Members Online
Total Online: 40 Web Spiders: 24
Guests Online: 37
Members Online: 3
Registered Members: 67080 Newest Member: nawazbugti
|
Hall of Fame
| CSRF in HoF |
| User |
FantASM |
| Reward |
35 points |
| Description |
FantASM was able to add any HoF entry by sending an Administrator a PM with the right privileges. |
|
| CSRF in Add Points |
| User |
FantASM |
| Reward |
35 points |
| Description |
FantASM was able to Add Points to any account by sending an Administrator a PM with the right privileges. |
|
| XSS in Add Points |
| User |
FantASM |
| Reward |
50 points |
| Description |
FantASM found multiple XSS vulnerabilities in the Add Points page. |
|
| XSS in PM System |
| User |
FantASM |
| Reward |
50 points |
| Description |
FantASM was able to break out of the input field and inject his own javascript. |
|
| Multiple CSRF |
| User |
FantASM |
| Reward |
300 points |
| Description |
FantASM found multiple CSRF points around the site. |
|
| XSS in Rooting Challenge 2 |
| User |
FantASM |
| Reward |
30 points |
| Description |
FantASM was able to break out of the input field and inject his own javascript into the page. |
|
| Root |
| User |
Jelmer de Hen |
| Reward |
1337 points |
| Description |
Jelmer de Hen from h.ackack.net managed to get full control over the server and get root access. |
|
| Multiple CSRF |
| User |
FantASM |
| Reward |
200 points |
| Description |
FantASM found multiple CSRF points around the site which would have allowed him to post several items form a persons account. |
|
| CSRF in EM Notes |
| User |
FantASM |
| Reward |
30 points |
| Description |
FantASM found a CSRF vulnerability in the EM Note feature that allowed him to add or delete notes from a user's profile. |
|
| CSRF in Buddy List |
| User |
Infam0us |
| Reward |
35 points |
| Description |
Infam0us discovered a CSRF vulnerability that allowed him to remove people from a user's buddy list. |
|
| Avatar Vuln |
| User |
Infam0us |
| Reward |
60 points |
| Description |
Infam0us was able to bypass the image-only filter for avatars to use any type of url he wanted by tacking on ?a=a.jpg or #a=a.jpg to the end of a URL. |
|
| XSS with img tags |
| User |
Infam0us |
| Reward |
100 points |
| Description |
Infam0us discovered that he could insert javascript into img tags by using decimal encoding. |
|
| CSRF in Codebank |
| User |
cyber-guard |
| Reward |
35 points |
| Description |
cyber-guard was able to create codes by getting users to visit an external site. He was able to use this in combination with his </textarea> vuln to do some interesting things. |
|
| Vulnerability in PM System and Code Bank |
| User |
cyber-guard |
| Reward |
100 points |
| Description |
cyber-guard discovered that he could use </textarea> to insert html into a PM, and this html would be executed if you clicked "preview". He was able to insert whatever html/javascript code he wanted into codes using this method upon editing them. |
|
| Basic 26 XSS |
| User |
ADIGA |
| Reward |
25 points |
| Description |
ADIGA found an XSS vulnerability in Basic Web Hacking 26 using the onmouseover attribute. |
|
| CSRF in Admin Blacklist Function |
| User |
ynori7 |
| Reward |
35 points |
| Description |
Ynori found a CSRF vulnerability in the blacklist function allowing any user to remove any (or all) blacklists by getting an admin with the proper prviliges to view a webpage. |
|
| CSRF in Articles Section |
| User |
ynori7 |
| Reward |
35 points |
| Description |
Ynori found a CSRF vulnerability in the Articles section allowing any user to delete any article by getting an admin to view a page. |
|
| Blind MySQLi in Lostpassword Function |
| User |
Jelmer de Hen |
| Reward |
200 points |
| Description |
For a blind mysqli in the lostpassword functionality that let him capture password hashes. |
|
| Multiple SQL Injections in the registration system |
| User |
