Follow us on Twitter!
Never in the field of human conflict was so much owed by so many to so few. - Winston Churchill
Friday, April 18, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 30
Guests Online: 24
Members Online: 6

Registered Members: 82829
Newest Member: mmoclauq
Latest Articles
View Thread

HellBound Hackers | Events | General

Page 1 of 2 1 2 >
Author

find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-04-09 13:53
The event may now contine, the site is now on backslash'es server (http://www.webwhak.com/).

You can look in the news section of the page to view more.

http://root.cd (the site that this entire thread is about Wink)

[+] c4p_sl0ck - found out that member list will stretch if your name will be too long
[+] c4p_sl0ck - check that the shoutbox message isn't empty
[+] c4p_slock - shout message should not be posted when its empty
[+] backslash - shoutbox is floodable
[+] backslash - put recaptcha on register/contact forms and delay on login boxes
[+] backslash - make an archive system on the shoutbox
[+] backslash - forgotten in the my_profile section
[+] backslash - found out that the input in the shoutbox may be wayyy too long
[+] backslash - if you make 2 profiles with the same name they will come on the same personal page
[+] backslash - backslash was able to change my account
[+] system_meltdown - found a way to set his avatar to the logout page
[+] Raptor - found a xss vuln in the avatar section for IE and Opera browsers
[+] paranoiahax - found out that the forum is floodable (same way as the shoutbox posts)
[+] backslash - backslash social engineered me and thus managed to get full control over the site
[+] tms - found a CSRF in the forum, he was able to set a thread to the logout page

(from the news section of http://root.cd)
honor = CSRF/XSS
LFI/RFI = 3 euro
5 euro = (blind) sql injection
10 euro = full control over site
Please dont try to root it

once there is an update it will come on twitter, root.cd and here so your name will be mentioned on 3 places Wink.

Greetz,
Jelmer




Edited by on 22-04-09 14:01
Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-04-09 13:59
I'll help you with design if you like Wink


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-04-09 14:04
I want to help you with this.. i'll add you on msn.


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-04-09 14:08
allright, that would be great guys Grin


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-04-09 14:24
I'll add you too. Smile


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-04-09 20:10
quite a few (potentially fatal) flaws! Need fixing...


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-04-09 20:47
So people have already tried pen testing it Smile
Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-04-09 20:55
yeah.. there are quite a few flaws that I've been able to find, not sure what others have found


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-04-09 21:31
I tried a lot of XSS Injections but it didn'T work with a normal account.
So I think you have to gain admin rights with SQL Injection or some other exploit.

I will search a little bit xD
But it hard xD
Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-04-09 22:17
You're very well protected against XSS, that's for sure... Smile
Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-04-09 22:22
haha thanks Grin


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-04-09 22:58
The crop circles are talking to me!!!:whoa:
Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 19-04-09 12:23

[+] c4p_sl0ck - found out that memberlist will stretch if your name will be too long
[+] c4p_sl0ck - check that the shoutbox message isnt empty
[+] c4p_slock - shout message should not be posted when its empty
[+] Austin - shoutbox is floodable
[+] Austin - put recaptcha on register/contact forms and delay on login boxes
[+] Austin - make an archive system on the shoutbox
[+] Austin - </form> forgotten in the my_profile section
[+] Austin - found out that the input in the shoutbox may be wayyy too long
[+] backslash - if you make 2 profiles with the same name they will come on the same personal page
[+] backslash - backslash is able to change my account but he didnt noticed i think Wink
[+] system_meltdown - found a way to set his avatar to the logout page


Austin = backslash
backslash = Austin

Yeah, I did realise I was able to change your profile hence this picture:

www.eotl.org/photos/immortals/hannibal/1337.jpg

haha


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 19-04-09 12:54
lol yea i also realized that later =D anyhow, good job Pfft


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 19-04-09 13:00
well done to system for CSRFing it Pfft


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 19-04-09 13:07
can flood the forum by repeatedly pressing f5, it asks to resend the data, you want a spam filter on there.
also found that you can edit several accounts with the same name and create accounts which have already been created under the same name, however this might have already been found because austin was able to edit your account as it says


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 19-04-09 13:13
Yeah, it's good fun xD looks like Paranoiahax has mention something new... forum floods! Same method as shoutbox floods.


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 19-04-09 13:35
thanks paranoiahax, i just fixed system's csrf Grin


Author

RE: find security holes in my site and i will give you money!


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 19-04-09 16:23
Nice one buddy :-)
I think I've just found another exploit:
if you go to the members lists, and click on my profile it should log you out, system seemed to have done the same thing however you said you fixed it, i'm not sure how system did it but you definitely haven't fixed it fully.


Author

RE: find security holes in my site and i will give you money!

KvK
Member



Posts: 94
Location: EIP‭‮
Joined: 17.01.09
Rank:
Apprentice
Posted on 19-04-09 17:12
URI Exploit

http://root.cd/in. . .mber=Admin
Must be Logged In

I am able to force any member to connect to any computer on the net via Telnet through the viewing of my avatar. :happy:

(Similar vulnerability to System's)
------------------------------------------------------
EDIT:
Telnet Vulnerability Fixed (I Think...)
But URI Is Still Exploitable :happy:

http://root.cd/in. . .mber=Admin
Must be Logged In




Edited by KvK on 19-04-09 17:35
Page 1 of 2 1 2 >