Follow us on Twitter!
You cannot teach a man anything; you can only help him find it within himself. - Galileo
Saturday, April 19, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 31
Guests Online: 30
Members Online: 1

Registered Members: 82835
Newest Member: phanton2043
Latest Articles
View Thread

HellBound Hackers | Computer General | Hacking in general

Author

Anyone want to help me pen test my website


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 24-06-09 20:09
I have a file storage website that I created several months ago. I have already pen tested it several times and found no significant security flaws. However, I can't confirm that the site is 100% secure because I am the only one that has pen tested it so far.

So, I'll give you guys permission to pen test it. However... do not delete any of the files off the website. I do have backups, but it's really annoying to restore them.

I would rather not post the URL directly, so here's the TinyURL: http://tinyurl.co. . .. If you access the URL directly without the userPfftass@site.com you'll see that it is protected with .htaccess, but the TinyURL contains all the information for it.

Alright, tell me if you find any security holes.

Thanks

Edited by rex_mundi on 11-12-13 13:44
Author

RE: Anyone want to help me pen test my website?

Demons Halo
Member



Posts: 261
Location: Sweden
Joined: 26.03.09
Rank:
Apprentice
Posted on 24-06-09 20:16
lol @ the popup window!


base_dropper@hotmail.com www.demonshalo.com
Author

RE: Anyone want to help me pen test my website?


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 24-06-09 20:25
^ I know. You don't really get admin access to the site though. That only allows you to access it.
Author

RE: Anyone want to help me pen test my website?

SySTeM
Member

Your avatar

Posts: 1524
Location: England, UK
Joined: 27.07.05
Rank:
HBH Guru
Posted on 24-06-09 22:00
Won't let me sign up.


img138.imageshack.us/img138/6527/sig2ak1.jpg
www.hellboundhackers.org/sig/r/2783.png

http://www.elites0ft.com/
Author

RE: Anyone want to help me pen test my website?

KvK
Member



Posts: 94
Location: EIP‭‮
Joined: 17.01.09
Rank:
Apprentice
Posted on 24-06-09 22:59
You should add to the list of prevented file types. I was personnel able to upload php2 and chtml files. Although you're security is plenty good considering the type of site it is, it doesn't hurt to be on the safe side.

:happy:


Author

RE: Anyone want to help me pen test my website?


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 24-06-09 23:11
Site down?


Author

RE: Anyone want to help me pen test my website?


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 24-06-09 23:27
454447415244 wrote:
Site down?

Works fine for me.


Author

RE: Anyone want to help me pen test my website?


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 25-06-09 01:17
works fine for me too.


Author

RE: Anyone want to help me pen test my website?


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 25-06-09 01:26
system_meltdown wrote:
Won't let me sign up.


What error do you get when signing up?
Author

RE: Anyone want to help me pen test my website?

SySTeM
Member

Your avatar

Posts: 1524
Location: England, UK
Joined: 27.07.05
Rank:
HBH Guru
Posted on 25-06-09 01:30
Ntvu wrote:
system_meltdown wrote:
Won't let me sign up.


What error do you get when signing up?


Your account was not able to be created. It seems like you didn't fill in all of the fields correctly.

Edit: working now!


img138.imageshack.us/img138/6527/sig2ak1.jpg
www.hellboundhackers.org/sig/r/2783.png



Edited by SySTeM on 25-06-09 01:31
http://www.elites0ft.com/
Author

RE: Anyone want to help me pen test my website?


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 25-06-09 01:41
KvK wrote:
You should add to the list of prevented file types. I was personnel able to upload php2 and chtml files. Although you're security is plenty good considering the type of site it is, it doesn't hurt to be on the safe side.

:happy:


Thanks for the advice, but the problem is that it would be very annoying to keep on adding new restricted file extensions. Say if I move to a new host and it supports Python and Perl, then I would have to prevent files with the extensions .py and .pl from being uploaded. Or if the host also supports Ruby, then I would have to restrict those file extensions too.

I do have an alternative solution to my problem though. I'm considering implementing a feature that will automatically encrypt and change the file type of any uploaded file. For example, if a user uploads a file called shell.php:

1) Use is_uploaded_file() to check if the file is really an uploaded file. If it is, then proceed.

