Members: 70211
Newest Member: Test2311
Latest Articles
View Thread

HellBound Hackers | Computer General | Webmasters Lounge
Author

Setting up a vulnerable Guestbook
cis_slayer
Member



Posts: 225
Location:
Joined: 23.10.06
Rank: Hacker Level 2
Posted on 12-12-07 03:29
okay so im not good with php at all and i have this open source scblockedript i got so i can practice javascblockedript injections and XSS. so, can someone look at this and show me how to make this vulnerable sorry...im just not good with php here is the index file

<!-- (c) copyright 2004, HIOX INDIA -->
<!-- This is a free tool provided by hioxidia.com -->
<!-- Please get in touch with us for using -->
<!-- this product in a commercial site. -->

<html>
<head>
</head>
<?php

$file = "gb.php";
$open = fopen($file, "r");
$size = filesize($file);
$count = fread($open, $size);

include 'col.php';

include 'header.php';
?>

<scblockedript language=javascblockedript>

function checkMailId(mailids)
{
var arr = new Array('.com','.net','.org','.biz','.coop','.info','.museum','.name','.pro'
,'.edu','.gov','.int','.mil','.ac','.ad','.ae','.af','.ag','.ai','.al',
'.am','.an','.ao','.aq','.ar','.as','.at','.au','.aw','.az','.ba','.bb',
'.bd','.be','.bf','.bg','.bh','.bi','.bj','.bm','.bn','.bo','.br','.bs',
'.bt','.bv','.bw','.by','.bz','.ca','.cc','.cd','.cf','.cg','.ch','.ci',
'.ck','.cl','.cm','.cn','.co','.cr','.cu','.cv','.cx','.cy','.cz','.de',
'.dj','.dk','.dm','.do','.dz','.ec','.ee','.eg','.eh','.er','.es','.et',
'.fi','.fj','.fk','.fm','.fo','.fr','.ga','.gd','.ge','.gf','.gg','.gh',
'.gi','.gl','.gm','.gn','.gp','.gq','.gr','.gs','.gt','.gu','.gv','.gy',
'.hk','.hm','.hn','.hr','.ht','.hu','.id','.ie','.il','.im','.in','.io',
'.iq','.ir','.is','.it','.je','.jm','.jo','.jp','.ke','.kg','.kh','.ki',
'.km','.kn','.kp','.kr','.kw','.ky','.kz','.la','.lb','.lc','.li','.lk',
'.lr','.ls','.lt','.lu','.lv','.ly','.ma','.mc','.md','.mg','.mh','.mk',
'.ml','.mm','.mn','.mo','.mp','.mq','.mr','.ms','.mt','.mu','.mv','.mw',
'.mx','.my','.mz','.na','.nc','.ne','.nf','.ng','.ni','.nl','.no','.np',
'.nr','.nu','.nz','.om','.pa','.pe','.pf','.pg','.ph','.pk','.pl','.pm',
'.pn','.pr','.ps','.pt','.pw','.py','.qa','.re','.ro','.rw','.ru','.sa',
'.sb','.sc','.sd','.se','.sg','.sh','.si','.sj','.sk','.sl','.sm','.sn',
'.so','.sr','.st','.sv','.sy','.sz','.tc','.td','.tf','.tg','.th','.tj',
'.tk','.tm','.tn','.to','.tp','.tr','.tt','.tv','.tw','.tz','.ua','.ug',
'.uk','.um','.us','.uy','.uz','.va','.vc','.ve','.vg','.vi','.vn','.vu',
'.ws','.wf','.ye','.yt','.yu','.za','.zm','.zw');
var mai = mailids;
var val = true;

var dot = mai.lastIndexOf(".");
var ext = mai.substring(dot,mai.length);
var at = mai.indexOf("@");

if(dot > 5 && at >1){
for(var i=0; i<arr.length; i++){
if(ext == arr[i]){val = true;break;}else{val = false;}}if(val == false){
alert("Your maild "+mai+" is not corrrrect");
return false;}}else{alert("Your maild "+mai+" is not correct");
return false;}return true;}

function check()
{
var tex = document.ssa.comment.value;
var len = tex.length;
var rem = 300-len;

if(len >= 300)
{
tex = tex.substring(0,300);
document.ssa.comment.value =tex;
return false;
}

if(rem<0)
rem=0;

document.ssa.rem.value =rem;
}

</scblockedript>

<table cellpadding=4 cellspacing=0 border=0 align=center>
<tr><td><br>Name *:</td><td><br>
<form name=ssa action="added.php" METHOD="POST" onSubmit="return checkMailId(ssa.from.value)">
<input type="text" name="name" size=20 maxlength="20"> [20]</td></tr>
<tr><td>Email *:</td><td><input type="text" name="from" size=27 maxlength="50"> [50]</td></tr>
<tr><td>WebSite:</td><td><input type="text" name="webs" size=27 maxlength="50"> [50]</td></tr>
<tr><td colspan=2><br>Please add your comments/suggestions *: [300]<br>
<textarea name="comment" rows=11 cols=55 wrap=physical onkeyup="check()"></textarea><br>
Words left - <input type="text" name="rem" size=3 readonly value=300>
</td></tr>
<tr><td colspan=2 align=right><input type="submit" value=" Add "></td></tr>
</form>
</table>