Jelmer de Hen |
| Reward |
100 points |
| Description |
Jelmer found multiple vulnerabile inputs in the registration system, which allowed him to steal password hashes and other user information. |
|
| SQL Injection in Real #7 |
| User |
Jelmer de Hen |
| Reward |
50 points |
| Description |
Jelmer found a blind sql injection in real #7 |
|
| Bypassed filters in PenTest #2 |
| User |
Jelmer de Hen |
| Reward |
100 points |
| Description |
Jelmer was able to bypass filtering in PenTest #2, which allowed him to include arbitrary javascript. |
|
| XSS in EM system |
| User |
Jelmer de Hen |
| Reward |
30 points |
| Description |
Jelmer found an unchecked input in the EM system that allowed him to inject javascript that would steal sessions |
|
| Created a CSRF worm |
| User |
Jelmer de Hen |
| Reward |
100 points |
| Description |
Jelmer created a CSRF worm that took advantage of unchecked inputs in the PM system. This worm sent PMs to various users containing a link to a page with the CSRF. This forced anyone following the link to spread the worm. |
|
| CSRF in the shoutbox |
| User |
stealth- |
| Reward |
15 points |
| Description |
stealth- found a CSRF vulnerability in the shoutbox system that allowed him to make posts as other users. |
|
| Multiple CSRF vulnerabilities in the EM system |
| User |
stealth- |
| Reward |
45 points |
| Description |
stealth- found mulitple unchecked inputs in the EM system that allowed him to use CSRF to change exclusive member's settings. |
|
| Exploited Timed 6 |
| User |
b4ckd0or |
| Reward |
100 points |
| Description |
b4ckd0or found a CSRF vulnerability in timed6 that bypassed output filtering, allowing for JavaScript to be injected directly. This combination of CSRF and XSS would have allowed logged-in users to be directed to this page, where their session would be stolen. |
|
| Session Hijacking |
| User |
skathgh420 |
| Reward |
10 points |
| Description |
skathgh420 found the plain-text version of the codebank was servering up content types that the browser would execute and was able to hijack sessions. |
|
| DoS |
| User |
pimpim |
| Reward |
20 points |
| Description |
pimpim was able to make HBH's server DoS itself. He reported this and is therefor rewarded with 20 points. |
|
| Most Bans |
| User |
Fritzo |
| Reward |
1337 points |
| Description |
Fritzo was given 1337 points for being banned 60 times and remove -cL from the surface |
|
| Code Bank Hack |
| User |
clone4 |
| Reward |
100 points |
| Description |
clone4 was able to edit or delete code written by any user, but instead of exploiting this in a malicious manor, and reporting it, has been awarded 100 points. |
|
| UTF-7 XSS On Error Pages |
| User |
SySTeM |
| Reward |
50 points |
| Description |
system found an XSS vulnerability using the UTF-7 charset, http://www.hellboundhackers.org/\\\+ADw-script+AD4-alert(/xss/)+ADw-/script+AD4---//--, which when run with firefox, or internet explorer with character set auto detection turned on, caused an alert to appear. |
|
| XSS in print.php |
| User |
SySTeM |
| Reward |
30 points |
| Description |
system_meltdown was able to post an article containing html, and then when a user goes to the print view of the article, the code would run. |
|
| XSS in Basic 26 |
| User |
fallingmidget |
| Reward |
25 points |
| Description |
fallingmidget was able to bypass filter and insert her own javascript into the page. |
|
| CSRF Via Variable Injection |
| User |
SySTeM |
| Reward |
35 points |
| Description |
system_meltdown was able to use a variable injection string (http://www.hellboundhackers.org/?_POST=lol=rofl.png) inside an image tag which would log someone out. |
|
| Real 17 Compression Stream Exploit |
| User |
MrBlueSky |
| Reward |
180 points |
| Description |
MrBlueSky was able to find a exploit in real17, this exploit allowed him to run a zip stream, to backup the config files and then proceed to download them. |
