HellBound Hackers | Computer General | Web hacking

IRL pen-testing.

jghgjb790 (Member, Rank: Newbie, Posts: 24, Joined: 20.06.10)
Posted on 24-06-10 03:57
Hey guys, I'm working on a site, and I've coded all of it myself, so it isn't too fancy. Anyway, I was wondering if anyone wanted to help me try to find/fix security holes? I have found 2 (write to a file that executes php! HUGE problem!) and am in the process of fixing them, but I'm sure you could find more. Please note, it is the WHOLE site, not just the part that says "Are you here to see if you can hack into my site?" (I quickly threw that together for the noobs at my school to try to hack... They failed, lol.)

Anyway, the site is http://brian.escdev.info, and just assume that I gave you the password "Kisara". There is an admin password, but I'll let you try to find that.

Thanks for all your help, it is very appreciated! :)

Edit: I'm sorry, but trying to log in with an empty password string isn't going to do anything. I get an email saying Someone tried to log in using the password: "" but that is about it. The add password page just notifies me so I can manually put it in. Remember I gave you the password Kisara. It saves it to a cookie, and checks the cookie on every page.

Edit 2: GOOD JOB GUYS! Someone managed to log out of a non-existent user! Please provide info? :D

Edit 3: HOLY CRAP GUYS!!!! I just got emailed 1260 error reports?!!?! WHY???? D:

Edit 4: I've dealt with the over 1,000 sms messages about those hotmail messages, but now you guys are getting close to the admin password (which is pretty easy to guess), here's some help for you. My name is Brian. Go guess it. Also, I've disabled emails, but it still writes all errors to a php page. Have fun :)

Edit 5: At 8:21 today (Wed, June 23, 2010) someone managed to get rid of their referer, date + time, and IP, leaving their possible malicious code untraceable (for me) and I would like to congratulate you. That is put through a PHP post form to an email, never touching any other language. Good job :)

Edited by jghgjb790 on 24-06-10 04:46
http://todaystopsite.site90.net
RE: IRL pen-testing.

Guest
Posted on 24-06-10 06:39
jghgjb790 wrote:
Hey guys, I'm working on a site, and I've coded all of it myself, so it isn't too fancy. Anyway, I was wondering if anyone wanted to help me try to find/fix security holes? I have found 2 (write to a file that executes php! HUGE problem!) and am in the process of fixing them, but I'm sure you could find more. Please note, it is the WHOLE site, not just the part that says "Are you here to see if you can hack into my site?" (I quickly threw that together for the noobs at my school to try to hack... They failed, lol.)


Thanks, it does look fun to poke around with. I poked at it for a few minutes, tomorrow when I have more time I will do it more.

Likely someone who knows a bit more about more advanced topics will be better equipped and beat me to the punch though. :(

There are no absurdly gaping holes at least (imo). :)




RE: IRL pen-testing.

jghgjb790 (Member, Rank: Newbie, Posts: 24, Joined: 20.06.10)
Posted on 24-06-10 19:24
Yeah, I JUST (literally, in the past 2 minutes) tried to make all submit forms sanitize the input. Before, it was entirely possible to execute PHP on the page where I moderate submissions. For example, you could have posted a picture with the description being
Code

<?php
// Submission description that ran as PHP when the moderation page rendered it:
// opens the site's home page for writing and replaces it with a defacement.
$f = fopen("/index.html", "w");
fwrite($f, "<h1>YOU HAVE BEEN HACKED!!!!</h1>");
fclose($f);
?>

and then the next time I viewed the submissions (available to me online) it would have overwritten the entire homepage. I think I've sanitized the input, but you may want to play around with it.

Edit 1: I've fixed my php code, it was a problem in the one script that I found online, of course *eyeroll*. Anyway, I've sanitized the input from the pic submit form and the admin alert form.

Edit 2: I highly doubt you could use that (removed from my post) form to read anything because it puts the file name in img tags, and I'm pretty sure there are no client side scripts to view a servers file. Anything else that you want to test, please go ahead, I don't mind getting spammed as long as it is for the good of the site.

Edited by jghgjb790 on 25-06-10 19:21
RE: IRL pen-testing.

Guest
Posted on 26-06-10 04:10
Here is an XSS which bypasses that filter you made:
http://brian.escdev.info/pictures.php?pic=../icons/apache_pb2_ani.gif( onLoad=document.location=1337%20a


Explanation how to bypass the filter:
- The image causes the img tag to load properly; I do this so I can use the onLoad event later.
- The "(" character gets evaded by your filter by 2 single quotes "'('"; these single quotes made it possible for me to escape from the src property.
- At the end I needed a whitespace so the JavaScript wouldn't fail.

Here is a hint on building your own filter against XSS:
Think about what characters you will need, not what characters you will exclude.
Be sure to filter out these:
'"<>&#!-=(){};
If you need any of these, be sure that there can't be a XSS crafted out of it.
When you filter something don't replace it with other content, especially not with quotes ;).
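The bypass above works because the filter adds quotes to the attacker's input: a payload that contains no quote of its own still ends up terminating the src attribute. The Python below is an added example, not code from this thread or from the site under test. It reconstructs a quote-wrapping filter of the kind described (the thread confirms the behaviour for "("; which other characters were on the list is unknown, so QUOTE_WRAPPED is an assumption), renders the img tag the vulnerable way and the escaped way, and uses a small attribute tokenizer (also constructed here, not a full HTML5 parser) to show which attributes a browser would see. The fix is contextual output encoding of the attribute value, which in PHP is htmlspecialchars() with ENT_QUOTES; the same encoding also turns the PHP description payload from the earlier post into inert text.

```python
import html

# Payload from the thread, URL-decoded. Note that it contains no quote at all.
PAYLOAD = "../icons/apache_pb2_ani.gif( onLoad=document.location=1337 a"
# The PHP description payload from the earlier post, as data.
PHP_PAYLOAD = '<?php $f=fopen("/index.html","w"); fwrite($f,"<h1>HACKED</h1>"); fclose($f); ?>'

# Assumption: the original filter wrapped each "unwanted" character in single
# quotes. The thread confirms this for "("; the rest of the set is guessed.
QUOTE_WRAPPED = "()<>"


def naive_filter(value: str) -> str:
    """Reconstruction of the denylist filter: it adds quotes and removes nothing."""
    return "".join(f"'{c}'" if c in QUOTE_WRAPPED else c for c in value)


def render_vulnerable(pic: str) -> str:
    """pictures.php-style output: the filtered value lands inside a single-quoted src."""
    return f"<img src='{naive_filter(pic)}'>"


def render_escaped(pic: str) -> str:
    """Contextual output encoding for an attribute value: &, <, >, double and
    single quotes are all encoded (quote=True), so the value cannot close the
    attribute whatever the filter did or did not do before."""
    return f"<img src='{html.escape(pic, quote=True)}'>"


def attribute_names(tag: str) -> list:
    """Tiny start-tag tokenizer, constructed for this example: returns the
    attribute names in order, treating quotes only as value delimiters. Enough
    to show where the quoted src value ends and what follows it."""
    body = tag.strip()[1:-1]          # drop '<' and '>'
    space = body.find(" ")
    if space < 0:
        return []
    s, i, n, names = body[space:], 0, len(body) - space, []
    while i < n:
        while i < n and s[i].isspace():
            i += 1
        if i >= n:
            break
        j = i
        while j < n and not s[j].isspace() and s[j] != "=":
            j += 1
        names.append(s[i:j].lower())
        i = j
        while i < n and s[i].isspace():
            i += 1
        if i < n and s[i] == "=":
            i += 1
            while i < n and s[i].isspace():
                i += 1
            if i < n and s[i] in "\"'":
                end = s.find(s[i], i + 1)
                i = n if end < 0 else end + 1
            else:
                while i < n and not s[i].isspace():
                    i += 1
    return names


def breakout_succeeds(rendered: str) -> bool:
    """True when an event-handler attribute escaped the src value."""
    return any(name.startswith("on") for name in attribute_names(rendered))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("escaped", render_escaped)):
        out = render(PAYLOAD)
        print(f"{label:10s} {out}")
        print(f"{'':10s} attributes={attribute_names(out)} breakout={breakout_succeeds(out)}")
    print("escaped    ", render_escaped(PHP_PAYLOAD))
```

In the vulnerable rendering the tokenizer sees src, a junk attribute named ('), then onload, which is exactly the attribute the browser fires; in the escaped rendering the whole payload stays inside the src value. Encoding on output is what makes the page safe; the input filter is at best a second line.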

RE: IRL pen-testing.

Guest
Posted on 26-06-10 04:19
Here is a link to the XSS, HBH is replacing "onEvent" with "onblockedEvent*", I wonder how many people were saved by this from being XSSED -.-'.
http://tinyurl.co. . .
RE: IRL pen-testing.

jghgjb790 (Member, Rank: Newbie, Posts: 24, Joined: 20.06.10)
Posted on 26-06-10 06:11
Aw, man.:angry: Thanks, I would never have thought of that. I fixed it, no more quotes. Will underscores do any harm? Here's a list of the replaced strings:
"
'
=
!
#
&
and
(
)
||
or
-->
<!--
--
php
javascript
<
>
[
]
{
}

Anything to add?

Edited by jghgjb790 on 26-06-10 06:31
RE: IRL pen-testing.

Guest
Posted on 26-06-10 20:14
As I said earlier, you should make a list of characters which you may use, not which you may not use (Google for "regular expressions php" and I am sure you will find useful information there).
Be sure when you filter that the actual purpose of the code is intact, at the moment "." will be filtered and replaced with "_DOT_" while this character can't do any harm.
Don't filter out underscores, it's pointless.
RE: IRL pen-testing.

jghgjb790 (Member, Rank: Newbie, Posts: 24, Joined: 20.06.10)
Posted on 26-06-10 20:28
Oh, man I am such an idiot. That's what happens when you try to make a site secure with very little sleep. Well, I tried to fix it, but I have stuff to do, so I haven't had time to test it. Thanks for all your help, and I know, I'm an idiot.
RE: IRL pen-testing.

jghgjb790 (Member, Rank: Newbie, Posts: 24, Joined: 20.06.10)
Posted on 27-06-10 00:05
I think someone logged out of "test". I realized that they just changed the value of the cookie then clicked log out.
RE: IRL pen-testing.

jghgjb790 (Member, Rank: Newbie, Posts: 24, Joined: 20.06.10)
Posted on 27-06-10 23:20
Sessions and a database. Alright, I'll try my best to get everything working. I have absolutely no experience with that, but I have to learn sometime :)

Edit 1: Okay, I talked to the owner of the server (I don't own the server, but I know the person who does) and they won't let me use a database. So, I figured I could just create a file for every user and chmod them. Now, the sessions I understand, and I'm working on moving the whole site over to using them. No more cookie usage for me. I'll update whenever possible.

Edit 2: Moved EVERYTHING over to sessions, but I haven't tested everything. The login form requires a username now, so the user is Kisara (capital K) and the password is password. Good luck :)

Edit 3: I was just asked to post some of the injections, attacks, etc, so here they are:
1) injecting javascript in the picture submit form. That was dumb of me. I forgot to filter the input. :(
2) Again, javascript injection. I filtered the input, but made a horrible mistake. I thought it would create an error in any script if I put a quote in front of all characters that I didn't want. FAIL, someone managed to close the image tag and add a js script.
3) Of course, changing the cookie and logging out scared me. Non-existent user? Nope, altered "user" data.
4) And the picture viewing one can be read a few posts above.
Thanks for the help :)

Edit 4: -sigh- The php won't let you use caps for some reason (?!?) so the username is kisara with no caps. I'll try to fix it, but try both just to make sure. Thanks!

Edited by jghgjb790 on 08-07-10 22:37
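The "logged out of a non-existent user" report shows what the original cookie design gave away: the cookie carried the username itself, so the client could set it to anything and the server believed it. The Python below is an added example, not the site's code. It puts the legacy design next to a server-side session table keyed by an unguessable random id, which is the model PHP sessions implement (the PHPSESSID cookie is only the id; $_SESSION lives on the server). The idle timeout, cookie name and cookie flags are assumed policy.

```python
import secrets
import time
from typing import Callable, Dict, Optional

SESSION_TTL = 30 * 60          # idle timeout in seconds (assumed policy)
COOKIE_NAME = "sid"


def user_from_cookie_legacy(cookie_value: str) -> str:
    """The original design as the thread describes it: the cookie *is* the
    username, so whatever value the client sends is believed."""
    return cookie_value


class SessionStore:
    """Server-side sessions: the cookie carries only an opaque random id and
    every fact about the visitor is looked up here, never in the cookie."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, dict] = {}
        self._clock = clock

    def create(self, username: str) -> str:
        """Call only after the password has been verified. A fresh id is issued
        on every login, so an id the attacker planted before login (session
        fixation) never becomes an authenticated one."""
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid

    def user_for(self, sid: Optional[str]) -> Optional[str]:
        """Username for a cookie value, or None for unknown, forged or idle ids."""
        rec = self._sessions.get(sid) if sid else None
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > SESSION_TTL:
            del self._sessions[sid]
            return None
        rec["last_seen"] = self._clock()
        return rec["user"]

    def destroy(self, sid: Optional[str]) -> bool:
        """Logout. False for an id that was never ours, which is the honest
        answer to 'someone logged out of a user that does not exist'."""
        return bool(sid) and self._sessions.pop(sid, None) is not None


def set_cookie_header(sid: str) -> str:
    """Set-Cookie line for the id: HttpOnly keeps it away from injected script,
    Secure keeps it off plaintext HTTP, SameSite=Lax blunts cross-site requests."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo() -> dict:
    """Both designs handed the forged cookie value 'test' from the thread."""
    store = SessionStore()
    sid = store.create("kisara")
    return {
        "legacy_believes_forged": user_from_cookie_legacy("test"),
        "store_rejects_forged": store.user_for("test"),
        "store_knows_real": store.user_for(sid),
        "logout_of_nonexistent": store.destroy("test"),
        "logout_of_real": store.destroy(sid),
        "after_logout": store.user_for(sid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value!r}")
    print(set_cookie_header(secrets.token_urlsafe(32)))
```

The table is in memory here; a real deployment keeps it in whatever the host allows (PHP's default is files under session.save_path, which should not be web-readable). The property that matters is unchanged: the client can only present an id, never choose what the id means.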
RE: IRL pen-testing.

jghgjb790 (Member, Rank: Newbie, Posts: 24, Joined: 20.06.10)
Posted on 18-09-10 04:00
Sorry for the date, but I just wanted to update that my website is now located at http://todaystops. . .site90.net and that it has changed dramatically. This, unfortunately, means that there will be plenty of new security problems. Thanks for any replies.



Please note that I have no idea what I'm talking about in the above post. Please do not make any assumptions that I have a clue what anything that I just wrote means. Thank you.
RE: IRL pen-testing.

Guest
Posted on 20-09-10 01:00
Here is an XSS vulnerability:
http://todaystopsite.site90.net/login2.php
$_POST["user"]

You can trigger another XSS by creating a username containing client side scripting.
http://todaystopsite.site90.net/login.php
Log in with:
user:<blink>
passwd:b

Here is an LFI, but you can't escape from the directory as far as I tried:
http://todaystopsite.site90.net/pictures.php?pic=banner.png
RE: IRL pen-testing.

jghgjb790 (Member, Rank: Newbie, Posts: 24, Joined: 20.06.10)
Posted on 20-09-10 05:05
Jelmer de Hen wrote:


You can trigger another XSS by creating a username containing client side scripting.
Log in with:
user:<blink>
passwd:b


Although that isn't TECHNICALLY an XSS (from how I define it - a way to get information by sending a link or writing script to a viewable document, more of an "easter egg" if you will), I will try to fix it.

Jelmer de Hen wrote:
Here is a LFI but you can't escape from the directory for as far as I tried:
http://todaystopsite.site90.net/pictures.php?pic=banner.png


I realize that you can view the banner through that, but really, can't you view the banner anyway? And I already saw that, if you have "../" anywhere in the "pic" variable, it tells you to stop trying, in a kind of cruel way.

Edit 1: How did you know my name? And sorry I didn't add that in before, in order to create a user, you must input my name, which is Brian. Remember to capitalize the first letter. :)

Edit 2: FYI, I use a flat file database for storing users. I know this isn't the safest way, but I encrypt the **** out of those passwords.





Edited by jghgjb790 on 20-09-10 05:10
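Three things in this thread meet in one piece of code: the advice to list the characters you need rather than the ones you exclude, the `<blink>` username that was accepted and later rendered, and the `../` check on pictures.php. The Python below is an added example, not the site's code. It validates a username and a picture name against allowlist patterns and rejects rather than rewrites (so "." survives in a picture name, and neither `<blink>` nor a bbcode payload can ever become a stored username), then resolves the picture under a fixed directory with canonicalisation so that plain traversal, encoded traversal, NUL tricks and symlink escapes all fall to the same containment check. The directory path, the name rules and the probe list are assumptions constructed for the example.

```python
import re
from pathlib import Path
from typing import Dict, Optional

# Allowlists (assumed policy): state what is permitted, reject everything else.
# The username set is tight because the thread plans one file per user, so the
# name doubles as a file name. '.' and '-' are harmless in a picture name and
# are allowed there.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
PIC_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")
ALLOWED_EXTENSIONS = {".png", ".gif", ".jpg", ".jpeg"}

# Assumed location of the gallery; pictures.php?pic=... must never leave it.
PICTURE_DIR = "/var/www/pictures"


def validate_username(name: str) -> Optional[str]:
    """Return the name unchanged if acceptable, else None. No rewriting: a
    denylist that turns '.' into '_DOT_' silently changes who the user is,
    a validator that rejects does not."""
    return name if USERNAME_RE.fullmatch(name) else None


def validate_pic_name(name: str) -> Optional[str]:
    """A bare file name: no separators, no NUL, no leading dot, known extension."""
    if not PIC_NAME_RE.fullmatch(name):
        return None
    if Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        return None
    return name


def resolve_pic(base_dir: str, name: str) -> Optional[Path]:
    """Canonical path of the picture, or None if it would leave base_dir.

    The name check already rules out '/' and '..'; the containment check is
    defence in depth. resolve() follows symlinks, so on a real file system a
    link inside the gallery that points outside it is refused as well."""
    if validate_pic_name(name) is None:
        return None
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    return target if target.parent == base else None


# Constructed inputs: the thread's own probes plus common traversal variants.
PROBES = [
    "banner.png",
    "my.photo-2010.jpg",       # '.' and '-' are harmless in a file name
    "../icons/apache_pb2_ani.gif( onLoad=document.location=1337 a",
    "../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",  # rejected before anyone decodes it
    "....//etc/passwd",        # survives a single replace("../", "")
    "banner.png\x00.txt",      # NUL truncation trick against older PHP
    ".htaccess",
]
LEGITIMATE = {"banner.png", "my.photo-2010.jpg"}


def classify(base_dir: str = PICTURE_DIR) -> Dict[str, bool]:
    """Which probes would be served."""
    return {p: resolve_pic(base_dir, p) is not None for p in PROBES}


if __name__ == "__main__":
    for probe, ok in classify().items():
        print(f"{'serve ' if ok else 'reject'} {probe!r}")
    for user in ("Kisara", "<blink>", "[td=width='*' onmouseover='alert(1)']XSS[/td]"):
        print(f"{'accept' if validate_username(user) else 'reject'} username {user!r}")
```

Only the two legitimate names are served; everything else is refused with no attempt to clean it up, which is also why the error page never has anything interesting to reflect back.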
RE: IRL pen-testing.

spyware (Member, Rank: God, Posts: 4192, Location: The Netherlands, Joined: 14.04.07, Warn Level: 90)
Posted on 20-09-10 21:40
jghgjb790 wrote:
Although that isn't TECHNICALLY an XSS (from how I define it - a way to get information by sending a link or writing script to a viewable document,


You're wrong.



RE: IRL pen-testing.

jghgjb790 (Member, Rank: Newbie, Posts: 24, Joined: 20.06.10)
Posted on 21-09-10 01:06
spyware wrote:
You're wrong.


Read my sig.
And as for the password files, how should I hide them? Put them one directory higher? Above the public html folder?



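On where the password file should live and what should be in it, the Python below is an added example, not the site's code. It is a flat-file user store of the kind the thread settles on, but it stores salted PBKDF2-SHA256 hashes rather than encrypted passwords, writes the file with owner-only permissions and an atomic rename, compares digests in constant time, and spends the same hashing work on an unknown user so a login probe cannot tell "no such user" from "wrong password" by timing. The directory layout (users.txt one level above public_html) is an assumption, and the is_outside_webroot helper checks it rather than trusting it. PHP offers the same building blocks in password_hash() and password_verify().

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path
from typing import Optional

ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 figure)
SALT_BYTES = 16
_DUMMY_SALT = secrets.token_bytes(SALT_BYTES)   # burns equal time for unknown users


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Record format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = salt or secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def is_outside_webroot(path: Path, webroot: Path) -> bool:
    """True if the file cannot be fetched through the web server's document root."""
    try:
        path.resolve().relative_to(webroot.resolve())
        return False
    except ValueError:
        return True


class FlatFileUsers:
    """One 'username:record' line per user. Usernames are stored lower-cased
    (the thread notes the PHP side lower-cases them); no plaintext hits disk."""

    def __init__(self, path: Path) -> None:
        self.path = Path(path)

    def _load(self) -> dict:
        if not self.path.exists():
            return {}
        users = {}
        for line in self.path.read_text().splitlines():
            if line:
                name, record = line.split(":", 1)
                users[name] = record
        return users

    def _save(self, users: dict) -> None:
        # Write a 0600 temp file and rename it over the old one, so a crash or
        # a concurrent reader never sees a half-written file.
        tmp = self.path.with_suffix(".tmp")
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            f.writelines(f"{n}:{r}\n" for n, r in users.items())
        os.replace(tmp, self.path)

    def add(self, username: str, password: str) -> bool:
        username = username.lower()
        users = self._load()
        if not username or ":" in username or username in users:
            return False
        users[username] = hash_password(password)
        self._save(users)
        return True

    def verify(self, username: str, password: str) -> bool:
        record = self._load().get(username.lower())
        if record is None:
            hash_password(password, _DUMMY_SALT)   # same cost as a real check
            return False
        return verify_password(password, record)


def demo() -> dict:
    """Constructed layout: <site>/public_html is the web root, users.txt sits beside it."""
    site = Path(tempfile.mkdtemp(prefix="site-"))
    webroot = site / "public_html"
    users = FlatFileUsers(site / "users.txt")
    users.add("Kisara", "password")
    return {
        "correct": users.verify("kisara", "password"),
        "wrong_case": users.verify("kisara", "Password"),
        "unknown_user": users.verify("nobody", "password"),
        "plaintext_on_disk": "password" in users.path.read_text(),
        "outside_webroot": is_outside_webroot(users.path, webroot),
        "inside_webroot": is_outside_webroot(webroot / "users.txt", webroot),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18s} {value!r}")
```

The file being outside public_html is what stops it being downloaded; the hashing is what limits the damage if it is copied anyway (a backup, a shared host, a later LFI). Both are needed, and neither depends on the other.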
RE: IRL pen-testing.

osiris2 (Member, Rank: Guest, Posts: 1, Joined: 20.05.10)
Posted on 26-09-10 11:25
I think I found something. It's not very dangerous and I'm not sure if I can call it an exploit. Here it is: http://tinyurl.co. . .

Edited by osiris2 on 26-09-10 11:29
RE: IRL pen-testing.

jghgjb790 (Member, Rank: Newbie, Posts: 24, Joined: 20.06.10)
Posted on 27-09-10 02:01
Although the video isn't one of my "accepted" ones, it isn't really a problem. I only made the video accept thing for people to share the videos on the list of videos. I don't care if you watch videos on the video page; besides, it takes more effort than it's worth (imo).



RE: IRL pen-testing.

Guest
Posted on 27-09-10 04:45
Queried the login page with bbcode injection.

Used this:

[table=border='1' cellspacing='0' cellpadding='0' width='100%'][tr=bgcolor='#ffffff'][td=width='*' onmouseover='javascript:alert(String.fromCharCode(88,83,83))']XSS[/td][/tr][/table]

and got this error:

User _OPENARRAY_table=border="1" cellspacing="0" cellpadding="0" width="100%"_CLOSEARRAY__OPENARRAY_tr=bgcolor="_POUND_ffffff"_CLOSEARRAY__OPENARRAY_td=width="*" onmouseover="javascript:alert_bracket_String.fromCharCode_bracket_88,83,83_bracket__bracket_"_CLOSEARRAY_XSS_OPENARRAY_slashtd_CLOSEARRAY__OPENARRAY_slashtr_CLOSEARRAY__OPENARRAY_slashtable_CLOSEARRAY_ not found. Please check your caps lock key and try again




RE: IRL pen-testing.

jghgjb790 (Member, Rank: Newbie, Posts: 24, Joined: 20.06.10)
Posted on 27-09-10 04:47
You try to log in as any non-existent user and you'll get an error. It is just extremely over filtered. Look at it.





Edited by jghgjb790 on 27-09-10 04:47