Uh oh. Looks like your using an ad blocker.
Our site is support by ads that help to pay our hosting costs. Please disable or whitelist us within your ad blocker to help us keep the site online.
All money generate by ads and donations is used to pay the hosting costs of the site.
Hall of Fame
| Multiple Vulnerabilities |
| User | Euforia33 |
| Reward | 250 points |
| Description | Euforia33 found multiple vulnerabilities on the site. |
|
| XSS Vulnerability |
| User | rex_mundi |
| Reward | 50 points |
| Description | rex_mundi found a XSS Vulnerability in the lost password system. |
|
| Blind SQL Injection |
| User | rex_mundi |
| Reward | 300 points |
| Description | rex_mundi found several Blind SQL Injections |
|
| BBcode Exploit & Patch |
| User | Euforia33 |
| Reward | 250 points |
| Description | Euforia33 found and patched a hole in the [IMG] tag |
|
| Multiple XSS vulnerabilitys |
| User | rex_mundi |
| Reward | 150 points |
| Description | Many XSS vulnerabilitys from the IMG tag to the PM system and the admin panel. |
|
| [IMG] Tag RFI vulnerability |
| User | Euforia33 |
| Reward | 150 points |
| Description | Euforia33 was able to include any PHP using the img tag |
|
| XSS Vulnerability |
| User | rex_mundi |
| Reward | 75 points |
| Description | rex_mundi found a XSS vulnerability that let him steal user's cookies. |
|
| XSS |
| User | nopcron |
| Reward | 30 points |
| Description | nopcron found a Cross Site Scripting exploit in realistic 8. |
|
| CSRF in Profile |
| User | rex_mundi |
| Reward | 100 points |
| Description | Rex injected csrf code into his profile which gave anyone who visited it free challenge points. |
|
| CSRF |
| User | korg |
| Reward | 100 points |
| Description | korg found and patched several csrf holes in the site. |
|
| CSRF in Buddy List |
| User | Infam0us |
| Reward | 35 points |
| Description | Infam0us discovered a CSRF vulnerability that allowed him to remove people from a user's buddy list. |
|
| Avatar Vuln |
| User | Infam0us |
| Reward | 60 points |
| Description | Infam0us was able to bypass the image-only filter for avatars to use any type of url he wanted by tacking on ?a=a.jpg or #a=a.jpg to the end of a URL. |
|
| XSS with img tags |
| User | Infam0us |
| Reward | 100 points |
| Description | Infam0us discovered that he could insert javascript into img tags by using decimal encoding. |
|
| CSRF in Codebank |
| User | cyber-guard |
| Reward | 35 points |
| Description | cyber-guard was able to create codes by getting users to visit an external site. He was able to use this in combination with his </textarea> vuln to do some interesting things. |
|
| Vulnerability in PM System and Code Bank |
| User | cyber-guard |
| Reward | 100 points |
| Description | cyber-guard discovered that he could use </textarea> to insert html into a PM, and this html would be executed if you clicked "preview". He was able to insert whatever html/javascript code he wanted into codes using this method upon editing them. |
|
| Basic 26 XSS |
| User | ADIGA |
| Reward | 25 points |
| Description | ADIGA found an XSS vulnerability in Basic Web Hacking 26 using the onmouseover attribute. |
|
| CSRF in Admin Blacklist Function |
| User | ynori7 |
| Reward | 35 points |
| Description | Ynori found a CSRF vulnerability in the blacklist function allowing any user to remove any (or all) blacklists by getting an admin with the proper prviliges to view a webpage. |
|
| CSRF in Articles Section |
| User | ynori7 |
| Reward | 35 points |
| Description | Ynori found a CSRF vulnerability in the Articles section allowing any user to delete any article by getting an admin to view a page. |
|
| CSRF in the shoutbox |
| User | stealth- |
| Reward | 15 points |
| Description | stealth- found a CSRF vulnerability in the shoutbox system that allowed him to make posts as other users. |
|
| Multiple CSRF vulnerabilities in the EM system |
| User | stealth- |
| Reward | 45 points |
| Description | stealth- found mulitple unchecked inputs in the EM system that allowed him to use CSRF to change exclusive member's settings. |
|
| Exploited Timed 6 |
| User | b4ckd0or |
| Reward | 100 points |
| Description | b4ckd0or found a CSRF vulnerability in timed6 that bypassed output filtering, allowing for JavaScript to be injected directly. This combination of CSRF and XSS would have allowed logged-in users to be directed to this page, where their session would be stolen. |
|
| DoS |
| User | pimpim |
| Reward | 20 points |
| Description | pimpim was able to make HBH's server DoS itself. He reported this and is therefor rewarded with 20 points. |
|
| Code Bank Hack |
| User | clone4 |
| Reward | 100 points |
| Description | clone4 was able to edit or delete code written by any user, but instead of exploiting this in a malicious manor, and reporting it, has been awarded 100 points. |
|
| UTF-7 XSS On Error Pages |
| User | SySTeM |
| Reward | 50 points |
| Description | SySTeM found an XSS vulnerability using the UTF-7 charset, http://www.hellboundhackers.org/\\\+ADw-script+AD4-alert(/xss/)+ADw-/script+AD4---//--, which when run with firefox, or internet explorer with character set auto detection turned on, caused an alert to appear. |
|
| XSS in print.php |
| User | SySTeM |
| Reward | 30 points |
| Description | SySTeM was able to post an article containing html, and then when a user goes to the print view of the article, the code would run. |
|
| CSRF Via Variable Injection |
| User | SySTeM |
| Reward | 35 points |
| Description | SySTeM was able to use a variable injection string (http://www.hellboundhackers.org/?_POST=lol=rofl.png) inside an image tag which would log someone out. |
|
| XSS |
| User | Uber0n |
| Reward | 40 points |
| Description | Uber0n found multiple XSS vulnerabilities in the site. |
|
| Server Security |
| User | richohealey |
| Reward | 100 points |
| Description | richohealey found and removed several malicious files that were uploaded onto the server and could have been used to cause damage. |
|
| DNS Injection |
| User | richohealey |
| Reward | 200 points |
| Description | richohealey found and fixed a DNS exploit on the server which would of enabled him to redirect the website to any location he wanted. |
|
| Messages XSS |
| User | Uber0n |
| Reward | 30 points |
| Description | Uber0n found a XSS hole in the messages pages that allowed him to inject code and send it to members. |
|
| XSS in [mail] tag |
| User | thk-geo |
| Reward | 15 points |
| Description | thk-geo was able to make an alert box pop up if a user clicked on a link in his sig. |
|
| XSS |
| User | spyware |
| Reward | 50 points |
| Description | Spyware was able to inject XSS into the forums, which was executed for people using the following browsers: IE6, Opera, and Netscape, he has been awarded 50 points for this. |
|
| Blind MySQL Injection |
| User | SySTeM |
| Reward | 100 points |
| Description | SySTeM found a blind mysql injection vulnerablity in the PM system |
|
| cURL Script |
| User | SySTeM |
| Reward | 40 points |
| Description | SySTeM used a cURL script in PHP to view the admin shoutbox entries. |
|
| XSS in Realistic 8 |
| User | SySTeM |
| Reward | 30 points |
| Description | SySTeM was able to include html tags in his refer. This refer was then logged in real 8 and anyone attempting the challenge would execute his code. |
|
| [IMG] Tag XSS vulnerability |
| User | SySTeM |
| Reward | 75 points |
| Description | SySTeM was able to escape our filters and insert a line segment that would allow him to make an alert box on any page that allowed BB code. |
|
| XSS |
| User | SySTeM |
| Reward | 100 points |
| Description | SySTeM was able to inject XSS into a function on the PM system. This could lead to stealing admin cookies. |
|
| XSS in members.php |
| User | SySTeM |
| Reward | 50 points |
| Description | SySTeM was able to find xss exploits in the members.php page by using the unfiltered variables. |
|