|
| XSS |
| User |
Uber0n |
| Reward |
40 points |
| Description |
Uber0n found multiple XSS vulnerabilities in the site. |
|
| Server Security |
| User |
richohealey |
| Reward |
100 points |
| Description |
richohealey found and removed several malicious files that were uploaded onto the server and could have been used to cause damage. |
|
| DNS Injection |
| User |
richohealey |
| Reward |
200 points |
| Description |
richohealey found and fixed a DNS exploit on the server which would of enabled him to redirect the website to any location he wanted. |
|
| Access to Database |
| User |
only_samurai |
| Reward |
200 points |
| Description |
only_samurai was able to remotely brute force the database and thus gained full access! |
|
| Profile Page XSS |
| User |
Th3Gamester |
| Reward |
50 points |
| Description |
Th3Gamester exploited HBH's dynamic titles on the profile page and injected XSS by requesting a page such as /profile/xss.html and has been awarded 50 points. |
|
| SQL Injection |
| User |
K_ros |
| Reward |
100 points |
| Description |
K_ros found a SQL Injection in the PM system and could execute his own SQL queries. |
|
| XSS |
| User |
sasi2103 |
| Reward |
25 points |
| Description |
sasi2103 was able to inject javascript onto the page in real 2 by manipulating the PHP_SELF variable. |
|
| CSRF |
| User |
only_samurai |
| Reward |
15 points |
| Description |
only_samurai was able to ban, unban, and delete any member he made by a CSRF in his profile when viewed by an admin. |
|
| Messages XSS |
| User |
Uber0n |
| Reward |
30 points |
| Description |
Uber0n found a XSS hole in the messages pages that allowed him to inject code and send it to members. |
|
| Held off a DDoS attack |
| User |
only_samurai |
| Reward |
80 points |
| Description |
only_samurai held off an extremely large DDoS attack on the hbh server and ensured the website suffered 0 downtime! |
|
| Phishing via [IMG] tags |
| User |
The_Cell |
| Reward |
80 points |
| Description |
The_Cell was able to trick members by asking them to enter their login details. The_Cell then logged their username and password via a .htaccessed image |
|
| XSS in [mail] tag |
| User |
mr noob |
| Reward |
30 points |
| Description |
mr_noob was able to take over any page with his sig by bypassing the [mail] tag and adding styles. |
|
| XSS in [mail] tag |
| User |
thk-geo |
| Reward |
15 points |
| Description |
thk-geo was able to make an alert box pop up if a user clicked on a link in his sig. |
|
| CSRF |
| User |
mozzer |
| Reward |
100 points |
| Description |
mozzer was able to edit users titles, user notes and profiles just by sending them a link to his site. |
|
| XSS |
| User |
spyware |
| Reward |
50 points |
| Description |
Spyware was able to inject XSS into the forums, which was executed for people using the following browsers: IE6, Opera, and Netscape, he has been awarded 50 points for this. |
|
| XSS |
| User |
only_samurai |
| Reward |
30 points |
| Description |
only_samurai was able to inject html into the shoutbox that would only be visible to admins via the shoutbox administration tool. This could enable him to redirect an admin to any page he wished. |
|
| CSRF in Avatars |
| User |
mozzer |
| Reward |
35 points |
| Description |
mozzer was able to use php to utilize CSRF in avatars |
|
| Denial of Service |
| User |
mozzer |
| Reward |
70 points |
| Description |
mozzer could of caused a Denial of Service attack on HBH by bypassing the filter on real 12 and including a certain page. |
|
| CSRF in avatar |
| User |
Xenoix |
| Reward |
30 points |
| Description |
Xenoix was able to put the HBH logout url into the avatar field and make people logout when they viewed a page with his avatar on. |
|
| Various Challenge XSS |
| User |
K_ros |
| Reward |
50 points |
| Description |