<br>
</td>
</tr>

<tr height=15% align=center><td align=center background="images/bg2.gif" style="font-size: 13px;">
<br>
<b><a href="lookgb.php"><font color=blue>Look in to My Guest Book</font></a></b> ||
<a href="admin.php"><font color=red>Admin Login</font></a><br>
<br>
<br>
<div align=right><font style="font-size: 12px;" > © copyright
<a href="http://www.hscblockedripts.com" style="text-decoration: none; color: #dadada;">hscblockedripts.com</a></font></div>

</td>
</tr>
</table>

</body>
</html>


many thanks
Author

RE: Setting up a vulnerable Guestbook
bigggnick
Member



Posts: 588
Location: the moon
Joined: 25.08.05
Rank: God
Posted on 12-12-07 03:32
give the source of ALL the files, all the php files, etc.

fuck this.
Author

RE: Setting up a vulnerable Guestbook
cis_slayer
Member



Posts: 225
Location:
Joined: 23.10.06
Rank: Hacker Level 2
Posted on 12-12-07 03:36
col.pho
<?php

$bxcolor = "#f5f7f6";
$bdcolor = "0648c";
$fontcol = "04400";
$oddmess = "#f8f9fb";
$evenmess = "#f8f9fc";
$html_enable = "true";

?>

<!-- (c) copyright 2004, HIOX INDIA -->
<!-- This is a free tool provided by hioxidia.com -->
<!-- Please get in touch with us for using -->
<!-- this product in a commercial site. -->




Edited by cis_slayer on 12-12-07 03:37
Author

RE: Setting up a vulnerable Guestbook
cis_slayer
Member



Posts: 225
Location:
Joined: 23.10.06
Rank: Hacker Level 2
Posted on 12-12-07 03:37
header.php
<!-- (c) copyright 2004, HIOX INDIA -->
<!-- This is a free tool provided by hioxidia.com -->
<!-- Please get in touch with us for using -->
<!-- this product in a commercial site. -->

<body style="font-family: Arial,Verdana,san-serif; margin: 0px;" bgcolor="<?php echo($bdcolor);?>">
<table align=center width=80% height=100% cellpadding=0 cellspacing=0 border=1 bgcolor="<?php echo($bxcolor);?>">
<tr height=10% align=center>
<td height=80 align=center background="images/bg2.gif">
<br>
<font color=#223356><b>Welcome Guest</b></font><br>
<br>
</td>
</tr>

<tr height=70% align=center>
<td align=left valign=top style="font-size: 14px; border: dashed 0px;">
<br>

<style>
a#tl{color: blue; text-decoration: none; font-size: 13px;}
a#tl:hover{color: aaaaff;}
</style>

<?php
if($block === false){
?>
<div align=center>
<a id=tl href="./admin.php">Admin HOME</a> ||
<a id=tl href="filter.php">Spam Filter</a> ||
<a id=tl href="ipblock.php">IP Blocker</a> ||
<a id=tl href="url.php">Properties</a>
<a id=t1 href="logout.php">Logout</a>

</div>
<?php
}
?>




Edited by cis_slayer on 12-12-07 03:38
Author

RE: Setting up a vulnerable Guestbook
cis_slayer
Member



Posts: 225
Location:
Joined: 23.10.06
Rank: Hacker Level 2
Posted on 12-12-07 03:39
url.php
<?php
include "authheader.php";

if($block == false){

include 'col.php';
include 'header.php';
echo "<br><br><br>";
?>

<?php
$iswrite = $_POST['what'];

if($iswrite == "write")
{
$bx = $_POST['Box'];

$bd = $_POST['Body'];
$fc = $_POST['Font'];
$omc = $_POST['Odd'];
$emc = $_POST['Even'];
$htmle = $_POST['var'];
$file = fopen('col.php',w);

fwrite($file,"<?php\n\n");
fwrite($file,"$"."bxcolor = \"$bx\";\n");
fwrite($file,"$"."bdcolor = \"$bd\";\n");
fwrite($file,"$"."fontcol = \"$fc\";\n");
fwrite($file,"$"."oddmess = \"$omc\";\n");
fwrite($file,"$"."evenmess = \"$emc\";\n");
fwrite($file,"$"."html_enable = \"$htmle\";\n\n");
fwrite($file,"?>\n\n");
fwrite($file, "<!-- (c) copyright 2004, HIOX INDIA -->\n");
fwrite($file, "<!-- This is a free tool provided by hioxidia.com -->\n");
fwrite($file, "<!-- Please get in touch with us for using -->\n");
fwrite($file, "<!-- this product in a commercial site. -->\n");

fclose($file);
}

include 'col.php';
?>


<table bgcolor=dfdff0 align=center style="padding: 10px; border:2px red groove;
font-family: arial, verdana, san-serif; font-size: 14px;">