2) Use move_uploaded_file() to move the uploaded file to a .htaccess protected directory where users cannot access at all. So shell.php can be executed inside of that directory, but it can't happen because everyone is restricted from accessing anything within that directory.

3) Apply some simple encryption to the file contents (for example: base64_encode(strrev(file_get_contents($file))) but that would be kind of weak)

4) Save the encrypted file contents into a new non-executable file such as a zipped folder.

5) Move the zipped folder into the general directory (which is also .htaccess protected so no one can access it,)

6) When the file is downloaded, I will decrypt the file contents and send it to the output buffer (for example: strrev(base64_decode(readfile($file))) to decode it) and then use HTTP headers to perform a safe download.



Does that seem like a good and secure method?
Author

RE: Anyone want to help me pen test my website?


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 25-06-09 01:52
I just logged out all of the users as I'm making some improvements to the site's security.
Author

RE: Anyone want to help me pen test my website?

p4plus2
Member

Your avatar

Posts: 167
Location:
Joined: 31.03.08
Rank:
Newbie
Posted on 25-06-09 02:00
Ntvu wrote:
KvK wrote:
You should add to the list of prevented file types. I was personnel able to upload php2 and chtml files. Although you're security is plenty good considering the type of site it is, it doesn't hurt to be on the safe side.

:happy:


Thanks for the advice, but the problem is that it would be very annoying to keep on adding new restricted file extensions. Say if I move to a new host and it supports Python and Perl, then I would have to prevent files with the extensions .py and .pl from being uploaded. Or if the host also supports Ruby, then I would have to restrict those file extensions too.

I do have an alternative solution to my problem though. I'm considering implementing a feature that will automatically encrypt and change the file type of any uploaded file. For example, if a user uploads a file called shell.php:

1) Use is_uploaded_file() to check if the file is really an uploaded file. If it is, then proceed.

2) Use move_uploaded_file() to move the uploaded file to a .htaccess protected directory where users cannot access at all. So shell.php can be executed inside of that directory, but it can't happen because everyone is restricted from accessing anything within that directory.

3) Apply some simple encryption to the file contents (for example: base64_encode(strrev(file_get_contents($file))) but that would be kind of weak)

4) Save the encrypted file contents into a new non-executable file such as a zipped folder.

5) Move the zipped folder into the general directory (which is also .htaccess protected so no one can access it,)

6) When the file is downloaded, I will decrypt the file contents and send it to the output buffer (for example: strrev(base64_decode(readfile($file))) to decode it) and then use HTTP headers to perform a safe download.



Does that seem like a good and secure method?


If I remember there was an method in cpanel to change mimetypes. If you change those to a mime type like octet-stream which should make the system ignore it as executable and make the internet browser download it as if it was a executable file.

Alternative to that method would be using a .htaccess file using
Code
AddType application/octet-stream TYPEHERE



Which should at least force the browser to ignore it(not sure about server for .htaccess method).

Not sure how well the method will work, and you could not use it on a php file. However, it is worth a shot so that you do not need to block so many file types.

(The method above is a method often used to mask php with a different file extension)


"You can't be something your not,
Be yourself by yourself
Stay away from me" ~Walk, Pantera

"Playing an acoustic guitar is like having sex with your clothes on" ~Dave Mustaine
p4plus2@hotmail.com
Author

RE: Anyone want to help me pen test my website?


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 25-06-09 02:30
^ I use URL rewrites to mask the presence of PHP. Unfortunately I can't turn expose_php off so if you use the Tamper Data tool on Firefox you can see the X-Powered-By header which basically gives away that I'm using PHP. But that's a very trivial issue and shouldn't be a potential problem to worry about.

And as for that mime-type trick, it won't be necessary. I'll still use .php file extensions but I can mask it with a URL rewrite. Also I could use rewrites to rewrite .php to .html. For example:

Code

RewriteRule ^([0-9a-zA-Z?-]+)\.html$ $1.php





And as for dealing with uploading shells, I'll just encrypt the file contents and write them to a new .zip file. And when the file's going to be downloaded I'll just have the script decrypt the contents of the zipped folder and then output the results to the output buffer.
Author

RE: Anyone want to help me pen test my website?


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-08-09 01:43
The unlimited file size idea is NOT a good one. Cap it at one gig...