K_ros managed to find various XSS holes in many of the challenges and has been awarded: 50 points. |
|
| Blind MySQL Injection |
| User |
SySTeM |
| Reward |
100 points |
| Description |
system_meltdown found a blind mysql injection vulnerablity in the PM system |
|
| Real 12 Filter |
| User |
K_ros |
| Reward |
80 points |
| Description |
K_Ros managed to bypass the filter on real 12 again. This allowed him to view any file or directory he wanted on hbh, or even include his own shell. |
|
| XSS |
| User |
K_ros |
| Reward |
30 points |
| Description |
K_ros found a Cross Site Scripting exploit in the newsletter panel. |
|
| SQL Injection |
| User |
wolfmankurd |
| Reward |
200 points |
| Description |
Found a blind SQL injection vunerbility in the PM system. |
|
| WhiteAcid |
| User |
WhiteAcid |
| Reward |
250 points |
| Description |
WhiteAcid was able to find XSS holes in several areas of the site. From this he developed a exploit to allow him to steal plaintext passwords from any user he wished. |
|
| cURL Script |
| User |
SySTeM |
| Reward |
40 points |
| Description |
system_meltdown used a cURL script in PHP to view the admin shoutbox entries. |
|
| Realistic 12 - File Inclusion |
| User |
K_ros |
| Reward |
250 points |
| Description |
K_ros was able to excape the files, by using escaped html to browse any directory or vew any file he wanted. |
|
| Realistic 12 - Remote File Inclusion |
| User |
IPYouFy |
| Reward |
200 points |
| Description |
IPYouFy was able to exploit the filter of realistic 12's index page and he successfully included a shell which provided him full file access. |
|
| UBB - [URL] tag |
| User |
Jake |
| Reward |
50 points |
| Description |
Jake was able to escape the filters in the [url] UBB tag and inject XSS |
|
| XSS in Realistic 8 |
| User |
SySTeM |
| Reward |
30 points |
| Description |
system_meltdown was able to include html tags in his refer. This refer was then logged in real 8 and anyone attempting the challenge would execute his code. |
|
| [IMG] Tag XSS vulnerability |
| User |
SySTeM |
| Reward |
75 points |
| Description |
system_meltdown was able to escape our filters and insert a line segment that would allow him to make an alert box on any page that allowed BB code. |
|
| XSS |
| User |
SySTeM |
| Reward |
100 points |
| Description |
system_meltdown was able to inject XSS into a function on the PM system. This could lead to stealing admin cookies. |
|
| XSS in members.php |
| User |
SySTeM |
| Reward |
50 points |
| Description |
system_meltdown was able to find xss exploits in the members.php page by using the unfiltered variables. |
|
| XSS in Avatars |
| User |
skarecrow |
| Reward |
100 points |
| Description |
SkareCrow was able to inject XSS into the avatars. He used this to create a huge avatar that deformed the site's layout and could of stolen cookies. |
|
| Database Backup Scanner |
| User |
skarecrow |
| Reward |
150 points |
| Description |
Skarecrow was able to make a C++ program to generate every possible combination of backups and then he would check them. And he would download the backups and crack the admin hashes. |
|
| XSS |
| User |
thegreatone2176 |
| Reward |
100 points |
| Description |
TheGreatOne2176 was able to execute javascript into the submit article, submit link, submit news. |
|
| View Admin Threads |
| User |
thegreatone2176 |
| Reward |
150 points |
| Description |
TheGreatOne2176 was able to enter a special id in the URL bar and he could see admin threads. |
|
| XSS |
| User |
FireSt0rm |
| Reward |
100 points |
| Description |
Firestorm was able to inject XSS into the news comments and PMs. This could lead to the stealing of admin cookies. |
|
| Database Backup |
| User |
Jake |
| Reward |
200 points |
| Description |
Jake was able to make a database backup without admin access and then download that backup and crack the admin hashes. |
|
|
|
Main:
