
Hack this Upload Site


Warptweet


I've been hacked once again, despite my greatest efforts.


PLEASE hack my site, and tell me how you did it, and perhaps even suggestions on how to defend myself from the endless barrage of people who have nothing better to do with their lives other than ruin websites.


Look for the last mod time on your index file and then look through your Apache access log...

Should give you a hint at which page is being exploited.

There are of course better ways to find it, but you gave us no information at all....
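An added example (not from the thread) of the triage the reply above describes: take the index file's modification time, pull the Apache access-log entries from the minutes around it, then narrow to the requests that could plausibly have written a file. The log lines are constructed, and `/files/` as the upload directory is an assumption.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-format lines; the 203.0.113.x activity is the
# kind of sequence you would expect right before a defaced index file.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2009:03:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2009:03:14:09 +0000] "GET /upload.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2009:03:14:31 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2009:03:14:40 +0000] "GET /files/x.php HTTP/1.1" 200 301 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2009:09:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def apache_time(text):
    """Parse an Apache timestamp such as '12/Mar/2009:03:14:02 +0000'."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")

def index_mtime(path):
    """Timezone-aware modification time of the defaced file (the 'last mod time')."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip lines that are not in combined format
    return {"ip": m.group("ip"), "ts": apache_time(m.group("ts")),
            "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status"))}

def requests_near(log_text, mtime, window_minutes=10):
    """All requests within +/- window_minutes of mtime, oldest first."""
    window = timedelta(minutes=window_minutes)
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r and abs(r["ts"] - mtime) <= window]
    return sorted(hits, key=lambda r: r["ts"])

def suspects(log_text, mtime, upload_dir="/files/", window_minutes=10):
    """Narrow to what could have written a file: POSTs, or a .php served
    from the upload directory (a script that should never be there)."""
    return [r for r in requests_near(log_text, mtime, window_minutes)
            if r["method"] == "POST"
            or (r["path"].startswith(upload_dir) and r["path"].endswith(".php"))]
```

Feed `index_mtime("index.php")` and the real access log to `suspects()`; the IPs and paths it returns are where to start reading the log in full.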


[image: evidenceeq2.jpg]

Hmm...

SQL injection attempt. However, only files were uploaded, none of my database entries were modified...


Why don't you log IPS?


If you meant IP address; he does log it. Only from what I can imagine, he's using a hidden field with value="<?php echo $_SERVER['REMOTE_ADDR']; ?>" and thus someone made an identical form pointing to the same place and sent it with the hidden input value of 'i lurves no ipz'.


Guest Xanza

Yea, database uploaders are nice, but they are subject to hacks very easily... My advice would be to create a pure php file uploader... You'll be able to specify the files that are allowed to be uploaded, and blacklisted files just as easily, only there are no vulnerable databases that can be hacked. :P


It happened again.


I have a backup of all files, so it took seconds for me to reboot the site.

The new front page was actually quite funny. "CANT TOUCH DIS HACKARY. ROFL"

And a video of "Can't Touch This". I actually listened to it a couple of times.


I made some tight measures against the hacking..


I fixed the typo :D

Sorry, was in a rush to restore the site.


Please try hacking the website.

I implement mysql_escape_string to practically every variable in my PHP.

Also, for direct links, it links to a .php file which sends the direct download. You don't actually know the directory that the file is stored in. And the chances of you guessing it are too low to be considered possible. There are 1.84710571 × 10^89 possibilities :D


Guest Xanza

Because he's not exploiting your script... He's "going in the back door" via MySQL. Which is why I suggested that you use a pure PHP upload system. :/


Guest Xanza

haha, well if you ask me - someone that thinks they are protected by a single php function doesn't really have the technical knowledge to fix many security holes. ;)


HYPER EMERGENCY:


I wake up in the morning.

Forbidden: Warptweet.com, caramea.com, uploadpoints.com, merandtroy.com, everything. All my sites, all my folders.

I can't even access my files from my own highest-access cpanel.


They locked down my server. I had to contact my host to fix the problem!


I took uploadpoints.com offline. I made a backup and deleted all the files.

For some reason, the hackers can STILL edit the index.php! I'm guessing they hid a .php file somewhere in my other directories.