<form name = col method = post action = "url.php">
<tr><td>Box Color: </td><td> <input type="text" name="Box" value = "<?php echo"$bxcolor"; ?>" /></td></tr>
<tr><td>Body Color: </td><td> <input type="text" name="Body" value = "<?php echo"$bdcolor";?>"/></td></tr>
<tr><td>Font Color: </td><td> <input type="text" name="Font" value = "<?php echo"$fontcol"; ?>" /></td></tr>
<tr><td>Odd Msg Color: </td><td> <input type="text" name="Odd" value = "<?php echo"$oddmess"; ?>" /></td></tr>
<tr><td>Even Msg Color: </td><td> <input type="text" name="Even" value = "<?php echo"$evenmess"; ?>"/></td></tr>

<tr><td>HTML Tags: </td><td>
<select name="var">
<option>Please select</option>
<?php
if ($html_enable == "true")
{
echo "<option value=true selected>Enable</option>
<option value=false>Disable</option>";
}else {
echo "<option value=true>Enable</option>
<option value=false selected>Disable</option>";
}
?>
</select>
</td></tr>
<tr><td colspan=2 align=right>
<input type=hidden value="write" name=what>
<input type='submit' value="change">
</td></tr>
<td colspan=2>Note:Change may cause effect in proprerties</td>
</form>
</table>


</body>
</html>

<?php
}
?>

<!-- (c) copyright 2004, HIOX INDIA -->
<!-- This is a free tool provided by hscblockedripts.com -->
<!-- Please get in touch with us for using -->
<!-- this product in a commercial site. -->
Author

RE: Setting up a vulnerable Guestbook
cis_slayer
Member



Posts: 225
Location:
Joined: 23.10.06
Rank: Hacker Level 2
Posted on 12-12-07 03:40
filter.php
<?php
include "authheader.php";

if($block == false){

include 'col.php';
include 'header.php';

echo "<br><br><br>";

$iswrite = $_POST['what'];
if($iswrite == "write")
{
echo "<div align=center style='color: green;'><b>filters have been updated</div>";
$str = $_POST['filters'];
$file = fopen('fil.php',w);
$ara = explode("\n",$str);
fwrite($file, "<?php \n\n");
for($yy=0; $yy<count($ara);$yy++)
{
$xxa = $ara[$yy];
$xxa = trim($xxa);
if($xxa != "")
fwrite($file, "$"."asi[$yy] = \"$xxa\";");
}

fwrite($file, $ara[$yy]);
fwrite($file, "\n?>");
fclose($file);
}

include "fil.php";
?>

<table bgcolor=dfdff0 align=center style="padding: 10px; border:2px red groove;
font-family: arial, verdana, san-serif; font-size: 14px;">
<form name=fil method=post action="<?php echo "$PHP_SELF"; ?>">
<tr><td></td><td>Add/Edit Filters .....<br>
<textarea name=filters rows=15 cols=50><?php
for($xx=0; $xx<count($asi); $xx++)
{
$word = $asi[$xx];
echo "$word \n";
}
?>
</textarea>
</td></tr>

<tr><td colspan=2 align=right>
<input type=hidden value=write name=what>
<input type='submit' value="create"> </td></tr>
<td colspan=2>Note: You wont get the messages Containig these Words </td>
</form>
</table>
</body>
</html>

<?php
}
?>

<!-- (c) copyright 2004, HIOX INDIA -->
<!-- This is a free tool provided by hscblockedripts.com -->
<!-- Please get in touch with us for using -->
<!-- this product in a commercial site. -->
Author

RE: Setting up a vulnerable Guestbook
DigitalFire
Member



Posts: 274
Location: Or perhaps just
Joined: 02.12.06
Rank: HBH Guru
Posted on 12-12-07 04:38
I dont see any type of filtering there, although i only looked over it once. And that is by far 10x more complicated that you need, if all you want to do is a little xss practice.

ill code you a basic php guestbook if you want. will only take me a few minutes.


I'll be in it all to watch it burn so carelessly
You cannot see a thing about me for in these blanks
Author

RE: Setting up a vulnerable Guestbook
Zephyr_Pure
Member



Posts: 2402
Location:
Joined: 15.09.06
Rank: God
Posted on 12-12-07 04:39
Instead of taking a prepared PHP guestbook, the best way to make a vulnerable guestbook is to write one yourself. Just make a simple form and have it echo the fields to the original page. It may not be pretty, but it will work for what you want. Continue to build / expand it as you learn more about PHP. Just as with any language, the best way to learn it is to start from the ground up.


I still check PMs from time to time.




Our responses were moronic, why shouldn't he follow suit? - Futility
Author

RE: Setting up a vulnerable Guestbook
cis_slayer
Member



Posts: 225
Location:
Joined: 23.10.06
Rank: Hacker Level 2
Posted on 12-12-07 20:56
cool....digitalfire if you wanna make it you can if not i will try my hand at it. but thanks for the replays

Guest
Username

Password

Remember Me


Bookmark This Page
Affiliates
Adverts

 

 

Links

Anime Wallpaper Site
By using, viewing or obtaining any information contained on this site, you agree to the disclaimer.

© HellBound Hackers 2008- 2009. Since 3rd December 2004.

20613362 Unique Visits

Powered by HBH-Fusion